
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Posted on October 5th, 2009 by Steve Cassidy

Google and Firewalls, round one

My mailbox has been filling up with pleas for an end to confusion. Not globally, just in the tiny bit of the sum total of human achievement which concerns Google and their applications.

For ages, I have been telling everyone within reach to get themselves a hardware firewall. I hate the fact that “Firewall” has come to mean a whole lot of different things to different people – some say it’s software, others believe it’s a thing a router just does as if by magic; others still say “firewall” and mean “endpoint”… but that’s a digression.

It seems as though Google’s calendar web application wants to actually sniff around in your machine, to pick up re-publishable events in whatever local calendar program you’re using – and it does it from afar. This means, it doesn’t work unless your PC is naked to the web on the particular traffic port it wants to use – and opinions vary over what port that is. There’s a slew of sync utilities, many forum threads, and ominous mentions of Port Forwarding configurations for various chunks of hardware.

Port Forwarding is a pain in the neck in smaller businesses: OK for one or two servers but not so good once you have more than that. When users start demanding this feature, life becomes very painful – once, as the whole internet connection has to be rejigged and then again later, when their inadequately-protected PCs come under attack.

So far, not one of Google’s applications has fallen foul of this trap. Everything works by simply sending traffic out from the PC, which firewalls and routers are generally set to permit – the replies come back with the appropriate routing data and everyone’s happy. If my early experiments are correct then the right sync product for your particular calendar peccadillo sidesteps the need to open firewall ports – but to my mind, having this need present in the first place is an early sign of lazy, monopoly position thinking.

And to ram that point home: while dealing with one of my hardware-firewall using clients, I was obliged to drop into a remote-control session and work through the errors on a PC in the Statenkwartier, The Hague. To do this I encouraged the user to sign up for the free version of LogMeIn and then mail me their username & password. LogMeIn makes zero demands of a hardware firewall, and manages to completely remote control the machine – perhaps this kind of simplicity (and clear user assent to remote access) is something Google need to remind themselves about…
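The contrast the post draws between outbound-initiated traffic and a port forward, as a small model of a stateful firewall. This is an added example, not part of the original post; the class name, the addresses and port 9000 are constructed for illustration, and the NAT is simplified to keep the LAN source port.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    """Toy model: outbound allowed and tracked, inbound denied by default."""
    # wan_port -> (lan_ip, lan_port); each entry is a standing hole in the perimeter
    port_forwards: dict = field(default_factory=dict)
    # flows opened from inside: (lan_ip, lan_port, remote_ip, remote_port)
    flows: set = field(default_factory=set)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host connects out; remember the flow so replies can return."""
        self.flows.add((lan_ip, lan_port, remote_ip, remote_port))

    def inbound(self, remote_ip, remote_port, wan_port):
        """Classify a packet arriving on the WAN side."""
        for lan_ip, lan_port, r_ip, r_port in self.flows:
            # Simplification: the NAT keeps the LAN source port as the WAN port.
            if (r_ip, r_port, lan_port) == (remote_ip, remote_port, wan_port):
                return ("reply", lan_ip, lan_port)
        if wan_port in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[wan_port]
            return ("forward", lan_ip, lan_port)   # reachable by anyone
        return ("drop", None, None)

    def exposed(self):
        """Audit view: LAN services any internet host can reach."""
        return sorted((ip, port, wan) for wan, (ip, port) in self.port_forwards.items())

def demo():
    pc = "192.168.1.20"                       # constructed LAN address
    plain = StatefulFirewall()
    plain.outbound(pc, 50000, "198.51.100.7", 443)   # PC syncs outbound over HTTPS
    forwarded = StatefulFirewall(port_forwards={9000: (pc, 9000)})  # constructed port
    stranger = ("203.0.113.9", 40000)         # unsolicited internet host
    return {
        "reply_to_pc": plain.inbound("198.51.100.7", 443, 50000),
        "stranger_no_forward": plain.inbound(*stranger, 9000),
        "stranger_with_forward": forwarded.inbound(*stranger, 9000),
        "exposed": forwarded.exposed(),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `exposed()` listing is the part worth keeping an eye on in a real configuration: every port forward is an entry that stays reachable whether or not the PC behind it is patched.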

Posted in: Hardware, Rant, Real World Computing, Software


8 Responses to “ Google and Firewalls, round one ”

  1. Mike Clarkson Says:
    October 5th, 2009 at 1:55 pm

    Maybe I’ve missed an article on why hardware firewalls are so necessary? (and what you mean by firewall…). And I wonder where MS ISA fits in, in your view?

    On the Google Calendar issue, I’ve not seen anything you describe – I’m using the Calendar feature of Gmail (not signed up to Google Apps or anything posh like that), and can see an Import calendar from file feature – does it only start hunting after you use that?

     
  2. Steve Cassidy Says:
    October 5th, 2009 at 2:09 pm

    MS ISA is a funny one. On the one hand, they are extremely clear that it’s exceptionally secure: on the other hand, I think that the places which deploy it are Goldilocks configurations – it has to be *just right* and the things that can make it wrong, are nothing to do with the tech merit of ISA.

    My strongest reason for hardware firewalls (as distinct from ISA) is that I don’t want to reboot the server with 10 other jobs to do, just to implement a firewall feature change. With a Watchguard, Sonicwall or Draytek, I can alter those settings and none of the workers have any idea it’s happened.

    But you are right – there could be a proper article in this!

     
  3. Mike Clarkson Says:
    October 5th, 2009 at 2:57 pm

    Thanks for your reply. I guess the last piece in the jigsaw would be why you don’t seem to like a NAT router doing that job? (with the emphasis on *small* businesses). For what it’s worth, I’ve had good experience of ISA – where it wins quite well is its web and server publishing rules – it’s good and easy for handling e.g. multiple internal sites on one server. And for logging integrated with AD – I guess Draytek et al do that, but not sure?

     
  4. Steve Cassidy Says:
    October 5th, 2009 at 3:34 pm

    AD integrated logging isn’t really that necessary in small networks – IP address based logging covers most of the bases, and Draytek et al have Syslog for that level of detail.

    I don’t like routers doing the firewall job because it blurs their role, and because they have fairly primitive operating systems. I think it’s much better to buy into something that has shrunk down from the rocket-science world, rather than something that is trying to be just 10% smarter than a modem. Besides, as I have pointed out in a recent column, my last dedicated hardware firewall that saved my bacon, I bought on ebay. For £6…

     
  5. Gavin Moorhouse Says:
    October 5th, 2009 at 5:22 pm

    I find ISA a robust, but highly complicated product.

    Sonicwall and Draytek are both superb, they just work and do what they are told without any fuss.

    However I find WatchGuards to be unreliable as they always need rebooting for no reason. I’m talking about the Edge series in particular.

     
  6. Steve Cassidy Says:
    October 5th, 2009 at 6:12 pm

    Interesting! My experiences are the reverse of yours, almost. I find WGs just run, pretty much forever, and I hugely prefer their config upload architecture in the bigger boxes. Sonics run for a long time, but there comes a point where they start not quite doing what the web interface says they are doing…

     
  7. Nick Says:
    October 7th, 2009 at 2:53 pm

    What makes a hardware firewall different from a “software” firewall? For example a WatchGuard is running a custom software build, as is the SonicWall.

    Are they any better (and in which ways) than a completely software firewall such as IP Cop?

     
  8. Steve Cassidy Says:
    October 7th, 2009 at 2:58 pm

    For the purposes of this conversation, IPCop and Smoothwall and Monowall are indistinguishable from a hardware firewall, because they are a single-purpose ‘box’ which happens to live on a PC hardware platform. Even when virtualised, they still have only one purpose. I guess the most remarkable difference is that they are easily obtained by crackers for attack attempts in peace and quiet, whereas a hardware box is less easily obtainable.

     
