Lonk, thank you for switching to a layout that has an ö ;).

But,

Arend's definition differs from yours. Arend said it can't be a PC. Is this what you mean when you say purpose-built?

>> It might, but it differs more from yours ;). A PC that's built for a purpose, with a stripped-down and specifically designed OS, could be purpose-built, yes. The matter comes down to where you draw the line between a software firewall and a hardware firewall.

You say they are purpose-built "boxes", and then you say these boxes can be VMs. So they are not built at all, but run inside the full OS of some other kind, even further away from the definition of a dedicated purpose-built "box".
And then you go on writing that Linux-based firewalls and ISA are not purpose-built since they are not bare metal. But the VM in your previous comment is bare metal?
And yet again, that VM is running under a Windows- or Linux-based host.

>> I'm moving away from only including "prebuilt" hardware; it's a matter of purpose - yes, a Linux distro can be purpose-built, Windows machines not so much; it's a matter of overhead as well. If you run a VM under a full OS, it's still not that OS that handles the FW parts; it's the VM using resources from the host machine to provide the features.

You get more bare metal by taking a PC and installing Linux on it with a kernel optimized for this kind of stuff.
>> You could, but the amount of tinkering that's needed for it... good luck ;).

About your comment on firewalls and the transport layer: that might have been the case in the 80s and early 90s, but all of today's firewalls should work on the application level. If they don't, it's like using fax instead of email, or a 28k modem in place of anything faster, as they both do communication in a way that fits the definition of "communication".
>> I included the consumer FWs here; they still don't all act on the application level. Nah mate, I mean that even if it states it's operating on the application level, it's not always 100% application-aware. And it's not a matter of the 80s and 90s; it's a matter of into the 00s. Today, most (even consumer products) do this to some extent, but lack the processing power to do it "enough". Same as with low-end stuff.

I also agree with doc, to some degree - it's a matter of layers and actually keeping stuff up to date. If we just left everything as it is now, of course it will be compromised sooner rather than later.

Lonk, port scanners and using traps is one way, but yes - no direct access in any direction, and having jump boxes that get wiped and updated until the next day, is a more fun way to ensure that if something gets compromised, it's not critical.

But back to the traps - every little script kiddie out there has several IPs to go with, so perhaps you simply shoot down the first obvious scanner, but what if the attack takes another approach, such as phishing or DNS poisoning? Even better, gets in as a MitM? A simple scanning tool just parses the masses of external IPs, checking if there's anything responding to requests at all. Even if you block that, you've just hit a flag, and they will hand that data over to the next "parser", and depending on their laziness level, either start identifying what's behind the IP, or just start throwing possible remote exploits at you. Still, you've just marked yourself as "active" :).
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!
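The point in the post above about shooting down the first obvious scanner while the script kiddie simply moves on to the next IP is easy to show with a small detector. The following is an added example, not code from this thread or from any of the firewalls discussed in it: it runs a per-source "many ports in a short window" rule over a constructed, iptables-style drop log, and then re-checks the sources that each stayed under that threshold as a group per target. The log format, the addresses, and the thresholds (5 distinct ports in 60 seconds, 3 sources) are assumptions made for the example.

```python
"""Added example (not from this thread): flag one noisy scanner per source,
then pool the quiet sources per target to catch the same sweep spread over
several IPs. Log format, addresses and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample log, loosely modelled on an iptables LOG target line.
# 203.0.113.10 is a single loud scanner; 198.51.100.1-3 split one sweep
# between them; 192.0.2.77 is just a client retrying a blocked port.
SAMPLE_LOG = """\
1000 DROP SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=21
1001 DROP SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=22
1002 DROP SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=23
1003 DROP SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=25
1004 DROP SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP DPT=80
2000 DROP SRC=198.51.100.1 DST=192.0.2.5 PROTO=TCP DPT=21
2001 DROP SRC=198.51.100.1 DST=192.0.2.5 PROTO=TCP DPT=22
2002 DROP SRC=198.51.100.2 DST=192.0.2.5 PROTO=TCP DPT=23
2003 DROP SRC=198.51.100.2 DST=192.0.2.5 PROTO=TCP DPT=25
2004 DROP SRC=198.51.100.3 DST=192.0.2.5 PROTO=TCP DPT=80
2005 DROP SRC=198.51.100.3 DST=192.0.2.5 PROTO=TCP DPT=443
3000 DROP SRC=192.0.2.77 DST=192.0.2.5 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) DROP SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Return (ts, src, dst, dpt) tuples. Non-matching lines are skipped,
    since a real log is full of unrelated entries."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return events


def busiest_window(events, window):
    """Sliding window over (ts, src, dpt) tuples. Returns the largest number
    of distinct destination ports seen within `window` seconds and the set
    of sources that contributed to that window."""
    evs = sorted(events)
    ports, sources = Counter(), Counter()
    best_ports, best_sources = 0, set()
    j = 0
    for i, (ts, _, _) in enumerate(evs):
        while j < len(evs) and evs[j][0] - ts <= window:
            ports[evs[j][2]] += 1
            sources[evs[j][1]] += 1
            j += 1
        if len(ports) > best_ports:
            best_ports, best_sources = len(ports), set(sources)
        # drop the leading event before the window slides on
        ports[evs[i][2]] -= 1
        if ports[evs[i][2]] == 0:
            del ports[evs[i][2]]
        sources[evs[i][1]] -= 1
        if sources[evs[i][1]] == 0:
            del sources[evs[i][1]]
    return best_ports, best_sources


def detect_scanners(events, window=60, min_ports=5):
    """Classic per-source rule: one source hitting >= min_ports distinct
    ports on one target inside the window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_pair[(src, dst)].append((ts, src, dpt))
    return sorted({src for (src, _), evs in by_pair.items()
                   if busiest_window(evs, window)[0] >= min_ports})


def detect_distributed_sweep(events, window=60, min_ports=5, min_sources=3):
    """Second pass: pool the probes from sources that each stayed under the
    per-source threshold and look at them per target. Several quiet IPs
    that together cover >= min_ports ports in one window is the rotated-IP
    sweep the per-source rule misses. Returns {dst: [sources]}."""
    noisy = set(detect_scanners(events, window, min_ports))
    by_dst = defaultdict(list)
    for ts, src, dst, dpt in events:
        if src not in noisy:
            by_dst[dst].append((ts, src, dpt))
    hits = {}
    for dst, evs in by_dst.items():
        nports, sources = busiest_window(evs, window)
        if nports >= min_ports and len(sources) >= min_sources:
            hits[dst] = sorted(sources)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("noisy scanners:", detect_scanners(evs))
    print("distributed sweep:", detect_distributed_sweep(evs))
```

On the sample, only 203.0.113.10 trips the per-source rule; blocking it alone leaves the three 198.51.100.x addresses, which each probe just two ports, untouched, and the second pass is what ties them together. The retrying client on port 443 contributes one port and so never counts. The thresholds are deliberately low to keep the sample short; on a real perimeter they and the window need tuning against what normal clients actually do.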