docrice

join:2008-03-31
Fremont, CA

reply to Netant
Re: Software Vs Hardware firewall

There are places for both hardware and software firewalls, and they both come in varying degrees of quality and effectiveness. Software firewalls on individual hosts are important (especially on laptops) to protect you on public networks such as hotspots. Some of them might even map processes to application executables and permit outbound traffic only from ones on an authorized list. It's a little more work up-front to ensure you have a good rule base, but it's worth it in the long run because for most people it's the only way they'll ever know if an application is trying to send traffic out (or if there's an attempted inbound connection). If you're curious, you could also use TCPView or fport to see what kind of TCP / UDP connections are happening in real time, although these don't filter traffic.

Hardware firewalls, on the other hand, protect your entire internal network from external networks. However, they don't protect internal hosts from each other. Hardware firewalls (at least the more expensive ones) are capable of deep-packet / application-layer inspection (e.g., Check Point's SmartDefense in FW-1), which examines each individual packet's payload data. For example, SMB or RPC traffic is inspected for protocol compliance and, if it doesn't comply, dropped to prevent attacks which rely on "tweaking" the protocols to produce an exploit which may exist on the host. Inbound HTTP requests to your web server or DoS flooding are other examples of where a high-grade hardware firewall with specialized functions comes in handy.

That said, most home-grade hardware firewalls (typically on all-in-one routers) don't do much more than port-level filtering. You can always use a Linux distro specific to this purpose (or something like OpenBSD's pf) if you want a free (but very effective) hardware solution that stands guard at the edge of your network.
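docrice's point about TCPView / fport is that the first step in writing a host firewall rule base is knowing which sockets are listening for inbound connections and which processes are already talking outbound. The following is an added example, not code from the thread: it parses a snapshot in the format Linux exposes at /proc/net/tcp (the same data netstat and TCPView-style tools present) and separates network-exposed listeners, loopback-only listeners and established outbound connections. The snapshot below is constructed, not captured from a real host, and the address decoding assumes a little-endian machine.

```python
"""Parse a /proc/net/tcp snapshot and report listeners and outbound connections.
Added example for this thread; the sample data below is constructed."""
import socket
import struct

# Constructed sample in /proc/net/tcp format: a service listening on all interfaces
# (port 22), a printer daemon bound to loopback only (port 631), and one outbound
# HTTPS connection from 10.0.0.12 to 203.0.113.5 (an address from the documentation range).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0C00000A:B2F4 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Socket state codes as printed by the kernel in the "st" column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into ('dotted quad', port).

    The kernel prints the IPv4 address as one 32-bit word in host byte order, so on
    the little-endian hosts this example assumes the bytes appear reversed; packing
    the integer little-endian recovers network byte order for inet_ntoa."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line, skipping the header line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "sl":
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        entries.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return entries


def exposed_listeners(entries):
    """Listening sockets bound to a non-loopback address: reachable from the network,
    so these are what a port-level firewall in front of the host needs rules for."""
    return sorted((e["local_ip"], e["local_port"]) for e in entries
                  if e["state"] == "LISTEN" and not e["local_ip"].startswith("127."))


def loopback_listeners(entries):
    """Listening sockets that only local processes can reach."""
    return sorted((e["local_ip"], e["local_port"]) for e in entries
                  if e["state"] == "LISTEN" and e["local_ip"].startswith("127."))


def outbound_connections(entries):
    """Established connections with the owning uid: the traffic an application-aware
    host firewall decides on (the pid mapping lives in /proc/<pid>/fd, not here)."""
    return sorted((e["local_ip"], e["local_port"], e["remote_ip"], e["remote_port"], e["uid"])
                  for e in entries if e["state"] == "ESTABLISHED")


if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("Exposed listeners :", exposed_listeners(rows))
    print("Loopback listeners:", loopback_listeners(rows))
    print("Outbound           :", outbound_connections(rows))
```

Run it against a real host with `parse_proc_net_tcp(open("/proc/net/tcp").read())`; anything in the exposed-listeners list is a service that an edge firewall's port filtering either has to block or that you have deliberately chosen to expose.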


Latency

@netspectrum.ca

It seems docrice has the right approach overall, IMHO.

There might be a couple of points that require some embellishment:

said by docrice:

There are places for both hardware and software firewalls, and they both come in varying degrees of quality and effectiveness. Software firewalls on individual hosts are important (especially on laptops) to protect you on public networks such as hotspots. Some of them might even map processes to application executables and permit outbound traffic only from ones on an authorized list. It's a little more work up-front to ensure you have a good rule base, but it's worth it in the long run because for most people it's the only way they'll ever know if an application is trying to send traffic out (or if there's an attempted inbound connection). If you're curious, you could also use TCPView or fport to see what kind of TCP / UDP connections are happening in real time, although these don't filter traffic.
Netant: ZoneAlarm is a pretty decent little software firewall; it's worth keeping in your setup. Although, one needs to wait and see how badly the new company owners (CA) stifle its innovation, other than charging for it. The above comments by docrice about both egress and ingress (out/in) filtering are important, as is application monitoring.

Winblows XP/Vista firewall isn't even worth turning on, even if Vista's version is improved. You can easily download many better software-based firewalls for free. So, for all the "it's better than nothing" Micro$haft people, you can get better for free!

32-bit:
»www.tallemu.com/free-firewall-pr···are.html
and this one I haven't tried out, but it is interesting: »www.sunbeltsoftware.com/Home-Hom···irewall/

For 64-bit XP you have Comodo: (should use advanced $$ version) »www.personalfirewall.comodo.com/

All firewalls, software or hardware, have their strong points and all without doubt also have their weak points (although their marketing departments may disagree). The choice may depend on matching the person's application to the most appropriate firewall.

Bottom line: every single computer that connects to the internet/intranet/extranet can benefit from a decent software firewall, without exception.

said by docrice:

Hardware firewalls, on the other hand, protect your entire internal network from external networks. However, they don't protect internal hosts from each other. Hardware firewalls (at least the more expensive ones) are capable of deep-packet / application-layer inspection (e.g., Check Point's SmartDefense in FW-1), which examines each individual packet's payload data. For example, SMB or RPC traffic is inspected for protocol compliance and, if it doesn't comply, dropped to prevent attacks which rely on "tweaking" the protocols to produce an exploit which may exist on the host. Inbound HTTP requests to your web server or DoS flooding are other examples of where a high-grade hardware firewall with specialized functions comes in handy.
While high-end firewall appliances are good and have cool features, it sounds like overkill for most home users (who aren't trying to use DDNS for a home ISP with servers).

said by docrice:

That said, most home-grade hardware firewalls (typically on all-in-one routers) don't do much more than port-level filtering.
In a perfect world everyone would have a $500-700.00 firewall appliance performing deep packet inspection at home. In this world, it would be better if everyone just used a cheap or free software firewall and a cheap hardware firewall/router, as this results in a better default setup than nothing at all.

said by docrice:

You can always use a Linux distro specific to this purpose (or something like OpenBSD's pf) if you want a free (but very effective) hardware solution that stands guard at the edge of your network.
OpenBSD for home users? This I'd like to see. Maybe the FreeBSD-based pfSense (contains OpenBSD PF) would give them a chance, or how about IPCop/Monowall, which is simple, has a good GUI and works well on older hardware, or Endian?

Don't misunderstand me, one can not go wrong with OpenBSD Packet Filter but the learning curve is steep for most home users.

IMHO, if you want to build a router/firewall out of an old computer you have quite a few options depending on your skill-set. IPCop, based on Debian Linux, is great to start playing with as a primer for things like OpenBSD.

Bottom line: every single computer that connects to the internet/intranet/extranet can benefit from a hardware firewall, without exception.

Perhaps, instead of one (1) expensive router (which most home users could not properly set up), set up two (2) different cheap ones. Something like a Dlink and a Linksys, or a NetTrends (sub $50.00).

Netant: For your setup you could use one wireless router/firewall and one wired for some peace of mind. (This does work)

Steve Gibson at www.grc.com has an interesting page on this type of setup. »www.grc.com/nat/nat.htm and »www.grc.com/nat/nats.htm

Also, when setting up your wireless security for WPA2, this page gives great random keys... and it's easier than dice.

»https://www.grc.com/passwords.htm

i.e. 63 random printable ASCII characters:
iM?b82=(pD6o/;WCj\17+j4Z!=9OPYPkkrnIquZ.*F6GGz|fzp`

Use the full keys for best security and always use WPA2 with AES (as good as WPA2-PSK offers, unless you happen to have a couple of RADIUS/MySQL servers lying around).

Regards to docrice for taking the time to give a good detailed answer! (no flames please)

Latency

Bad computer/router/firewall setups are more likely to blame for poor network security than the tool(s) used for the job.
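Latency's WPA2 advice above (a full-length key of 63 random printable ASCII characters, WPA2 with AES) can be reproduced locally rather than fetched from a web page. The following is an added example, not code from the thread or from grc.com: it draws the passphrase from the operating system's CSPRNG, estimates its entropy, and derives the 256-bit PSK that the access point and client actually use from it (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as specified in IEEE 802.11i). The SSID "HomeNet" in the usage section is a constructed value.

```python
"""Generate a WPA2-PSK passphrase and derive the resulting 256-bit PSK.
Added example; the SSID used in the demo is constructed."""
import hashlib
import math
import secrets

# Printable ASCII without the space character (codes 33..126): 94 symbols,
# the same character class as a "63 random printable ASCII characters" key.
PASSPHRASE_ALPHABET = "".join(chr(c) for c in range(33, 127))


def generate_passphrase(length=63, alphabet=PASSPHRASE_ALPHABET):
    """Draw each character from the OS CSPRNG via secrets (never random.random)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passphrase: length * log2(alphabet size).
    For comparison, 8 lowercase letters give 8 * log2(26), about 37.6 bits."""
    return length * math.log2(alphabet_size)


def is_valid_passphrase(passphrase):
    """802.11i passphrase rules: 8 to 63 printable ASCII characters (codes 32..126)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    A weak passphrase stays weak after this step: PBKDF2 slows guessing, it does not
    add entropy, which is why the full 63-character key is worth the typing."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("invalid WPA passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    key = generate_passphrase()
    bits = passphrase_entropy_bits(len(key), len(PASSPHRASE_ALPHABET))
    print("passphrase:", key)
    print(f"entropy: about {bits:.0f} bits (more than the 256-bit PSK it is hashed into)")
    # "HomeNet" is a constructed SSID for the demo.
    print("PSK:", derive_psk(key, "HomeNet").hex())
```

Because the PSK is only 256 bits, anything beyond about 39 characters of this alphabet adds no further strength; the point of the full 63 characters is that the passphrase itself is never the weak link, and the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") lets you check the derivation against the value any `wpa_passphrase` tool prints for the same input.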
Tuesday, 01-Dec 02:52:00 © 1999-2009 dslreports.com.