avguser
join:2003-02-09
·Verizon FIOS

Firewall versus Router

This is a two-part question, I suppose.
1. Is it really necessary to run a firewall if you have a router between you and the Internet and you are on a local 172.x.x.x network?
2. Why is a firewall a desirable or necessary level of additional protection?
LeeBee It's Dark Out There
join:2003-06-18 Swissieland
·Cablecom Switzerland

I assume you mean a software firewall? I like my win32 machines to have Sygate installed so I know what's connecting outbound. Certainly the NAT on the router will deal with most of the shrapnel coming from the wild side.
It's also useful on my WLAN as I can allow people to connect and have the packet filter killing their traffic should they try to connect to one of my "trusted" machines.
ghicken Premium join:2004-12-01 Taneytown, MD
reply to avguser

Once you have established a connection to a webserver, mailserver, DNS server, torrent server, etc. your router can no longer protect you. All packets coming into an established connection are allowed.
A firewall can question any downloadable source, for example HTML code to your browser. If the firewall doesn't catch anything coming in, it can catch packets trying to go out. Malware and really bad software (like Real Audio) constantly establish connections from inside your LAN. Your router can't stop it but a properly set up firewall can.
Having both is definitely good.
cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
reply to avguser

said by avguser:
"Why is a firewall a desirable or necessary level of additional protection?"

It's part of a layered defense. You should protect each computer from distant computers (on the internet), with a NAT router; and each computer from local computers (on your LAN), with a personal firewall.
»Security »How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach: »nitecruzr.blogspot.com/2005/05/p···our.html
-- Cheers,
Chuck »nitecruzr.blogspot.com/
gracie Geek Goddess Premium join:2003-07-15 confusion

said by cacroll:
"each computer from local computers (on your LAN), with a personal firewall."

Just to clarify, a software firewall is NOT just for protection from local computers on the LAN, but also to protect you from OUTGOING nasties ("phone-home" apps). Installing at LEAST a free software firewall like Zone Alarm is just good sense as a supplement to the wise move of using a router with a good SPI firewall.
-- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide Creating & Hosting SuperSites Worldwide
cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA

said by gracie:
"said by cacroll: each computer from local computers (on your LAN), with a personal firewall.
Just to clarify, a software firewall is NOT just for protection from local computers on the LAN, but also to protect you from OUTGOING nasties ("phone-home" apps)"

That's the reason for a layered defense. Relying upon a software firewall to protect yourself against outgoing nasties is like relying upon your dentist to fill the cavities in your teeth. Better to brush and floss daily; and better to prevent infections by malware, with inner layers of defense.
»Security »How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach: »nitecruzr.blogspot.com/2005/05/p···our.html
-- Cheers,
Chuck »nitecruzr.blogspot.com/
jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
reply to avguser

I can only tell you from experience, my own of course. I ran without a router for some time in the beginning and the more I learned about security, the more uneasy I got. I was running Zone Alarm at the time and felt good about that, but I never knew when some nasty was going to come along and for some reason disconnect that program. I learned about secure settings and also about other programs to layer my system, but until I got that router, I felt as if I was running around outside, in public, with only my underwear on. Once I got the router, along with the other things I have and/or have done, I finally felt fully clothed. Layering is the key to many things.
avguser
join:2003-02-09
·Verizon FIOS

Thank you for the responses. I do run both a hardware firewall (2Wire) and I also sit behind a [Linksys] router. I was driving in to work and my question popped into my head. I just couldn't answer the reason why both should be in place, even though I do it anyway. I'm pretty sure a lot of my neighbors run only NAT with no FW in place.
I particularly liked the note that stated that the firewall will keep the nasties out of my system from places where I make an established connection, as well as out-going crap.
cosmicvoid Infinity Or Bust
join:2001-01-02 Kingston, WA

The problem with a hardware firewall is that it can't know whether any particular outbound traffic is coming from a rogue application, or even a trusted one doing something unexpected. For example, while watching a video clip, WMP decided to "phone home". WTF? Well, Kerio denied the access, but it was disturbing. Your hardware firewall would have let it pass happily.
-- S@H: 6000 WUs and counting, yow!
jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
reply to avguser

Look, the fundamental reason for a SOHO NAT router is so that multiple PCs at your home or office can use the same public IP address (and possibly concurrently). The fact that a SOHO NAT router in and of itself provides you with a certain kind of 'firewalling' against unsolicited inbound probes is just icing on the cake -- but it's not really a firewall, not even a gateway firewall in and of itself unless the device has other features.
And, if you need to have several PCs accessing the Internet over a single public IP address, my own experience suggests that using a SOHO NAT router is far preferable (and indeed likely less expensive over the years) than using something like Microsoft Internet Connection Sharing (ICS).
Unfortunately, security issues have changed a great deal in the past few years. Unsolicited inbound probes for open services on your PC(s) are no longer the major threat (unless you're a complete dweeb and have failed to secure the machine(s) in the first place). Today, the primary concern is things that you may solicit (perhaps unknowingly) via your browser or inadvertently open in e-mail correspondence, chat sessions, or Instant Messaging. To some extent, anti-virus, anti-Trojan, and anti-spyware security utilities (if run memory-resident and regularly updated) can protect you against such threats. But a host-based firewall becomes your final line of defense against such a nasty that may somehow get on your box and then attempt to 'phone home', if you will. For most of the past five years, a host-based firewall meant a personal software firewall (PSF), but this is no longer necessarily the only option. Today, we are starting to see the advent of firmware-based firewalls residing in a chipset on the motherboard, such as the nVidia NFORCE4 chipset (fairly widely available for AMD CPU-based motherboards and coming into availability for Intel CPU-based motherboards). Both the PSFs and the firmware-based firewalls in a chipset on the motherboard present the capability to control applications/processes attempting to initiate an outbound Internet communication. You'll at least get asked (once) if you care to allow this communication. Of course, there's no guarantee that your personal decision is necessarily correct.
The other nice feature about host-based firewalls (whether they're PSFs or firmware-based) is that they provide a modicum of protection from other PCs behind the SOHO NAT Router or gateway firewall appliance that might have become infected simply because the user of the other PC(s) were socially engineered. That's not a trivial consideration, either.
-- Regards, Joseph V. Morris
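The distinction ghicken and jvmorris draw, that a NAT router only keys on addresses and ports (so replies to established connections and any outbound traffic pass), while a host-based firewall keys on the program opening the connection, can be seen in a small model. The following is an added example, not code from any poster, router vendor or personal firewall product; the addresses, port numbers and program names are constructed for the demonstration, and the allow-list is a stand-in for the "ask once, then remember" decision a PSF makes.

```python
"""Toy model of the two layers discussed in the thread: a stateful NAT
router (sees only addresses and ports) and a host-based firewall (sees
which local program is opening the connection). Constructed example,
not any vendor's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Connection key as a NAT router sees it: no notion of 'which program'."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply_key(self):
        """The key a reply packet to this flow carries (src/dst swapped)."""
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class NatRouter:
    """Stateful NAT: any LAN host may go out; inbound is allowed only
    when it matches a connection that was started from inside."""
    def __init__(self):
        self.table = set()

    def outbound(self, flow):
        self.table.add(flow)      # remember the connection, allow unconditionally
        return "ALLOW"

    def inbound(self, flow):
        # A reply to flow F arrives with F's key reversed; anything else is unsolicited.
        return "ALLOW" if flow.reply_key() in self.table else "DROP"


class HostFirewall:
    """Per-application egress control, as a personal firewall does: the
    decision is keyed on the program, not on the destination."""
    def __init__(self, allowed_programs):
        self.allowed = set(allowed_programs)
        self.log = []

    def outbound(self, program, flow):
        verdict = "ALLOW" if program in self.allowed else "DENY"
        if verdict == "DENY":
            self.log.append(f"egress denied: {program} -> {flow.dst_ip}:{flow.dst_port}")
        return verdict


def run_scenario():
    """Walk the events from the thread through both layers and return
    {label: (router verdict, host verdict)} plus the host firewall's log.
    The host verdict is None for inbound events the router already drops
    or that belong to an established connection."""
    router = NatRouter()
    host = HostFirewall(allowed_programs={"browser.exe"})  # constructed allow-list
    lan = "172.16.0.10"        # constructed LAN address, like the OP's 172.x.x.x network
    results = {}

    # 1. Browser opens a connection to a web server: both layers allow it.
    web = Flow("tcp", lan, 49152, "203.0.113.5", 443)
    results["browser_out"] = (router.outbound(web), host.outbound("browser.exe", web))

    # 2. The server's reply: the router allows it because the connection is established.
    results["web_reply_in"] = (router.inbound(web.reply_key()), None)

    # 3. Unsolicited probe from the Internet to a LAN service port: the router drops it.
    probe = Flow("tcp", "198.51.100.7", 40000, lan, 445)
    results["probe_in"] = (router.inbound(probe), None)

    # 4. A media player 'phones home': the router cannot tell this from browser
    #    traffic and allows it; the host firewall denies the program it does not know.
    phone_home = Flow("tcp", lan, 49153, "192.0.2.44", 80)
    results["player_phone_home"] = (router.outbound(phone_home),
                                    host.outbound("player.exe", phone_home))
    return results, host.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for label, (r, h) in verdicts.items():
        print(f"{label:20} router={r:5} host={h}")
    print("\n".join(log))
```

Event 4 is the one the thread is about: the router's verdict is identical for the browser and for the unknown program because a NAT table has no column for "which process", so only the host layer can deny it. Event 3 is what the router does contribute, and a personal firewall on the PC behind it would never even see that packet.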
Mele20 Premium join:2001-06-05 Hilo, HI

Why not just use Process Guard?