olivahec
join:2000-11-18 Sheffield Lake, OH
Linksys BEFW11SW firewall
I have a stupid question: does my Linksys router have the firewall built into it? And if so, is it automatically activated? And do I need to run the XP firewall with it? The reason I ask is because I have 3 PCs networked together and cannot share files with the XP firewall up and running.
Thanks,
Hec
Shootist Premium join:2003-02-10 Decatur, GA
No, you cannot have a network with the XP firewall on. Look in the user manual for your router; it's on the CD that came with the router. The router has NAT, which blocks probes from the internet. -- Are You Ready--Stand By BEEP ********
cdru Go Colts Premium,MVM join:2003-05-14 Fort Wayne, IN
reply to olivahec Any router that does NAT will have a basic firewall just by the fact that it has NAT. I believe that all of Linksys's cable/DSL/broadband routers also have a decent firewall on top of the protection built in with NAT. Because of this, it is not necessary to also run Windows XP's firewall in addition to the router's firewall. Windows XP would never get any outside attacks, as the router would have stopped them already. Windows' firewall would only prevent attacks from other computers inside your network. This all assumes that you haven't set up port forwarding, DMZs, etc.
You may sometimes hear of people running software firewalls in addition to a hardware firewall. Usually this is because they want to monitor outgoing connections and prevent some of them (spyware, adware, etc.).
Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
reply to olivahec Is there such a beast??? BEFW11SW??
Do you mean the BEFW11S4??
If so, this router does not have an SPI firewall or DoS protection; it simply has NAT.
NAT is not a replacement for a SW firewall. I can run my PC quite safely with just a SW firewall; the same cannot be said for a plain NAT router (assuming in both instances an up-to-date AV proggie is running). In other words, I think of a SW firewall as a core component and the NAT router as an addition to that, not the other way around.
The XP firewall is a useful temporary resource to enable you to add a 'real' SW firewall such as the free ZoneAlarm by Zone Labs, or a more robust/tweakable one such as ZAPro/Kerio, that will allow one to (a) screen incoming scans and programs, (b) screen outgoing scans and programs***, (c) allow varying levels of WAN and LAN security***. (The XP firewall is also useful in that it can be applied without accessing the internet, i.e. to get a SW firewall, so as to be able to then go and apply/download OS patches!! and access the net more securely during a setup.)
NAT and the XP firewall only address (a) and thus are not complete solutions, but are redundant. Since we have NAT anyway due to the router, we can certainly benefit from this side effect of the router. Remember the router's purpose is to provide multiple access to the net for our PCs and to create the infrastructure on the LAN; the technique used, NAT (network address translation), also has the effect of dropping ANY scan or packets arriving at the router that were not initiated or asked for by a PC on the LAN. Ipso facto, an incoming blocker. A SW firewall user, after router implementation, will not see any of those typical annoying scan hits anymore!!!
Often though, we open doors (65000 of them) via ports in the router to serve, or play games etc..... basically bypassing NAT. The SW firewall will help ensure only the programs we authorize are allowed in on that port. Agreed that routers with a firewall on top of NAT can further delineate which IP addresses and packet types can get through to the PC on that port as well, BUT they are not application specific (only the SW firewall is!!).
If we look at programs trying to get out of the PCs, spyware or other nasties that we can get on our PCs by clicking on the wrong button, opening an email, or by using infected CDs, floppies etc........ then NAT fails (from a total security perspective). Because these programs 'phone home' and the request originates from within the LAN, the NAT router will allow any return instructions/controls to pass through NAT, because in effect it is trusted as originating from a PC on the LAN. The SW firewall will stop the proggie on the attempt to get to the WAN. Again, a more robust router with a separate firewall MAY (depending on how tight its setup is) pick it up as well, if stoppable by IP address, packet type or port, but only the SW firewall again is application specific.
Thus, the NAT router, or NAT + firewall router, can work as a team with a SW firewall, providing layered defences both in and out. Most of us are pretty careful in our set-up, but many also run Ad-aware and Spybot because crap has an insidious way of getting on the computer.....
At the very least, I use my SW firewall as a useful tool to help me detect spyware activity and thus alert me to run one of the above, but also to add any badly designed web sites (that allow Gator and other crap components) to my URL or domain filter. Also, I use the SW firewall to monitor what programs are attempting to act as a server and which are just asking for internet access (gives me the option depending on what I plan to use the program for in that session), or attempting to use another program to access the internet. -- Steve Martin: " If I only had one wish, it would be---> That all Linux users forget their root password!! " [text was edited by author 2003-09-15 08:35:35]
cdru Go Colts Premium,MVM join:2003-05-14 Fort Wayne, IN
You are correct. A NAT router is not a real SPI (stateful packet inspection, for those who didn't know) firewall. For me, it is sufficient, and it probably is for 95% of people out there with your basic broadband connection at their house. NAT will block the viruses/exploits that have been going around lately.
Personally, I don't care about outgoing packets. I only run software I trust. Yes, I'm naive, but oh well. So that leaves incoming packets. Incoming packets are stopped dead in their tracks because of NAT if a port hasn't been opened from the inside. This is why a lot of things get broken by NAT. The router doesn't know that WinMX is listening on port 1234, so it doesn't pass anything through that it gets on 1234.
With DoS attacks, the attacker still could easily overwhelm your connection if he wanted to. That's the nature of limited amounts of bandwidth. The router would still provide the protection for your internal servers. They wouldn't ever see the attack. However, your router would get the attack.
I don't trust any software that is supposed to provide me protection while running on the same machine that it is trying to protect, such as a software firewall. Give me a very simple computer that has a single purpose or several limited, well-defined purposes. The more things you have running on a firewall, the more chances your firewall will look like Swiss cheese.
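The behaviour the posters above are arguing about, as an added example (this is not code from any post, from Linksys or from any firewall product): a toy NAT router and a per-application host firewall in Python. It replays cdru's point that a plain NAT router drops unsolicited inbound packets unless a port was opened from the inside or statically forwarded, Anav's point that a 'phone home' started inside the LAN sails through NAT and only a host firewall can refuse it by program, and goes one step beyond the thread by contrasting a port-restricted NAT with a full-cone one, where a third party who learns the mapped port does reach the PC. The addresses (documentation ranges), the forwarded port 1234, the program names and every packet are constructed for the example.

```python
"""Toy model of a plain NAT router versus a per-application host firewall.

Added example for this thread, not code from any post or from Linksys. The
addresses, the forwarded port and the program names are hypothetical, and every
packet is constructed below, so the script runs offline.
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.7"  # hypothetical public address of the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    program: str = ""  # owning process: the host knows it, the router never sees it


class NatRouter:
    """Port/address translation with no stateful inspection: outbound flows create
    mappings, inbound packets are delivered only via a mapping or a static port
    forward. restricted=True is a port-restricted NAT (the reply must come from the
    endpoint the PC talked to); restricted=False is a full-cone NAT."""

    def __init__(self, forwards=None, restricted=True):
        self.forwards = dict(forwards or {})  # wan_port -> (lan_ip, lan_port)
        self.restricted = restricted
        self.by_wan_port = {}  # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.by_flow = {}      # reverse index so a flow keeps its WAN port
        self.next_port = 40000

    def outbound(self, pkt):
        """Translate a LAN->WAN packet, allocating a WAN port on first use."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.by_flow.get(flow)
        if wan_port is None:
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = wan_port
            self.by_wan_port[wan_port] = flow
        return Packet(WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port, pkt.program)

    def inbound(self, pkt):
        """Return the packet as delivered to the LAN, or None if dropped."""
        if pkt.dst_ip != WAN_IP:
            return None
        flow = self.by_wan_port.get(pkt.dst_port)
        if flow is not None:
            lan_ip, lan_port, remote_ip, remote_port = flow
            if not self.restricted or (remote_ip, remote_port) == (pkt.src_ip, pkt.src_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
            return None
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:  # an opened port: the "door" that bypasses NAT's implicit block
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None  # unsolicited and unforwarded: the scan never reaches a PC


class HostFirewall:
    """Per-application egress policy: the one layer that knows which program
    opened the socket, which is what stopping a 'phone home' requires."""

    def __init__(self, allowed_programs):
        self.allowed = frozenset(allowed_programs)

    def permits(self, pkt):
        return pkt.program in self.allowed


def run_scenarios():
    """Replay the cases argued in the thread; returns a name -> bool map."""
    pc = "192.168.1.10"
    router = NatRouter(forwards={1234: (pc, 1234)})  # e.g. a P2P client's listen port
    host_fw = HostFirewall({"browser"})
    r = {}
    # 1. Unsolicited probe at the WAN address: no state, no forward, dropped.
    r["scan_dropped"] = router.inbound(Packet("198.51.100.9", 31337, WAN_IP, 445)) is None
    # 2. Browser request goes out; the server's reply matches the mapping and is delivered.
    req = router.outbound(Packet(pc, 50001, "198.51.100.20", 80, "browser"))
    reply = router.inbound(Packet("198.51.100.20", 80, WAN_IP, req.src_port))
    r["reply_delivered"] = reply is not None and reply.dst_ip == pc
    # 3. A third party aims at the mapped port: a port-restricted NAT drops it, but a
    #    full-cone NAT delivers it, so "NAT blocks all unsolicited traffic" has limits.
    r["stray_dropped_restricted"] = router.inbound(
        Packet("198.51.100.99", 80, WAN_IP, req.src_port)) is None
    cone = NatRouter(restricted=False)
    req2 = cone.outbound(Packet(pc, 50001, "198.51.100.20", 80, "browser"))
    r["stray_delivered_full_cone"] = cone.inbound(
        Packet("198.51.100.99", 80, WAN_IP, req2.src_port)) is not None
    # 4. Spyware phones home: the flow starts inside, so NAT passes the beacon and the
    #    control reply; only the host firewall can refuse it by program name.
    beacon = Packet(pc, 50002, "198.51.100.66", 8080, "spyware")
    out = router.outbound(beacon)
    r["nat_passes_control_reply"] = router.inbound(
        Packet("198.51.100.66", 8080, WAN_IP, out.src_port)) is not None
    r["host_fw_blocks_beacon"] = not host_fw.permits(beacon)
    # 5. Port forward: inbound on 1234 reaches the PC although nothing inside initiated it.
    fwd = router.inbound(Packet("198.51.100.9", 4000, WAN_IP, 1234))
    r["forward_delivered"] = fwd is not None and fwd.dst_ip == pc
    return r
```

Every scenario in `run_scenarios()` comes back True: the unsolicited scan and the stray packet are dropped by the port-restricted router, the browser reply and the forwarded port get through, and the spyware beacon's control reply is passed by NAT while the host firewall refuses the beacon on its program name. The full-cone case is the caveat the thread does not mention: which "NAT" a given router implements decides whether a stranger who learns a mapped port can reach the PC behind it, which is one reason a real SPI firewall tracks connections rather than just port mappings.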