Do I need firewall software?

I've been using a Linksys AP for almost a year. I have a portable PC
running XP on which I installed Norton Personal firewall. Recently I
was asked to set up Cisco's VPN software on my PC so I can use it from
home to access my employer's LAN. Apparently, though, this software
won't work while I have Norton running. I've been told that my AP
will provide all the firewall protection I need, and I can uninstall
Norton. I'd really like to do do this. Is the Norton software really
redundant? Also, I undestand that XP has its own built-in firewall,
although I never took any steps to turn it on.

Also, I find that if my PC cannot access the AP (if, for example, the
AP gets accidentally unplugged), the PC freezes up, sometimes even
while booting. The PC (a Tishiba Satellite PRO) came installed with
a wireless card, and certainly worked great *before* I acquired my AP,
so the culprit mus be some software I installed later. I haven't
installed much, and strongly suspect the Norton Personal Firewall. I
Haven't uninstalled it because I'm reluctant to connect even briefly
with no firewall, but if I don't really need it in the first place,
I'll take it off. Has anyone else heard of similar problems? This
does not happen when I reset the AP or can't ping it, but only when
the AP is physically turned off.

TIA.
* * * * * * * * * * * * * * * * * * * *
To email me, remove the gag in my address.

Tanguero . <(E-Mail Removed)> wrote:
> I've been using a Linksys AP for almost a year. I have a portable PC
> running XP on which I installed Norton Personal firewall. Recently I
> was asked to set up Cisco's VPN software on my PC so I can use it from
> home to access my employer's LAN. Apparently, though, this software

That's odd. With the Nortel Contivity VPN Client, we were given a copy of
Norton Personal Firewall. It was company policy that we had to have a
personal firewall on any PC that used VPN to get into the corporate LAN.
The corporate offering was recently changed to ZoneLab. I liked Norton
much better.

> won't work while I have Norton running. I've been told that my AP
> will provide all the firewall protection I need, and I can uninstall

Bogus. I don't think any AP provides any firewall. Some routers do. Most
routers offer NAT as a sort of firewall that is moderately effective.

> Norton. I'd really like to do do this. Is the Norton software really
> redundant? Also, I undestand that XP has its own built-in firewall,
> although I never took any steps to turn it on.

That is available, but I haven't used it.

When I connect to public access points, I feel much better knowing that I
have my own firewall in place. I am surprised that your corporate people
would suggest lowering your level of security.

--
---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5

On Sun, 13 Jul 2003 20:50:09 +0000 (UTC),
(E-Mail Removed) wrote:


>> won't work while I have Norton running. I've been told that my AP
>> will provide all the firewall protection I need, and I can uninstall
>
>Bogus. I don't think any AP provides any firewall. Some routers do. Most
>routers offer NAT as a sort of firewall that is moderately effective.
>
I just took another look at the Linksys manual (model is BEFW11P1 in
case anyone is interested) and it says:

The EtherFast Wireless AP + Cab;e/DSL Router with PrintServer provides
the ideal solution for connection your wireless network to a
high-speed broadband Internet connection and a 10/100 Fast ethernet
backbone. Configurable as a DHCP server for your existing network,
the EtherFast Wireless AP + Cable/DSL Router with Printserver acts as
the only recognized Internet gateway on your Local Area Network. and
serve as an internet firewall against unwanted intruders.

I will say that I've never had a popup message from Norton Firewall
about any incursion attempts in the 9 months or so I've been using the
AP. Also, the AP is actually called a "Wireless AP + Cable/DSL
Router" so I thought perhaps the router functionality would serve as a
firewall.

>
>When I connect to public access points, I feel much better knowing that I
>have my own firewall in place. I am surprised that your corporate people
>would suggest lowering your level of security.
>
They're not very bright or competent. When I expressed concern about
security they told me "oh that's ok- the VPN software will protect
against any intrusion to our network". I then pointed out that it
would not protect my personal PC, and they just hemmed and hawed. It
was on a later conversation that they suggested that the AP would
provide sufficient protection, but obviously I'm not taking their word
for it.
* * * * * * * * * * * * * * * * * * * *
To email me, remove the gag in my address.

On Mon, 14 Jul 2003 01:46:56 GMT, (E-Mail Removed) (Tanguero .)
wrote:

>I just took another look at the Linksys manual (model is BEFW11P1 in
>case anyone is interested) and it says:
>
>The EtherFast Wireless AP + Cab;e/DSL Router with PrintServer provides
>the ideal solution for connection your wireless network to a
>high-speed broadband Internet connection and a 10/100 Fast ethernet
>backbone. Configurable as a DHCP server for your existing network,
>the EtherFast Wireless AP + Cable/DSL Router with Printserver acts as
>the only recognized Internet gateway on your Local Area Network. and
>serve as an internet firewall against unwanted intruders.
>
>I will say that I've never had a popup message from Norton Firewall
>about any incursion attempts in the 9 months or so I've been using the
>AP. Also, the AP is actually called a "Wireless AP + Cable/DSL
>Router" so I thought perhaps the router functionality would serve as a
>firewall.
>

Just as a followup; I called Linksys tech support and they said that
the router would function as firewall and that it wasn't necessary to
have an extra firewall. To me, though, the question is *how good* a
firewall it is. I didn't get a fully warm and fuzzy feeling from the
rep. (I kept trying to pin him down on whether I absolutely didn't
need a firewall and he kept saying "it's up to you").


* * * * * * * * * * * * * * * * * * * *
To email me, remove the gag in my address.

(E-Mail Removed) (Tanguero .) wrote in
news:(E-Mail Removed):

> On Sun, 13 Jul 2003 20:35:50 GMT, Duane Arnold <(E-Mail Removed)>
> wrote:
>
>>(E-Mail Removed) (Tanguero .) wrote in
>>news:3f11b9cb.94077976@news- server.nyc.rr.com:
>>
> The Linksys AP is also billed as a router, so (as described in the FAQ
> you were good enough to supply) perhaps it would also function as a
> firewall? I guess my question is whether it is a *sufficient*
> firewall.

Well, you said AP not router.

If you had a router with a firewall that router would cost $500 and up.

At most you have a router with NAT and maybe SPI --- firewall like.

http://www.homenethelp.com/web/explain/about-NAT.asp
http://security.ziffdavis.com/print_...a=38771,00.asp

I myself have a host based packet filtering firewall on all the machines
behind the router.

HTH

Duane

--
The protection of the machine is a process and not a given!

"Tanguero ." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sun, 13 Jul 2003 20:50:09 +0000 (UTC),
> (E-Mail Removed) wrote:

> They're not very bright or competent. When I expressed concern about
> security they told me "oh that's ok- the VPN software will protect
> against any intrusion to our network". I then pointed out that it
> would not protect my personal PC, and they just hemmed and hawed. It
> was on a later conversation that they suggested that the AP would
> provide sufficient protection, but obviously I'm not taking their word
> for it.

Once the VPN is established, your PC *IS* part of "their" network. Any
intrusion into your PC is an intrusion into their network. Would they
really want a PC on their network with its own unprotected direct connection
to the Internet? If anything, they should be insisting that you have a
firewall (and antivirus software, for that matter) on your PC, instead of
recommending that you remove what you have. I don't see anything wrong with
removing or disabling the firewall as a troubleshooting measure, but as a
long-term solution, I would avoid it.

I agree with another post here, the firewall should be configurable to allow
the VPN connection, and subsequent traffic to access machines on the LAN via
the VPN. Keep in mind that in doing so you could be leaving the security of
your machine up to "them" (the IT guys at the office), because you may need
to disable all firewall protection between your machine and the office LAN
for it to work properly.

(E-Mail Removed) (Tanguero .) wrote in news:3f1210b5.116327249
@news-server.nyc.rr.com:

> Just as a followup; I called Linksys tech support and they said that
> the router would function as firewall and that it wasn't necessary to
> have an extra firewall. To me, though, the question is *how good* a
> firewall it is. I didn't get a fully warm and fuzzy feeling from the
> rep. (I kept trying to pin him down on whether I absolutely didn't
> need a firewall and he kept saying "it's up to you").
>
>

That router doesn't have a true firewall that can be configured. It has
NAT and maybe SPI at best.

http://www.zyxel.com/index.php
http://www.watchguard.com/products/

Those are hardware appliances that have a *firewall*.

Once again, Linksys is not in the class with them. Linksys is good at
stopping most attacks from a home user standpoint. I don't use NPF but I
know that it has features that the firmware of that Linksys router cannot
do.

If nothing else keep NPF on the machine for the outbound that the router
doesn't have in the firmware. And besides, you start opening those ports
to high risk Internet activity, the router is out of the picture.

Duane
--
The protection of the machine is aprocess and not a given!

Michael Quinlan <(E-Mail Removed)> wrote:

> If I understand you correctly, you can stop this from happening by disabling
> the "use default gateway on remote network" (assuming you're using Windows).

I don't know where this setting is.
If it's part of the Microsoft VPN setup, I'm not using that.
I'm using Nortel Contivity VPN client.
The Sonicwall VPN client and the Checkpoint VPN client also killed the
local network. I prowled around those configs as well.

> subnet as your IP on the VPN. If you need to access other subnets on the
> corporate LAN, the easiest thing to do is leave the "default gateway"
> setting enabled.

I do need to access multiple subnets on the corporate network.
I really only want access to my local network printer.
I have to carry my laptop over to the printer, and plug in a parallel cable
if I want to print while on VPN ;-)
Ocassionally I would like to share files with my other computers, but not
often.

> Or, maybe I didn't understand you correctly, in which case, never mind.

You did understand. I just don't think Nortel allows that change.
I've heard mention of it before, but I don't think it applies to the VPN
clients that I've used. It might be configurable on the VPN server side,
but we don't get to suggest changes there.

--
---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5

<(E-Mail Removed)> wrote in message
news:bf2k9n$nm9$(E-Mail Removed)...
> Michael Quinlan <(E-Mail Removed)> wrote:
>
> > If I understand you correctly, you can stop this from happening by
disabling
> > the "use default gateway on remote network" (assuming you're using
Windows).
>
> I don't know where this setting is.
> If it's part of the Microsoft VPN setup, I'm not using that.
> I'm using Nortel Contivity VPN client.
> The Sonicwall VPN client and the Checkpoint VPN client also killed the
> local network. I prowled around those configs as well.

I'm not familiar with non-MS VPN clients, so I can't really say if or where
this setting exists. I have to admit though, if I were on the IT side of
your connection, I would want it to work just the way it does - you're
connected to us and NOTHING ELSE.