Router and software firewalls?

 
 
Gareth

 
      06-05-2004, 10:55 PM
Since I ditched my external USB modem and started to use a Netgear
router/modem I've noticed that ZoneAlarm isn't detecting any inbound alerts.
I know that the Netgear router/modem has its own basic firmware firewall but
I'm a bit confused as to why that firewall log is only displaying 1 or 2
inbound alerts per day instead of the 20 to 30 or more per hour I was
receiving when not using the router/modem.

Is it normal for no inbound alerts at all to register with a software
firewall when a basic hardware firewall is being used earlier on in the
chain?

Gareth.


 
Brian Gregory [UK]

 
      06-05-2004, 11:13 PM
"Gareth" <(E-Mail Removed)> wrote in message
news:2bswc.11259$(E-Mail Removed)
> Since I ditched my external USB modem and started to use a Netgear
> router/modem I've noticed that ZoneAlarm isn't detecting any inbound
> alerts. I know that the Netgear router/modem has its own basic
> firmware firewall but I'm a bit confused as to why that firewall log
> is only displaying 1 or 2 inbound alerts per day instead of the 20 to
> 30 or more per hour I was receiving when not using the router/modem.
>
> Is it normal for no inbound alerts at all to register with a software
> firewall when a basic hardware firewall is being used earlier on in
> the chain?


Yes it's normal.

Put in the simplest terms: the default configuration of a router is to
allow connection of more than one computer to the internet. This means
that when something totally uninvited arrives, the router by default has
no way of deciding where it should send it (which computer), so it just
gets dropped.

This works like a simple firewall but it's actually inherent to the NAT
(Network Address Translation) the router performs in order to allow
sharing of the internet connection between more than one computer.

--

Brian Gregory (In the UK).
(E-Mail Removed)
To email me remove the letter vee.


 
Mark McIntyre

 
      06-05-2004, 11:24 PM
On Sat, 5 Jun 2004 23:55:29 +0100, "Gareth" <(E-Mail Removed)>
wrote:

>Since I ditched my external USB modem and started to use a Netgear
>router/modem I've noticed that ZoneAlarm isn't detecting any inbound alerts.
>I know that the Netgear router/modem has its own basic firmware firewall but
>I'm a bit confused as to why that firewall log is only displaying 1 or 2
>inbound alerts per day instead of the 20 to 30 or more per hour I was
>receiving when not using the router/modem.


The h/w firewall is probably blocking everything inbound except email,
but is not logging the junk traffic such as ARP packets, harmless
script-kiddy probes etc. That's probably a good thing as there's no
point logging low-danger junk when there's plenty of real stuff to
log. My own f/w is somewhat more chatty in its logs, which can be a
slight pain sometimes.

>Is it normal for no inbound alerts at all to register with a software
>firewall when a basic hardware firewall is being used earlier on in the
>chain?


Yes. I get ~20 alerts per day, but only because I opened port 80 for
my webserver. With port 80 closed, I get almost none.
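As an added illustration (not code from any of the posters), here is a Python model of the NAT translation table Brian describes, extended with a static port forward to show the effect Mark mentions of opening port 80 for a web server. Replies to connections the PC started match an entry the router created on the way out; packets for a forwarded port match an entry the admin configured; anything else has no entry, so the router has no way to pick a computer for it and drops it before any software firewall on the PC could log it. All addresses, ports and traffic are constructed, and the model behaves like a full-cone NAT (any remote host may reach an established mapping), which is looser than many consumer routers.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The five fields a NAT looks at; everything else is ignored here."""
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    """Toy NAT router: a translation table plus optional static port forwards."""
    public_ip: str
    next_ext_port: int = 40000
    # (proto, lan_ip, lan_port) -> external port handed out for that flow
    outbound: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # (proto, external port) -> (lan_ip, lan_port), used to deliver replies
    inbound: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, public port) -> (lan_ip, lan_port), configured by the admin
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    dropped: int = 0

    def add_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Rewrite an outbound packet to the public address and remember the
        mapping. Apart from static forwards, this is the only way an entry
        gets into the table, which is what makes unsolicited traffic droppable."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            ext_port = self.next_ext_port
            self.next_ext_port += 1
            self.outbound[key] = ext_port
            self.inbound[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an inbound packet to the LAN host it belongs to, or return
        None (and count a drop) when there is neither a mapping nor a forward:
        the router has no way of deciding which computer should get it."""
        lookup = (pkt.proto, pkt.dst_port)
        target = self.inbound.get(lookup) or self.forwards.get(lookup)
        if target is None:
            self.dropped += 1
            return None
        lan_ip, lan_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


PUBLIC_IP = "203.0.113.5"   # constructed, RFC 5737 documentation range
PC = "192.168.0.2"          # the single PC behind the router (constructed)


def simulate(forward_web: bool = False) -> Dict[str, int]:
    """Constructed traffic: the PC fetches mail (POP3) and a web page, then a
    remote host sends unsolicited packets to the router's public address.
    Returns how many inbound packets reached the PC and how many were dropped."""
    router = NatRouter(public_ip=PUBLIC_IP)
    if forward_web:
        router.add_forward("tcp", 80, PC, 80)   # "opened port 80 for my webserver"
    # Connections initiated by the PC; the mail client polls the ISP's server.
    mail = router.lan_to_wan(Packet("tcp", PC, 50001, "198.51.100.10", 110))
    web = router.lan_to_wan(Packet("tcp", PC, 50002, "198.51.100.20", 80))
    # Replies come back to the external ports the router handed out.
    replies = [
        Packet("tcp", "198.51.100.10", 110, PUBLIC_IP, mail.src_port),
        Packet("tcp", "198.51.100.20", 80, PUBLIC_IP, web.src_port),
    ]
    # Unsolicited packets from a host the PC never talked to.
    probes = [Packet("tcp", "192.0.2.99", 6000 + i, PUBLIC_IP, port)
              for i, port in enumerate((23, 80, 445))]
    delivered = [router.wan_to_lan(p) for p in replies + probes]
    reached_pc = sum(1 for p in delivered if p is not None and p.dst_ip == PC)
    return {"reached_pc": reached_pc, "dropped": router.dropped}


if __name__ == "__main__":
    print("NAT only:          ", simulate())
    print("NAT + port 80 fwd: ", simulate(forward_web=True))
```

With no forward, only the two replies reach the PC and all three unsolicited packets are dropped at the router; with port 80 forwarded, the packet aimed at port 80 is handed to the PC as well, which is exactly the traffic a software firewall behind the router would start logging.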
 
Graham

 
      06-05-2004, 11:29 PM

> This works like a simple firewall but it's actually inherent to the NAT
> (Network Address Translation) the router performs in order to allow
> sharing of the internet connection between more than one computer.



Does this mean that computers on an ICS network are safer than a single
machine directly connected to the internet, assuming no h/w or s/w firewall
in either case?

And if that is the case, does the added immunity from attack apply to the
ICS gateway itself, or just the computers behind it?


Graham.



shope

 
      06-06-2004, 09:22 AM

"Mark McIntyre" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Sat, 5 Jun 2004 23:55:29 +0100, "Gareth" <(E-Mail Removed)>
> wrote:
>
> >Since I ditched my external USB modem and started to use a Netgear
> >router/modem I've noticed that ZoneAlarm isn't detecting any inbound alerts.
> >I know that the Netgear router/modem has its own basic firmware firewall but
> >I'm a bit confused as to why that firewall log is only displaying 1 or 2
> >inbound alerts per day instead of the 20 to 30 or more per hour I was
> >receiving when not using the router/modem.

>
> The h/w firewall is probably blocking everything inbound except email,
> but is not logging the junk traffic such as ARP packets, harmless
> script-kiddy probes etc. Thats probably a good thing as there's no
> point logging low-danger junk when there's plenty of real stuff to
> log. My own f/w is somewhat more chatty in its logs, which can be a
> slight pain sometimes.


Email forwarding through the h/w firewall is only likely if you run your own
local email server; otherwise you probably use POP to get it from an ISP
server, in which case your PC has to initiate a connection for mail as
well.

I don't know which Netgear you have, but my fr314 does log most things. It
is set to email the log when full, or each Sunday to my PC.
If you haven't set email alerts, there should be a log you can access from
the web management interface.

The fr314 doesn't log ARP queries though, which is probably a good thing on
a cable broadband link with dozens of ARPs per minute.
>
> >Is it normal for no inbound alerts at all to register with a software
> >firewall when a basic hardware firewall is being used earlier on in the
> >chain?

>
> Yes. I get ~20 alerts per day, but only because I opened port 80 for
> my webserver. With port 80 closed, I get almost none.

--
Regards

Stephen Hope - return address needs fewer xxs


 
Mark McIntyre

 
      06-06-2004, 10:17 AM
On Sun, 6 Jun 2004 00:29:56 +0100, "Graham" <(E-Mail Removed)> wrote:

>
>> This works like a simple firewall but it's actually inherent to the NAT
>> (Network Address Translation) the router performs in order to allow
>> sharing of the internet connection between more than one computer.

>
>
>Does this mean that computers on an ICS network are safer than a single
>machine directly connected to the internet, assuming no h/w or s/w firewall
>in ether case?


Not really, because the ICS machine is not a NAT box, and a probe of
the ICS machine might compromise it, and thus your entire network. It's
much harder to compromise a dedicated NAT unit because it's not running
any s/w except the routing protocols, and so has fewer vulnerabilities
than a Windows machine running a zillion other pieces of s/w.

>And if that is the case, does the added immunity from attack apply to the
>ICS gateway itself,or just the computers behind it?


Neither.
 
Greg Hennessy

 
      06-06-2004, 10:27 AM
On Sat, 5 Jun 2004 23:55:29 +0100, "Gareth" <(E-Mail Removed)>
wrote:

>Since I ditched my external USB modem and started to use a Netgear
>router/modem I've noticed that ZoneAlarm isn't detecting any inbound alerts.


As expected.

>I know that the Netgear router/modem has its own basic firmware firewall but
>I'm a bit confused as to why that firewall log is only displaying 1 or 2
>inbound alerts per day instead of the 20 to 30 or more per hour I was
>receiving when not using the router/modem.


That's because the public address on the router is now the endpoint for
those connections, not your PC as previously.

>Is it normal for no inbound alerts at all to register with a software
>firewall


Quite, the packets are being stopped dead at your perimeter router.



greg

--
"vying with Platt for the largest gap
between capability and self perception"
 
Greg Hennessy

 
      06-06-2004, 10:27 AM
On Sun, 6 Jun 2004 00:29:56 +0100, "Graham" <(E-Mail Removed)> wrote:

>
>> This works like a simple firewall but it's actually inherent to the NAT
>> (Network Address Translation) the router performs in order to allow
>> sharing of the internet connection between more than one computer.

>
>
>Does this mean that computers on an ICS network are safer than a single
>machine directly connected to the internet, assuming no h/w or s/w firewall
>in ether case?


Assuming the PC running ICS has been suitably hardened, the answer to that
question is yes.

>And if that is the case, does the added immunity from attack apply to the
>ICS gateway itself,or just the computers behind it?


If you harden the ICS gateway that is indeed the case.


If the PC running ICS is not used for anything else, it would be prudent to
replace the win32 bit and install any one of the following on there instead:

www.astaro.com
www.smoothwall.org
www.ipcop.org
http://m0n0.ch/wall/


All are good and would provide additional defence in depth for your
existing network.



greg



--
"vying with Platt for the largest gap
between capability and self perception"
 
Gareth

 
      06-06-2004, 05:27 PM

"Brian Gregory [UK]" <(E-Mail Removed)> wrote in message
news:40c2538f$0$20510$(E-Mail Removed)...

> Put in the simplest terms - the default configuration of a router is to
> allow connection of more than one computer to the internet this means
> that when something totally un-invited arrives the router by default has
> no way of deciding where it should send it (which computer) so it just
> gets dropped.
>
> This works like a simple firewall but it's actually inherent to the NAT
> (Network Address Translation) the router performs in order to allow
> sharing of the internet connection between more than one computer.


Hmm, is the implication of this that when using a single PC with a NAT
router it is not really necessary to use a software firewall under XP?

Gareth.


 
Greg Hennessy

 
      06-06-2004, 06:24 PM
On Sun, 6 Jun 2004 18:27:35 +0100, "Gareth" <(E-Mail Removed)>
wrote:

>
>> This works like a simple firewall but it's actually inherent to the NAT
>> (Network Address Translation) the router performs in order to allow
>> sharing of the internet connection between more than one computer.

>
>Hmm, is the implication of this that when using a single PC with a NAT
>router it is not really necessary to use a software firewall under XP?
>


Defence in depth is the key to securing any network, big or small.

For the sake of 30 odd quid, you are a *lot* more secure using a router.


greg

--
"vying with Platt for the largest gap
between capability and self perception"
 