Routers with Firewalls

If I get a Broadband Internet Router which has a built in hardware firewall
in the router will I still need to activate my Firewall within Windows XP
Home? - I am a bit confused so can you put it in layman's terms.

Cheers,

Andy.




*** Posted via a free Usenet account from http://www.teranews.com ***

"Andy" <(E-Mail Removed)> wrote in message
news:44762f1c$0$24295$(E-Mail Removed).. .
> If I get a Broadband Internet Router which has a built in hardware
> firewall in the router will I still need to activate my Firewall within
> Windows XP Home? - I am a bit confused so can you put it in layman's
> terms.
>
> Cheers,
>
> Andy.
>
>
NO. The windows firewall only stops INCOMING traffic, the same as the
router firewall. The Windows one can be defeated as some programs alter the
registry to put a fake entry in and allow a program to have full rights.
You're best using the free version of Zone Alarm on your PC. Then you can
control what connects OUT from your computer.

"Mal" <(E-Mail Removed)> wrote in message
news:A0tdg.1687$(E-Mail Removed)...
>
> "Andy" <(E-Mail Removed)> wrote in message
> news:44762f1c$0$24295$(E-Mail Removed).. .
>> If I get a Broadband Internet Router which has a built in hardware
>> firewall in the router will I still need to activate my Firewall within
>> Windows XP Home? - I am a bit confused so can you put it in layman's
>> terms.
>>
>> Cheers,
>>
>> Andy.
>>
>>
> NO. The windows firewall only stops INCOMING traffic, the same as the
> router firewall. The Windows one can be defeated as some programs alter
> the registry to put a fake entry in and allow a program to have full
> rights. You're best using the free version of Zone Alarm on your PC. Then
> you can control what connects OUT from your computer.
>
>

Thanks for the reply. So router firewalls only work one way as well then
(incoming) it that right? - I tried Zone Alarm about a year ago but got fed
up with it asking me questions all the time with what I wanted to allow or
block. At least with the Windows XP built in firewall it seems to block
silently.





*** Posted via a free Usenet account from http://www.teranews.com ***

(E-Mail Removed) declared for all the world to hear...
> Thanks for the reply. So router firewalls only work one way as well then
> (incoming) it that right? - I tried Zone Alarm about a year ago but got fed
> up with it asking me questions all the time with what I wanted to allow or
> block. At least with the Windows XP built in firewall it seems to block
> silently.

ZoneAlarm can do that if you set it to. It will ask you the first time
and then remember your decision. Alert levels are up to you.
--
Regards
Jon

In article <447650e7$0$24265$(E-Mail Removed)>, Andy says...

> Thanks for the reply. So router firewalls only work one way as well then
> (incoming) it that right?

No. A decent one can also block outbound traffic but you have to
manually configure it.


- I tried Zone Alarm about a year ago but got fed
> up with it asking me questions all the time with what I wanted to allow or
> block. At least with the Windows XP built in firewall it seems to block
> silently.
>
And alot of time, it'll allow stuff without even asking. I've had it
ask whether I wanted an application blocking and whilst the popup was
on the screen, the application was transferring data across the
internet. Not ideal.



--
Conor,
Grumpy Old Man.
Same shit, different day.

Andy <(E-Mail Removed)> wrote:
>
> "Mal" <(E-Mail Removed)> wrote in message
> news:A0tdg.1687$(E-Mail Removed)...
> >
> > "Andy" <(E-Mail Removed)> wrote in message
> > news:44762f1c$0$24295$(E-Mail Removed).. .
> >> If I get a Broadband Internet Router which has a built in hardware
> >> firewall in the router will I still need to activate my Firewall within
> >> Windows XP Home? - I am a bit confused so can you put it in layman's
> >> terms.
> >>
> >> Cheers,
> >>
> >> Andy.
> >>
> >>
> > NO. The windows firewall only stops INCOMING traffic, the same as the
> > router firewall. The Windows one can be defeated as some programs alter
> > the registry to put a fake entry in and allow a program to have full
> > rights. You're best using the free version of Zone Alarm on your PC. Then
> > you can control what connects OUT from your computer.
> >
> >
>
> Thanks for the reply. So router firewalls only work one way as well then
> (incoming) it that right? - I tried Zone Alarm about a year ago but got fed
> up with it asking me questions all the time with what I wanted to allow or
> block. At least with the Windows XP built in firewall it seems to block
> silently.
>
Depends on the router firewall. Those which have more than a basic
NAT firewall can most certainly stop specific types of outgoing
traffic as well. All of the Zyxel routers have very comprehensive
firewalls as does the latest software for the Speedtouch 716WL -
these are the only ones I know about personally. I believe the
Draytek routers also have a good firewall and some of the Billion
routers.

--
Chris Green

In MsgID<447650e7$0$24265$(E-Mail Removed)> within
uk.comp.home-networking, 'Andy' wrote:

[..]
>>> If I get a Broadband Internet Router which has a built in hardware
>>> firewall in the router will I still need to activate my Firewall within
>>> Windows XP Home? - I am a bit confused so can you put it in layman's
>>> terms.

[..]

>> NO. The windows firewall only stops INCOMING traffic, the same as the
>> router firewall. The Windows one can be defeated as some programs alter
>> the registry to put a fake entry in and allow a program to have full
>> rights. You're best using the free version of Zone Alarm on your PC. Then
>> you can control what connects OUT from your computer.

>Thanks for the reply. So router firewalls only work one way as well then
>(incoming) it that right?

A router (even with no firewall) set up with NAT will by default not pass
incoming connections anyhow (although there are some exceptions as some
are a bit too 'clever' when it comes to UDP traffic) It has no way of
knowing to which machine to send the packet.

If you're talking to the external IP you are, unless you've actively
configured port forwarding, only talking to the router. The router should
not itself have any 'open ports' unless you've configured it to allow
external administration, so incoming connection requests and UDP packets
that don't closely follow outgoing UDP packets will just be discarded.

If you've got an external firewall on top of the NAT, then I believe its
main purpose is to regulate outbound connections, though some will monitor
incoming traffic for things that look like viruses or other forms of
attack. The cleverer firewalls will watch out for tricks like passing data
through as fragmented packets that look innocent until they're stuck back
together (IYSWIM) and various ways of 'piggybacking' illicit data on top
of legal data. You're starting to wander into the territory of IDS there
though.

When it comes to regulating outbound traffic at the router, there is a bit
of a problem in that the router can only see which machine/port the packet
came from and which protocol it is. There is no way for the router to know
which application issued the packet so the control is seriously clunky.

You can allow/disallow on the basis of source or destination (IP
addresses, ports and which protocol ) but that is all the machine can see.
Some firewalls may look 'inside' the packet for more clues, but no
firewall can tell what program sent or is destined to receive the packet.

The only place to regulate which application is responsible for which
socket is on the machine running the app. This is where software firewalls
come into their own.

Hope that helps, if I've missed anything out by all means ask and I'll
happily elaborate.

Dave J

"Andy" <(E-Mail Removed)> wrote in message
news:447650e7$0$24265$(E-Mail Removed)

[snip]

> Thanks for the reply. So router firewalls only work one
> way as well then (incoming) it that right? - I tried
> Zone Alarm about a year ago but got fed up with it asking
> me questions all the time with what I wanted to allow or
> block. At least with the Windows XP built in firewall it
> seems to block silently.

I prefer the questions. At least I know then that the thing is working..!
If it doesn't prompt you when it wants to do something how do you know
it's actually doing it..?

Ivor

Ivor Jones wrote:
> "Andy" <(E-Mail Removed)> wrote in message
> news:447650e7$0$24265$(E-Mail Removed)
>
> [snip]
>
>> Thanks for the reply. So router firewalls only work one
>> way as well then (incoming) it that right? - I tried

They should work both ways. It's just that they don't have any awareness
of user and application on the computer, only networking parameters (eg
address and port).

>> Zone Alarm about a year ago but got fed up with it asking
>> me questions all the time with what I wanted to allow or
>> block. At least with the Windows XP built in firewall it
>> seems to block silently.
>
> I prefer the questions. At least I know then that the thing is working..!
> If it doesn't prompt you when it wants to do something how do you know
> it's actually doing it..?

And how do you know it does anything even if it does ask? :-)

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)

"Mike Scott" <(E-Mail Removed)> wrote in message
news:nX8ug.33818$(E-Mail Removed)...
> Ivor Jones wrote:
>> "Andy" <(E-Mail Removed)> wrote in message
>> news:447650e7$0$24265$(E-Mail Removed)
>> [snip]
>>> Thanks for the reply. So router firewalls only work one
>>> way as well then (incoming) it that right? - I tried
>
> They should work both ways. It's just that they don't have any awareness
> of user and application on the computer, only networking parameters (eg
> address and port).

Not knowing the user and/or application obviously limits the functionality
of a firewall, and in general there is no way for an external device such as
a router to know either. However, with some routers there is no way to
configure outbound filtering, and even if you can, the default is to allow
everything (in my experience).

>>> Zone Alarm about a year ago but got fed up with it asking
>>> me questions all the time with what I wanted to allow or
>>> block. At least with the Windows XP built in firewall it
>>> seems to block silently.
>>
>> I prefer the questions. At least I know then that the thing is working..!
>> If it doesn't prompt you when it wants to do something how do you know
>> it's actually doing it..?
>
> And how do you know it does anything even if it does ask? :-)

Quite . Ivor: no doubt you trust a pocket calculator to compute the
correct answer to a calculation you provide, so why not trust a firewall to
block packets you asked it to?

Alex