Completely replace software firewall with hardware firewall?

Discussion in 'Broadband' started by Sandi, Mar 21, 2005.

  1. Sandi Guest

    Here in the UK, I am on NTL cable and have just one PC attached.

    My head is spinning with all the configuration rules and exceptions
    which need configuring for a software firewall.

    I thought I was doing ok with user guides like the section called:
    "Personal firewall configuration for cable modems"
    http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html

    But it turns out that things are still more complicated than that.
    As an example, I installed Outpost and came across this advice page.
    http://www.outpostfirewall.com/forum/showthread.php?t=9858
    Oh wow. It's all too much! :) I just want protection without
    becoming an enthusiast or even expert in firewall configuration.

    QUESTION ONE: If I buy a hardware firewall then will it completely
    replace the need for me to have a software firewall? That would save
    me some headaches!

    QUESTION TWO: I might get a second PC and want to attach both PCs to
    the cable network at the same time. I have heard I can do it with a
    box which includes a hardware firewall as well as some other
    functions. But exactly what sort of box is it that I would need?
    Any suggestions about recommended hardware devices would be welcome.

    Sandi
     
    Sandi, Mar 21, 2005
    #1

  2. Leythos Guest

    Nothing is perfect and nothing can protect you from all threats, not even
    a combination of appliance and software.

    In general, an appliance is a better bet than software. If your computer
    were to be compromised by some means, with a software-based one (we call
    those personal firewalls) the compromiser could disable your personal
    firewall application. It's much harder to put a hole in an appliance from
    a compromised machine than it is to put a hole in a PFW.

    Most of the devices you are going to be able to purchase under $400 are
    called NAT routers; they are not firewalls (even though they are called
    firewalls by their vendors), but they do provide what I consider the best
    first layer of protection, and I would never set up a network without at
    least that minimum layer. A NAT router acts to block unsolicited inbound
    traffic, but in almost every case it doesn't do anything to block
    outbound traffic - this means nothing gets in unless your computer
    requests it (and if you were compromised you don't personally have to
    request anything, the virus/worm can do it without you).

    I installed a NAT Router in a Sorority, 40+ girls in a house, all with
    different computers and versions of Windows, not one of them has been
    compromised since we installed it, not one unsolicited packet has made it
    inbound, and they are able to do all they need.

    Units like the Linksys BEFSX41 are nice, as are the DI804HV units from
    D-Link, but something as cheap as the Linksys BEFSR41 unit will do as well
    as most SOHO units.

    One nice thing about the Linksys units is that you can also run a free
    program called WallWatcher to monitor all inbound and outbound traffic
    through the Linksys router - it lets you see what's happening in
    real-time, so, once you learn to read it, you can see if your computer's
    been compromised. I don't run a personal firewall on any computer behind a
    NAT Router or Firewall Appliance, but I also know how to secure the
    computers so that I don't need one.
     
    Leythos, Mar 21, 2005
    #2

  3. Chet Guest

    If you have a hardware firewall then there is no need for a second software
    firewall; this only causes issues with some routing packets.


    Personally I would recommend one of the Edimax Routers, but I'm sure others
    will also point out the Linksys and Netgear broadband ranges too
     
    Chet, Mar 21, 2005
    #3
  4. Nat Stott Guest

    > QUESTION ONE: If I buy a hardware firewall then will it completely
    But a hardware firewall can't distinguish between packets you've requested,
    and packets a virus has requested.
     
    Nat Stott, Mar 21, 2005
    #4
  5. Nick H Guest

    1 - Up to you. A hardware firewall is good for protection from all
    intruders gaining direct access to your PC/network, but no good at
    detecting things from calling home. It is also much easier to set up. A
    software firewall gives you the extra protection in detecting things from
    calling home, but they can be quite easy to configure incorrectly and
    leave you vulnerable. A hardware firewall is independent of your PC and
    so uses no PC resources.

    2 - You want a Router. This automatically provides firewall protection.
    Before you get a recommendation, you need to decide if you want a
    wireless or wired setup (although some routers support both). To
    complicate things, some routers can act as print servers which can help
    with sharing printers.

    Personally I only run a hardware firewall, but I am looking for a free
    software one which fits particular criteria as well. Jetico may be the
    one for me when they have sorted a blocking bug for me. Kerio 2.1.5 is no
    good for one of my apps, and 4 does not support WinME. ZoneAlarm did not
    used to do something I wanted, but it may do now, so I might try it
    again. I never got to grips with the old Outpost.
     
    Nick H, Mar 21, 2005
    #5
  6. Chet Guest

    Agreed, but all viruses are caught by your AV software I would have thought,
    thus not sending out any packets; there is no use sticking a firewall in
    front of your network if you do not have any AV software running locally.
     
    Chet, Mar 21, 2005
    #6
  7. AV software can only catch viruses/trojans it already knows about. So a
    software firewall can still serve a purpose in stopping outgoing
    traffic if you get infected by something your AV software doesn't know
    about yet.

    Unfortunately the sort of people who manage to install viruses and
    trojans are the same people that will probably just click "allow" when
    the software firewall spots something fishy going on....
     
    Andrew Norman, Mar 21, 2005
    #7
  8. Eirik Seim Guest

    They won't have to. The virus needs only to add the ~20 lines of
    code needed to click the "allow" button itself. There is no way
    a personal firewall will protect a compromised system as long as
    it allows user interaction and/or does not run with higher privs
    than the virus can obtain.


    - Eirik
     
    Eirik Seim, Mar 21, 2005
    #8
  9. Leythos Guest

    Absolutely correct, and a firewall is not supposed to. An application
    monitoring service running on your local computer that monitors
    APPLICATIONS does that. Some packages, personal firewalls, have
    application monitors, but not all. Appliances don't monitor the
    applications on a computer, they monitor traffic to/from the PC - and if
    you set up your firewall/router correctly and limit the outbound ports (such
    as limiting SMTP to your ISP's SMTP server only), you can eliminate most
    of the ways that viruses spread.
     
    Leythos, Mar 21, 2005
    #9
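The three points argued so far (Leythos: nothing gets in unless the PC asked for it; Nat Stott: the router cannot tell whether the user or a virus asked; Leythos again: restricting outbound SMTP to the ISP's relay still cuts off a mass-mailer) can be shown on a toy model. The following is an added example, not code from any poster, from WallWatcher or from any router vendor. It models a NAT router's connection tracking plus an optional egress table; the inside host, the ISP relay address and all traffic are constructed, using RFC 5737 documentation addresses for internet hosts.

```python
"""Toy stateful packet filter modelling the router behaviour discussed in
this thread. Added example, not code from any poster or product.

Layer 1 models a NAT router's connection tracking: any flow the inside host
starts is allowed out, and an inbound packet is allowed only if it belongs to
one of those flows. Layer 2 is an optional egress policy, e.g. SMTP allowed
only to the ISP's relay. All addresses and traffic are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INSIDE_HOST = "192.168.1.10"      # constructed: the single PC behind the router
ISP_SMTP_RELAY = "198.51.100.25"  # constructed: stands in for the ISP's mail relay

FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """NAT-style connection tracking plus an optional per-port egress policy."""

    def __init__(self, egress_rules: Optional[Dict[int, Set[str]]] = None) -> None:
        # Flows the inside host has started; replies to these count as solicited.
        self.flows: Set[FlowKey] = set()
        # dport -> destinations allowed on that port. Ports absent from the
        # table are unrestricted, which is how a plain NAT router behaves.
        self.egress: Dict[int, Set[str]] = dict(egress_rules or {})
        self.log: List[str] = []

    @staticmethod
    def _key(src: str, sport: int, dst: str, dport: int, proto: str) -> FlowKey:
        return (src, sport, dst, dport, proto)

    def outbound(self, pkt: Packet) -> bool:
        """Packet leaving the inside host. The router cannot know whether the
        user or a worm asked for this flow; only the egress table can limit it."""
        allowed_dsts = self.egress.get(pkt.dport)
        if allowed_dsts is not None and pkt.dst not in allowed_dsts:
            self.log.append(f"DROP  out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} egress policy")
            return False
        self.flows.add(self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        self.log.append(f"ALLOW out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} new flow")
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Packet arriving from the internet: allowed only as the reply to a
        flow the inside host started."""
        reverse = self._key(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            self.log.append(f"ALLOW in  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} established")
            return True
        self.log.append(f"DROP  in  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} unsolicited")
        return False


def demo() -> Dict[str, bool]:
    """Run the scenarios from the thread; every value should be True."""
    web = Packet(INSIDE_HOST, 51000, "203.0.113.5", 80)        # user browsing
    web_reply = Packet("203.0.113.5", 80, INSIDE_HOST, 51000)  # the server answering
    probe = Packet("203.0.113.66", 4444, INSIDE_HOST, 445)     # unsolicited scan
    worm_smtp = Packet(INSIDE_HOST, 51001, "203.0.113.9", 25)  # mass-mailer to a random MX
    user_smtp = Packet(INSIDE_HOST, 51002, ISP_SMTP_RELAY, 25) # mail client to ISP relay

    nat_only = StatefulFilter()
    restricted = StatefulFilter(egress_rules={25: {ISP_SMTP_RELAY}})
    return {
        "nat_allows_requested_web": nat_only.outbound(web) and nat_only.inbound(web_reply),
        "nat_drops_unsolicited_probe": not nat_only.inbound(probe),
        "nat_cannot_tell_worm_from_user": nat_only.outbound(worm_smtp),
        "egress_drops_worm_smtp": not restricted.outbound(worm_smtp),
        "egress_allows_isp_smtp": restricted.outbound(user_smtp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `log` list is what a tool like WallWatcher would be reading off a real router: a "DROP out ... egress policy" line from a machine that has no business talking SMTP to strangers is exactly the kind of entry that reveals a compromise, which is the monitoring use Leythos describes.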
  10. Duane Arnold Guest

    You can get yourself a NAT router that's going to stop the inbound
    threats and ease the complicated rules and provides good protection. The
    NAT router is a plug it up and go device with little configuration on
    your part.
    Once again the NAT router that has (logging) that you can use with a log
    viewer so you can watch inbound and outbound traffic to/from the network.

    http://www.homenethelp.com/web/explain/about-NAT.asp

    However, NAT routers cannot stop outbound and some people supplement the
    NAT router with a PFW solution that can stop outbound. If you go that
    route with supplement PFW solution on the machines, then find one that
    you can disable the complicated bloat ware in it such as Application
    Control and the other stuff. The PFW solution should be able to stop all
    outbound period or by port or IP if need be -- simple rules.

    Or get yourself a low-end (true) firewall appliance that has router
    capabilities that can stop inbound and outbound and has logging too. And
    the FW appliance has the rules already made and all you have to do is
    enable them if needed along with the ability to make additional more
    complicated rules yourself for inbound or outbound, but most likely you
    will not need to make any rules. Here too, the low-end SOHO FW is
    basically a plug it up and go device with little configuration on your
    part.

    Duane :)
     
    Duane Arnold, Mar 21, 2005
    #10
  11. nemo outis Guest


    I sympathize.

    Yes, it is an acute PITA to realize that to do a little surfing
    and emailing in relative security, you must devote untold hours
    to mastering the arcana of firewalls, virus checkers, spyware
    eliminators, and on and on.

    But such is life on the internet.

    The question is: Are you willing to settle for "not bad" or
    "pretty good" protection, or do you wish to be (nearly)
    bombproof.

    The latter takes enormous effort including educating yourself
    about endless nooks and crannies of OSs and programs. The former
    can be done with much less effort but the risks remain
    considerable.

    What can I say? It's up to you to choose.

    Regards,

    PS Fortunately there are tools that cater to the different
    mindsets. While, for instance, no firewall will be rock-solid
    when used "out of the box," those like Zonealarm will provide
    considerable - but by no means complete - protection for those
    who don't want to spend a lot of effort.

    OTOH you can diddle with, say, Sygate endlessly to get it "just
    so" and it will provide better - but still not perfect -
    protection.
     
    nemo outis, Mar 22, 2005
    #11
  12. That's bullshit. It doesn't cause issues with routing of packets
    whatsoever. A hardware firewall offers inbound protection. A software
    firewall offers both inbound and outbound protection. A combination of
    both is the optimal arrangement.

    --

    Regards,
    Ian Kenefick
    Got a virus?
    Go to www.ik-cs.com > 'Got a virus?'
     
    Ian JP Kenefick, Mar 22, 2005
    #12
  13. Duane Arnold Guest

    A NAT router with (no FW) only provides inbound protection with no outbound
    protection.

    You'll notice the part (is not a real FW but good enough).

    http://www.homenethelp.com/web/explain/about-NAT.asp
    Well, so does a FW appliance with a (true/real) FW that can stop inbound or
    outbound traffic by port, protocol or IP and is better than a NAT router
    supplemented with a PFW solution running on a machine, IMHO. If one has a
    FW appliance, one doesn't need the combination of a NAT (no FW) router and
    a PFW solution. And one doesn't need a PFW solution.

    (What does a FW do) software or FW appliance?

    http://www.vicomsoft.com/knowledge/reference/firewalls1.html

    Duane :)
     
    Duane Arnold, Mar 22, 2005
    #13
  14. Yes, but a hardware solution cannot offer in/out-bound application
    level protection. A modified dll by an unknown virus would bypass AV
    and hardware firewall. A personal firewall would detect the
    modification and allow you to block it pending further investigation.
    Hardware based solution cannot enforce this.

    --

    Regards,
    Ian Kenefick
    Got a virus?
    Go to www.ik-cs.com > 'Got a virus?'
     
    Ian JP Kenefick, Mar 22, 2005
    #14
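Ian's point is that a personal firewall with application control notices when the program asking for a connection is no longer the program the user approved. The following is an added example, not any product's code, that models that check in the simplest form: the user's approval is tied to a SHA-256 fingerprint of the binary, and a changed binary loses its permission until re-approved. Real products also fingerprint loaded DLLs and hook the network stack; here a constructed file in a temporary directory stands in for the application, and appending bytes to it stands in for the modification Ian describes.

```python
"""Toy model of application control as discussed in the thread: a program's
outbound permission is bound to a hash of its binary. Added example, not
code from any personal firewall product. The application file and its
modification are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str) -> str:
    """Fingerprint a file without reading it all into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ApplicationControl:
    """Per-application allow-list keyed on the binary's fingerprint."""

    def __init__(self) -> None:
        self.approved: Dict[str, str] = {}  # path -> hash the user approved

    def approve(self, path: str) -> None:
        """Record the user's 'allow' decision for the binary as it is now."""
        self.approved[path] = sha256_file(path)

    def check_outbound(self, path: str) -> Tuple[str, str]:
        """Verdict for a program asking to open an outbound connection.

        'ask'   - never seen, prompt the user;
        'allow' - fingerprint matches the approved version;
        'block' - the binary changed since approval; hold the connection and
                  prompt again so the user can investigate first.
        """
        if path not in self.approved:
            return ("ask", "unknown application")
        if sha256_file(path) != self.approved[path]:
            return ("block", "binary changed since approval; re-approve after investigating")
        return ("allow", "fingerprint matches approved version")


def demo() -> Dict[str, str]:
    """Walk one application through unknown -> approved -> modified."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "mailclient.exe")  # constructed stand-in for a real program
        with open(exe, "wb") as f:
            f.write(b"MZ original mail client")
        ac = ApplicationControl()
        before = ac.check_outbound(exe)[0]
        ac.approve(exe)
        approved = ac.check_outbound(exe)[0]
        with open(exe, "ab") as f:  # constructed: the file changes underneath the approval
            f.write(b" modified")
        modified = ac.check_outbound(exe)[0]
        return {"before": before, "approved": approved, "modified": modified}


if __name__ == "__main__":
    print(demo())
```

The verdict for the modified binary is "block" rather than "ask" on purpose: silently re-prompting would hand the decision back to the same click-"allow" reflex Andrew Norman worries about, whereas holding the connection and explaining why makes the change visible.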
  15. Good point, but you can setup most of the software firewalls so that
    you have to enter a password to change the allow/disallow rules.
     
    Andrew Norman, Mar 22, 2005
    #15
  16. Ninho Guest

    Nick H said:
    Would you add some details about that app and KPF 2.1 incompatibility?
    Possibly opening a new thread in comp.security.firewall.

    Regards
     
    Ninho, Mar 22, 2005
    #16
  17. Leythos Guest

    Hardware (Appliances) Firewalls offer inbound and outbound protection,
    they do not offer application protection. NAT Routers are NOT FIREWALLS!
     
    Leythos, Mar 22, 2005
    #17
  18. WHO ever SAID they WERE? :)

    --

    Regards,
    Ian Kenefick
    Got a virus?
    Go to www.ik-cs.com > 'Got a virus?'
     
    Ian JP Kenefick, Mar 22, 2005
    #18
  19. Leythos Guest

    The vendors, the people that don't know the difference between a NAT box
    and a firewall, the people that make statements like "Firewalls don't
    offer any outbound protection/blocking" :)
     
    Leythos, Mar 22, 2005
    #19
  20. I would hardly refer to static policies as outbound protection. In
    order to provide outbound protection you must work from the
    application layer. A hardware solution does not provide this.
    --

    Regards,
    Ian Kenefick
    Got a virus?
    Go to www.ik-cs.com > 'Got a virus?'
     
    Ian JP Kenefick, Mar 22, 2005
    #20