Do I need a software firewall in addition to a NAT router/firewall?

Discussion in 'Linux Networking' started by CRC, Sep 6, 2008.

    CRC Guest


    I have operated Linux and Windows XP boxes behind a Linksys WRT54G NAT
    router with its firewall enabled as well as blocking anonymous internet
    requests (black-hole) mode for years, and have not had any problems
    (that I am aware of). Because of the hw router, I figured I didn't need
    to run firewall software on the PCs behind the router. This includes
    running the XP box totally unsecured with its firewall turned off, and
    no anti-virus software.

    Now I am worrying that maybe this isn't so true. There are several
    means by which things could go wrong. What comes to mind are (in order
    starting with what I think are the most likely risks): Java and
    JavaScript code that runs in the web browsers (see note below), ActiveX
    controls in M$ IE, recent exploits involving things which I would have
    considered passive such as images and Flash video, downloading a program
    infected by a virus or trojan. Also, this recent DNS hijacking business
    is scary.

    We have used administrative controls to mitigate some of these hazards,
    by doing the following:

    1. Basically nothing about the Java, JavaScript, and Flash/images.
    2. For ActiveX, my wife, who uses XP frequently, only uses IE for
    accessing trusted sites such as a bank or a merchant that cannot
    function without IE (almost never). We primarily use Firefox on XP.
    She also uses XP to Skype.
    3. To avoid viruses we simply don't install programs that aren't from a
    source that is trusted. By that I mean, a vendor that we sought out and
    know well, like VMware, Skype, Mozilla, OpenOffice, etc. We use
    Seamonkey or Thunderbird on Linux for email (including my wife). So
    attachments are of little danger. We are pretty good at spotting scams,
    and my wife knows how to look at full headers, etc. We use no M$
    software except for XP itself.
    4. In case the XP is compromised, which I regard as more likely than
    Linux, we don't run my Linux box at the same time as her XP, since I
    have the most important family data on my Linux box. Thus, the only way
    anyone could get to important personal data is if an exploit that got on
    her XP could access her ext2 partition (unlikely) and install something
    into the Linux partition, or crack the router, then wait in the router
    to attack either of the Linux machines when they are up. I consider
    these scenarios extremely unlikely.

    So it's mainly the browser scripts and other exploits that are the main
    danger. Should I be running software firewalls on both XP and Linux
    boxes, and anti-virus programs on XP, or is the router and our
    administrative policies enough?

    Thanks for comments.
    CRC, Sep 6, 2008
    Bit Twister

    For starters.
    Not for me. Only thing I do on XP is TurboTax.
    Skype and banking are done on Linux.
    I will not do business with a merchant which requires Internet Explorer.
    Bit Twister, Sep 6, 2008
    CRC Guest

    David Brown wrote: [a lot]

    Thanks for the responses, folks.
    CRC, Sep 8, 2008
