Re: hardware vs software firewall

From: FB (nospam@nospam.com)
Date: 06/02/02


Steve G wrote:
> I understand that a hardware router basically manages the network layer,
> filters packets/ports etc. Pretty much a necessity with a broadband
> connection, correct?
Not exactly. A router (technical term) is responsible for forwarding
packets the right way. If it's bridging networks you can call it a
gateway. Some routers (now products) have the additional feature of
packet filters, because both functions operate on the same level. You
need your own router if you want to connect networks. But it's possible
to have a broadband connection and be directly connected to the ISP's
gateway. The ISP has its own routers.

> Now, what a hardware solution (consumer models specifically, don't know much
> about large commercial routers) doesn't do is support application-specific
> control (i.e. allow you to control which applications have access to outbound
> internet).
Right.

>
> So the value I see with a software firewall solution is the control of
> outbound inet traffic, and from what I understand, specifically to trap
> trojans? The problem with software firewalls is that they need to prompt
> the user how to deal with every application (those not already config'd)
> that wants to connect out to the inet.
No, some PFWs can be configured without prompting. You could configure
them to permit some ports and to disallow the rest.

> Now, I'm an IT tech, but half the time I have no idea what the hell the DLL
> is, or whatever program it is, that wants to access the inet. In most cases I
> just assume everything's good (antivirus should handle the bad boys for me),
> and I allow the program to access the inet.
Why not disallow all except the programs you really trust?

> How the hell is a casual user supposed to manage these personal firewalls if
> they're prompted to deal with programs they have no idea what they are?
> Most of these users just allow all access anyway, so why bother? Or if they
> disallow an application, they may break something and get in a real
> predicament.
It's a general problem, not only related to PFWs. Most PFWs have a
default setup blocking Windows NetBIOS. That's not bad, because the
average user doesn't know about NetBIOS-related problems.

> If someone doesn't need multi-port/NAT (provided by a hardware solution), is a
> software solution the better way to go so that both network-level and
> application-level issues are managed (assuming that the software solution
> can also handle the network-layer port filtering stuff)?
You can't say it's the better way. It depends on your needs. Use a Linux
box with iptables and you'll have a standalone software-based packet
filter. Use a personal firewall on the workstation and you can handle
applications. Use a nice small box called a hardware router/firewall to
save energy and space.

> I know every configuration is different, has its own requirements based on
> needs, etc., but I'm having a real problem seeing the value of these personal
> software firewalls.
It's relative to your personal feelings. If you think it's useless for
you, don't use them. If you know what they can provide, use their features
if you need them.

> So I'm thinking that a hardware router/firewall and antivirus solution
> should basically do the trick on a broadband connection, and that a
> software/application firewall is really only useful for that .01% where you
> might get a trojan?
I'd rather separate into a dedicated router/firewall and a personal firewall
on the workstation. If you don't use untrusted applications you won't
need a personal firewall. If you don't have services open for the public
you don't even need a packet filter. The same applies for virus scanners and
other applications.
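As an added example (not part of FB's post), this is what the "Linux box with iptables" standalone packet filter mentioned above looks like when written down: default-deny on both the INPUT and FORWARD chains, replies to the LAN's own connections allowed back in, NetBIOS/SMB ports explicitly logged and dropped on the Internet side, and NAT for the LAN, which covers the "multi-port/NAT" role of the consumer hardware box. The interface names (eth0 facing the ISP, eth1 facing the LAN), the LAN prefix 192.168.1.0/24, SSH from the LAN, and the port list are assumptions; the conntrack and multiport matches are from current iptables, not the 2002-era version. The script only prints the ruleset unless told to apply it.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal default-deny
# packet filter for a Linux box acting as router/firewall for a small LAN.
# Prints a ruleset in iptables-restore(8) syntax; applies it only with "apply".
# Interface names and LAN prefix below are assumptions; set them for your box.

WAN="${WAN:-eth0}"                   # assumed: interface towards the ISP
LAN="${LAN:-eth1}"                   # assumed: interface towards the workstations
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed: private LAN prefix
PUBLIC_TCP="${PUBLIC_TCP:-}"         # TCP ports deliberately open to the Internet, e.g. "80 443"

# ruleset WAN_IF LAN_IF LAN_PREFIX [PUBLIC_TCP_PORTS]
# Emits the complete filter and nat tables; everything not listed is dropped.
ruleset() {
    wan="$1"; lan="$2"; net="$3"; public="${4:-}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the firewall itself: loopback, replies to connections it
# opened, and administration (SSH, ping) only from the LAN side.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -s $net -p icmp -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Windows file sharing is never reachable from the Internet. The default
# policy would drop it anyway; explicit rules make the probes visible in
# the counters and in the kernel log (rate limited).
-A INPUT -i $wan -p tcp -m multiport --dports 135,137,138,139,445 -m limit --limit 5/min -j LOG --log-prefix "netbios-probe: "
-A INPUT -i $wan -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A INPUT -i $wan -p udp -m multiport --dports 135,137,138,139,445 -j DROP
EOF
    # Services you intentionally expose to the public, if any. They come after
    # the NetBIOS rules, so listing 445 here still does not open it.
    for p in $public; do
        echo "-A INPUT -i $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# Forwarding between the networks: the LAN may open connections outwards,
# replies may come back, nothing may be opened from the Internet inwards.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the private LAN behind the address of the WAN interface.
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
EOF
}

case "${1:-show}" in
    show)  ruleset "$WAN" "$LAN" "$LAN_NET" "$PUBLIC_TCP" ;;
    apply) ruleset "$WAN" "$LAN" "$LAN_NET" "$PUBLIC_TCP" | iptables-restore ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated rules; `WAN=ppp0 LAN=eth0 ./fw.sh apply` loads them atomically as root. The box only forwards anything once `net.ipv4.ip_forward=1` is set with sysctl, and the FORWARD chain is where the "you don't need a packet filter if you have no public services" remark shows up: with `PUBLIC_TCP` empty, no rule accepts a NEW connection arriving on the WAN interface at all.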


