Re: hardware vs software FW
From: Leythos (void_at_nowhere.com)
Date: Sun, 14 Sep 2003 14:39:47 GMT
In article <LtU8b.3165$v%5.1037@fed1read02>,
> > This is how all of the home based NAT routers work, at least the ones
> > under $200. From within IIS you can deny access to specific IP addresses
> > by adding them to the site's configuration.
> Are you saying that there's no difference getting the Linksys ($60) vs the
> Netgear ($120) with DoS and SPI support???
No, I don't think I said anything like that - get the most bang for the
buck and make sure it's installed. I have no issues with DLink, Linksys,
NetGear, etc... Anything that blocks uninvited INBOUND is what most
> > > You port forward the ports, then the machine needs a host base FW such
> > > as BlackIce, Outpost, Sygate, ZA, Norton to protect it.
> It seems that the host-based (software) FW can do what the Netgear router
> (DoS and SPI) can do. As a matter of fact, what is the advantage of using
> hardware FW? Is speed the only reason?
Hardware and software comparisons have been posted many times in this
group - here are a couple items:
1) hardware means they stop BEFORE they hit your computer
2) hardware means users have LESS chance to misconfigure their
3) hardware means they can share their connection with more than one
computer and all are protected

1) Users will be Alerted and asked to make a choice to Allow, Deny -
hope they make the right choice every time.
2) Users must rely on their computers to be stable before installation
3) Users' OS may be impacted (broken) by installation (slim, but
4) User's CPU and Memory are used, machine may crawl during a large
5) Users may have to configure subnet exceptions if already running a
small network - hope they get this right
6) Users may have to open outbound DNS in firewall (manually) to get to
internet (latest version of free ZA did this to 8 people I know).
For technical users I don't have a problem with software firewalls
(personal firewalls), but for the cost of registering the product they
could install a router with NAT and be protected from INBOUND also.
> > Since you are only forwarding a SPECIFIC PORT or PORTS, not all of them,
> > you need to protect your OS/Application by having NIGHTLY UPDATES if
> > it's a Windows computer. You also need a good antivirus program. In most
> > cases, the router is your best line of defense - get a good router, av
> > software, and PATCH THE OS NIGHTLY.
> NIGHTLY updates/patches!?! You mean FW vendors actually release patches on
> the daily basis?
Some release patches every couple days - but I was talking about
Microsoft - if you are port forwarding to a machine running a MS OS, and
you are not an IT person with a real firewall (not just a personal one)
then you should set Windows Update to run at least nightly around 2AM
and then reboot the computer. Most home users forget to do the update -
that's why the last wave of worms was able to propagate so quickly.