Re: Do I still need a software firewall?

From: Duane Arnold (notme_at_notme.com)
Date: 10/19/03


Date: Sun, 19 Oct 2003 11:05:05 GMT

Wolfgang Kueter <wolfgang@shconnect.de> wrote in
news:bmtmdv$anf$1@news.shlink.de:

> Duane Arnold wrote:
>
>> IMHO, routers are not very good on protecting on the outbound.
>
> Wrong. Routers are perfect for that but are limited to packet
> filtering (stateful or stateless depending on the model). Most models
> can filter outgoing traffic. But routers (packet-filters) do not
> unserstand protocols. If you want more you need an application level
> gateway, that unterstands the protocol.

Not the cheap NAT routers for the home and most of them do not have any
outbound protection period. Now if one wants to go spend some serious
cash, I am sure one can get a router that can do it all.
  
>
>> If the
>> router is protecting on the outbound from a Trojan communicating on a
>> compromised machine, then IMHO, it's too late,
>
> Right. The machine is compromiosed. The desaster was to install the
> trojan horse.
>
>> at least a host based FW will protect in that area.
>
> Wrong. There is quite some malware around that just switches the
> firewall simulation on the infected host off. How can you trust
> software than runs on an comprosided machine?

Well, I'll have to say that my machine was only compromised once, back
about two years ago with the Code Red worm. I blamed ZA for that, but at
that time, the reality was that I didn't know what I was doing at the
time. Now I do for the most part.

And I'll say that BlackIce is doing its job and is allowing me to control
what is and what is not to run on the machine that includes running and
communicating out too. Bottom line here is if any malware hits the
machine that BI doesn't know about, it will alert. Then I will use my
common sense from that point. I am always on top of what is running on
the machines and communicating out.
  
>
>> The protection of the router is out of the picture, if one starts
>> doing high risk internet things like port forwarding, then one will
>> need a host based FW on the machine to protect it.
>
> Wrong. When you talk about portforwarding, you talk about redirecting
> incoming traffic to internal machines. This has nothing to do with
> outgoing communication. Bedides that machines that offer public
> services should be placed in a separate network segment usually called
> DMZ.

I should say that the protection of the router for a machine being port
forwarded too on the inbound is out of the picture. I know this for a
fact on the cheap Linksys router and port forwarding the ISS and FTP
ports to the machine. The only thing protecting on the inbound was the
host based FW on the machine.

>
> A separate machine (Router, ALG or a combination of both) is always
> the better place to control the other machines because it is
> independant. The question is how (on which layer of the network layer
> model) it controls the others, packet filtering is the one common
> option, application level gateway functionality is the other.

Of course you're right. But we are talking home user environment here and
not a business environment Most home users are just going to use a router
with a host based FW solution on the machine to backup the router.

On my next purchase of a router, I'll be getting one with as much bells
on it that my money can afford. And BlackIce is still going to be there.
:)

In a business environment, one should have the budget to do anything to
secure the network. I agree with you for the most part as I view you as
one of the Top Guns too and I am learning. But the reality for the home
user network is a different story. Most are going to take the path I have
taken, using a router with a host based FW solution on the machines.

Duane :)