Re: Do I still need a software firewall?

From: Duane Arnold (notme_at_notme.com)
Date: 10/19/03


Date: Sun, 19 Oct 2003 11:05:05 GMT

Wolfgang Kueter <wolfgang@shconnect.de> wrote in
news:bmtmdv$anf$1@news.shlink.de:

> Duane Arnold wrote:
>
>> IMHO, routers are not very good on protecting on the outbound.
>
> Wrong. Routers are perfect for that but are limited to packet
> filtering (stateful or stateless depending on the model). Most models
> can filter outgoing traffic. But routers (packet-filters) do not
> understand protocols. If you want more you need an application level
> gateway, that understands the protocol.

Not the cheap NAT routers for the home, and most of them do not have any
outbound protection, period. Now if one wants to go spend some serious
cash, I am sure one can get a router that can do it all.
  
>
>> If the
>> router is protecting on the outbound from a Trojan communicating on a
>> compromised machine, then IMHO, it's too late,
>
> Right. The machine is compromised. The disaster was to install the
> trojan horse.
>
>> at least a host based FW will protect in that area.
>
> Wrong. There is quite some malware around that just switches the
> firewall simulation on the infected host off. How can you trust
> software that runs on a compromised machine?

Well, I'll have to say that my machine was only compromised once, back
about two years ago with the Code Red worm. I blamed ZA for that, but at
that time, the reality was that I didn't know what I was doing at the
time. Now I do for the most part.

And I'll say that BlackIce is doing its job and is allowing me to control
what is and what is not to run on the machine that includes running and
communicating out too. Bottom line here is if any malware hits the
machine that BI doesn't know about, it will alert. Then I will use my
common sense from that point. I am always on top of what is running on
the machines and communicating out.
  
>
>> The protection of the router is out of the picture, if one starts
>> doing high risk internet things like port forwarding, then one will
>> need a host based FW on the machine to protect it.
>
> Wrong. When you talk about port forwarding, you talk about redirecting
> incoming traffic to internal machines. This has nothing to do with
> outgoing communication. Besides that, machines that offer public
> services should be placed in a separate network segment usually called
> DMZ.

I should say that the protection of the router for a machine being port
forwarded to on the inbound is out of the picture. I know this for a
fact on the cheap Linksys router and port forwarding the ISS and FTP
ports to the machine. The only thing protecting on the inbound was the
host based FW on the machine.

>
> A separate machine (Router, ALG or a combination of both) is always
> the better place to control the other machines because it is
> independent. The question is how (on which layer of the network layer
> model) it controls the others: packet filtering is the one common
> option, application level gateway functionality is the other.

Of course you're right. But we are talking home user environment here and
not a business environment. Most home users are just going to use a router
with a host based FW solution on the machine to back up the router.

On my next purchase of a router, I'll be getting one with as many bells
on it as my money can afford. And BlackIce is still going to be there.
:)

In a business environment, one should have the budget to do anything to
secure the network. I agree with you for the most part as I view you as
one of the Top Guns too and I am learning. But the reality for the home
user network is a different story. Most are going to take the path I have
taken, using a router with a host based FW solution on the machines.

Duane :)
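The distinction drawn in this thread, between a router's packet filter (which sees addresses, ports and flow state but does not understand the protocol) and an application-level gateway, together with the point that a port-forwarded host gets no inbound protection from the router, as an added Python model. This is example code written for this page, not code from either poster or from any router or firewall product; the classes, the hosts (RFC 5737 documentation addresses), the ports and the payloads are all constructed sample values.

```python
"""Model of a stateful packet filter (a home NAT router) beside an
application-level gateway, to show what each can and cannot block.
Added example, not code from the thread. Hosts, ports and payloads
are constructed sample values (RFC 5737 documentation addresses)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source IP
    sport: int        # source port
    dst: str          # destination IP
    dport: int        # destination port
    payload: bytes = b""


class PacketFilter:
    """What a cheap router does: checks addresses, ports and flow state.
    It never looks at the payload, so it cannot tell HTTP from a beacon."""

    def __init__(self, lan_prefix, allowed_outbound_ports, port_forwards=None):
        self.lan_prefix = lan_prefix                      # e.g. "192.168.1."
        self.allowed = set(allowed_outbound_ports)        # egress allow-list
        self.port_forwards = dict(port_forwards or {})    # dport -> LAN host
        self.flows = set()  # (lan_host, lan_port, remote, remote_port)

    def outbound(self, p):
        if not p.src.startswith(self.lan_prefix):
            return False, "source not on LAN"
        if p.dport not in self.allowed:
            return False, f"egress to port {p.dport} not allowed"
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return True, "egress port allowed (payload not inspected)"

    def inbound(self, p):
        # Reply traffic for a flow the LAN side opened earlier.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return True, "reply to an established flow"
        # Port forward: traffic reaches the forwarded host without any check.
        if self.port_forwards.get(p.dport) == p.dst:
            return True, f"port {p.dport} forwarded to {p.dst}; host must defend itself"
        return False, "unsolicited inbound dropped"


class HttpGateway:
    """Application-level gateway for port 80: forwards only payloads that
    parse as an HTTP request line (protocol shape, not intent)."""
    METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

    def outbound(self, p):
        if p.dport != 80:
            return False, "gateway only proxies HTTP"
        first = p.payload.split(b"\r\n", 1)[0].split(b" ")
        if len(first) == 3 and first[0] in self.METHODS and first[2].startswith(b"HTTP/1."):
            return True, "well-formed HTTP request"
        return False, "payload on port 80 is not HTTP"


def run_scenario():
    """Constructed traffic: a browser request, a trojan beaconing on port 80,
    a trojan using IRC port 6667, an unsolicited inbound SMB probe, the reply
    to the browser's flow, and an inbound FTP connection to a forwarded host."""
    pf = PacketFilter("192.168.1.", allowed_outbound_ports={80, 443},
                      port_forwards={21: "192.168.1.20"})
    alg = HttpGateway()
    browser = Packet("192.168.1.20", 50000, "203.0.113.10", 80,
                     b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    beacon = Packet("192.168.1.20", 50001, "198.51.100.5", 80, b"\x01\x02id=20\x00")
    irc = Packet("192.168.1.20", 50002, "198.51.100.5", 6667, b"NICK bot\r\n")
    probe = Packet("192.0.2.77", 40000, "192.168.1.20", 445)
    reply = Packet("203.0.113.10", 80, "192.168.1.20", 50000, b"HTTP/1.1 200 OK\r\n")
    ftp = Packet("192.0.2.77", 40001, "192.168.1.20", 21)
    return {
        "browser_pf": pf.outbound(browser)[0],   # True: port 80 allowed
        "browser_alg": alg.outbound(browser)[0], # True: real HTTP request
        "beacon_pf": pf.outbound(beacon)[0],     # True: filter sees only "port 80"
        "beacon_alg": alg.outbound(beacon)[0],   # False: payload is not HTTP
        "irc_pf": pf.outbound(irc)[0],           # False: 6667 not on egress list
        "probe_pf": pf.inbound(probe)[0],        # False: no matching flow
        "reply_pf": pf.inbound(reply)[0],        # True: reply to browser flow
        "ftp_forward_pf": pf.inbound(ftp)[0],    # True: forwarded, unchecked
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DROP'}")
```

Running the script prints ALLOW or DROP for each case. The packet filter passes the beacon because all it sees is "LAN host to port 80", while the HTTP gateway rejects the same payload because it does not parse as a request; the inbound FTP connection reaches the forwarded host with no state check at all, which is what the post means by the router being "out of the picture" for that host. Note that the gateway checks protocol conformance, not what the program sending it is, so it narrows what outbound traffic may look like rather than deciding whether the host behind it can be trusted.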


