Re: Do I need Norton firewall now I have an ADSL modem/hub/router/firewall?

From: Chuck (none_at_example.net)
Date: 10/08/04


Date: 8 Oct 2004 11:42:09 -0500

On Fri, 8 Oct 2004 13:28:41 +0100, Alan F Cross <alanx@somewhere.co.uk> wrote:

>Just ditched my USB ADSL modem in favour of the D-Link DSL-G604T WiFi
>ADSL modem/hub/router/firewall. Now want to add security to the now
>exposed networked 2nd PC and laptop.
>
>I have Systemworks (anti-virus, firewall, etc, etc) on 1 PC only, and am
>looking for a 3-user pack. I see Symantec do a 3-user Anti-Virus pack.
>Do I still need the Norton firewall on top of my hardware firewall, or
>does Norton Anti-Virus cover what's needed, in the presence of the
>hardware firewall?
>
>TIA

Alan,

A NAT router (not a true firewall) is a good outer layer in a layered defense.

http://www.firewall-software.com/firewall_faqs/what_is_a_firewall.html
http://support.microsoft.com/?id=321050
http://www.homenethelp.com/router-guide/features-firewall.asp

You need a software firewall on each computer in your LAN; in case one computer
gets infected, a software firewall on the others could save you a lot of
trouble. Depending upon the effectiveness of the intruder detection log on the
D-Link, a software firewall is also a good idea to identify unknown programs
installed on your computer, generating outgoing traffic.

OTOH, both a (NAT) router, and a software firewall, are only 2 layers in a good
layered defense.

The third layer is good software, also on each computer. This layer has
multiple components.

AntiVirus protection. Realtime, plus a regularly scheduled virus scan.
Regularly updated. AV protection is not all that's needed today.

Adware / spyware protection. Realtime, plus a regularly run adware / spyware
scan. Regularly updated.
Complete instructions, using Spybot S&D and HijackThis (both free) are here:
<http://forums.spywareinfo.com/index.php?showtopic=227>.

Harden your browser. There are various websites which will check for
vulnerabilities, here are three which I use.
http://www.jasons-toolbox.com/BrowserSecurity/
http://bcheck.scanit.be/bcheck/
https://testzone.secunia.com/browser_checker/

Block Internet Explorer ActiveX scripting from hostile websites (Restricted
Zone).
<https://netfiles.uiuc.edu/ehowes/www/main.htm> (IE-SpyAd)

Block known dangerous scripts from installing.
<http://www.javacoolsoftware.com/spywareblaster.html>

Block known spyware from installing.
<http://www.javacoolsoftware.com/spywareguard.html>

Make sure that the spyware detection / protection products that you use are
reliable:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Harden your operating system. Check at least monthly for security updates.
http://windowsupdate.microsoft.com/

Block possibly dangerous websites with a Hosts file. Three Hosts file sources I
use:
http://www.accs-net.com/hosts/get_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
(The third is included, and updated, with Spybot (see above)).

Maintain your Hosts file (merge / eliminate duplicate entries) with:
eDexter <http://www.accs-net.com/hosts/get_hosts.html>
Hostess <http://accs-net.com/hostess/>

Secure your operating system, and applications. Don't use, or leave activated,
any accounts with names or passwords with trivial (guessable) values. Don't use
an account with administrative authority, except when you're intentionally doing
administrative tasks.

The fourth layer is common sense. Yours. Don't install software based upon
advice from unknown sources. Don't install free software, without researching
it carefully. Don't open email unless you know who it's from, and how and why
it was sent.

The fifth layer is education. Know what the risks are. Stay informed. Read
Usenet, and various web pages that discuss security problems. Check the logs
from the other layers regularly, look for things that don't belong, and take
action when necessary.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.



Relevant Pages

  • Re: can sasser& Blaster get to the computer?
    ... Because of a hardware conflict I cannot update the laptop. ... >>Will the desktop computer with the firewall also protect the laptop even if>>I disable the firewall on the laptop? ... Each layer is necessary because no> layer produces complete protection. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: can sasser& Blaster get to the computer?
    ... Because of a hardware conflict I cannot update the laptop. ... >>Will the desktop computer with the firewall also protect the laptop even if>>I disable the firewall on the laptop? ... Each layer is necessary because no> layer produces complete protection. ...
    (microsoft.public.windowsxp.network_web)
  • Re: can sasser& Blaster get to the computer?
    ... Because of a hardware conflict I cannot update the laptop. ... >>Will the desktop computer with the firewall also protect the laptop even if>>I disable the firewall on the laptop? ... Each layer is necessary because no> layer produces complete protection. ...
    (microsoft.public.windowsxp.general)
  • Re: Detect Windows Internet Connection Firewall (ICF)?
    ... Yes I tried that out but it's for the IPv6 firewall which is only installed ... >> Windows pops up with its own confirmation that the user MUST click OK ... >> My users know they are installing a webserver. ... >> of my users they have another software firewall such as ZoneAlarm which ...
    (microsoft.public.vb.general.discussion)
  • Re: Attention pf/ipfw users with uid/gid/jail rules (Re: Reminder: NET_NEEDS_GIANT, debug.mpsafenet
    ... Among other things, there are race conditions such that the lookup could return one pcb in the input path and use that for the check, but another pcb during TCP-layer delivery. ... One idea that I'd been pondering was having the inpcb code in the TCP/UDP/SCTP/etc layers invoke event handlers as bindings/connections are made, making credentials and other information available to firewall packages, which could then cache information under their own locks. ... In Mac OS X Leopard, many of the traditional "firewall" sorts of checks are now performed at the socket layer using this sort of approach -- this provides greater application context, allows control of things like binding/listening, not just packet transmission and receipt, and provides access to the data as received at the application layer rather than at the datagram layer, avoiding the need for normalization. ...
    (freebsd-arch)