Re: Is there a risk with firewalls?
- From: "Mr. Arnold" <MR. Arnold@xxxxxxxxxx>
- Date: Wed, 20 Jun 2007 16:26:16 GMT
"NoSpam" <NoSpam@xxxxxxxxxxx> wrote in message news:l9bei.1557$5h6.497@xxxxxxxxxxx
> Dear Mr. Arnold,
> Among the many responses I found your explanation and advice most useful.
> It appears that a NAT router is the safest way to protect my or any PC from internet intrusions occurring at any time and coming from the Internet? True or False?
The NAT router's job is to stop unsolicited inbound traffic from reaching your computer. When using a PFW with a machine that has a direct connection to the modem, which will have a direct connection to the Internet, there is the time during the boot process that unsolicited inbound traffic can get there first, before the PFW is up and running on the network connection.
If the machine is connected to the NAT router, then this vulnerability is eliminated if you boot the computer, as it's stopping all unsolicited inbound traffic. It's best to get a NAT router that has SPI in the solution, which can do this better than just a NAT router without SPI.
http://www.homenethelp.com/web/explain/about-NAT.asp
However, if you have malware running on the computer and it's making a solicitation for traffic, then nothing is going to stop the solicited traffic, not the NAT router, FW appliance, PFW or host based gateway FW solution.
Let me take that back, you can stop the traffic if you had a standalone FW solution like a NAT router, FW appliance or a host based FW running on a gateway computer, protecting a LAN, and you knew the inbound or outbound remote Internet IP and were able to set rules for these types of solutions.
Think about this, if the 3rd party PFW was stopping traffic due to possible malware running on the machine, because you set some kind of rules, then what happens to those rules during the boot process with the PFW?
There are some additional questions which remain:
> 1.) Is a firewall such as Zone Alarm still needed even if one has a NAT router installed? The NAT router prevents access to the PC from any other site but the one the PC has been connected to, but it does not prevent a malware program from contacting a site of its choosing. Is this the reason why one still needs a firewall in addition to a NAT router?
ZA is not a FW solution. ZA is a machine level packet filter running on the machine at the machine level. Yes, your reasoning as to why someone would use ZA behind a NAT router is a valid reason, for what it's worth.
> 2.) Why is the vulnerable period between boot and final activation of a software firewall not mentioned and described in the help texts for commercial software firewalls? It appears that Microsoft with Vista has officially acknowledged that such a vulnerable period exists. (I found that out the hard way.)
I don't know. You'll have to ask producers of the products as to why they don't make this known.
> 3.) Finally you say that a firewall needs two network interface cards, one facing the internet, the other the local network. There are no such interface cards on my PC or on most of the PCs using software firewalls such as Zone Alarm. I therefore do not follow your explanation.
That's because ZA and the others are not FW solutions. They are machine level packet filters running at the machine level to protect the O/S and programs running on the local machine. There is no physical separation of networks using this type of solution.
The NAT router comes closer to being a FW solution than a single machine running a PFW, because the NAT router has two interfaces: the WAN (Wide Area Network) port, the port that's connected to the Internet (facing the Internet), and the LAN (Local Area Network) ports facing the LAN that machines connect to behind the router.
You can buy more Network Interface Cards and place them into a computer, with one NIC connected on the WAN side to the modem facing the Internet and the other NIC(s) in the machine facing the LAN, so that other machines can be connected to those NIC(s). Then you can buy a host based FW solution, a network FW solution that can control the traffic between the WAN and LAN.
A PFW such as ZA cannot do that and is not considered a FW solution.
A solution such as the one in the link, which has some questions with answers you may want to review, and others are host based software FW solutions that run on gateway computers, using two or more NIC(s) to protect a network.
http://www.vicomsoft.com/knowledge/reference/firewalls1.html
Here is another link that will help you better understand FW(s).
http://www.more.net/technical/netserv/tcpip/firewalls/
Don't get me wrong now as I am not stupid enough to not use a PFW/packet filter on my machine when it's not behind my FW appliance and it's connected to the Internet with a direct connection to a modem or to some foreign LAN like a wireless cafe. But when the machine is behind my FW appliance, the PFW is disabled on the machines.
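Added example, not from the original thread or from anyone in it: a small Python model of the three behaviours discussed above. A stateful (SPI) NAT gateway with a WAN side and a LAN side only forwards inbound packets that answer a flow a LAN host started, so an unsolicited probe is dropped whether or not the host behind it has its packet filter up yet; a host plugged straight into the modem delivers that same probe to whatever is listening while its PFW is still starting; and outbound traffic from the LAN is stopped only by an explicit rule for a known remote IP. Addresses are constructed from documentation ranges, and the classes and function names are this example's own, not any product's.

```python
"""Toy model of a stateful NAT gateway and a host whose personal packet
filter (PFW) is not yet running during boot. Constructed example: it models
the decision logic only and never touches a real network interface."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A flow as seen on the WAN side: (proto, remote ip, remote port, wan port)
WanKey = Tuple[str, str, int, int]


@dataclass
class StatefulNatGateway:
    wan_ip: str
    lan_prefix: str                      # e.g. "192.168.1."
    blocked_remote_ips: Set[str] = field(default_factory=set)
    # conntrack: WAN-side flow key -> (lan ip, lan port) that originated it
    conntrack: Dict[WanKey, Tuple[str, int]] = field(default_factory=dict)
    # reverse map so repeated packets of one LAN flow reuse the same WAN port
    _port_map: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    _next_port: int = 40000

    def from_lan(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Outbound packet: egress rules first, then record state and SNAT."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            return "DROP", None          # source is not on the LAN side
        if pkt.dst_ip in self.blocked_remote_ips:
            return "DROP", None          # explicit rule for a known remote IP
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self._port_map.get(flow)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self._port_map[flow] = wan_port
        self.conntrack[(pkt.proto, pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return "ACCEPT", Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def from_wan(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Inbound packet: forwarded (and DNATed) only if it answers a tracked flow."""
        if pkt.dst_ip != self.wan_ip:
            return "DROP", None
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key not in self.conntrack:
            return "DROP", None          # unsolicited: no LAN host asked for it
        lan_ip, lan_port = self.conntrack[key]
        return "ACCEPT", Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


@dataclass
class Host:
    ip: str
    listening_ports: Set[int]
    pfw_running: bool = False            # False models the window during boot

    def receive(self, pkt: Packet) -> str:
        """With the PFW running, unsolicited inbound is dropped; while it is
        still starting, whatever listens on the port gets the packet."""
        if pkt.dst_port not in self.listening_ports:
            return "CLOSED"
        return "DROP" if self.pfw_running else "DELIVERED"


def simulate() -> Dict[str, str]:
    """Run the situations from the discussion and return the verdicts."""
    results: Dict[str, str] = {}
    # Constructed addresses from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.
    probe = Packet("tcp", "198.51.100.7", 51000, "203.0.113.5", 445)

    # 1. Host plugged straight into the modem, still booting, then with the PFW up.
    direct = Host("203.0.113.5", {445}, pfw_running=False)
    results["direct_during_boot"] = direct.receive(probe)
    direct.pfw_running = True
    results["direct_after_boot"] = direct.receive(probe)

    # 2. Same probe aimed at a stateful NAT gateway: no LAN host solicited it.
    gw = StatefulNatGateway("203.0.113.5", "192.168.1.", blocked_remote_ips={"198.51.100.99"})
    results["behind_nat_during_boot"] = gw.from_wan(probe)[0]

    # 3. LAN host opens a connection; the reply matches the tracked flow and is let back in.
    verdict, out = gw.from_lan(Packet("tcp", "192.168.1.10", 52000, "198.51.100.7", 80))
    results["lan_outbound"] = verdict
    reply = Packet("tcp", out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    verdict, inside = gw.from_wan(reply)
    results["reply_to_lan"] = verdict
    results["reply_delivered_to"] = f"{inside.dst_ip}:{inside.dst_port}"

    # 4. Software on the LAN calling out: stopped only where a rule names the remote IP.
    results["egress_to_blocked_ip"] = gw.from_lan(Packet("tcp", "192.168.1.10", 53000, "198.51.100.99", 443))[0]
    results["egress_to_unlisted_ip"] = gw.from_lan(Packet("tcp", "192.168.1.10", 53001, "198.51.100.50", 443))[0]
    return results


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:24s} {verdict}")
```

The conntrack table is what "SPI" adds over plain address translation: an inbound packet is judged by whether a LAN host already opened the flow, not by any rule about the remote end. The last two results are the point of the second half of the reply above: once something inside solicits the traffic, the gateway lets it through unless an administrator has already written a rule for that remote IP.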