Re: Router vs. desktop firewall

From: Thomas Hertel (Thomas.Hertel_at_gmx.net)
Date: 12/31/03


Date: Wed, 31 Dec 2003 18:17:27 +0100

Mark Adams <madams9@juno.dotcom> wrote:

[snip]
>
>I've been testing ports with Shields Up! at www.grc.com. I've noticed
>that blocking WAN requests at the router results in an all-green,
>everything-stealthed pass from Shields Up. Unblocking WAN req's. and
>just running the iptables firewall (configured via Guarddog), or the
>built-in firewall in WinXP results in some ports stealthing, the rest
>blocked.
>
>My question is: if I block WAN requests at the router, do I really need
>to enable a firewall at the desktops? Since I am probably going to get
>both, "Yes" and "No" responses to that question, please help me
>understand the reasoning behind either position.

Well, if nothing comes in through the router, there should be nothing
to block on the desktops, unless you also want to have some
restrictions when it comes to internal traffic. If you do frequently
install trojans and the like, you might want to block outgoing traffic
with a personal firewall, but this, too, is better done on the router.
And, of course, the best way is just not to install that stuff in the
first place :-). Further, this kind of malware may (and will) fool or
deactivate your personal firewall.

However, you should not block WAN traffic, but reject it. As you
mentioned yourself, Shields Up (and thus any other scanner and any
potential attacker) sees your "stealthed" ports anyway. If you do not
have any port open, you are fine. The word "stealth" is not even worth
the air it takes to carry it from me to you.

Regards
Thomas

-- 
"The opinions expressed herein are subject to change without notice"
From the copyright notice of a Gartner Group study
Email for non-spam: My_Initials_at_arcendo_dot_com
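The "reject, don't drop" advice from the reply above, as an added example that is not part of the original thread: an iptables INPUT chain for the WAN interface, once with a silent DROP (the "stealth" setup the poster had) and once with REJECT. The interface names WAN_IF and LAN_IF are assumptions; by default the rules are only printed (dry run), set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example, not code from the original posters or from Guarddog.
# WAN_IF/LAN_IF are assumed names; adjust them for your own box.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
# Dry run by default: print the commands instead of running them.
if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

# fw_rules MODE  -- MODE is "drop" or "reject"; emits the INPUT chain rules.
fw_rules() {
    mode="$1"
    # Default policy: anything not explicitly accepted below is refused.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections we initiated are always allowed back in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN side may reach this host freely (the thread's internal traffic).
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT
    case "$mode" in
        drop)
            # Silent drop: the probing side sees a timeout ("stealthed"),
            # which still reveals a filtering host and makes legitimate
            # peers wait for the timeout before giving up.
            $IPT -A INPUT -i "$WAN_IF" -m state --state NEW -j DROP
            ;;
        reject)
            # Reject: TCP gets a RST, everything else an ICMP port-unreachable.
            # Nothing is open either way; the peer just fails fast.
            $IPT -A INPUT -i "$WAN_IF" -p tcp -m state --state NEW \
                -j REJECT --reject-with tcp-reset
            $IPT -A INPUT -i "$WAN_IF" -m state --state NEW \
                -j REJECT --reject-with icmp-port-unreachable
            ;;
        *)
            echo "usage: fw_rules drop|reject" >&2
            return 1
            ;;
    esac
}
```

Run `fw_rules reject` to see the recommended variant; `fw_rules drop` shows the rules that produce the all-green "stealth" result the poster observed.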

