Behind a router - is a firewall needed?

Hi.

My computer is behind a router and I have a software firewall to. But do I really need it? I tested my router at ShieldUp and all of them, or almost all, was marked green, which means stealth.

This has probably been taken up before, so if there are som threads that are a good read to me, bring them on.

Thanks.

 

Depends on your comfort level. The router does not have outbound protection. I use both a router and software firewall (Outpost). I just feel safer knowing the software firewall will protect me from any outbound problems.

 

and just to put the other side of the story - I don't have a software firewall and don't have any problems. If previous threads are anything to go by you will get answers both for and against. Being pedantic is it "needed" ? Probably not.

 

wich version or outpost do u use?

 

Which means almost nothing to your security
Reasons for using a host-based firewall:
- You aren't always behind your router. This is true for laptop users. The Windows built-in firewall is fine.
- With a personal firewall, you can have a more fine-grained control over the network traffic. Usually, the firewall features of routers are too simple and/or cumbersome to use.
- You may want/need outbound control.
- Enforcing a network access policy is part of your security setup, even if it has little value per se.

 

For your information, I did not know what steath ment, I just wanted to inform you, if it was a good thing. But then again, I can just enable Windows firewall, since I guess it is good enough for me.

Thanks for the reply.

 

6.0.2284.253.0485 (latest version)

 

I have a router with a hardware firewall, i
have on the 6 computers behind that router
Look n Stop ( 2 ) Online Armor ( 3 ) and
Firestarter ( 1, linux computer )

I might not need them depending on
who's opinion is involved, but i feel safer
having them.

 

WFW and NAT are both inbound,so disable WFW and only NAT is enough i guess.I have no critical data on my disks so missing outbound protection is not that serious.
Only exeption is shopping online in case i use SBIE for having temporarily outbound controll.
but i will also admit that nothing is 100% bullit proof.

 

As was pointed out to me in a thread not long ago, NAT does in fact
act as a firewall by dropping unsolicited inbound, but offers no
protection against malformed packets, which is one of the things the
"stateful" part of SPI does. That's one reason I think many routers
offer users the additional option of a built-in SPI firewall.
IMO, it would be wise to run at least one SPI filter somewhere facing
outward. That might be in the router, or on the machine.
On the machine it can be as simple as the Windows FW, or more complex
such as a third party two-way firewall.

BTW, not all routers with hardware FWs come from the manufacturer
with that feature automatically turned on - mine didn't.

 

I use both router and firewall/HIPS. The router is always on duty, preventing unsolicited input, even when I have my software firewall off - for whatever reason. It's a layer that's redundant 99% of the time, but I simply feel safer with that additional protection.

But the router is dumb. Once I contact a web site, the router authorizes downloads from the web site. The download may be relatively harmless content such as tracking cookies (Doubleclick, Adgardener, etc.), but I don't want them on my system. Once I elect to contact a web site, the router provides absolutely no protection against infection from that site.

The software firewall/HIPS monitors suspicious content and suspicious behavior up front, whether simply an attempt to install a tracking cookie or more serious infection attempt.

If I had to give up one of these front-layer devices, it would be the - always on duty, but dumb - router.

 

Interesting view completely opposite to my own. So long as we both remain free from infection I suppose that is all that really matters - interesting nonetheless.
Perhaps all that really matters is that a well thought out approach is applied with the actual approach chosen being not all that important ?

 

The router blocks unsolicited traffic. If you initiate the connection, the router correctlty allows it.

That's not the router's job.

The router would be the last layer I give up. Keep in mind it does a terrific job of keeping all that Internet "noise" off your pc's network connection, eliminating the work your software fw would have to do to process/log it.

 

I second that.

/C.

 

I do as well.

To answer the thread subject question - I don't see a firewall as needed, but it can be very desireable as a simple communications control measure for any valid or malicious process.

Blue

 

In a typical home internet usage, yes. But there is still that 1%.

That would depend on what is being considered a "router". If this is NAT, I agree.

 

Do you need a software firewall ? Maybe it´s better not to have a firewall than to have a bad one.

Some degree of outbound protection is desirable (forget about all the leaktests, they are not that important), it´s a good thing not to allow every piece of software on your computer to phone home whenever it wants to. And if it´s not real malware, it probably won´t use any of the leaks (see leaktests) to bypass your firewall.

A good software firewall can be very useful for inbound protection.
It´s a bit technical for me, but (deep) stateful inspection, packet inspection, ´application firewall´, ´proxy firewall´ are things worthy of study to select what is best for you.

A router´s firewall (at least mine) will allow things to pass which you don´t want on your machine. Say, you make a connection to a website, and ask for some content. How will you know if you get what you asked for, without malware included ? That´s where a good software firewall comes in handy.
(I have read about at least one router capable of some form of deep stateful inspection, but I´m sceptical, there is only so much a hardware firewall can do).

I just checked the McAfee firewall, it offers special protection (not in it´s default configuration, the default configuration is hardly a firewall at all) against a number of special attacks from the outside.

So ´a firewall is not a firewall´.

But it´s true that most people do well with just the Windows firewall, as long as there are no wireless connections.

 

The kind of problems s/w firewall must prevent are of the specific kind you may not realise it happened. For example, with h/w firewall you cannot block particular program from accessing internet. Then, once it connected somewhere and transferred the data, no other harm for you that you could notice.

The main difference is application control. No one h/w firewall can control network activity app-based. Ideally the both are needed. But either you need ideal solution depends on the security policy you use.

 

Exactly the reason why XP box (from which we do on-line banking has a software firewall), Vista64 box (for gaming) has no software FW. Although both PC's are behind a router with SPI (and MAC adress checking) using wireless just adds a theoretical entry. Son prefers fixed cable and no sw FW because ping is better in gaming.

 

i´m behing a router and i have outpost-firewall and windows firewall on
so does this mean that i have 3 firewall on my laptop?

 

No, it means you have 2 on your laptop, which is one too many

 

Part of my security policy is to only install software that I would be happy to allow access to the internet. Not sure what data you feel might be transfered and why this should concern me.

I agree fully that the ideal solution depends on the security policy used - which is why I would argue that a software firewall is not needed - meaning that the necessity for a software firewall can be avoided by taking other measures. The soft warm secure feeling that it gives some should be considered as a want rather than as a need. As I wrote - I accept that the distinction sounds a little pedantic.

 

I agree with these Long[broad]View. LOL

 

Software firewalls can be a useful tool to help ensure privacy behind a router. When using a service like Tor to hide your identity, you can prevent websites from possibly learning your real IP address through browser plugins like Flash, for example, by configuring a software firewall to block Flash from sending back such information.

Using a firewall (even a simple firewall like the Windows XP firewall) in addition to a router will add more latency to your internet connection, though you might not notice it much.