router vs software firewall

If I am not networking, is there any advantage to having a router vs a downloadable firewall?

 

It was believed that routers and hardware firewalls were stronger because they were not part of the operating system. After recent revelations about router and modem backdoors and NSA tampering, I'm not sure it holds true any more.

Barring backdoors and NSA coerced vulnerabilities, routers aren't as vulnerable to attacks from the web. This assumes that there are no undocumented vulnerabilities or backdoors in UPnP (Universal Plug and Play) or that it's disabled. This also assumes that remote administration is also disabled.

Software firewalls, being installed on the PC are vulnerable to malicious code that exploits that PC. IMO, that argument is largely moot. In order for malware to disable or bypass a software firewall, the PC has to already be infected. It is possible for software firewalls to crash or fail from driver problems or other incompatibilities. Routers and hardware firewalls are single purpose operating systems. They don't suffer from such problems.

Most modems already have a limited form of an inbound firewall. Often it's nothing more than NAT, which is sufficient to block inbound traffic. If outbound control is important to you, a software firewall is the way to go.

 

A router modem will have a hardwall firewall that provides powerful protection on its own but a software firewall is more configurable and allows you to decide what inbound AND outbound connections to allow through on your PC.

And redundancy is always a good thing to have.

 

I just wonder the behind router (or the hardware firewall), who will eventually try to break into, because the firewall itself cannot have settings, and we only can set password for our router.

Software firewall is just another protection against network threats and spreading of any viruses, malware, but in the first place, will hardware firewall notice us if there is any intrusion or break in?

 

The router can be hacked/exploited. It's not only the firewall. The DNS setting, MAC address, etc can be compromised as well.

If the router has a sound alarm which will beep if it detects an intrusion, perhaps.

 

That's sound scary. But for personal uses, I think it is not a big problem to worry about right?

 

Can you use both as an added layer, do they work sufficiently together, or is it overkill?

Edit: Please keep in mind I have no tech experience and would be using it out of the box.

 

AFAIK mostly they target the business/corporate environments. But I see nothing wrong to be cautious and take a few safety steps.

Some routers disabled it/them by default. My router has NAT firewall enabled out-of-the-box, but the SPI firewall was disabled. There are also a few settings you might need/want to configure, like hide SSID for example.

As for the overkill part, it depends. Some people just use the hardware firewall, some others only use the software firewall, the rest use both. Technically they shouldn't conflict. Do remember that the router firewalls are on the first line, so some firewall tests might not give satisfying results of your favorite software firewall.

 

Are there specific security features in a router I should be looking for?

 

I'm not an expert about this, but the most valuable features I can think of right now is the support to use WPA2PSK (most if not all routers these days have it), and both SPI and NAT firewalls.

 

Encryption WPA2 EAS (and not mixed with PSK), possibility to fully turn OFF WPS (WiFi Protected Set-up) as WPS (PIN option) is intrinsically vulnerable.
Most recent NETGEAR or ASUS routers can do the above. Don't know other brands as I have not used them.
You should also look for routers for which alternative firmware are available or to be developed (www.dd-wrt.com or www.myopenrouter.com/). So you are not bound to manufacturer life cycle of the product .

 

What is EAS? Unless you meant WPA2PSK with AES encryption?

 

LoL, yes... WPA2 with AES... sorry. But not the mixed approach as you suggest. Recent router distinguish between WPA PSK and WPA2 AES. This way you force EAS (more secure) and not a backward-compatability with WPA (=PSK). In more dated routers you don't have this separation and they come together WPA2 PSK/AES.

http://www.speedguide.net/faq_in_q.php?qid=331

 

a hardware firewall and a software firewall compliment each other and provide a layered defense better than either separately. the software firewall, is providing outgoing defense as well, and the hardware firewall takes some of the load off the software firewall which keeps it from impacting the pc's performance. all in all, the whole is greater than the sum of the parts.

 

As a retired networking guy, I agree 100% with the previous post.

 

They work together no problem, but using a router "out of the box" may or may not be optimal depending on its default settings. I would encourage you to work with folks here who will help you make sure the router is as secure as possible. Accessing and changing the router settings is not difficult.

A new router's settings are accessed using a default user name and password, typically "admin" and "password". The first thing to do is change the password. Another issue is WiFi may not have security turned on - it may be an open network like you find in a coffee shop where anyone can connect to it. You either want to turn on the security (password protected WPA2) or turn off the radio if you don't need to use Wifi. Routers typically come with an installation wizard that will walk you through both of these steps when you're first setting it up.

 

Snow days mean work laptops used at home.

We could not connect to the workplace servers unless they went thru our installed and configured "at-home-router".

Why? Don't know for sure, but only that it was the only way.

 

Get out the tinfoil hat.

Hardware firewalls are plenty configurable. Have you ever used a nice hardware firewall?

They dont compliment anything. Any rules you have in a hardware firewall must exist in a software firewall for said software to work if it requires an outbound connection. If said software is blocked going outbound by either firewall it wont work. It also doesnt take any load off the hardware or improve performance by running both simultaneously. If its installed on a PC and running it affects performance. The only way to remove the impact is to use a hardware firewall by itself.

 

Software firewalls have visibility into which specific process/executable is involved in the traffic. This ability is essential to creating fine-grained rules. Hardware firewalls do not have this visibility or capability, although they can in some protocols/cases accomplish the same objective by examining identifying information that is on the wire (User-Agent for example).

Software firewalls would be quite vulnerable in the case of their host OS being compromised. Whereas hardware firewalls should be quite resilient in such a case (one exception being malware on the compromised device is able to capture the user/pass when the user logs into the hardware firewall, another being a case where UPnP is enabled).

A software firewall can offer protection even when portable devices aren't operating on their home network (few people lug a hardware firewall around). Hardware firewalls can offer protection to guest devices without a (good) software firewall and/or devices which cannot be equipped with a software firewall.

I would say that is a complementary relationship. I would point out that in a case where a hardware firewall is blocking a considerable amount of traffic that would go on to encounter a software firewall, that hardware firewall is serving to eliminate a load that the software firewall device would otherwise have to bear.

 

Specific processes are irrelevant provided you know how to setup a firewall properly with port forwarding and blocking all inbound and outbound traffic except for specific ports that you need.

Again malware being on the compromised PC wouldnt matter if the firewall is setup properly as said malware wouldnt be able to communicate the data back home due to proper ports being blocked.

Hardware firewall also doesnt prevent resources from being used on a PC that also has a software firewall. Sure there are rules on the hardware side that block traffic before it hits the software firewall, but the software firewall and services are running and consuming resources regardless of what the hardware firewall blocks. Even if the hardware firewall blocked all incoming traffic the software running would consume resources in itself.

If you compare software firewall resource of what ever internet security suite you use with or without a hardware firewall in use it consumes the same amount of resources regardless of rules on the hardware firewall.

 

Yes, unplug your PC from the internet. You will never mitigate 100% of everything.

 

i beg to differ. hardware firewall routers default to a basic incoming request protection and most also add attack detection and dos protection. entering routing and firewall rules is manual and tedious for either outgoing or incoming protocols, and services. you can do it, but it's not worth the effort for a home user. they do a very good and fast job of what they do, however. they are generally port, IP source/destination, protocol, dependent. many network engineer specialize in just configuaring these.

the software firewalls are easier, most autogen their rules as well as allowing reasonably easy entry of your own. they can be application dependent for outgoing rules, and in general more flexible and easier to configure by the end user. they have evolved over the last decade or so and do not have the performance impact they had in the early days.certain attacks, like DOS - Denial of Service - attempt to overload your system by repetitive multiport attacks. they can bog down your pc's software firewall. the hardware firewall can more easily devote itself to repelling these, it's like it has a seperate dedicated CPU to protect you. in fact it does just that. it's just a pain in the keester to program new rules into it.

i think of it as a Roman legion. the front line shield (fire) wall keeps out 99 percent of the attacking barbarian horde, but some always get thru. the
reserve cohort of (software firewall) veterans behind the shield wall take care of those. the general (CPU) stands behind them and looks pretty in his muscle armour and does very little.

it's a layered defence. with an anti-malware 'reserve' legion you can beat almost any barbarian. sadly, as in rome, it's not 'if' the barbarians will get thru your walls, it's a matter of 'when'. as they breach one defence, they should come against a new line.

 

From an end-device perspective, allowing the specific software that *should* be performing network operations while disallowing all other software that *shouldn't* be performing network operations is often a/the primary objective. I believe what you are describing is basically a work around to the lack-of-visibility problem when using a firewall that is external to the end-device: using port assignments and port forwarding rules in a way that will cause the end-device software involved to be reflected in the end-device port involved. An approach which may be useful but also comes up short relative to software firewalls. To be sure we're on the same page, please detail your hardware firewall only approach for two scenarios:

1) I want to periodically run WebServerX software on my end-device and, when doing so, have it open to all Internet clients on MyPublicIPAddress:80. While also preventing any other software on my end-device from successfully opening itself to connections on MyPublicIPAddress:80. No UPnP, or if you intend to use it, explain how I am to prevent everything except WebServerX from using it.

2) I want two different applications on my end-device (App1, App2) to be able to establish SSH connections to any/all Internet hosts, and I want no other software on my end-device to be able to do so.

There are a number of ways that malware can attempt to sneak information past both software firewalls and hardware firewalls. I don't think the task of blocking them all is as easy as your comment suggests, but I'll wait to confirm I know precisely what your scheme entails.

True

 

Guess mine is more dated then. It's been like years since I configured my router but what I remember is I chose WPA2PSK, then they showed me the option to use TKIP or AES, which then I chose AES. Unless I'm all wrong to begin with and my memory decided to get dusty once again.