Do I need a software firewall if I use a NAT router?

Hello,

I know this may be a silly question, but I am a little confused. Should I be using a software firewall? I have a nat router with a built in firewall. I currently use the Windows XP firewall. I have used another software firewall before, but it was very heavy on the resources; so I uninstalled it. I did scans online and my computer is always stealthed with or without the software firewall. I heard that I could just use windows firewall, since I have the nat router with firewall. Is this true?

Thanks,
Danny.

 

The NAT router and the Windows firewall are pretty much redundant. If you have the router, you can turn off the Windows firewall if you want. Both protect against inbound traffic only.

If you want to try to intercept outbound traffic and communication by apps or malware or whatever, then you can add a software firewall. If you're not concerned about outbound traffic, then you don't need it. A HIPS is also another alternative.

 

Both block inbound however you will want to keep the windows firewall on if it is a laptop and will be online outside your network.

Difference may be that the NAT router's OS and windows may have different vulnerabilities. A little while back there was an IGMP exploit for windows and because windows firewall didnt drop IGMP, it would have hit your computer if it wasn't behind your NAT. Your NAT is probably based on linux and that may have its own vulnerabilities if not patched properly.

 

A NAT firewall should provide some basic protection, but how does the router know if the incoming traffic is what you want to come in ?

Here a good software firewall with SPI (Stateful Packet Inspection) comes into play. I emphasize GOOD, because they are not all good ...

Alternatives for SPI are Deep Inspection, Proxy Firewalls, and maybe others. There is a thread in this section about inbound protection.

It is actually possible to attack a software firewall, using various techniques, so if your firewall offers protection against those it´s a plus.

A hardware firewall combined with a software firewall is a good combination. I´ve heard about routers offering SPI, but I doubt whether that is possible.

Do you have a wireless connection ? Make sure to properly encrypt it (WEP is out of date) and that the wireless connection doesn´t bypass your firewall, but is filtered by your firewall.
And while we are at it, it´s a good idea to change the default password of the router and to disable UPNP in the router. (This is something different than the windows universal plug and play service)

Also, basic outbound filtering is useful, but you don´t need a ´leaktest-proof´ firewall.

 

Fly, that is a very interesting (and disturbing) statement. I've not seen that possibility mentioned before.

Any tips how to determine this? Apply a "block all" rule and make sure you can't connect? or can the issue run deeper making detecting a bypass difficult?

 

Two questions:

Why would a "leaktest proof" firewall not be needed?

And is there really a fully "leaktest proof" firewall?

If one allows an application that was compromised to by pass the firewall filter, after the firewall gave notice, because that application had been allowed. That is a leak.

 

It is my opinion that any personal PC (i.e.: not a corporate PC) should always have a software firewall in place. The Windows firewall if nothing else. Notebooks should always have one even if in a corporate environment.

 

I suppose it depends on your firewall. Make sure you know how it works.

Currently I'm still using a McAfee firewall, and I have configured it NOT to trust 'the network'. But I have had some issues with it in the past.

 

I'll save myself some time by not responding to that -although you could consider this a response.

 

Wouldn't keeping Windows patched also have prevented that exploit?

 

Hello Fly,
Thank you for your response. I am using WINDOWS XP Pro SP2, Brazilian Portuguese Version. I have a speedstream modem that is connected to a vonage router, both have firewalls enabled. I don't have a wireless connection. I am going to change the default passwords after I post this message and will figure out how to disable the UPNP.

I upgraded to the ESET Smart Security; so I am using their firewall. So far it is working good and isn't hogging up the resources. The only other security program I use is PeerGuardian and that is only when I use Limewire.

Please let me know if you have any other recommendations.
Thank you,
Danny

 

Window of vulnerability between the exploit being used and the patch becomes available.

 

The reason I asked was because the TCP/IP/IGMPv3 and MLDv2 vulnerability from early this year (in MS Security Bulletin MS08-001) was responsibly disclosed. According to Microsoft, there was no PoC code published when the security bulletin was originally issued, and the vulnerability was not reported to have been exploited before disclosure, so there was essentially no window of vulnerability.

Are you referring to a different vulnerability?

 

I'm not sure if it is that is the exact one.

I used the IGMP exploit as an example. What I'm suggesting is that even with a firewall turned on, remote exploits still exist whether it is windows or another os on the router.

The issue with patching is different. Not everyone keeps upto date. There may also be zero days/unknown vulnerabilities. Patching is part of the solution.

 

I understand Vista comes with both outbound and inbound protection. But it looks like we are talking XP. IMO an outbound firewall is nice but is optional. Keep a clean system and you have few concerns.

I believe with a NAT Router properly secured and set up I would keep windows firewall on (it is basically hassle free and use almost no resources). It is an extra layer of inbound protection that costs so little.

 

Actually I just remembered something: some routers (and maybe modems?) have a remote administration feature (access from the internet). It's a potential vulnerability and if you don't need it I would recommend that you disable it.

 

A hardware firewall also contains software (or embeded logic) and it is able to interpretate the protocols used, so it can also interpretate the packet headers, ergo there are SPI capable hardware firewalls.

When you have a hardware FW there are several reasons for using the build in firewall of your operating system
A) you might be on wireless connection
B) one of the computers is a laptop also used outside this environment
C) additional protection during boot up offered by the internal (OS) FW against a minimum of CPU cycles



Regards Kees

 

@mercurie: Yes, a kind of insurance.

@huangker: It seems reasonable to be 'safe rather than sorry' with multiple layers of protection, especially directly facing the internet, if you assume that all code probably has a flaw someplace that can be exploited.

But in terms of what can be proven today, has there ever been a zero-day vulnerability in the XP SP2 firewall? (a critical or serious flaw, and where the attack vector is the internet)

If so, then laptop users connected to public networks should be advised that Windows Firewall has been bypassed before, and that this would have allowed fully patched systems to become compromised, simply by establishing an internet connection.

If not, then in at least the last 4 years, had you kept updated and used only Windows Firewall, you would not have been compromised any more than if you had also been behind a NAT router.