Behind a router - is a firewall needed?

Discussion in 'other firewalls' started by Jadda, Mar 28, 2008.

Thread Status:
Not open for further replies.
  1. Jadda

    Jadda Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    422
    Hi.

    My computer is behind a router and I have a software firewall too. But do I really need it? I tested my router at ShieldUp and all of them, or almost all, were marked green, which means stealth.

    This has probably been taken up before, so if there are some threads that are a good read for me, bring them on. :)

    Thanks.
     
  2. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Depends on your comfort level. The router does not have outbound protection. I use both a router and software firewall (Outpost). I just feel safer knowing the software firewall will protect me from any outbound problems.
     
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    And just to put the other side of the story - I don't have a software firewall and don't have any problems. If previous threads are anything to go by you will get answers both for and against. Being pedantic, is it "needed"? Probably not.
     
  4. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,118
    Which version of Outpost do you use?
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Which means almost nothing to your security :)
    Reasons for using a host-based firewall:
    - You aren't always behind your router. This is true for laptop users. The Windows built-in firewall is fine.
    - With a personal firewall, you can have a more fine-grained control over the network traffic. Usually, the firewall features of routers are too simple and/or cumbersome to use.
    - You may want/need outbound control.
    - Enforcing a network access policy is part of your security setup, even if it has little value per se.
     
  6. Jadda

    Jadda Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    422
    For your information, I did not know what stealth meant, I just wanted to inform you, if it was a good thing. :D But then again, I can just enable Windows firewall, since I guess it is good enough for me.

    Thanks for the reply.
     
  7. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    6.0.2284.253.0485 (latest version)
     
  8. TouchuvGrey

    TouchuvGrey Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    441
    Location:
    South Mississippi USA ( ya'll )
    I have a router with a hardware firewall, I have on the 6 computers behind that router Look n Stop (2), Online Armor (3) and Firestarter (1, Linux computer).

    I might not need them depending on whose opinion is involved, but I feel safer having them.
     
  9. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    WFW and NAT are both inbound, so disable WFW and only NAT is enough I guess. I have no critical data on my disks so missing outbound protection is not that serious.
    Only exception is shopping online, in which case I use SBIE for having temporary outbound control.
    But I will also admit that nothing is 100% bulletproof.
     
  10. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    As was pointed out to me in a thread not long ago, NAT does in fact
    act as a firewall by dropping unsolicited inbound, but offers no
    protection against malformed packets, which is one of the things the
    "stateful" part of SPI does. That's one reason I think many routers
    offer users the additional option of a built-in SPI firewall.
    IMO, it would be wise to run at least one SPI filter somewhere facing
    outward. That might be in the router, or on the machine.
    On the machine it can be as simple as the Windows FW, or more complex
    such as a third party two-way firewall.

    BTW, not all routers with hardware FWs come from the manufacturer
    with that feature automatically turned on - mine didn't.
     
  11. gud4u

    gud4u Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    206
    I use both router and firewall/HIPS. The router is always on duty, preventing unsolicited input, even when I have my software firewall off - for whatever reason. It's a layer that's redundant 99% of the time, but I simply feel safer with that additional protection.

    But the router is dumb. Once I contact a web site, the router authorizes downloads from the web site. The download may be relatively harmless content such as tracking cookies (Doubleclick, Adgardener, etc.), but I don't want them on my system. Once I elect to contact a web site, the router provides absolutely no protection against infection from that site.

    The software firewall/HIPS monitors suspicious content and suspicious behavior up front, whether simply an attempt to install a tracking cookie or more serious infection attempt.

    If I had to give up one of these front-layer devices, it would be the - always on duty, but dumb - router.
     
    Last edited: Mar 30, 2008
  12. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Interesting view, completely opposite to my own. So long as we both remain free from infection I suppose that is all that really matters - interesting nonetheless.
    Perhaps all that really matters is that a well thought out approach is applied, with the actual approach chosen being not all that important?
     
  13. wat0114

    wat0114 Guest

    The router blocks unsolicited traffic. If you initiate the connection, the router correctly allows it.

    That's not the router's job.

    The router would be the last layer I give up. Keep in mind it does a terrific job of keeping all that Internet "noise" off your pc's network connection, eliminating the work your software fw would have to do to process/log it.
     
  14. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I second that.

    /C.
     
  15. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I do as well.

    To answer the thread subject question - I don't see a firewall as needed, but it can be very desirable as a simple communications control measure for any valid or malicious process.

    Blue
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    One reason I keep software firewalls is that I do have a wireless machine on the network. That means in theory someone could get on the network on the inside of the router. Yes, the network is well protected, but still...

    Pete
     
  17. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    In a typical home internet usage, yes. But there is still that 1%.

    That would depend on what is being considered a "router". If this is NAT, I agree.
     
  18. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Do you need a software firewall? Maybe it's better not to have a firewall than to have a bad one.

    Some degree of outbound protection is desirable (forget about all the leaktests, they are not that important), it's a good thing not to allow every piece of software on your computer to phone home whenever it wants to. And if it's not real malware, it probably won't use any of the leaks (see leaktests) to bypass your firewall.

    A good software firewall can be very useful for inbound protection.
    It's a bit technical for me, but (deep) stateful inspection, packet inspection, 'application firewall', 'proxy firewall' are things worthy of study to select what is best for you.

    A router's firewall (at least mine) will allow things to pass which you don't want on your machine. Say, you make a connection to a website, and ask for some content. How will you know if you get what you asked for, without malware included? That's where a good software firewall comes in handy.
    (I have read about at least one router capable of some form of deep stateful inspection, but I'm sceptical, there is only so much a hardware firewall can do).

    I just checked the McAfee firewall, it offers special protection (not in its default configuration, the default configuration is hardly a firewall at all) against a number of special attacks from the outside.

    So 'a firewall is not a firewall'.

    But it's true that most people do well with just the Windows firewall, as long as there are no wireless connections.
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    The kind of problems a s/w firewall must prevent are of the specific kind where you may not realise they happened. For example, with a h/w firewall you cannot block a particular program from accessing the internet. Then, once it has connected somewhere and transferred the data, there is no other harm for you that you could notice.

    The main difference is application control. No h/w firewall can control network activity on a per-application basis. Ideally both are needed. But whether you need the ideal solution depends on the security policy you use.
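
An added illustration, not part of any post in this thread: a toy model of the distinction drawn above between a NAT router, which only remembers connections opened from the inside, and a host firewall, which can decide per program. The class names, program names and addresses are constructed for the example, and the flow table is simplified to the remote endpoint only.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Tracks flows opened from the LAN; it cannot see which program sent them."""
    flows: set = field(default_factory=set)

    def outbound(self, remote, rport):
        # Every LAN-initiated connection is forwarded and remembered.
        self.flows.add((remote, rport))
        return "forward"

    def inbound(self, remote, rport):
        # Only packets matching a remembered flow reach the LAN.
        return "forward" if (remote, rport) in self.flows else "drop"

@dataclass
class HostFirewall:
    """Per-application outbound policy, enforceable only on the host."""
    allowed_apps: frozenset

    def outbound(self, app):
        return "allow" if app in self.allowed_apps else "block"

def simulate(events, router, host_fw=None):
    """Return one verdict per constructed event, in order."""
    verdicts = []
    for ev in events:
        if ev["dir"] == "in":
            verdicts.append(router.inbound(ev["remote"], ev["rport"]))
        elif host_fw and host_fw.outbound(ev["app"]) == "block":
            verdicts.append("blocked-by-host")  # never reaches the router
        else:
            verdicts.append(router.outbound(ev["remote"], ev["rport"]))
    return verdicts

# Constructed sample traffic (documentation address ranges, hypothetical programs).
EVENTS = [
    {"dir": "in", "remote": "203.0.113.5", "rport": 51000},   # unsolicited probe
    {"dir": "out", "app": "browser.exe", "remote": "198.51.100.7", "rport": 443},
    {"dir": "in", "remote": "198.51.100.7", "rport": 443},    # reply to browser
    {"dir": "out", "app": "unknown.exe", "remote": "203.0.113.9", "rport": 80},
    {"dir": "in", "remote": "203.0.113.9", "rport": 80},      # reply to unknown.exe
]

if __name__ == "__main__":
    print(simulate(EVENTS, NatRouter()))
    print(simulate(EVENTS, NatRouter(), HostFirewall(frozenset({"browser.exe"}))))
```

With the router alone, only the unsolicited probe is dropped; with the host policy added, the unlisted program's connection is stopped before it leaves the machine, so its reply is dropped at the router as well.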
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Exactly the reason why the XP box (from which we do on-line banking) has a software firewall, and the Vista64 box (for gaming) has no software FW. Although both PCs are behind a router with SPI (and MAC address checking), using wireless just adds a theoretical entry. Son prefers fixed cable and no sw FW because ping is better in gaming.
     
  21. Nike_P

    Nike_P Registered Member

    Joined:
    Mar 30, 2008
    Posts:
    122
    Location:
    Europe
    I'm behind a router and I have Outpost firewall and Windows firewall on :)
    So does this mean that I have 3 firewalls on my laptop?
     
  22. wat0114

    wat0114 Guest

    No, it means you have 2 on your laptop, which is one too many ;)
     
  23. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    Part of my security policy is to only install software that I would be happy to allow access to the internet. Not sure what data you feel might be transferred and why this should concern me.

    I agree fully that the ideal solution depends on the security policy used - which is why I would argue that a software firewall is not needed - meaning that the necessity for a software firewall can be avoided by taking other measures. The soft warm secure feeling that it gives some should be considered as a want rather than as a need. As I wrote - I accept that the distinction sounds a little pedantic.
     
  24. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I agree with this Long[broad]View. LOL :D
     
  25. Dogbiscuit

    Dogbiscuit Guest

    Software firewalls can be a useful tool to help ensure privacy behind a router. When using a service like Tor to hide your identity, you can prevent websites from possibly learning your real IP address through browser plugins like Flash, for example, by configuring a software firewall to block Flash from sending back such information.

    Using a firewall (even a simple firewall like the Windows XP firewall) in addition to a router will add more latency to your internet connection, though you might not notice it much.
     