Firewall/Router Question

Ok stupid question of the night, talking to a buddy on the phone just now.
I always thought you needed a firewall no matter what. He says he doesnt run one because he has a router.
So....Do you still need a firewall if you have a router?

 

Personally i say you don't need a software firewall if you have a firewalled router. However many people like the added security of running a software firewall. It really all comes down to personal preferences.

 

Maybe thats our confusion, theres routers and firewall routers?
Or are they both the same

 

I agree. In my experience a properly configured router provides sufficient in-bound protection.

 

If you have a router, any kind, that's sufficient alone for inbound protection. Some people like to run a software firewall in addition to the router in order to have some protection for outbound traffic, i.e. the software firewall will ask permission for any or most apps to connect out. A router won't cover that. Some people don't care much about outbound control, so for them, a router alone is fine. Depends on what you want and/or need...

 

So instead of trying out comodo, (full blown firewall) I could get something lighter that does just outbound?

And again..Is there such a thing as a router and a firewall router?

Want something to protect my butt from the nasty stuff!!

 

Someone with more technical expertise can add to or correct my comments,
but I believe it works this way:

All home routers do NAT (Network Address Translation). That effectively
hides your machine on the Internet.

Some routers go the extra step and add Stateful Packet Inspection,
which is highly desirable as it verifies that inbound packets are
associated with an established connection.

I run an in-bound software packet filter on my machine. By regularly
reading its logs, I can verify that nothing is getting by my router.
If you are running Windows with a router, you can do the same by
turning on the Windows firewall and enabling the logging of dropped
packets. You may get the occasional entry on port 80 due to late packets,
but that is because of the Windows firewall SPI, and is probably nothing
to be concerned about. If you are worried, just leave the Windows
firewall (edit: or some other firewall) turned on.

 

I usually run a software firewall mostly because my laptop isn't always connecting into my home network since it is portable.

 

AKAJohnDoe,

A router is sufficient in terms of stealthing/closing the ports, although some older routers do not stealth port 113. Firewall experts will argue that the network stack is of a lower layer than the process stack, leaving your system vulnerable to attacks on the network level (meaning your HIPS won't even get the change to react). Therefore you need a router not ony with a build in NAT firewall, but it also has to do Stateful Packet Inspection (SPI). SPI inspects the headers of the messages also. Some routers even offer Deep Packet Inspection (DPI) which also checks the contents of the message transmitted.

The good thing about Hardware firewall's is that it has build in options to deal with Denial of Service (DoS) attacks, does not respond to unsollicitated Pings on the wide area network (WAN) side, has a Quality of Service (QoS) engine et cetera.

It is always a good idea to change the name of SSID (not the factory standard), change the IP address on which you can change your Router's setting, change the user and admin password and apply Mac Address Control (MAC) also when using wireless connections.

When you do not know how to find these settings, you either spend some time on the manual or you use an additional software firewall (e.g. the Windows or Vista default inbound firewall or an more advanced outbound traffic control FW).

I have a hardware FW with NAT/SPI (no DPI) and have disabled XP and Vista Firewall on our PC's. On XP we use TF to control some outbound traffic and the Avast Network module as a light network IDS, on Vista we use VistaFireWallControl to control in some degree outbound traffic.

I am sure the FW experts on this forum are able to help you with your considerations, because it is all a personal preference on the 'devils' triangle of knowledge, user friendliness and security.

Regards Kees

 

DSA from privacyware.com could be a good choice for you.

 

With a router in place, yes, you can skip the full blown firewall and put in one of the popular (and lighter) HIPS apps that cover outbound and also give you more protection in general against the nasty stuff. Best if you just keep the nasties off the PC to begin with though...

 

My router was configured (by me) when I installed it. I did change the SSID and IP address, the administrative and user logins and passwords, the range of IP addresses DHCP has available (both the addresses themselves and the range of addresses), shut down unnecessary protocols, and so forth. I do not use MAC filtering; it does not really add anything in my usage. The wireless runs in mixed B\G mode via WPA-PSK.

I've used a number of software firewalls as well. If I was regularly connecting into other networks would still have one installed. However, again in my usage, the only thing that the logs of any of the major firewalls show as being blocked regularly is WMP.

 

In your case (but it is still up to you off course), I doubt on the added protection of a software firewall.

Regards Kees