Firewall/Router Question

Discussion in 'other firewalls' started by Phazor, Dec 13, 2007.

Thread Status:
Not open for further replies.
  1. Phazor

    Phazor Registered Member

    Joined:
    Jun 27, 2002
    Posts:
    111
    Ok stupid question of the night, talking to a buddy on the phone just now.
    I always thought you needed a firewall no matter what. He says he doesn't run one because he has a router.
    So....Do you still need a firewall if you have a router?
     
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Personally I say you don't need a software firewall if you have a firewalled router. However, many people like the added security of running a software firewall. It really all comes down to personal preferences.
     
  3. Phazor

    Phazor Registered Member

    Joined:
    Jun 27, 2002
    Posts:
    111
    Maybe that's our confusion, there's routers and firewall routers?
    Or are they both the same?
     
  4. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    I agree. In my experience a properly configured router provides sufficient in-bound protection.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    If you have a router, any kind, that's sufficient alone for inbound protection. Some people like to run a software firewall in addition to the router in order to have some protection for outbound traffic, i.e. the software firewall will ask permission for any or most apps to connect out. A router won't cover that. Some people don't care much about outbound control, so for them, a router alone is fine. Depends on what you want and/or need...
     
  6. Phazor

    Phazor Registered Member

    Joined:
    Jun 27, 2002
    Posts:
    111
    So instead of trying out Comodo (full blown firewall), I could get something lighter that does just outbound?

    And again..Is there such a thing as a router and a firewall router?

    Want something to protect my butt from the nasty stuff!!
     
  7. FadeAway

    FadeAway Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    270
    Location:
    USA
    Someone with more technical expertise can add to or correct my comments,
    but I believe it works this way:

    All home routers do NAT (Network Address Translation). That effectively
    hides your machine on the Internet.

    Some routers go the extra step and add Stateful Packet Inspection,
    which is highly desirable as it verifies that inbound packets are
    associated with an established connection.

    I run an in-bound software packet filter on my machine. By regularly
    reading its logs, I can verify that nothing is getting by my router.
    If you are running Windows with a router, you can do the same by
    turning on the Windows firewall and enabling the logging of dropped
    packets. You may get the occasional entry on port 80 due to late packets,
    but that is because of the Windows firewall SPI, and is probably nothing
    to be concerned about. If you are worried, just leave the Windows
    firewall (edit: or some other firewall) turned on.
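
The log check FadeAway describes, as an added example that is not part of the original post: it reads dropped-packet entries in the Windows Firewall log layout and separates LAN noise and late port-80 replies from unsolicited WAN traffic that reached the host despite the router. The sample lines are constructed, and the column layout is assumed to follow the log's own `#Fields:` header.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges: a source inside these sits on the LAN side of the router.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the Windows Firewall log layout (not from a real machine).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-12-14 21:03:11 DROP TCP 198.51.100.7 192.168.1.10 80 1764 40 AF 311045 778102 6432 - - - RECEIVE
2007-12-14 21:05:40 DROP UDP 192.168.1.23 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2007-12-14 21:09:02 DROP TCP 203.0.113.44 192.168.1.10 4021 445 48 S 902211 0 65535 - - - RECEIVE
2007-12-14 21:09:05 ALLOW TCP 192.168.1.10 198.51.100.7 1770 80 0 - 0 0 0 - - - SEND
"""

def parse(text):
    """Yield one dict per entry, keyed by the #Fields header (no hard-coded columns)."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Label a dropped inbound packet: lan, late-reply, or unsolicited-wan."""
    src = ipaddress.ip_address(entry["src-ip"])
    if any(src in net for net in LAN_NETS):
        return "lan"
    flags = entry.get("tcpflags", "-")
    # A packet from a web server's port 80 without SYN is the tail of a
    # connection the host already closed: the "late packets" case.
    if entry["protocol"] == "TCP" and entry["src-port"] == "80" and "S" not in flags:
        return "late-reply"
    # Anything else from outside the LAN got through the router unsolicited.
    return "unsolicited-wan"

def summarize(text):
    """Count dropped inbound entries per label; allowed and outbound entries are skipped."""
    drops = [e for e in parse(text)
             if e["action"] == "DROP" and e.get("path", "RECEIVE") == "RECEIVE"]
    return Counter(classify(e) for e in drops)

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

A non-zero `unsolicited-wan` count is the case worth investigating on the router side, for example a port forward or DMZ setting.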
     
  8. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    I usually run a software firewall mostly because my laptop isn't always connecting into my home network since it is portable.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    AKAJohnDoe,

    A router is sufficient in terms of stealthing/closing the ports, although some older routers do not stealth port 113. Firewall experts will argue that the network stack is of a lower layer than the process stack, leaving your system vulnerable to attacks on the network level (meaning your HIPS won't even get the chance to react). Therefore you need a router not only with a built-in NAT firewall, but it also has to do Stateful Packet Inspection (SPI). SPI inspects the headers of the messages also. Some routers even offer Deep Packet Inspection (DPI) which also checks the contents of the message transmitted.

    The good thing about hardware firewalls is that they have built-in options to deal with Denial of Service (DoS) attacks, do not respond to unsolicited pings on the wide area network (WAN) side, have a Quality of Service (QoS) engine et cetera.

    It is always a good idea to change the name of SSID (not the factory standard), change the IP address on which you can change your Router's setting, change the user and admin password and apply Mac Address Control (MAC) also when using wireless connections.

    When you do not know how to find these settings, you either spend some time on the manual or you use an additional software firewall (e.g. the Windows or Vista default inbound firewall or a more advanced outbound traffic control FW).

    I have a hardware FW with NAT/SPI (no DPI) and have disabled XP and Vista Firewall on our PCs. On XP we use TF to control some outbound traffic and the Avast Network module as a light network IDS, on Vista we use VistaFireWallControl to control in some degree outbound traffic.

    I am sure the FW experts on this forum are able to help you with your considerations, because it is all a personal preference on the 'devils' triangle of knowledge, user friendliness and security.

    Regards Kees
     
    Last edited: Dec 14, 2007
  10. zaxxon

    zaxxon Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    15
    Location:
    Norway
    DSA from privacyware.com could be a good choice for you.
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    With a router in place, yes, you can skip the full blown firewall and put in one of the popular (and lighter) HIPS apps that cover outbound and also give you more protection in general against the nasty stuff. Best if you just keep the nasties off the PC to begin with though... :)
     
  12. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    My router was configured (by me) when I installed it. I did change the SSID and IP address, the administrative and user logins and passwords, the range of IP addresses DHCP has available (both the addresses themselves and the range of addresses), shut down unnecessary protocols, and so forth. I do not use MAC filtering; it does not really add anything in my usage. The wireless runs in mixed B\G mode via WPA-PSK.

    I've used a number of software firewalls as well. If I was regularly connecting into other networks I would still have one installed. However, again in my usage, the only thing that the logs of any of the major firewalls show as being blocked regularly is WMP.
     
    Last edited: Dec 14, 2007
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    In your case (but it is still up to you of course), I doubt the added protection of a software firewall.

    Regards Kees
     