Firewall software or router w/firewall?

Discussion in 'other firewalls' started by yodafan, Sep 10, 2002.

Thread Status:
Not open for further replies.
  1. yodafan

    yodafan Guest

    hey guys,

    Which is a better firewall, a rule based firewall or a router? Anyone know the pros and cons of one over the other?
    YODA
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    yodafan,

    The two main differences between the two:

    1.) A router with a built-in NAT firewall only covers inbound communications, so IMHO a software firewall is also needed to control your outbounds.

    2.) A good rule based firewall not only controls inbound and outbound packets, but can also have an application filter included.

    IMHO the best software firewalls are:
    a.) free versions - Kerio or Sygate @ the following links: http://www.kerio.com/us/kpf_home.html and http://soho.sygate.com/products/shield_ov.htm
    b.) paid version: Look'n'Stop @ http://www.looknstop.com/En/index2.htm

    I hope this helps you somewhat. I have both a router with NAT firewall and use Look'n'Stop along with it.

    Regards,
    Kent
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    puff-m-d explained the basic differences well.

    He also made another good point...running both. Which is great if you believe in layering your security.

    If sharing your connection or a small home network are in your future, having both a router/gateway and running a software firewall on the systems behind it works well.

    CrazyM
     
  4. yodafan

    yodafan Guest

    so umm... software firewall is better. But can a router be taken down, cuz umm software firewalls can be damaged by trojans and made unworkable. So could this be a plus for routers, since they are hardware?
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Your point is well taken and, indeed, is part of the reason that CrazyM suggested using both, if you can afford to do so.

    The software firewall hosted on a general purpose computer regardless of the operating system is always vulnerable to a potential exploit against the underlying OS (and please remember not every exploit needs to come in over the wire). But it does provide application-specific control if you configure it correctly (again, with the proviso that it's installed on the specific computer running the application).

    A hardware-based firewall appliance (which, incidentally, I do not confuse with a simple router using NAT) is much less susceptible to exploitation from getting a virus, trojan or worm (primarily because many of them simply don't have any RAM that can be used for this purpose). On the other hand, the firewall appliance cannot provide application-level control at all for the very simple reason that it has no information on what application is involved.

    To some extent, the argument is similar to the old proposition of running two software firewalls concurrently; only better -- because there's no real chance of conflicts or having common vulnerabilities.

    To me, however, it's primarily a matter of using layered defenses. And the necessity of layered defenses is indisputable. At the current time, there is no single hardware or software product, no single procedure, no single policy that will guarantee your security from all threats when on the Internet. (And relying exclusively on a firewall certainly won't do it.)
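Added example, not from the thread: a small Python model of the two layers puff-m-d and jvmorris describe. The hosts, addresses and application names are constructed assumptions; the model shows why a NAT router alone forwards a trojan's outbound connection (it never sees which program opened it) while the host firewall's application filter refuses it, and why the router drops an unsolicited inbound probe before the host ever sees it.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    lan_host: str       # machine behind the router (constructed address)
    remote: str         # Internet peer (constructed address)
    rport: int          # remote port
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    app: str = "?"      # owning process; only the host firewall knows this

class NatRouter:
    """Stateful NAT gateway: forwards all outbound; inbound only if it answers an open flow."""
    def __init__(self):
        self.flows = set()
    def allows(self, p):
        key = (p.lan_host, p.remote, p.rport)
        if p.direction == "out":
            self.flows.add(key)          # remember the flow so replies can come back
            return True
        return key in self.flows         # unsolicited inbound is dropped

class HostFirewall(NatRouter):
    """Rule-based software firewall: same stateful check plus an outbound application filter."""
    def __init__(self, allowed_apps):
        super().__init__()
        self.allowed_apps = set(allowed_apps)
    def allows(self, p):
        if p.direction == "out" and p.app not in self.allowed_apps:
            return False                 # the router could never make this decision
        return super().allows(p)

def run_layered(packets, allowed_apps=("browser",)):
    """(router_verdict, host_verdict) per packet; None = never reached that layer."""
    router, host = NatRouter(), HostFirewall(allowed_apps)
    verdicts = []
    for p in packets:
        if p.direction == "out":            # outbound hits the host firewall first
            h = host.allows(p)
            r = router.allows(p) if h else None
        else:                               # inbound hits the router first
            r = router.allows(p)
            h = host.allows(p) if r else None
        verdicts.append((r, h))
    return verdicts

SAMPLE = [  # constructed traffic: browser session, unsolicited probe, trojan call-out
    Packet("192.168.1.5", "203.0.113.10", 443, "out", "browser"),
    Packet("192.168.1.5", "203.0.113.10", 443, "in"),
    Packet("192.168.1.5", "198.51.100.9", 445, "in"),
    Packet("192.168.1.5", "198.51.100.7", 6667, "out", "trojan.exe"),
]
```

Running `run_layered(SAMPLE)` gives `(True, True)` for both browser packets, `(False, None)` for the probe, and `(None, False)` for the trojan; a bare `NatRouter()` on its own lets the trojan packet out.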
     