I was reading a column in which the author stated you don't really need a software firewall if you are using an NAT enabled router. Comments on that?
The author is correct if we're talking about straight up inbound attacks; routers are much better at that than software firewalls. A big however though comes into play when we start talking about malware/viruses and, sometimes, not so malicious but a bit "shady" programs that start wanting to "call home". Routers won't stop that where a software firewall (or HIPS if you're so inclined) will, it's called outbound control. If you keep your system clean of shady programs and malware/viruses, then no, a software firewall IMHO is not necessary behind a router. If not used for outbound control it becomes another process just taking up the CPU and memory, not to mention space on the hard drive.
Neither router nor firewall, nor proxy (and even if you combine them all together) will save you against the hidden internet tunnel. Most endpoints seem to be intercepted or sort of infected and in this case there is no escape.
dw426 - Helpful insight - thank you. He was also saying that an outbound protection is unnecessary if you protect yourself properly the other way. I guess theoretically that's true, but it seems to me that if a malware or keylogger program somehow got on my machine, I would certainly want the outbound protection.
Indeed you would. Taking precautions and having a good security plan in place will keep you out of 99% of trouble, but that extra 1% can be a PITA at best or a nightmare at worst. If you feel outbound protection is necessary, by all means use it. A little more CPU and memory use is small potatoes to the problems some of these things can cause.
LenC, Agree with dw426. Speaking practically and being behind a router/firewall - I ditched my software one a year ago. Additionally am using a HIPS and an AV. Never had any malware!! An excellent HIPS as regards leaktests is ProSecurity 1.42 (or Real-Time Defender, as it's now called). See here matousec, or the HIPS from Private Firewall-DSA
I'll leave it to SystemJunkie to explain what is really meant, but, System, would you be referring to the BGP ruckus being raised as brought up here: http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html?
Partially (thanks for the link) but there is so much more that would bust the scope of this topic. In short the term security is in most cases only dummy security. Don't rely on firewalls and believe you are secure, don't rely on routers and believe you are secure and the same is valid for all kind of security suites, antiviruses, antirootkits.... a computer in correlation with internet is nowadays a too complex scenario to guarantee one individual total control. Firewalls and HIPS are good as little watchdogs and to learn more about your system, routers are useful as hubs and maybe to block some simple attacks but not to prevent real threats.
I've found quite a lot of new trojans with the firewall when I used KIS 7 (now in KIS 2009 the HIPS takes care of it too).
Good. Another one of these threads. I hate digging up old ones with the same questions. But, since there are always new programs and I am only one person, maybe someone knows the solution. I agree also with the article inasmuch as you don't really need a software firewall if you know what you are doing. As well it is my opinion that those that really really don't know what they are doing have no use for a firewall because they probably become infected easily and a popup from a firewall would do no real good. And then there are those who know a good bit, but still have a ways to go. For them I believe a firewall is maybe not needed, but a very great learning tool for them to see just what is happening with their computer regarding inbound and outbound events. Now, as I have stated before, what I am looking for is the application that is not a HIPS, not a firewall, but somewhere in between. I want very fast and lightweight and stable. I want a program that just watches for an application or process that tries to go outbound and simply say 'yes' or 'no'. Right now I am using Outpost v2.0 with 2 rules, allow and deny. This really is simplistic inasmuch as I can see my logs and have very simple app control without having to worry about tweaking every aspect. But the part I do not like is that every packet basically must be sniffed somehow. It is not TDI I know, more kernel level. But I can tell if I load up the connection, that the driver starts to do some serious work. This applies IMO to all firewalls, because they examine every packet. No, what I want is just plain and simple, if a process starts to send/receive a packet, just allow or not. Nothing more involved. I have other methods to handle the rest of what I need. So, any new news for this type of application? So I keep using a very very basic ruleset for my software firewall, knowing I don't really need it, but wanting to at least KNOW when something is coming or going.
And that is why I don't completely follow Leo's advice, because I do still want to know, instead of have no idea whatsoever. Sul.
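Added example, not part of any post in this thread: a small Python model of the distinction discussed above, where a NAT router drops unsolicited inbound traffic but forwards any connection a local process initiates, while a per-process allow/deny list on the host can refuse and log it. The class names, process names and addresses are constructed for illustration and do not describe any product named in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatRouter:
    """Admits inbound packets only when they match a flow a LAN host opened."""
    flows: set = field(default_factory=set)

    def outbound(self, src_port, dst):
        # NAT creates a mapping for every outbound flow; it has no idea
        # which process on the host opened it.
        self.flows.add((src_port, dst))
        return True

    def inbound(self, src, dst_port):
        # Forwarded only if it is a reply to an existing mapping.
        return (dst_port, src) in self.flows


@dataclass
class Host:
    router: NatRouter
    allowlist: Optional[set] = None  # None models "no software firewall"
    log: list = field(default_factory=list)

    def connect(self, process, src_port, dst):
        # Per-process outbound control: a plain allow/deny, nothing more.
        if self.allowlist is not None and process not in self.allowlist:
            self.log.append(("DENY", process, dst))
            return False
        self.log.append(("ALLOW", process, dst))
        return self.router.outbound(src_port, dst)


def run_scenario(allowlist):
    """Constructed scenario; all addresses are documentation ranges."""
    router = NatRouter()
    host = Host(router, allowlist)
    remote = ("203.0.113.10", 443)  # hypothetical "call home" server
    results = {
        "unsolicited_inbound": router.inbound(("198.51.100.7", 4444), 3389),
        "browser_out": host.connect("browser.exe", 50001, ("192.0.2.20", 443)),
        "unknown_out": host.connect("updater_unknown.exe", 50002, remote),
    }
    results["reply_to_unknown"] = router.inbound(remote, 50002)
    return results, host.log


if __name__ == "__main__":
    for label, allow in (("router only", None), ("router + allowlist", {"browser.exe"})):
        print(label, run_scenario(allow))
```
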