router vs software firewall

Discussion in 'other firewalls' started by Siamese Dream, Jan 16, 2014.

Thread Status:
Not open for further replies.
  1. Siamese Dream

    Siamese Dream Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    52
    Location:
    USA
    If I am not networking, is there any advantage to having a router vs a downloadable firewall?
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It was believed that routers and hardware firewalls were stronger because they were not part of the operating system. After recent revelations about router and modem backdoors and NSA tampering, I'm not sure it holds true any more.

    Barring backdoors and NSA coerced vulnerabilities, routers aren't as vulnerable to attacks from the web. This assumes that there are no undocumented vulnerabilities or backdoors in UPnP (Universal Plug and Play) or that it's disabled. This also assumes that remote administration is also disabled.

    Software firewalls, being installed on the PC, are vulnerable to malicious code that exploits that PC. IMO, that argument is largely moot. In order for malware to disable or bypass a software firewall, the PC has to already be infected. It is possible for software firewalls to crash or fail from driver problems or other incompatibilities. Routers and hardware firewalls are single-purpose operating systems. They don't suffer from such problems.

    Most modems already have a limited form of an inbound firewall. Often it's nothing more than NAT, which is sufficient to block inbound traffic. If outbound control is important to you, a software firewall is the way to go.
     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,442
    A router modem will have a hardware firewall that provides powerful protection on its own, but a software firewall is more configurable and allows you to decide what inbound AND outbound connections to allow through on your PC.

    And redundancy is always a good thing to have. :thumb:
     
  4. donaldkks

    donaldkks Registered Member

    Joined:
    Jan 16, 2014
    Posts:
    40
    Location:
    Singapore
    I just wonder about what is behind the router (or the hardware firewall), and who will eventually try to break in, because the firewall itself cannot have settings, and we can only set a password for our router.

    A software firewall is just another protection against network threats and the spreading of any viruses and malware, but in the first place, will a hardware firewall notify us if there is any intrusion or break-in?
     
  5. guest

    guest Guest

    The router can be hacked/exploited. It's not only the firewall. The DNS setting, MAC address, etc can be compromised as well.

    If the router has a sound alarm which will beep if it detects an intrusion, perhaps. :D
     
  6. donaldkks

    donaldkks Registered Member

    Joined:
    Jan 16, 2014
    Posts:
    40
    Location:
    Singapore
    That sounds scary. But for personal use, I think it is not a big problem to worry about, right?
     
  7. Siamese Dream

    Siamese Dream Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    52
    Location:
    USA
    Can you use both as an added layer, do they work sufficiently together, or is it overkill?

    Edit: Please keep in mind I have no tech experience and would be using it out of the box.
     
  8. guest

    guest Guest

    AFAIK they mostly target business/corporate environments. But I see nothing wrong with being cautious and taking a few safety steps.

    Some routers disable it/them by default. My router has the NAT firewall enabled out of the box, but the SPI firewall was disabled. There are also a few settings you might need/want to configure, like hiding the SSID, for example.

    As for the overkill part, it depends. Some people just use the hardware firewall, some others only use the software firewall, the rest use both. Technically they shouldn't conflict. Do remember that the router firewall is on the first line, so some firewall tests might not give satisfying results for your favorite software firewall.
     
  9. Siamese Dream

    Siamese Dream Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    52
    Location:
    USA
    Are there specific security features in a router I should be looking for?
     
  10. guest

    guest Guest

    I'm not an expert about this, but the most valuable features I can think of right now are support for WPA2PSK (most if not all routers these days have it), and both SPI and NAT firewalls.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Encryption WPA2 EAS (and not mixed with PSK), and the possibility to fully turn OFF WPS (WiFi Protected Set-up), as WPS (PIN option) is intrinsically vulnerable.
    Most recent NETGEAR or ASUS routers can do the above. Don't know about other brands as I have not used them.
    You should also look for routers for which alternative firmware is available or being developed (www.dd-wrt.com or www.myopenrouter.com/). That way you are not bound to the manufacturer's life cycle for the product.
     
  12. guest

    guest Guest

    What is EAS? Unless you meant WPA2PSK with AES encryption?
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    LoL, yes... WPA2 with AES... sorry. But not the mixed approach as you suggest. Recent routers distinguish between WPA PSK and WPA2 AES. This way you force AES (more secure) and not backward compatibility with WPA (=PSK). In more dated routers you don't have this separation and they come together as WPA2 PSK/AES. ;)

    http://www.speedguide.net/faq_in_q.php?qid=331
     
    Last edited: Jan 30, 2014
  14. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    210
    Location:
    CSA Consulate, Glos., UK
    a hardware firewall and a software firewall complement each other and provide a layered defense better than either separately. the software firewall is providing outgoing defense as well, and the hardware firewall takes some of the load off the software firewall, which keeps it from impacting the pc's performance. all in all, the whole is greater than the sum of the parts.
     
  15. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    As a retired networking guy, I agree 100% with the previous post. :thumb: :thumb: :thumb:
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    They work together no problem, but using a router "out of the box" may or may not be optimal depending on its default settings. I would encourage you to work with folks here who will help you make sure the router is as secure as possible. Accessing and changing the router settings is not difficult.

    A new router's settings are accessed using a default user name and password, typically "admin" and "password". The first thing to do is change the password. Another issue is that WiFi may not have security turned on - it may be an open network like you find in a coffee shop, where anyone can connect to it. You either want to turn on the security (password-protected WPA2) or turn off the radio if you don't need to use WiFi. Routers typically come with an installation wizard that will walk you through both of these steps when you're first setting it up.
     
  17. ragnarok2012

    ragnarok2012 Registered Member

    Joined:
    Jun 20, 2007
    Posts:
    45
    Snow days mean work laptops used at home.

    We could not connect to the workplace servers unless they went thru our installed and configured "at-home-router".

    Why? Don't know for sure, but only that it was the only way. o_O
     
  18. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Get out the tinfoil hat.

    Hardware firewalls are plenty configurable. Have you ever used a nice hardware firewall?

    They don't complement anything. Any rules you have in a hardware firewall must exist in a software firewall for said software to work if it requires an outbound connection. If said software is blocked going outbound by either firewall it won't work. It also doesn't take any load off the hardware or improve performance by running both simultaneously. If it's installed on a PC and running, it affects performance. The only way to remove the impact is to use a hardware firewall by itself.
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Software firewalls have visibility into which specific process/executable is involved in the traffic. This ability is essential to creating fine-grained rules. Hardware firewalls do not have this visibility or capability, although they can in some protocols/cases accomplish the same objective by examining identifying information that is on the wire (User-Agent for example).

    Software firewalls would be quite vulnerable in the case of their host OS being compromised. Whereas hardware firewalls should be quite resilient in such a case (one exception being malware on the compromised device is able to capture the user/pass when the user logs into the hardware firewall, another being a case where UPnP is enabled).

    A software firewall can offer protection even when portable devices aren't operating on their home network (few people lug a hardware firewall around). Hardware firewalls can offer protection to guest devices without a (good) software firewall and/or devices which cannot be equipped with a software firewall.

    I would say that is a complementary relationship. I would point out that in a case where a hardware firewall is blocking a considerable amount of traffic that would go on to encounter a software firewall, that hardware firewall is serving to eliminate a load that the software firewall device would otherwise have to bear.
     
  20. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Specific processes are irrelevant provided you know how to set up a firewall properly with port forwarding and blocking all inbound and outbound traffic except for specific ports that you need.

    Again, malware being on the compromised PC wouldn't matter if the firewall is set up properly, as said malware wouldn't be able to communicate the data back home due to the proper ports being blocked.

    A hardware firewall also doesn't prevent resources from being used on a PC that also has a software firewall. Sure, there are rules on the hardware side that block traffic before it hits the software firewall, but the software firewall and its services are running and consuming resources regardless of what the hardware firewall blocks. Even if the hardware firewall blocked all incoming traffic, the running software would consume resources in itself.

    If you compare the software firewall resource usage of whatever internet security suite you use with or without a hardware firewall in use, it consumes the same amount of resources regardless of the rules on the hardware firewall.
     
  21. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    343
     
  22. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA

    Yes, unplug your PC from the internet. You will never mitigate 100% of everything.
     
  23. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    210
    Location:
    CSA Consulate, Glos., UK
    i beg to differ. hardware firewall routers default to a basic incoming request protection and most also add attack detection and dos protection. entering routing and firewall rules is manual and tedious for either outgoing or incoming protocols and services. you can do it, but it's not worth the effort for a home user. they do a very good and fast job of what they do, however. they are generally port, IP source/destination, and protocol dependent. many network engineers specialize in just configuring these.

    the software firewalls are easier, most autogen their rules as well as allowing reasonably easy entry of your own. they can be application dependent for outgoing rules, and in general more flexible and easier to configure by the end user. they have evolved over the last decade or so and do not have the performance impact they had in the early days. certain attacks, like DOS - Denial of Service - attempt to overload your system by repetitive multiport attacks. they can bog down your pc's software firewall. the hardware firewall can more easily devote itself to repelling these, it's like it has a separate dedicated CPU to protect you. in fact it does just that. it's just a pain in the keester to program new rules into it.

    i think of it as a Roman legion. the front line shield (fire) wall keeps out 99 percent of the attacking barbarian horde, but some always get thru. the reserve cohort of (software firewall) veterans behind the shield wall take care of those. the general (CPU) stands behind them and looks pretty in his muscle armour and does very little.

    it's a layered defence. with an anti-malware 'reserve' legion you can beat almost any barbarian. sadly, as in rome, it's not 'if' the barbarians will get thru your walls, it's a matter of 'when'. as they breach one defence, they should come against a new line.
     
  24. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    From an end-device perspective, allowing the specific software that *should* be performing network operations while disallowing all other software that *shouldn't* be performing network operations is often a/the primary objective. I believe what you are describing is basically a work around to the lack-of-visibility problem when using a firewall that is external to the end-device: using port assignments and port forwarding rules in a way that will cause the end-device software involved to be reflected in the end-device port involved. An approach which may be useful but also comes up short relative to software firewalls. To be sure we're on the same page, please detail your hardware firewall only approach for two scenarios:

    1) I want to periodically run WebServerX software on my end-device and, when doing so, have it open to all Internet clients on MyPublicIPAddress:80. While also preventing any other software on my end-device from successfully opening itself to connections on MyPublicIPAddress:80. No UPnP, or if you intend to use it, explain how I am to prevent everything except WebServerX from using it.

    2) I want two different applications on my end-device (App1, App2) to be able to establish SSH connections to any/all Internet hosts, and I want no other software on my end-device to be able to do so.

    There are a number of ways that malware can attempt to sneak information past both software firewalls and hardware firewalls. I don't think the task of blocking them all is as easy as your comment suggests, but I'll wait to confirm I know precisely what your scheme entails.

    True
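    The visibility gap described in the two scenarios above, as an added example that is not part of the thread: a toy default-deny filter evaluates the same flows once as a router would see them (ports only, no process name) and once as a host firewall would (with the owning executable). The names WebServerX, App1, App2 and the sample flows are taken from or constructed for the scenarios, not real software.

    ```python
    from dataclasses import dataclass
    from typing import List, Optional, Tuple


    @dataclass(frozen=True)
    class Conn:
        direction: str          # "in" (listener on this device) or "out"
        proto: str              # "tcp" or "udp"
        port: int               # local port for "in", remote port for "out"
        process: Optional[str]  # owning executable; None when not visible


    @dataclass(frozen=True)
    class Rule:
        direction: str
        proto: str
        port: int
        process: Optional[str] = None  # None: port-only rule, any process matches

        def matches(self, c: Conn) -> bool:
            return (self.direction == c.direction and self.proto == c.proto
                    and self.port == c.port
                    and (self.process is None or self.process == c.process))


    def allowed(rules: List[Rule], conn: Conn) -> bool:
        """Default-deny: a flow passes only if some allow rule matches it."""
        return any(r.matches(conn) for r in rules)


    # Scenario 1 (inbound :80) and scenario 2 (outbound SSH) as rule sets.
    ROUTER_RULES = [Rule("in", "tcp", 80), Rule("out", "tcp", 22)]
    HOST_RULES = [Rule("in", "tcp", 80, "WebServerX"),
                  Rule("out", "tcp", 22, "App1"),
                  Rule("out", "tcp", 22, "App2")]


    def compare(conn: Conn) -> Tuple[bool, bool]:
        """(router decision, host firewall decision) for one flow.

        The router evaluates the flow with the process field blanked out,
        because nothing on the wire tells it which executable is involved."""
        router_view = Conn(conn.direction, conn.proto, conn.port, None)
        return allowed(ROUTER_RULES, router_view), allowed(HOST_RULES, conn)


    if __name__ == "__main__":
        # Constructed sample flows: legitimate, impostor on an open port, off-port.
        for c in (Conn("in", "tcp", 80, "WebServerX"), Conn("in", "tcp", 80, "other.exe"),
                  Conn("out", "tcp", 22, "App1"), Conn("out", "tcp", 22, "other.exe"),
                  Conn("out", "tcp", 4444, "other.exe")):
            print(c, "-> router/host:", compare(c))
    ```

    The two "other.exe" flows on ports 80 and 22 are exactly the cases where both filters agree on the port but only the host firewall can say no.
    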
     
  25. guest

    guest Guest

    Guess mine is more dated then. It's been like years since I configured my router but what I remember is I chose WPA2PSK, then they showed me the option to use TKIP or AES, which then I chose AES. Unless I'm all wrong to begin with and my memory decided to get dusty once again.
     