To Firewall or not to Firewall



andargor

Rule Lawyer Groupie
Supporter
Or look at a Linux based firewall. A small machine costing literally a few dozen bucks would be enough. Netfilter rocks, if you need incoming traffic.

Or use your Linksys WRT54G (or GS) as a linux box in addition to a WiFi box. Go take a peek at OpenWRT (openwrt.org). Heck, run a web server on it, if you wish.

Andargor
 

werk

First Post
Rl'Halsinor said:
To keep this short I had to reformat my harddrive due to my firewall failing. I was flooded with adware and malware galore in about 10 seconds. I still can't get rid of E2Give. Suffice to say I got a Linksys router to go along with my Norton Anti-virus, Webroot Spy Sweeper, and ZoneAlarm 5.0 Pro. Today I had to shut down ZoneAlarm and I noticed that I was able to access the internet much faster. In fact, I hadn't been able to log on to these message boards since getting my PC up and running again. I kept getting "This site cannot be posted on from a foreign host." I thought it was due to my router but it seems Zone Alarm may be the culprit.

So with my router, do I still need Zone Alarm or a firewall in general? It sure is a hog and as I said it sure can slow down internet surfing. It also seems to conflict with other PC utilities or it doesn't remember all the time what you give access to and the ones you deny. Thanks.

E2Give has a special removal process, and my firewall did not protect me from any of that junk on my work computer (this one) even though I am behind a proxy server, hardware firewalls, BlackICE, Norton, and Spybot.

A vaccination will not prevent a broken leg.

As for firewall yes or no...A big loud yes. Compare it to someone breaking into your house even though it is locked vs. what would happen if you just left all your windows and doors standing wide open all the time. Do whatever you can to deter intruders, otherwise you welcome them with open arms.
 

I run a hardware based firewall and Norton Internet Security. The HW firewall stops most inbound nasties, but since I have to open some ports, the SW firewall also does a good job of catching the occasional exploit that the hardware firewall missed, since NIS looks at behavior while the firewall just looks at packets. Plus, the default behavior for NIS is to ask me the first time a program tries to access the internet, which is a nice safeguard on those few occasions a piece of mal-ware gets through (or those times where I see no reason why some program should need to call home).

Security in depth. Never trust one thing to keep you safe. Layers are better.
 

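The "ask me the first time a program tries to access the internet" behaviour from the post above, modelled in code. This is an added example, not code from any poster or from Norton Internet Security: it assumes a host firewall that keys its remembered decisions on both the program name and a hash of the program image, so a binary that has been replaced or patched is prompted for again. The program images, the user's recognised-program list and the "updater.exe" name are constructed for the demo.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for executables on disk: program name -> image bytes.
# A real host firewall hashes the file the process was launched from.
PROGRAMS: Dict[str, bytes] = {
    "iexplore.exe": b"IEXPLORE-IMAGE-6.0",
}


def fingerprint(image: bytes) -> str:
    """SHA-256 of the program image; a changed binary gets a different fingerprint."""
    return hashlib.sha256(image).hexdigest()


class HostFirewall:
    """Per-program outbound control in the 'ask on first connect' style.

    Decisions are remembered per (program name, image hash). A program whose binary
    has been replaced or tampered with no longer matches its remembered rule and is
    asked about again, which is something an external NAT router cannot see."""

    def __init__(self, ask_user: Callable[[str, str], bool]):
        self.ask_user = ask_user                        # (program, reason) -> allow?
        self.rules: Dict[str, Tuple[str, bool]] = {}    # program -> (fingerprint, allowed)
        self.log: List[str] = []

    def may_connect(self, program: str, image: bytes, dst: str) -> bool:
        digest = fingerprint(image)
        remembered = self.rules.get(program)
        if remembered and remembered[0] == digest:
            verdict = remembered[1]
            self.log.append(f"{program} -> {dst}: {'allow' if verdict else 'deny'} (remembered)")
            return verdict
        reason = "binary changed since last time" if remembered else "first connection"
        verdict = self.ask_user(program, reason)
        self.rules[program] = (digest, verdict)
        self.log.append(f"{program} -> {dst}: {'allow' if verdict else 'deny'} (asked: {reason})")
        return verdict


def demo() -> dict:
    """Run the scenarios from the thread and return the decisions for inspection."""
    prompts: List[Tuple[str, str]] = []
    recognised = {"iexplore.exe"}   # constructed: the names this user actually knows

    def cautious_user(program: str, reason: str) -> bool:
        prompts.append((program, reason))
        # Approve known programs on first use; treat a changed binary as suspicious.
        return program in recognised and reason == "first connection"

    fw = HostFirewall(cautious_user)
    out = {}
    out["browser_first"] = fw.may_connect("iexplore.exe", PROGRAMS["iexplore.exe"], "www.example.com:80")
    out["browser_again"] = fw.may_connect("iexplore.exe", PROGRAMS["iexplore.exe"], "www.example.com:80")
    # Malware that patches or replaces the browser binary: same name, different image.
    out["browser_modified"] = fw.may_connect("iexplore.exe", PROGRAMS["iexplore.exe"] + b"+patched", "203.0.113.9:6667")
    # Unknown dropper calling home (constructed name): the user does not recognise it.
    out["dropper"] = fw.may_connect("updater.exe", b"DROPPER-IMAGE", "203.0.113.9:80")
    out["dropper_again"] = fw.may_connect("updater.exe", b"DROPPER-IMAGE", "203.0.113.9:80")
    out["prompts"] = len(prompts)
    out["log"] = fw.log
    return out


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The second browser connection is answered from the remembered rule without a prompt; the patched browser and the unknown dropper each get one prompt, so the demo raises three prompts in total. The weakness the thread also mentions holds here: all of this lives on the same PC as the malware, so anything running with enough privilege can simply stop the firewall process or edit its rules.
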
azhrei_fje

First Post
I had to smile when I read andargor's post. And I was already smiling pretty hard reading some of these other posts.

Why do you people put up with such a shoddy operating system!? I mean, I can understand the sentiment that, "it's what I'm used to", but if you were used to your car being broken into twice a day, wouldn't you consider a different car, one a little less prone to being victimized? Or at least, a different usage pattern for your car?

My wife does our (personal) accounting on Quicken. I cringe when I think about it (shudder). My plan is to install VMware on a Linux box next week (when I get back from a business trip) and put Quicken inside. No more downloading data from a bank's web site -- she'll download it using Linux and then access the static file from the Windows side. The goal is to prevent Windows from having any kind of "real-time" access to the network. This won't solve every problem, but until I can get Quicken to run properly under Wine, it's about the best I can do.

She does our business accounting on a SUSE Linux machine, with OpenOffice and other tools. And she's gotten good at it! The same machine has our ripped music on it, and she's learning how to burn CDs with K3b. She asked the other day why the Windows CD burning was so much more difficult to use! I had to smile and tell her, "I don't know why. :("

Sorry, I didn't mean to hijack the thread. But her willingness to try something new -- and succeed at it! -- is very gratifying for me. :)
 

talmar

First Post
By its definition, this is true. However, the Linksys router that we all know and love (at least I do!) is a NAT device - Network Address Translation. NAT is a type of firewall, albeit a brute force one.

Somewhat true.

Depending on your network configuration, a NAT router can be a very cost-effective, inexpensive and reliable addition to your computer's security. At US$40 to $70, they can be worth getting even if you only have one computer.

In their default configuration, common NAT routers do effectively handle the particular problem of unsolicited inbound packets reaching a computer on an internal network.

But sometimes networks have requirements that make NAT boxes inadequate.

NAT routers provide very good protection for normal homes and small offices/home offices (SOHOs) against unsolicited inbound events from outside the network. So a NAT router is normally adequate for homes and SOHOs for protection against incoming events.

However, you will want to consider additional protection for these reasons:

You should definitely run a software firewall on any computer that connects to AOL using a different Internet Service Provider (AOL's Bring-Your-Own-Access plan or AOL MAX using an ISP) no matter what kind of hardware firewall or NAT router you have.

AOL BYOA connects to your computer by creating a "tunnel" through the Internet. With AOL BYOA, tunneling uses your real IP address to connect you to AOL's network where you have a second IP address. Traffic using that second IP address is inside the tunnel.

With AOL, the far end of the tunnel is other AOL customers and the Internet, so it is untrusted.

The solution is to use a software firewall. A software firewall will effectively filter the traffic after it leaves AOL's tunnel and before it gets into the rest of your computer. In some countries AOL9 Max includes the free option of installing the McAfee Firewall Express software firewall.

Somewhat similarly, if you connect to an untrusted network using Virtual Private Networking (VPN), you should either use a software firewall or an external VPN firewall.

VPN uses encrypted "tunnels" for privacy. Traffic is only decrypted when it leaves the tunnel. Each end of the tunnel looks somewhat like an extension of the LAN at the other end: one end of the tunnel may have LAN IP addresses such as 192.168.1.xxx and the other end may have LAN IP addresses such as 192.168.10.xxx. Network Address Translation is not used for traffic when it leaves the VPN tunnel, so there is no NAT protection for traffic through the tunnel.

With VPN, you can use software firewalls. Alternatively you can use an external VPN capable firewall. With an external VPN firewall, the VPN tunnel can be configured to end on the external VPN firewall. This means the external firewall is decrypting the VPN traffic, and it can then examine the traffic and protect your computers.

Be sure to test that your external firewall is configured correctly to protect against unauthorized traffic from outside and inside the tunnel.

If you have to turn on port forwarding or the DMZ to run servers or other applications you should consider either a software firewall or a more expensive SPI firewall.

Turning on port forwarding means traffic for the forwarded ports is forwarded to the specified computer automatically, without the protection of NAT. (Most NAT routers do at least basic packet filtering, in addition to NAT. So there is some protection, but not specifically against unsolicited traffic.)

In this circumstance you can add a software firewall, or run a more complex and expensive hardware firewall or firewall appliance.

The safer methods of "port triggering" or UPnP can be used instead of port forwarding or the DMZ, which avoids this vulnerability. (See below.)

However, if you are running a publicly available server you will probably have to use port forwarding.

Generally software firewalls provide valuable additional protection that supplements the protection provided by NAT routers and SPI firewalls.

They can inexpensively provide good protection for individual computers on your network in the event that one of the computers gets infected.

Software firewalls can also watch for trojans, viruses, or unauthorized legitimate software, trying to connect out. Software firewalls have the advantage that they know what is going on inside your computer, they can see which program is trying to get out, and whether that program has changed since the last time it tried to get out. External firewalls and NAT routers can't do that.

The downside of software firewalls is that they can be shut down by users, stalled or terminated by other software on the PC malfunctioning, and certain viruses and trojans disable them or shut them down.

On the other hand, while external firewalls and NAT routers don't know exactly what is going on inside your computer, they are simple devices that are much less likely to have problems that cause them to fail dangerously.

Ideally a software firewall should be an additional layer of protection behind a NAT router or external firewall. For homes a free version of a software firewall or the built-in Windows firewall is normally adequate for this additional layer of protection.
 

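To make the NAT, port-forwarding, port-triggering and DMZ points in the post above concrete, here is an added example (mine, not the poster's, and not the firmware of any Linksys or OpenWRT box) that simulates a SOHO NAT router the way netfilter's connection tracking behaves: an outbound packet creates a translation entry, an inbound packet is delivered only if it matches such an entry, a static forward, an open trigger, or the DMZ host, and everything else is dropped. All addresses, ports and the IRC/ident trigger pair are constructed for the demo; real routers also expire trigger and conntrack entries, which the toy model leaves out.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Rough netfilter equivalents of the two core behaviours modelled below
# (shown for orientation only; nothing here executes iptables):
#   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class NatRouter:
    """Toy SOHO NAT router with conntrack-style reply matching."""

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self._next_port = first_port
        # (proto, wan_port, remote_ip, remote_port) -> LAN endpoint that opened the flow
        self.conntrack: Dict[Tuple[str, int, str, int], Endpoint] = {}
        self.forwards: Dict[Tuple[str, int], Endpoint] = {}   # (proto, wan_port) -> LAN endpoint
        self.triggers: Dict[Tuple[str, int], int] = {}        # (proto, outbound port) -> inbound port to open
        self.triggered: Dict[Tuple[str, int], str] = {}       # (proto, inbound port) -> LAN host that triggered it
        self.dmz_host: Optional[str] = None

    def forward_port(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def add_trigger(self, proto: str, trigger_port: int, open_port: int) -> None:
        self.triggers[(proto, trigger_port)] = open_port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the WAN address and remember the mapping."""
        wan_port = self._next_port
        self._next_port += 1
        self.conntrack[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        open_port = self.triggers.get((pkt.proto, pkt.dst_port))
        if open_port is not None:   # port triggering: open the inbound port, but only toward this host
            self.triggered[(pkt.proto, open_port)] = pkt.src_ip
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: return the packet as delivered inside, or None if dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        lan = self.conntrack.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan:   # reply to a connection a LAN host started (same remote ip:port required)
            return replace(pkt, dst_ip=lan[0], dst_port=lan[1])
        lan = self.forwards.get((pkt.proto, pkt.dst_port))
        if lan:   # static port forward: anyone on the Internet reaches this LAN service
            return replace(pkt, dst_ip=lan[0], dst_port=lan[1])
        host = self.triggered.get((pkt.proto, pkt.dst_port))
        if host:  # triggered port: open only after, and only for, the host that triggered it
            return replace(pkt, dst_ip=host)
        if self.dmz_host:   # DMZ host: every unmatched packet lands here
            return replace(pkt, dst_ip=self.dmz_host)
        return None   # unsolicited inbound with no match: this is the "NAT protection"


def demo() -> dict:
    """Walk through the thread's scenarios; returns what the LAN side would see."""
    r = NatRouter("198.51.100.7")
    out = {}
    # A LAN PC browses to a web server; the router rewrites the source and records the flow.
    sent = r.outbound(Packet("tcp", "192.168.1.10", 50123, "203.0.113.5", 80))
    out["translated_src"] = (sent.src_ip, sent.src_port)
    reply = r.inbound(Packet("tcp", "203.0.113.5", 80, "198.51.100.7", sent.src_port))
    out["reply_delivered_to"] = (reply.dst_ip, reply.dst_port)
    # Same WAN port, different remote host: not a reply to anything, dropped.
    out["spoofed_reply"] = r.inbound(Packet("tcp", "192.0.2.66", 80, "198.51.100.7", sent.src_port))
    # Unsolicited SMB probe from the Internet: nothing matches, dropped.
    out["smb_probe"] = r.inbound(Packet("tcp", "192.0.2.66", 31337, "198.51.100.7", 445))
    # Port forward 80/tcp to a LAN web server: that host is now reachable by anyone.
    r.forward_port("tcp", 80, "192.168.1.20", 80)
    fwd = r.inbound(Packet("tcp", "192.0.2.66", 31337, "198.51.100.7", 80))
    out["forwarded_to"] = (fwd.dst_ip, fwd.dst_port)
    # Port triggering (IRC/ident): outbound 6667 opens inbound 113, only for the triggering host.
    r.add_trigger("tcp", 6667, 113)
    out["ident_before_trigger"] = r.inbound(Packet("tcp", "203.0.113.9", 2000, "198.51.100.7", 113))
    r.outbound(Packet("tcp", "192.168.1.30", 50200, "203.0.113.9", 6667))
    out["ident_after_trigger"] = r.inbound(Packet("tcp", "203.0.113.9", 2000, "198.51.100.7", 113)).dst_ip
    # DMZ host: the same SMB probe that was dropped earlier now reaches a LAN machine.
    r.dmz_host = "192.168.1.40"
    out["dmz_receives_smb"] = r.inbound(Packet("tcp", "192.0.2.66", 31337, "198.51.100.7", 445)).dst_ip
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The run shows why the post's advice holds: the SMB probe is dropped on a plain NAT box, reaches the web server's neighbour only if you forward that port, reaches the ident port only for the host that just opened an IRC connection, and reaches the DMZ host unconditionally. Once you forward a port or declare a DMZ host, the router is no longer filtering unsolicited traffic to that host, which is exactly where a host firewall or a stateful-inspection appliance has to take over.
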
ssampier

First Post
As a support person I absolutely despise software firewalls because they are a pain to support. I often get calls from customers where their Internet doesn't work. I double check all settings; they receive an IP address, but cannot browse. Invariably it is their software firewall causing the problem. They turn it off, it works fine. Since we didn't provide the firewall, we cannot provide any specific support for adding that particular program.

Second, software firewalls make the assumption that you are familiar with your computer and the programs installed (iexplore.exe is Internet Explorer, how many people *really* know that?). The automatic detect tends to foul up in my experience, so it works great for awhile, and then blocks everything (usually inadvertently from user error).

Granted NAT routers are not the alpha and omega. You need a good set of anti-virus and anti-spyware utilities as well. If you run regular scans on your computer, I find them unnecessary in many respects. They are needed in two instances: dialup Internet, and laptop computers (open Wi-Fi access point).

I have considered adding a Linux firewall to my system for extra protection, but I haven’t made that step yet.
 

jcfiala

Explorer
I've got ZoneAlarm on my home computer, and it hasn't caused any trouble with connecting to anything. It seems to have fits when I'm using Azureus with it, but it's a fit I can put up with.

Are there any other free firewalls that are worth looking into as an alternative?
 
