Here in the UK, I am on NTL cable and have just one PC attached.
My head is spinning with all the configuration rules and exceptions which need configuring for a software firewall.
I thought I was doing ok with user guides like the section called: "Personal firewall configuration for cable modems"
formatting link
But it turns out that things are still more complicated than that. As an example, I installed Outpost and came across this advice page.
formatting link
wow. It's all too much! :-) I just want protection without becoming an enthusiast or even expert in firewall configuration.
QUESTION ONE: If I buy a hardware firewall then will it completely replace the need for me to have a software firewall? That would save me some headaches!
QUESTION TWO: I might get a second PC and want to attach both PCs to the cable network at the same time. I have heard I can do it with a box which includes a hardware firewall as well as some other functions. But exactly what sort of box is it that I would need? Any suggestions about recommended hardware devices would be welcome.
Nothing is perfect and nothing can protect you from all threats, not even a combination of Appliance and software.
In general, an appliance is a better bet than software, if your computer were to be compromised by some means, with a software based (we call those personal firewalls) the compromiser could disable your personal firewall application. It's much harder to put a hole in an appliance from a compromised machine that it is to put a hole in a PFW.
Most of the devices you are going to be able to purchase under $400 are called NAT Routers, they are not firewalls (even though they are called Firewalls by their vendors), but they do provide what I consider the best first layer of protection and would never setup a network without at least that minimum layer. A NAT router acts to block unsolicited inbound traffice, but in almost every case, it doesn't do anything to block outbound traffic - this means nothing gets in unless your computer requests it (and if you were compromised you don't personally have to request anything, the virus/worm can do it without you).
I installed a NAT Router in a Sorority, 40+ girls in a house, all with different computers and versions of Windows, not one of them has been compromised since we installed it, not one unsolicited packet has made it inbound, and they are able to do all they need.
Units like the Linksys BEFSX41 are nice, as are the DI804HV units from D-Link, but something as cheap as the Linksys BEFSR41 unit will do as well as most SOHO units.
One nice thing about the Linksys units is that you can also run a free program called WallWatcher to monitor all inbound and outbound traffic through the Linksys router - it lets you see what's happening in real-time, so, once you learn to read it, you can see if your computer's been compromised. I don't run a personal firewall on any computer behind a NAT Router or Firewall Appliance, but I also know how to secure the computers so that I don't need one.
1 - Up to you. A hardware firewall is good for protection from all intruders gaining direct access to your PC/network, but no good at detecting things from calling home. It is also much easier to set up. A software firewall gives you the extra protection in detecting things from calling home, but they can be quite easy to configure incorrectly and leave you vulnerable. A hardware firewall is independent of your PC and so uses no PC resources.
2 - You want a Router. This automatically provides firewall protection. Before you get a recommendation, you need to decide if you want a wireless or wired setup (although some routers support both). To complicate things, some routers can act as print servers which can help with sharing printers.
Personally I only run a hardware firewall, but I am looking for a free software one which fits particular criteria as well. Jetico may be the one for me when thay have sorted a blocking bug for me. Kerio 2.1.5 is no good for one of my apps, and 4 does not support WinME. ZoneAlarm did not used to do something I wanted, but it may do now, so I might try it again. I never got to grips with the old Outpost.
Agreed, but all virus are caught by you AV software I would have thought thus not sending out any packets, there is no use sticking a firewall in front of you network if you do not have any AV software running locally
AV software can only catch viruses/tojans it already knows about. So a software firewall can still serve a purpose in stopping outgoing traffic if you get infected by something your AV software doesn't know about yet.
Unfortunately the sort of people who manage to install viruses and trojans are the same people that will probably just click "allow" when the software firewall spots something fishy going on....
They won't have to. The virus needs only to add the ~20 lines of code needed to click the "allow" button itself. There is no way a personal firewall will protect a compromised system as long as it allows user interaction and/or does not run with higher privs than the virus can obtain.
Absolutely correct, and a Firewall is not suppose too. An application monitoring service running on your local computer that monitors APPLICATIONS does that. Some packages, personal firewalls, have application monitors, but not all. Appliances don't monitor the applications on a computer, they monitor traffic to/from the PC - and if you setup your firewall/router correctly, limit the outbound ports (such as limiting SMTP to your ISP's SMTP server only), you can eliminate most of the ways that viruses spread.
You can get yourself a NAT router that's going to stop the inbound threats and ease the complicated rules and provides good protection. The NAT router is a plug it up and go device with little configuration on your part.
Once again the NAT router that has (logging) that you can use with a log viewer so you can watch inbound and outbound traffic to/from the network.
formatting link
However, NAT routers cannot stop outbound and some people supplement the NAT router with a PFW solution that can stop outbound. If you go that route with supplement PFW solution on the machines, then find one that you can disable the complicated bloat ware in it such as Application Control and the other stuff. The PFW solution should be able to stop all outbound period or by port or IP if need be -- simple rules.
Or get yourself a low-end (true) firewall appliance that has router capabilities that can stop inbound and outbound and has logging too. And the FW appliance has the rules already made and all you have to do is enable them if needed along with the ability to make additional more complicated rules yourself for inbound or outbound, but most likely you will not need to make any rules. Here too, the low-end SOHO FW is basically a plug it up and go device with little configuration on your part.
Yes, it is an acute PITA to realize that to do a litttle surfing and emailing in relative security, you must devote untold hours to mastering the arcana of firewalls, virus checkers, spyware eliminators, and on and on.
But such is life on the internet.
The question is: Are you willing to settle for "not bad" or "pretty good" protection, or do you wish to be (nearly) bombproof.
The latter takes enormous effort including educating yourself about endless nooks and crannies of OSs and programs. The former can be done with much less effort but the risks remain considerable.
What can I say? It's up to you to choose.
Regards,
PS Fortunately there are tools that cater to the different mindsets. While, for instance, no firewall will be rock-solid when used "out of the box," those like Zonealarm will provide considerable - but by no means complete - protection for those who don't want to spend a lot of efort.
OTOH you can diddle with, say, Sygate endlessly to get it "just so" and it will provide better - but still not perfect - protection.
That's bullshit. It doesn't cause issues with routing of packets whatsoever. A hardware firewall offers inbound protection. A software firewall offers both inbound and outbound protection. A combination of both is the optimal arrangement.
Ian JP Kenefick wrote in news: snipped-for-privacy@4ax.com:
A NAT router with (no FW) only provides inbound protection with no outbound protection.
You'll notice the part (is not a real FW but good enough).
formatting link
Well, so does a FW appliance with a (true/real) FW that can stop inbound or outbound traffic by port, protocol or IP and is better than a NAT router supplemented with a PFW solution running on a machine, IMHO. If one has a FW appliance, one doesn't need the combination of a NAT (no FW) router and a PFW solution. And one doesn't need a PFW solution.
The vendors, the people that don't know the difference between a NAT box and a firewall, the people that make statements like "Firewalls don't offer any outbound protection/blocking" :)
I would hardly refer to static policies as outbound protection. In order to provide outbound protection you must work from the application layer. A hardware solution does not provide this.
It depends on how you look at it - I see the spreading of Viruses as a means and that an Appliance can stop the spread of viruses. As an example, many commercial appliances can bet set to block outbound ports that enable the spreading, block outbound attachments, block inbound attachments, stop file sharing and even setup secure connections between networks so that you don't have to directly expose a service to the public.
I've seen many routers with NAT, where you can setup personal PORTS, block outbound SMTP engine worms, block outbound MS file sharing worms, and even though they are not firewalls, the ones with blocking do indeed allow users to slow/stop the spread of a virus on infected machines.
I've never said a appliance will remove/clean a virus infected computer, but if you can't see how they can prevent the spread you should read up on firewalls (real ones) a little more.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.