Do I really need firewall? A newbie's question

Hi,

The ip address scheme that you selected with the 19.168.x.x will make it so your internal machines (depending on how you've set them up) can communicate between themselves, do they have firewalls on them?

Or are you just asking: if you have the individual computers set up with their own firewalls and you have the major ports blocked for the IPs you have assigned to your computers, why would there be a reason to put another potential issue/problem in the way of getting data in and out of your home network?

I think that if you have ports open and non-firewalled computers then it probably wouldn't hurt too terribly much to have the router's added security on your home network. I personally try to stay away from most router firewalls (on routers that I can afford lol) because it can lead to problems with blocking programs randomly... not to mention having to log into your router every time you want to change something or to see if something has been blocked, instead of being alerted by a little popbox (which gets REALLY annoying when you're playing a game and it pulls you out of it).

I think this leads back to the age-old debate of which is better - having a software firewall vs blocking all your unneeded ports and controlling access to your computer.

I like a mix of both, balance is good... especially when it leads to increased protection...

Hope this was of some assistance.

Demon

Reply to
Demon77

I would have to say a big maybe on that...

If you're worried about network security I would hope that you would not have systems that were saturated with malware.

But for a newbie (like myself as well) a good software firewall on the box, a good virus scanner, regular spyware scans, common sense and a properly configured router will keep people away from my ip.

Now if you want to get technical, yes... people can walk through one of those little routers easily, and probably do it on a regular basis. But why would someone who can blow through a router and compromise a box want to go through a regular computer user's box? They would get bored after their second "adventure" and want to move on to bigger things or do something else.

I say no on the router firewall... mainly because it will give one more hoop for the information to jump through on its way out and back in... Not to mention that the firewall a router is sporting is probably not the best thing that was ever done...

Block the unused ports, NAT properly, take care of the specific systems (computers, boxes, etc) and hope you don't attract a hacker that can blow through security easily and you will be just fine.

Demon

Reply to
Demon77

"Lei Hu" wrote in news:d51l7j$7to$ snipped-for-privacy@nnrp.waia.asn.au:

But it doesn't mean that someone couldn't launch an attack against the public IP the adsl/router is using. And they can come past the NAT router. In addition to that, if a machine on the LAN is compromised by malware such as a Trojan, the NAT router usually has no means to stop traffic to the compromising site, either inbound to the machine or outbound from the machine.

If you have any sense, you'll enable whatever else that NAT router has for protection.

Duane :)

Reply to
Duane Arnold

"Demon77" wrote in news:1114932831.801571.59210 @f14g2000cwb.googlegroups.com:

That's a given.

Any software running at the machine level as so-called protection can be circumvented and defeated, and the machine compromised, if the malware can make it to the machine, the malware is executed and the conditions are right. It can go around every last bit of it. And I have seen posts not only in the NG but in other NG(s) where the malware has done just that.

The newbie hacker has to practice on someone to sharpen their skills before going for bigger game.

I would say not. There are thieves out there that know how to execute computer crimes as well, looking for identity information, bank information, tax information etc. etc. And more and more home users who can barely turn on a computer, let alone know how to protect a computer or a network of computers, are keeping that information on their computers and connecting to the Internet. And these same users want to put up a home website and the whole nine yards and don't really know about the protection that is required in order to do it, yet they do it, and I would suspect some are being taken to the cleaners.

I have to say that you don't know what you're talking about. The NAT router, if nothing else, is a standalone device that's not running on the computer with the O/S and cannot be taken down, exposing the entire machine to the Internet. And the more layers someone would have to come through, the more of a deterrent it is.

The NAT router blocks all inbound ports by default. As long as you're not doing high-risk things like port forwarding, then the NAT router sitting in front of the machine(s) is good at what it does to protect from unsolicited inbound scans and attacks, along with some supplementation on the machines, whether that be a PFW or some other packet filter software active on the machine, IMHO. One can run all that other junk on the machines too if it will ease his or her mind.

I'll assume you bottom posted me for a reason. ;-)

Duane :)

There would be no way that I would do a direct connection of a machine to the Internet with just a host based or PFW solution as the sole protection for the machine. There is no way that I'll ever do that.

Duane :)

Reply to
Duane Arnold

There is no such thing.

Yes, no, maybe.

OK.

If you trust the NAT implementation ...

Unfortunately, among all the snake oil you recommended you forgot the most important thing: strict user and access rights.

Pure speculation.

The average home user machine, which today is often permanently connected to the net, makes quite an interesting target that can be remotely controlled by installed malware. These boxes form botnets that are for example used to send out a lot of spam. Professional spamming has become quite a big business today.

How would you do that? What tools to use for that?

Nothing more to be done than 'trust the implementation'.

What does that mean?

Hope? What will you recommend next, daily prayers?

Here comes my list:

  1. Set user and access rights as strict as possible.
  2. Install only the absolute minimum of software that is required to get the work with a certain box done.
  3. Install security patches as soon as possible.
  4. Do not use bloated software; better, do not even install it.
  5. Lock down the box, shut down all unwanted services.
  6. Delete any attachments you receive via email from anybody.
  7. Do not use insecure client software like IE and Outlook (Express).
  8. Keep totally off from IRC and P2P networks.
  9. Filter incoming and outgoing traffic with a suitable perimeter device.
  10. Learn to understand log files.
  11. Read security lists regularly.

Wolfgang

Reply to
Wolfgang Kueter

You are right as long

- as the NAT implementation functions properly

- as an attacker cannot get access to the router

- as the non-routable addresses are really not routed on the internet.

Wolfgang

Reply to
Wolfgang Kueter

"Lei Hu" wrote in news:d52itj$fh$ snipped-for-privacy@nnrp.waia.asn.au:

Attacks can be run against a NAT device. I don't have the article anymore but it was explained how attacks are run against a NAT router, which is basically what you're talking about without enabling the router's FW like features. Attacks came past my Linksys NAT router like it wasn't even there, which forced me to get an appliance that had a real FW. But the NAT router at the time was supplemented by a PFW that was protecting at the machine level.

In the link, it talks about the NAT device and its shortcomings.

Well, your understanding is wrong. First of all, the NAT router doesn't have a FW. However, some do have the ability to stop outbound by setting a rule to stop it. But an appliance that is running true FW software, or a host based software FW on a gateway computer for a network, does have the means to stop outbound traffic by port, protocol, or IP if the rule has been created. So in that case, a FW could stop all outbound coming from the LAN IP/machine or outbound going to the remote Internet IP.

What does a FW do? That's being explained in the link.
It seems you have some learning to do.

Duane :)

Reply to
Duane Arnold

Let me take that back. For the most part, you're right. But you can still block a local IP from sending outbound to the remote IP and you can block all inbound from the remote IP even if the machine behind the FW initiated the contact, if you were working with a real FW. ;-)

Duane :)

Reply to
Duane Arnold

Dear Experts,

I have a newbie question about firewall, and hope you can explain to me. Thanks beforehand.

My home network has three computers, and uses ADSL for Internet connection. I just use a normal ADSL modem/router, and use 192.168.x.x addresses in LAN. These addresses are non-routable, which means that other people cannot access my computers from outside using these IP addresses. So, why should I enable firewall in my modem/router settings?

Any reply is appreciated. Thanks!

Lei

Reply to
Lei Hu

In article , Lei Hu wrote:
The reason I ask this is that because I'm using non-routable IPs in my local machines, there's no way for hackers to see or access my machines from outside of my LAN. That is what I think. Any explanation?

False.


Reply to
Walter Roberson

Well...

I guess I am clearly out of my league... (as it seems quite obvious from the replies to my post)...

Lei good luck...

I have enjoyed the articles that were posted, definitely a learning experience.

-In response to specific messages aimed at me-

Hope? What will you recommend next, daily prayers?

lol, that's a funny response...

I respect what you say when you talk about setting permissions and running a VERY tight ship when it comes to computing and box access and so forth...

There are a lot of people that:

A) will have difficulty setting tight user and access privileges
B) enjoy having large, copious amounts of software on their computers that they can use - home users don't worry about having a barebones system that only does exactly what they need because they don't have anything extra added on to it.
C) The term "bloated software products" I believe is in the eye of the beholder and also depends on what they want on their system.
D) Yes, P2P and chat programs are fun... but a HUGE security threat.
E) Email attachments can be incredibly important for certain groups of people; refusing all email attachments may make you more secure, but I feel that is almost in the same ideal as - the only real way to secure a computer is to disconnect it from the outside world, and only allow 1 person to ever access it... if even that... Data integrity = 100% other than hardware degradation (I am only joking, I don't know what the real number would be).
F) What suitable perimeter device would you suggest to filter inbound/outbound traffic? A hardware firewall other than a router?
G) The logs I presume are from the previously noted device?
H) I am interested to know where security lists are posted - please post a link.

You have a very sound way of protecting a work computer/network... as a SysAdmin/NetAdmin your practices are sound... home users more often than not do not practice the things you laid out for a number of reasons - as I have just posted some very vague examples of above - but mainly complexity and convenience.

Anyhow... practice safe computing... don't become part of a bot network...

And with any suggestions - read most of the stuff, filter out the stuff that's way over your head, and use the things that you know you are able to, and if you don't know it already you know you can learn in a short amount of time.

Laterz

-Demon

Reply to
Demon77

Demon,

Thanks for your kind reply. I'm afraid I didn't put my question clearly.

With my LAN described in my previous email, I don't have any firewall installed or enabled on individual machines. I don't care about any access from the other computers within the LAN. If I also disable the firewall in the ADSL modem/router, is it possible for other people from the Internet to access any of my machines? If yes, how? Give me a scenario?

The reason I ask this is that because I'm using non-routable IPs in my local machines, there's no way for hackers to see or access my machines from outside of my LAN. That is what I think. Any explanation?

Thanks once again.

Lei

Reply to
Lei Hu

But why does it matter, if I haven't set any IP forwarding to a local machine? If no IP forwarding is set, attacks against the public IP of the router only affect the modem/router, which can also happen even though you have the firewall enabled. Well, that's only my understanding. Please explain to me if I'm wrong.

Well, it's my understanding again. A firewall doesn't block any traffic if it's initiated by a local machine. For example, if a computer in the LAN goes to a website (whether it's good or bad), a firewall will allow IP packets from that website to get through. How do you explain that?

Thanks and regards,

Lei

Reply to
Lei Hu

Wrong, a NAT Router doesn't block that type of traffic, that's how NAT works. In a firewall you have explicit outbound and explicit inbound rules, just because something inside can get out doesn't mean the contacted device can get back in to talk to the sender.

Reply to
Leythos
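To make the distinction Duane and Leythos draw concrete, here is a small model added to this thread (it is not code from any poster): a NAT-only device lets every LAN-initiated flow open a return path and consults no policy, while a stateful firewall evaluates an explicit deny rule before state, so a blocked remote host is cut off in both directions even when the LAN machine started the contact. All addresses and the "bad" host are constructed for the example.

```python
"""Toy model of why NAT alone is not a firewall (constructed example).
A NAT router lets any LAN-initiated flow open a return path; a stateful
firewall checks explicit rules first, so a deny rule wins even when the
LAN machine started the conversation."""
from dataclasses import dataclass, field
LAN_HOST = "192.168.1.10"   # constructed LAN address
BAD_HOST = "203.0.113.66"   # constructed stand-in for a malicious site
GOOD_HOST = "192.0.2.10"    # constructed stand-in for a normal site
SCANNER = "198.51.100.7"    # constructed unsolicited Internet source

@dataclass
class Packet:
    src: str
    dst: str
    port: int        # simplification: the remote service port, both ways
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN

@dataclass
class NatRouter:
    """NAT only: an outbound flow creates a translation; inbound passes
    if and only if it matches one. No policy is consulted."""
    table: set = field(default_factory=set)

    def handle(self, p: Packet) -> bool:
        if p.direction == "out":
            self.table.add((p.src, p.dst, p.port))   # pinhole for replies
            return True
        return (p.dst, p.src, p.port) in self.table

@dataclass
class StatefulFirewall(NatRouter):
    """Deny rules are evaluated before state, so a blocked host is cut off
    in both directions even if the LAN machine initiated the contact."""
    blocked: set = field(default_factory=set)

    def handle(self, p: Packet) -> bool:
        if p.src in self.blocked or p.dst in self.blocked:
            return False
        return super().handle(p)

def scenario(device) -> dict:
    """Replay the same constructed traffic through a device; collect verdicts."""
    r = {}
    r["unsolicited_in"] = device.handle(Packet(SCANNER, LAN_HOST, 445, "in"))
    r["out_to_bad"] = device.handle(Packet(LAN_HOST, BAD_HOST, 80, "out"))
    r["reply_from_bad"] = device.handle(Packet(BAD_HOST, LAN_HOST, 80, "in"))
    device.handle(Packet(LAN_HOST, GOOD_HOST, 80, "out"))
    r["reply_from_good"] = device.handle(Packet(GOOD_HOST, LAN_HOST, 80, "in"))
    return r
```

Both devices drop the unsolicited scan, which is the point Lei was relying on; only the firewall refuses the outbound contact to the blocked host and the reply that would otherwise ride back through the NAT pinhole.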

Sure there is:

An exploit could allow them to send a packet/attack to your router and compromise it and then reprogram it to allow inbound.

Another is you visiting a malicious website and running something designed to attack your router and compromise it - allowing inbound without you knowing.

You getting an email, download, or some other malicious application that phones home and asks for instructions.

Your IP routes from your PUBLIC IP to your LOCAL network through any path that you map in FORWARDING or when any machine in your networks makes an outbound connection.

Reply to
Leythos

"Lei Hu" wrote in news:d53tjn$rjh$ snipped-for-privacy@nnrp.waia.asn.au:

I can suggest that you search Google or Dogpile.com for links. I am sure you'll find something.

Two of the Top Guns in the NG that have a heck of a lot more expertise than I do in the above areas and in FW and security in general have replied to you. Maybe, you should respond to them. ;-)

Duane :)

Reply to
Duane Arnold

"Demon77" wrote in news:1114999058.267388.14920 @f14g2000cwb.googlegroups.com:

They came past the NAT router a couple of times. But it was more than enough for me to find something better due to what I have running on the machines and program development work, training and what not.

I got a low-end Watchguard FireBox III SOHO 6 FW appliance. There's a new WG unit that is replacing the SOHO 6 and you may be able to get one for a real good price. There are other low-end ones too, like Sonicwall, Snapgear, Netscreen, just to name a few.

Duane :)

Reply to
Duane Arnold

Hi Duane,

Yes, I'm learning. That's why I'm asking these newbie questions. I'll read the links in your email, and if you have any good documents explaining how NAT, PAT, ICS, firewall, etc. work, that'd be great.

Thanks for your time and effort.

Lei

Reply to
Lei Hu

Guys,

I think it's time to finish this topic, and I'll go do some homework, and maybe get back to you later. Thanks guys for all your kind replies!

Lei

Reply to
Lei Hu
