Firewall needed behind router?

If you and your family are doing just normal everyday Internet stuff, then I would say no, you don't need a PFW solution behind a NAT router.

The link explains the protection the NAT router provides from the Internet.

However, some people do run a PFW on the machines as a security blanket.

Does the modem/router have traffic logging?

Duane :)

Reply to
Duane Arnold

Peter,

This isn't a silly question. This question gets asked almost daily, and should be asked more.

If you have multiple computers on a LAN, and any one of them is used for Internet access of any type, you should have a personal firewall on each one of them. If any one of them should get infected, it could be with a combined threat that enters the LAN as browser data, and then attacks other computers on the LAN. Having a PFW on each one could save the others, and could alert you to the infection.

The broadband tech needs to educate himself a bit more. Why do you think that there's no requirement for inter-PC protection?

Reply to
Chuck

Peter,

Thanks for the update, and for the encouragement.

Reply to
Chuck

I have three PCs on a LAN which is connected to the Internet via the modem/router unit. Is there any advantage in having a software firewall (in this case McAfee) on these machines, or would the router be sufficient protection? There's no requirement for inter-PC protection - just from the Internet. We just recently upgraded to broadband after a decade of dialup, so it is all a bit new to me. The tech told me the router is configured to prevent DOS and hacker attacks, and I understand a little of the theory, but not a lot, so I apologise if this is a silly question. Thank heaps for helping.

Reply to
Peter in New Zealand

I'm with you when it comes to advocating defense in depth - however PFWs have a well deserved reputation for causing functionality and performance problems while frequently crying wolf, and IMHO are of very limited value given current malware capable of disabling and/or reconfiguring them.

As the administrator of a home network similar to the OP's, configured and maintained in accordance with generally accepted best practices, my biggest concern is the possibility of systems being conscripted via a careless click and/or a zero-day exploit. Modern botnets are highly sophisticated and modular, and there is significant financial incentive for continued development:

In today's environment, I no longer feel comfortable on a home network that relies entirely on PFWs to intercept malicious outbound traffic - so I replaced the NAT router with a firewall. It provides significantly improved outbound control - e.g. IM is now blocked after children's bedtime :-) - but it won't protect me if the botnet owner's ircD is listening on a permitted port...

My firewall appliance was cheap - it only cost 8x the price of a NAT router - and IMHO is easy to configure, but the average home broadband user would probably disagree on both counts. No silver bullets here, but I suspect there's a huge market for an appliance with the functionality of (e.g) a Netscreen 5GT, but sporting an exception-based user interface like the PFWs and a price competitive with the NAT routers.

Unfortunately the bad guys are currently way ahead of usable and affordable defenses available to the average home broadband user, so large botnets proliferate and grow.

Triffid

Reply to
Triffid
Reply to
Peter in New Zealand

questions. They're a sort of walking robot FAQ I suppose. It's really funny

What do you expect at $56NZ for the whole setup, 3 hours of work from a skilled security consultant?

Wolfgang

Reply to
Wolfgang Kueter


"Peter in New Zealand" wrote in message news:TOSpe.6157$ snipped-for-privacy@news.xtra.co.nz...

Get another PC and use that as your network controller, instead of your router. Next, get a program such as Tiny Personal Firewall, and use that to protect your PCs. Because of the way that Tiny works, you will need to be running proxies on the gateway machines in order for your client machines to be able to get out. Programs such as AllegroSurf or ProxyPro are even better than ICS. They are much more secure; I find that when I use one of these programs, I am not receiving a lot of the scans that I would with ICS. The way that AllegroSurf and ProxyPro work, using one of these two programs instead of your hardware router will work well. In fact, AllegroSurf is a LOT better than ANY hardware appliance out there. AllegroSurf will ONLY allow outbound connections to either proxies configured under AllegroSurf (or with another proxy server). This combined with TPF can create a secure system. Also, AllegroSurf, combined with Tiny Personal Firewall, is the ONLY way that will successfully block Kazaa. If you should ever find a need to block Kazaa, using AllegroSurf, combined with Tiny Personal Firewall, is the ONLY way you can stop it. AllegroSurf and Tiny Personal Firewall, on a gateway machine, can stop things that hardware firewall appliances just CANNOT DO. A few people may say otherwise, but AllegroSurf, combined with Tiny Personal Firewall, on a gateway machine, makes hardware appliances obsolete. You should do this, if you are SERIOUS about system security.

Reply to
Charles Newman


One more note: if you do this, be sure to turn System Restore on the gateway machine OFF, or else you might get some weird things happening if the system tries to roll back, so be sure and turn System Restore off if you use AllegroSurf.

Reply to
Charles Newman


Well, AllegroSurf, combined with TPF, is pretty secure. AllegroSurf only permits direct connections to the gateway machine; anything onto the Net must be by a proxy server installed on the gateway machine. It can stop Kazaa, where hardware appliances and Microsoft ICS cannot. Because AllegroSurf only allows connections through the proxy servers on the gateway machine, it is the only thing on the market that can shut down Kazaa completely. If I were a company network admin, the hardware firewalls would be replaced by a machine using AllegroSurf, combined with a software firewall, such as Tiny, and it would be better at stopping things like Kazaa than any hardware firewall. It can also stop the IM services that the hardware firewalls cannot completely shut down. The design of AllegroSurf can keep users from going where you don't want them to. Combine that with Tiny on the gateway machine, and you have a system of controlling where users can go that is better than any hardware appliance out there.

Reply to
Charles Newman

If you think that some personal FW solution is some kind of a stops all and ends all solution, then you have a long way to go. You need to find out if the router has logging and use a logviewer like Wallwatcher, Kiwi Syslog Daemon or some other kind of logviewer and watch inbound and outbound connections to/from the network to possible dubious remote IP(s) as malware can circumvent and defeat all of it once it has compromised a machine.

Duane :)

Reply to
Duane Arnold

No one cares about Kazaa, so why you keep bringing it up is a mystery.

One can set a rule with an FW appliance that can stop inbound or outbound for any site for the entire network of machines. No admin in their right mind is going to use a PFW solution on a gateway machine.

As for a host based solution on a gateway machine, they would use something like a Linux solution like IPcop, Smoothwall, or something like the Vicomsoft solution that requires a MS server. And of course for a MS solution, the O/S would be stripped down.

I am not a Top Gun in this NG and don't make a living at it. However, others who do make a living at it have explained to you what would be done and something like Tiny would not be in the picture.

Tiny is a fine PFW solution to protect a single machine, that's what it's for, but no company admin is going to use something like Tiny on a gateway to protect a company network, unless the admin has a mindset of G. A. Custer at the Little Big Horn.

Duane :)

Reply to
Duane Arnold

So, you know that's not happening so you use a border device such as a NAT router to protect the machines on the network.

So if you don't know what connections are being made by machines on the network by reviewing logs, you wouldn't know if malware had defeated all of it.

If it did happen that your bank account was ripped off, you or someone on your network contributed to it in someway. It just doesn't happen by itself.

The bottom line is one looks for themselves from time to time using proper tools and does not depend upon some solution to tell you everything is A-OK because it's not sounding off.

Duane :)

Reply to
Duane Arnold


Because Kazaa can be a liability, if the RIAA detects anyone offering music outbound through your network.

With ICS, I can see. But AllegroSurf only allows network machines to connect directly with the gateway machine. Anything beyond that has to be through a proxy server, either on AllegroSurf, or through another proxy server on the gateway machine. Combine that with any software firewall, and you have a tightly controlled network that can stop things that the hardware appliances cannot.

Well, any software firewall, whether it be Vicomsoft, Tiny, McAfee, or whatever, combined with AllegroSurf, will more than do the job. I simply recommend Tiny, because the program is easy to learn and use, and can also block by application. I can tell Tiny, for example, to let the HTTP server use port 80, while denying the Socks server access to port 80 (p2p and IM services use port 80 when all other ports have been exhausted). I also deny the Socks server access to ports 1000 through 5300, 6346 through 6352 and 6667 through 7000; that stops virtually every IM, p2p, and chat program on the market.

Well, you have to know what you are doing to make it work on a gateway machine to protect a network. The first thing is to use AllegroSurf, or something other than Microsoft ICS. I find that when I turn ICS off, I don't get hit with as much stuff. For example, I find that I am not getting hit on Messenger ports 1026 to 1029. Messenger only works on ICS. If any other gateway service is being used, you will not be affected by "messenger spam".

Reply to
Charles Newman
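
Duane's advice earlier in the thread is to turn on the router's logging and actually look at inbound and outbound connections rather than trust a PFW to sound off, and Charles's post above lists the port ranges he blocks (1000-5300, 6346-6352, 6667-7000). The script below is an added example, not code from either poster or from any of the products discussed: it reviews constructed iptables-style syslog lines from a hypothetical home router, summarises connections per LAN host, and flags outbound connections into those port ranges (the 6667-7000 range is where an IRC daemon of the kind Triffid mentions would normally listen), connections to a dubious-host watch list, and any inbound connection that reached a LAN address. The LAN prefix, log format, host names and watch-list addresses are assumptions for the example.

```python
"""Review router connection logs for traffic worth a second look.

Added example, not from the thread. Assumes a router that writes
iptables-style LOG lines (SRC= DST= PROTO= DPT=) to syslog; the sample
lines, LAN range and watch-list address below are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Destination port ranges to watch, taken from the ranges discussed in the
# thread; the labels are ours (1000-5300 IM/p2p, 6346-6352 Gnutella, 6667-7000 IRC).
WATCH_PORTS = [
    (1000, 5300, "im-p2p"),
    (6346, 6352, "gnutella"),
    (6667, 7000, "irc"),
]

# Constructed "dubious remote IP" list (documentation address, placeholder only).
DUBIOUS_HOSTS = {"203.0.113.66"}

# Assumed LAN prefix behind the router.
LAN = ip_network("192.168.1.0/24")

# Fields of interest in an iptables LOG line; other fields (LEN=, TTL=, ...) are skipped.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample log: web browsing from .10, IRC-range traffic from .12 to the
# watch-listed host, a Gnutella-range UDP packet from .11, and one inbound hit on .10.
SAMPLE_LOG = """\
Jun  5 21:02:11 router kernel: FW-OUT IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.20 PROTO=TCP SPT=50512 DPT=80
Jun  5 21:02:13 router kernel: FW-OUT IN=br0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.20 PROTO=TCP SPT=50513 DPT=443
Jun  5 21:02:40 router kernel: FW-OUT IN=br0 OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.66 PROTO=TCP SPT=1034 DPT=6667
Jun  5 21:03:02 router kernel: FW-OUT IN=br0 OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.66 PROTO=TCP SPT=1035 DPT=6667
Jun  5 21:03:30 router kernel: FW-OUT IN=br0 OUT=ppp0 SRC=192.168.1.11 DST=198.51.100.77 PROTO=UDP SPT=6346 DPT=6346
Jun  5 21:04:00 router kernel: FW-IN IN=ppp0 OUT= SRC=198.51.100.99 DST=192.168.1.10 PROTO=TCP SPT=4444 DPT=135
Jun  5 21:04:05 router kernel: FW-OUT IN=br0 OUT=ppp0 SRC=192.168.1.11 DST=198.51.100.5 PROTO=ICMP
"""


def parse_line(line):
    """Extract src, dst, protocol and destination port from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "dpt": int(d["dpt"]) if d["dpt"] else None,  # ICMP lines carry no port
    }


def classify(conn):
    """Return the reasons a connection deserves a look; an empty list means nothing unusual."""
    reasons = []
    src, dst = ip_address(conn["src"]), ip_address(conn["dst"])
    outbound = src in LAN and dst not in LAN
    inbound = dst in LAN and src not in LAN
    if outbound and conn["dpt"] is not None:
        for lo, hi, label in WATCH_PORTS:
            if lo <= conn["dpt"] <= hi:
                reasons.append(f"outbound to watched port range {label} ({lo}-{hi})")
    if conn["dst"] in DUBIOUS_HOSTS or conn["src"] in DUBIOUS_HOSTS:
        reasons.append("talks to an address on the dubious-host list")
    if inbound:
        reasons.append("inbound connection reached a LAN host (check port-forward rules)")
    return reasons


def review(log_text):
    """Summarise connections per LAN host: count, distinct destinations, and alerts."""
    per_host = defaultdict(lambda: {"connections": 0, "destinations": set(), "alerts": []})
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is None:
            continue
        # Attribute the line to whichever side is the LAN machine.
        host = conn["src"] if ip_address(conn["src"]) in LAN else conn["dst"]
        entry = per_host[host]
        entry["connections"] += 1
        entry["destinations"].add(conn["dst"])
        for reason in classify(conn):
            entry["alerts"].append((conn["dst"], conn["proto"], conn["dpt"], reason))
    return dict(per_host)


if __name__ == "__main__":
    for host, entry in sorted(review(SAMPLE_LOG).items()):
        print(f"{host}: {entry['connections']} connections, "
              f"{len(entry['destinations'])} destinations, {len(entry['alerts'])} alerts")
        for dst, proto, dpt, reason in entry["alerts"]:
            print(f"    {proto} -> {dst}:{dpt}  {reason}")
```

The point of the per-host summary is the one Duane makes: a machine that suddenly shows a new remote address on a port it never used before is the signal, whether or not the PFW on that machine says anything. Run against a real router's syslog output, the regex would need adjusting to that vendor's line format, and the watch lists would be your own.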

Believe it or not some are reported to have received it. Telecom NZ are really really keen to meet their deadline. Nevertheless your point is a good one. It does seem a good time to get onto broadband in NZ at the moment. My neighbour just signed up after watching me surfing and he got everything almost free!! (Darn! Knew I shoulda waited a few weeks more.)

Reply to
Peter in New Zealand

Many thanks to you all for taking the time to help me. I really appreciate it. Your ideas and suggestions are taken on board, and I will look at the options. Thanks again.

Reply to
Peter in New Zealand

Heck no! I completely understand what you are saying. I personally hold the view that anything man invents man can get around sooner or later. I believe the only perfect security solution as far as the Internet is concerned is the good old "ptpo," or "pull the plug out." I guess it's a matter of deciding how much security one needs and setting up accordingly. I run McAfee antivirus and firewall on all machines, check for updates daily, never open anything I shouldn't, and that is adequate for my setup, at least IMHO. With confidential sensitive data, financial records, etc, I would probably want more security, but all that stuff is on a completely isolated machine. In the end, if anyone really deeply wants to rip off my bank account I guess they could, but for all that's in there they are welcome to it.

Good comments though, and I value your point, particularly as I suspect from your post you know more about this than I do. Thanks.

Reply to
Peter in New Zealand

If you are using a solution such as Vicomsoft, or AllegroSurf, or any third-party gateway program, just be sure that Microsoft ICS is turned off, otherwise you might get some weird things happening. Also, turn System Restore off on the gateway machine as well. I find that when System Restore tries to roll back the gateway machine, things start going haywire. So whether it be Vicomsoft, AllegroSurf, or whatever, you need to turn System Restore on the gateway machine off.

Reply to
Charles Newman

"Charles Newman" wrote in news: snipped-for-privacy@comcast.com:

If it needs to be stopped, then a FW appliance can stop the outbound or inbound traffic -- period.

I want to make this clear to you. I am not talking about a NAT router that some vendor is calling a hardware FW. I am talking about a FW appliance. There is a difference.

Tell this to someone else that doesn't know better.

The PFW solution couldn't handle the workload of a big corporate network -- period. Even the Vicomsoft FW solution took over my entire network and had its own DHCP server when the Win 2K server became the gateway device with two NICs in the machine, one facing the WAN and the other facing the LAN. Tiny or another PFW solution is no match for Vicomsoft's FW solution.

And you're a network Admin for some corporation trying to protect the corporate network and you're going to do it with Tiny right? You continue down this path all you want.

Please *C* -- you're making no sense here. If you post back I won't be responding.

Duane :)

Reply to
Duane Arnold

Absolutely!

Reply to
Peter in New Zealand

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.