Firewall yes, but where?

Both solutions have their benefits and drawbacks as you have observed. Generally speaking ...

The firewall appliance will filter and route port and protocol traffic but doesn't care about application-level stuff (e.g., it doesn't know if the port 80 traffic originated from Netscape Navigator or Kazaa). The up side is that the entire LAN receives its protection from a single point. The down side is that trojans and worms riding on port 80 (and similar scenarios) cannot be blocked.

The personal firewall approach will also filter port and protocol traffic as well as block or allow traffic at the application level but won't do port routing. (Port routing is of importance only if you are offering services to the WAN.) The up side is that the user can control which applications access the WAN and the LAN. The down side is that only a single machine is protected.

IMO (naturally), leaks should never exist except in salads, soups (properly spelled "leek"), sieves, or in the general vicinity of a water closet, tree, or other isolated area. If a firewall leaks, it isn't much of a firewall. If your concern is along those lines, it would be prudent to consider multiple layers of firewalls - both appliance and personal firewall solutions.

Reply to
MyndPhlyp

The PC-firewall is far more likely to leak for various reasons. It may be interfered with or shut down completely by malware on the PC. It may also be that the user does not understand the personal software firewall they installed and misconfigures it. Users often think that a personal firewall is making them secure when really all it's doing is notifying them of things which would not be important even if they didn't have the personal software firewall.

The most basic type of router-firewall is a NAT router, which is not a real firewall but they are in the price range of any home user and simple to configure. If you can afford a better external firewall and are happy to learn how to configure it then get one. You should use an external box even if you have only one PC.

In my view it is better to use an external firewall and learn how to find out exactly what is in your PC and what Internet connections it is making than it is to install a software firewall. If you know what outbound connections are being made and what they are for then why do you want to block them? If you have specific blocking requirements that a software firewall can handle and you understand how to achieve it then ok use one. The average home user does not have a clue what a software firewall does but for some reason they still insist on installing one. In many cases they will install a software firewall but no virus scanner.

Jason

Reply to
Jason Edwards

The home user routers that you are talking about don't have firewalls, they use routing and NAT to protect you, which does not make the device a firewall no matter what the marketing hype calls it.

There is a big difference between the two solutions:

1) A NAT router will not allow (by default config) an unsolicited external connection to your internal systems - there is just no means for it to make it inbound (unless you open a port and direct it inbound in the router's configuration - and this is not done by default). In general, unless you open ports (and you have to manually set this up on the device) there is no real way for unsolicited traffic to reach your computers inside the private network. Additionally, misconfiguring your personal computer will not have any impact on the inbound protection features of the router.

2) Personal firewalls are very susceptible to misconfiguration at all levels by the user running the computer. Since most users also run as an Administrator-level account, they run the risk of allowing malware to reconfigure or disable the firewall application. The firewall application method means that your computer is still reachable by unsolicited external connections, but the firewall will drop/reject the connection if properly configured. With this method, unless you follow proper steps, you run a serious risk of improperly configuring the firewall and rendering it useless.

3) Personal firewalls have an added benefit of being able to detect what applications on your computer are listening and sending information outside your computer, and may alert you to such activity. In most cases the user blindly allows things like IE to access the internet silently and renders this detection useless.

4) Most of the routers, the good home user ones, have logging ability - this means you can run a logging program on your computer and watch the inbound traffic and outbound traffic in real time; you can see the source IP, port, destination IP and port. This is an after-the-fact method of securing your network in that if something were to compromise your computer and you didn't know about it, you might be able to see it in the router logs - such as a rogue SMTP engine installed on your machine spamming the world.

If you get a router with NAT and SPI you will not see any "leaks" inbound.

Reply to
Leythos
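As an added illustration of points 1) and 2) above (example code, not part of the original thread or any vendor's firmware): a toy model of how a home NAT router decides what may come in from the WAN. It tracks outbound connections so that only matching replies are let back in, honours an explicit port-forward rule, and also shows the ISP-style 1:1 NAT mentioned later in the thread, where every port is handed to a single inside host. All addresses, ports and class names are constructed for the example; the state table is keyed on the remote endpoint (restricted NAT), which is an assumption, since real routers differ in how strictly they match replies.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRouter:
    """Hypothetical home router. LAN side is 192.168.0.0/24 (constructed)."""
    wan_ip: str
    # WAN port -> (LAN host, LAN port): the manual 'open a port' rule
    forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # ISP-style 1:1 NAT: every unsolicited port is sent to this host
    dmz_host: Optional[str] = None
    _next_port: int = 40000
    # (translated WAN port, remote ip, remote port) -> (LAN ip, LAN port)
    _state: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source and remember it so the reply can find its way back."""
        key = (self._next_port, pkt.dst, pkt.dport)
        self._state[key] = (pkt.src, pkt.sport)
        self._next_port += 1
        out = Packet(self.wan_ip, key[0], pkt.dst, pkt.dport)
        self.log.append(f"OUT {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} as {out.src}:{out.sport}")
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if state, a forward rule or 1:1 NAT says where; otherwise drop."""
        key = (pkt.dport, pkt.src, pkt.sport)
        if key in self._state:                       # reply to something a LAN host started
            lan_ip, lan_port = self._state[key]
            self.log.append(f"IN  reply {pkt.src}:{pkt.sport} -> {lan_ip}:{lan_port}")
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if pkt.dport in self.forwards:               # an explicitly opened port
            lan_ip, lan_port = self.forwards[pkt.dport]
            self.log.append(f"IN  forwarded {pkt.src}:{pkt.sport} -> {lan_ip}:{lan_port}")
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if self.dmz_host:                            # 1:1 NAT: everything reaches the host
            self.log.append(f"IN  1:1 {pkt.src}:{pkt.sport} -> {self.dmz_host}:{pkt.dport}")
            return Packet(pkt.src, pkt.sport, self.dmz_host, pkt.dport)
        self.log.append(f"DROP unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return None


def demo() -> dict:
    """Run the three configurations against a constructed probe to port 135 (MS-RPC)."""
    probe = Packet("203.0.113.9", 5555, "198.51.100.7", 135)
    results = {}

    # (a) plain NAT router, nothing forwarded: the probe has nowhere to go
    r = NatRouter(wan_ip="198.51.100.7")
    results["unsolicited_dropped"] = r.inbound(probe) is None
    # a LAN host browses out; the matching reply is translated back to it
    out = r.outbound(Packet("192.168.0.10", 51000, "93.184.216.34", 80))
    reply = r.inbound(Packet("93.184.216.34", 80, out.src, out.sport))
    results["reply_returned_to_lan"] = (
        reply is not None and reply.dst == "192.168.0.10" and reply.dport == 51000
    )
    # a packet to the same translated port from a different host is not a reply
    results["spoofed_reply_dropped"] = r.inbound(Packet("203.0.113.9", 80, out.src, out.sport)) is None

    # (b) the same router with port 80 forwarded to a LAN web server
    r2 = NatRouter(wan_ip="198.51.100.7", forwards={80: ("192.168.0.20", 80)})
    fwd = r2.inbound(Packet("203.0.113.9", 5555, "198.51.100.7", 80))
    results["forward_reaches_lan"] = fwd is not None and fwd.dst == "192.168.0.20"
    results["forward_only_that_port"] = r2.inbound(probe) is None

    # (c) ISP-style 1:1 NAT: the private address buys nothing, every port is exposed
    r3 = NatRouter(wan_ip="198.51.100.7", dmz_host="192.168.0.10")
    exposed = r3.inbound(probe)
    results["one_to_one_exposes_everything"] = exposed is not None and exposed.dst == "192.168.0.10"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {ok}")
```

The point the model makes concrete: in (a) a misconfigured PC behind the router changes nothing about what reaches it, whereas in (c), or on a PC with only a personal firewall, every port is reachable and the host's own configuration is the only thing standing between the probe and the service.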

Hello,

I have an understanding problem. There are different opinions about whether to use firewalls or not. But generally I have heard that a firewall in a _router_ connected to a DSL PC is better than a firewall integrated in the same PC, connected to the net by a _modem_ (firewall means personal firewall). My understanding is that there is no difference between these two configurations. If the router firewall leaks, the attack will reach the PC. The same happens if the PC firewall leaks. I see only one advantage in a router firewall, if you have a local net with several PCs. In this case you need only one firewall for all connected PCs.

Please correct me (or agree ;-) ), if my understanding is wrong.

Thanks and greetings

Klaus

Reply to
Klaus Haber

On Sun, 20 Feb 2005 16:12:12 +0100, Klaus Haber wrote: [snip]

Since your ISP provides a DSL modem, you don't need to buy a modem/router device; it's more expense. If your IP address is something like 10.0.0.x or 192.168.0.x then your DSL modem is already set up to do NAT and it may already be protecting you. Some ISPs use NAT, but they do a 1:1 and forward all ports INBOUND - which makes no sense to me.

If you purchase your own router with NAT and SPI you would have easier/better control over what you allow in/out of your network. In most cases, since you're not in the US (I'm assuming based on your statement) you need to make sure that the router supports your DSL connection method; most support PPPoE, some support PPPoA; you need to make sure it uses the same method as your ISP.

I would always suggest that the user get at least a router with NAT and use a private IP inside their network, even with just one computer, as the first layer of protection. Typical D-Link, Netgear and Linksys units do a fine job for home user protection.

There are no stupid questions only stupid answers :-) Never be afraid to ask a question.

Reply to
Leythos

Hello,

thanks for your comment.

On Sun, 20 Feb 2005 14:22:06 GMT, MyndPhlyp wrote:

First, my apologies for incorrect expressions; English is not my mother tongue. So it is a little bit difficult for me to follow your exact explanations.

Let me simply ask again: I have only _one_ PC, which is connected to a DSL net. With regard to the safer functioning of the firewall, would it be better

a) to use a router with integrated firewall and modem, or b) would it be safer to use a single modem with the firewall integrated in the PC?

Which case is the "better" solution?

I don't know if my questions are stupid or can be answered at all, but please try ;-)

Regards Klaus

Reply to
Klaus Haber

Hello Leythos,

I thank you and Jason for the reply.

On Sun, 20 Feb 2005 14:47:27 GMT, Leythos wrote:

If I understand correctly, chapter 1 belongs to "router with firewall".

Chapters 2 and 3 are valid for firewalls in PCs.

Well, NAT is included in the router, but I did not find anything about SPI.

To give you a better understanding of what I will do (did), some information.

For 2 months I have had a new PC with Win XP Home. My old one was running Windows 98 SE. Both machines are equipped with AntiVir. The new one has been running for 2 months. On both machines I installed a PFW, Zone Labs. During the last 1.5 years with the old one I had no problems with hackers, worms and so on. The old one is no longer connected to the net. But one week ago I got trouble with the new one. I could not read one of my own postings in a newsgroup: all words in a line were joined together. I got the information that this could happen if I used Zone Labs. And indeed, after uninstalling ZA, the problem was gone. The answer to my following question, which other PFW I should use, was unexpected for me: no other PFW! Then I got a lot of postings about what I should do: to make sure that my ports are closed, to close most of the XP services, to use e.g. Firefox (which I already did) and so on. And as for a PFW, if any, to use the XP PFW. I followed all these recommendations. One of these was also to use a router with integrated modem and firewall and turn off the XP firewall.

This is the point where I stand now. I have the possibility to get, for a few Euros, an original new router from the German Telekom, type Sinus 1045 DSL. In the written manual it is very clearly stated that this router has a "firewall integrated". Maybe that is incorrect in your eyes, but it is written there several times.

Now what should I do? My idea was to use the router with the "integrated firewall" and turn off the XP firewall, keeping all the other above-mentioned safety adjustments on the PC. Is this a correct solution? On the other hand, a router would give me the possibility to connect the old PC back to the Internet.

Sorry again for my bad English, but I hope you understand me. Let me state that I am already rather old, so it is not easy for me to follow the "new technology", but I do my best ;-)

Thanks again, Klaus

Reply to
Klaus Haber

No. They are very different things. A personal firewall is just software that controls the internet access of other programs. It can be easily fooled, as explained in the latest Phrack Magazine.

And if you are running your operating system as administrator or root, any program, malware, spyware or things like that can change the behaviour of the software firewall. So these programs are useful, but they are what they are: programs that control other programs.

Having the firewall in a router, or a *real* software firewall on another machine (Checkpoint Firewall, Linux firewall, xBSD firewall, etc.), works with packets and connections. So it's much more difficult to fool one of these firewalls. And if we are talking about a hardware firewall integrated into a router it's even more difficult to bypass it.

And keep in mind that if you have a box with a bastion firewall, even a software one like Linux, and that box has a bug that can be remotely exploited, then *that* machine is compromised; but if you have your firewall on your production machine then *the production* machine is compromised.

Regards.

Reply to
Jose Maria Lopez Hernandez

Where are you coming up with that? The PFW solutions do have a feature called App Control that can be fooled. However, the PFW is a software FW solution geared to protect the O/S and its services and programs, along with other non-O/S programs, from attack, just like any other FW solution in the traditional sense of stopping unsolicited inbound traffic to the machine, and some have the ability to stop outbound like any other FW. It's just that some PFW solutions have extra features incorporated in them trying to protect the user from themselves, which is useless in a lot of cases.

There would be no way I would take my laptop and connect it to another network other than my own without a PFW solution enabled on the machine - a wired or wireless network at that.

Duane :)

Reply to
Duane Arnold

Many vendors call the NAT/SPI packaged with routers/modems firewalls, but they are just not really firewalls; they are simple routers with firewall-LIKE features. They are still good devices for home users and I would strongly suggest that you at least have that type of device between your computer and the internet.

If you use the router with NAT and disable the Windows Firewall you won't be missing anything, in fact you could leave the Windows Firewall enabled and you would not notice any real difference.

The router provides the ability to connect more than one machine to an ISP's network where they only provide 1 external IP address - your machines can share that single IP connection - even the W98 machine.

You are doing fine and the english is fine too - at least you know enough to question your security and seek a solution that you can understand - Bravo to you.

Reply to
Leythos

OK, here goes.

I finally got my wife her own separate computer and need to hook it up to the Road Runner cable modem. I'm not sure yet if I want the two computers to be networked to each other as well or just act like stand-alone machines each capable of accessing the Internet. I don't think it matters at this point anyhow, but thought I'd mention it. My machine is running WinMe and she has WinXP Home Edition.

I'm considering two different routers, a Linksys BEFSR41 or a Linksys BEFSX41. At a later date I might like to add something like a Linksys PSUS4 PrintServer. Which router would you recommend and briefly why? My level of expertise with networking is that I understand the basic terms and concepts, but have zero practical hands-on experience.

As for personal firewalls... my machine runs ZoneAlarm's free firewall ver 4.5.594 (last 4.5 version) and hers is still as it came from Dell. I never upgraded from ZA 4.5 because the 5.X series upgrade notices were too full of the word "fixed." I'm inclined to just put ZA 4.5 on the XP machine unless the XP firewall is adequate. Is it? I'm as concerned with being a good net citizen and keeping bad things in if they do get in as I am with keeping them out in the first place. Does ZA seem to be a reasonable plan or is the XP firewall adequate?

Thank you.

Jim Higgins

Reply to
Jim Higgins

Both routers offer the same means of protection (NAT), but the SX also acts as a two-connection VPN end-point. The BEFSR41 unit runs about $50 while the SX runs about $100.

I like the SX, but I have need for VPN endpoint connections to my local network, you may not. Either one will protect you as well as the other in real world use.

I would only run ZA or other PFW until you are secure in your ability to manage security on your network. I run no PFW on any of our computers and not on any clients' computers, but we monitor the logs daily (import them and run custom scripts to pull out interesting points) to determine if there has been a new threat or a compromise.

The BEFSR41 unit does logging, meaning you can download WallWatcher and let it monitor your IN/OUT bound traffic through the router. I don't know if the SX in its latest firmware still has logging or not.

Reply to
Leythos
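An added example (not from the thread, and not WallWatcher's or Linksys's code) of the kind of "custom script over router logs" described above: it parses a constructed export of inbound/outbound lines carrying source IP, port, destination IP and port, then pulls out two of the "interesting points" the thread mentions, a LAN host acting as a rogue SMTP engine and a WAN host probing many ports. The log line format, thresholds and all addresses are assumptions made for the example; a real router export would need its own regex.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample export. Layout (timestamp, direction, src -> dst, action)
# is an assumption for this example, not any real router's format.
SAMPLE_LOG = """\
2005-02-20 16:01:02 OUT 192.168.0.10:1055 -> 66.102.7.99:80 ALLOW
2005-02-20 16:01:03 OUT 192.168.0.10:1056 -> 66.102.7.99:80 ALLOW
2005-02-20 16:01:05 OUT 192.168.0.20:1301 -> 192.0.2.25:25 ALLOW
2005-02-20 16:01:10 IN  203.0.113.9:4444 -> 198.51.100.7:135 DROP
2005-02-20 16:01:10 IN  203.0.113.9:4445 -> 198.51.100.7:139 DROP
2005-02-20 16:01:11 IN  203.0.113.9:4446 -> 198.51.100.7:445 DROP
2005-02-20 16:01:11 IN  203.0.113.9:4447 -> 198.51.100.7:1025 DROP
2005-02-20 16:01:12 IN  203.0.113.9:4448 -> 198.51.100.7:3389 DROP
2005-02-20 16:01:12 IN  203.0.113.9:4449 -> 198.51.100.7:5900 DROP
2005-02-20 16:01:30 IN  198.18.0.5:6000 -> 198.51.100.7:1434 DROP
2005-02-20 16:02:00 OUT 192.168.0.10:1060 -> 203.0.113.50:25 ALLOW
2005-02-20 16:02:00 OUT 192.168.0.10:1061 -> 203.0.113.51:25 ALLOW
2005-02-20 16:02:01 OUT 192.168.0.10:1062 -> 203.0.113.52:25 ALLOW
2005-02-20 16:02:01 OUT 192.168.0.10:1063 -> 203.0.113.53:25 ALLOW
2005-02-20 16:02:02 OUT 192.168.0.10:1064 -> 203.0.113.54:25 ALLOW
2005-02-20 16:02:02 OUT 192.168.0.10:1065 -> 203.0.113.55:25 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+(?P<action>ALLOW|DROP))?\s*$"
)


def parse(log_text: str) -> List[dict]:
    """Turn the export into records; blank or unrecognised lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_spam_engines(records: List[dict], min_destinations: int = 5) -> Dict[str, int]:
    """LAN hosts opening SMTP (25/tcp) to many distinct servers.
    A normal desktop talks to its one mail server; a spam engine talks to many MX hosts."""
    dests = defaultdict(set)
    for r in records:
        if r["dir"] == "OUT" and r["dport"] == 25:
            dests[r["src"]].add(r["dst"])
    return {host: len(d) for host, d in dests.items() if len(d) >= min_destinations}


def find_port_scans(records: List[dict], min_ports: int = 5) -> Dict[str, List[int]]:
    """WAN sources whose unsolicited packets were dropped on many distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["dir"] == "IN" and r["action"] == "DROP":
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("possible spam engines:", find_spam_engines(recs))
    print("possible port scans:", find_port_scans(recs))
```

On the constructed input, 192.168.0.20's single connection to its mail server stays below the threshold while 192.168.0.10 is flagged for six distinct SMTP destinations, and the single dropped probe from 198.18.0.5 is ignored while 203.0.113.9 is reported with the list of ports it tried. The thresholds are deliberately low for a 16-line sample; on a day's worth of real logs they would be tuned against what the household normally does.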

First: did you read the Phrack Magazine article I was talking about? Maybe it will make you see the PFW in another way. Second: PFWs are not real firewalls. They usually don't stop packets by their characteristics and are not stateful; they only control which programs can send or receive packets. That can be called anything but a firewall. Third: a real firewall has some specific characteristics that make it more secure than a PFW. They are stateful. They have control over the connections made and the received ones that correspond to them. They can change characteristics of the packets and connections. I could be talking about this ad infinitum.

Conclusion: a Personal Firewall is a *Personal* Firewall, and a Real Firewall is a *Real* Firewall. They are different things, they work in a different way and they serve different purposes.

Of course. And I use a Personal Firewall, Sygate Personal Firewall, with my XP, but if you need a firewall for a production system with a LAN of computers it's far better to have a firewall box, software or hardware, than to have Personal Firewalls on the desktop computers.

And for the OP's case, the best solution is having both: a firewall in the router and a free personal firewall such as the Sygate one on the computer.

Regards.

Reply to
Jose Maria Lopez Hernandez

I will also apologize for my English; I speak American.

Appliance firewall versus personal firewall is a difficult one to answer without getting flamed. I could argue in either direction using a variety of rationale.

My preference is to use a good appliance firewall. Most every appliance firewall targeting the home user comes with a "Block WAN" setting that rejects all unsolicited traffic from the WAN. I think it is safe to say they all use at least NAT. This is considered "basic" protection. They are relatively simple to install and configure. Costs are a bit more than what you would pay for a personal firewall. It is not going to take away any of your computer's resources. Throughput differences should be close to negligible. It is not subject to corruption due to vulnerabilities elsewhere in your system.

Reply to
MyndPhlyp

Jose Maria Lopez Hernandez wrote in news: snipped-for-privacy@individual.net:

You mean everything that's being explained in the link and the other information about as to what a FW does?

You got a link to this article you're talking about?

I cannot disagree with you there on a large-scale operation. On the other hand, one can use a gateway computer with a PFW for a small network such as the home. In some situations a router is not a viable solution, such as with an ad hoc all-wireless network using ICS and a gateway computer, or, the last time I looked, one couldn't use a router with a satellite connection, and one can use a gateway computer with a PFW to protect a small LAN. So some people do use a PFW solution on a gateway computer as well, and in those situations they are not controlling what programs are communicating on a single machine. Some PFWs do have the capabilities to do it.

If you're talking about a NAT router, then it has no FW, period. And if the router had a true FW, then the OP wouldn't need Sygate to supplement it, if that's what you're talking about, because it would meet the specs for *What does a Network FW do* (in the link above), and a PFW solution cannot meet that spec for a network FW, but in some cases they will do just fine.

Duane :)

Reply to
Duane Arnold

You can say that about a Win 9x O/S. But you cannot say that about an NT-based O/S, as everything gets its own address space and processing thread; even a 16-bit DOS app will get its own address space and processing thread due to NTVDM. On the other hand, if the machine has been compromised by a malware program it has been compromised, and a PFW, NAT router, FW appliance or whatever other kind of FW is not going to stop anything.

Duane :)

Reply to
Duane Arnold

I heavily snipped the following and reordered it a bit.

Thanks for the router advice. I'll download the manuals for both the BEFSR41 and BEFSX41 and check out the details you hinted might have changed in the SX41 before buying.

Here's where the rubber really meets the road... I'm not sure when I'll be "secure in my ability." I guess if I want to sleep well I better keep a PFW in place on each machine. For sure the one I have now logs quite a bit of seemingly nasty stuff and maybe 20 - 50 times more "pings and dings" of no real consequence. It was "fun" seeing it work via the alerts it gave for the first few minutes, but when it comes time to actually use the machine for something there was just no alternative to turning the alerts off. ;-) If I understand things correctly, with the router in place all that stuff - at least all incoming - will disappear as far as the firewall is concerned. Right?

The only outgoing stuff caught by the firewall are programs I choose to give access selectively... like I don't see any reason Windows Media Player should have access every time it finishes playing... as one example.

I'm assuming that inherent to your statement above that you don't run a PFW on each machine is your statement in earlier advice to others that you run a "real" firewall on a separate machine. That's not likely to happen here.

I run one machine with print and file shares disabled, and when I add the wife's machine and the router I guess I'll disable print and file shares on her machine also... if for no other reason than to keep one machine from infecting the other should one get infected. (I consider that possibility very remote based on past history, my refusal to open unexpected attachments even if from snipped-for-privacy@Heaven.org, fairly tight browser settings, and other safe hex practices my wife also follows.) Not sure how disabling shares and local networking between the two local PCs might impact a possible future printer shared thru a Linksys Printserver such as the PSUS4. It strikes me I'll need local networking activated to do that. True?

Thanks again for your advice. I feel confident enough to go ahead safely - or at least no more unsafely than at present - even if my setup isn't optimum.

Reply to
Jim Higgins

The PFW running on your computers will have very little to deal with as most of the things that you want to block will already be blocked by the router.

Now, I run a $4000 firewall appliance in my home and in my business. In the early days I only had a router that provided NAT and didn't have SPI, it was more than enough at the time. When I started managing my business out of my home I moved to a real firewall and many IP's on the external connection as well as many public services that are now offered. I would never consider running a email/ftp/web/other public server behind just a router, it would have to be a firewall class machine/appliance.

As long as you patch both machines and don't share any accounts that have administrator user/password combinations and run quality AV software they can't infect each other (generally).

The print service through a print server device is different - you can actually set it up on both machines (to its IP) without having to share it from a computer - meaning that it's independent for each computer. This means you can still disable file/printer sharing and not have matching accounts/passwords, and both can use the printer as it's accessed by IP, not a computer share.

Anytime, let us know how it works.

Reply to
Leythos

Are you sure it is a 1045 DSL? I don't find anything about that one. The T-Com Sinus 1054 DSL is a pretty average WLAN DSL router. The "firewall" is also about the same as in other low-cost DSL routers. The terminology is not standardized, which is why everyone can use the terms the way they want to. It does have some firewall capabilities, but for you as a standard user it is all you need. From the manual I browsed through, it seems to have everything I have on my Linksys WRT router. The Sinus is just adjusted to deal with T-DSL. I did not really check whether the router is fully T-Com branded, i.e. whether it will not work with any other T-DSL connection.

Unless you plan to provide servers to the internet, this thing will give you all the protection you need and can get. And it is nicely extendable and you have WLAN. Just make sure to configure the WLAN even if you won't use it at first. Do not use WEP; use WPA. Configure it with a random pre-shared key. Again, I only quickly browsed the manual so I don't know this, but most low-cost WLAN routers are wide open in the default configuration. If you don't configure the WLAN, basically anyone can use your DSL connection, can access your computer connected to the LAN and can configure the router any way they want. The first thing to do is to close the WLAN down and use WPA for protection. (WEP is insufficient and can be broken in a few hours. Depending on your neighborhood and how many teenage hackers you have around...)

Gerald

Reply to
Gerald Vogt
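An added example (not part of the thread) of why the advice above says "random pre-shared key" rather than just "WPA": it shows how WPA/WPA2-Personal derives the 256-bit pairwise master key from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), generates a random passphrase with a CSPRNG, and runs the offline guessing an attacker performs after capturing a handshake, which recovers a wordlist passphrase but not a random one. It goes slightly beyond the post by showing the attack side. The SSID, the weak passphrase and the wordlist are constructed; the attacker is handed the PMK directly instead of verifying guesses against a captured 4-way handshake, which is a simplification noted in the code.

```python
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional

# Constructed values for the example; not the router's real default SSID.
SSID = "Sinus1054-example"
WEAK_PASSPHRASE = "sunshine1"
# Tiny constructed wordlist standing in for the multi-million-entry lists attackers use.
WORDLIST = ["password", "12345678", "qwertyui", "sunshine1", "letmein!!"]


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iters, 256 bits).
    The standard allows 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def random_passphrase(length: int = 32) -> str:
    """A random pre-shared key from the OS CSPRNG. 32 characters of [A-Za-z0-9]
    is about 190 bits of entropy, far beyond what any wordlist or brute force reaches."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def offline_guess(pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """The attacker's loop: derive the PMK for each guess and test it.
    Simplification (assumption for brevity): compare against the PMK directly;
    a real attack checks each guess against the MIC in a captured 4-way handshake,
    which costs the same PBKDF2 work per guess."""
    for guess in candidates:
        try:
            if hmac.compare_digest(wpa_psk(guess, ssid), pmk):
                return guess
        except ValueError:
            continue  # not a legal WPA passphrase, cannot be the one in use
    return None


def demo() -> dict:
    weak_pmk = wpa_psk(WEAK_PASSPHRASE, SSID)
    strong = random_passphrase()
    strong_pmk = wpa_psk(strong, SSID)
    return {
        "weak_recovered": offline_guess(weak_pmk, SSID, WORDLIST),
        "strong_recovered": offline_guess(strong_pmk, SSID, WORDLIST),
        "pmk_bits": len(strong_pmk) * 8,
    }


if __name__ == "__main__":
    r = demo()
    print("weak passphrase recovered from wordlist:", r["weak_recovered"])
    print("random passphrase recovered from wordlist:", r["strong_recovered"])
    print("example random passphrase:", random_passphrase())
```

Two practical notes follow from the derivation: the SSID is the salt, so a default SSID shared by thousands of routers lets an attacker precompute tables for it, and the 4096 iterations slow each guess but do not stop a dictionary attack, so the passphrase, not the algorithm, is what carries the security.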

Hello Gerald,

On Mon, 21 Feb 2005 09:34:38 +0900, Gerald Vogt wrote:

Sorry... of course Sinus 10*54* DSL.

Hm..., correct, T-Com branded. And I use *T*-DSL, even though my provider is not T-Com. But I think there would be no trouble, because I now use the T-Com branded modem Teledat 430 LAN with success. Since the Teledat 430 works properly, I assume the Sinus 1054 will do the same.

Is there a reason to do so? At the moment I would not use *W*LAN. I will connect to the router via cable.

Yes, that was already my intention.

Thanks for your advice; I know this and I will do so.

Last question: are you German? May I contact you in German if I have trouble or need some help? It would be easier for me.

Regards Klaus

Reply to
Klaus Haber

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.