OK, how about the real IP/subnet mask/port firewall built into your DSL/cable modem? It's free, it operates at layer 3, and it is working outside your PC's messy world, inline before the Ethernet frames even reach your PC. Also, most of the ones I have seen (Cisco/Linksys) are capable of doing some filtering for OSI layers 4-7 (anti-virus/spyware), again *before* the encapsulated data even reaches the insecure world of your PC. These kinds of devices can also do NAT to hide the IP addresses of your internal private network.
Now, to add something to this thread, what about low cost devices that could look for IP spoofing, man-in-the-middle attacks, port scanning, layer 4 attacks (such as TCP sequence number attacks), etc. See
Has anyone done research on low cost (< $1k, for example) devices for upper layer protection
the data even reaches the insecure world of Windows)?
I'm aware of what's available in UNIX/LINUX, but thinking about low cost devices.
It may be that the best low cost solution is a dual-homed computer running Snort, iptables, imap, Nessus... but wondering if any devices are being shipped that do all this in firmware?