NAT is a "natural" firewall?

Aren't a lot of these NAT "firewalls" (BEFSX41 etc.) a pretty good firewall?

You can't attack it because ports are only opened from the inside.

So basically someone has to download something to a PC on the inside, and then that software has to "phone home", so to speak, to allow a connection through the firewall.

Sites like

formatting link
etc. have nice tests to test the firewalls.

How is this not a good firewall?

I also run Norton's antivirus on all my PCs and occasionally Spybot and Ad-Aware. I have yet to be hacked or get a virus.

IMO

Reply to
John Smith

NAT is NOT a natural firewall; a firewall is something that only permits access between networks based on rule sets defined by the user.

The NAT box does little to block outbound, does little to block outbound by service, can't tell the difference between SMTP and HTTP on port 80, and does little more than what NAT was designed for.

NAT is nothing like a firewall, it's only a fake firewall feeling used by marketing / sales types to sell something to the ignorant.

Now, with that being said, a cheap NAT router is the starting point for most users on the Internet, in fact, it's the absolute least I would want anyone to have.

Reply to
Leythos

These type of discussions make my colon bleed.

Reply to
Munpe Q

I forgot to mention. The other thing my BEFSX41 has is SNMP. I use Wall Watcher and get logs from the device. Works well for ID (intrusion detection) and it's free. I would contend that looking at what traffic is going in and out of your firewall device is the best way to see if you have been corrupted internally in some way. Granted, it's closing the barn door after the cows have left, but if it is done in a timely manner you can shut down traffic.

As I said though, I have never had a virus or lost data. For most home networks of friends I know, I recommend:

- A net appliance: Linksys, Netgear, etc. ($10 at Best Buy on sale.)

- Get Norton's antivirus, or the free German one if cash-strapped, and run Ad-Aware and Spybot.

- Then ditch IE and go with Firefox until the hackers learn to prefer it. I don't have Microsoft.

- Rename Messenger to something else. That's it. Of the people I have recommended this to, no one has had a virus or been hacked.

Oh, as for people I know that want to post pictures, I tell them to put them on their ISP's web site. Most have a link for customers, and buy a domain for $8 at GoDaddy. Then you don't need to leave your PC on.

IMO this is enough. Anyone disagree?

Reply to
John Smith
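
The log review John Smith describes above (watching what leaves the LAN to spot an internally compromised machine), as an added example that is not from the thread or from Wall Watcher: it parses a constructed outbound-connection log in a made-up format (not the BEFSX41's) and flags any LAN host that opens TCP/25 to several mail servers other than the ISP's relay, the pattern a mass-mailing infection leaves behind. The relay address and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed outbound-connection log in a made-up format (not Wall Watcher's
# or the BEFSX41's): timestamp, direction, LAN src:port -> dst:port, protocol.
SAMPLE_LOG = """\
2005-05-20 10:01:02 OUT 192.168.1.10:50001 -> 203.0.113.80:80 TCP
2005-05-20 10:01:05 OUT 192.168.1.10:50002 -> 203.0.113.81:443 TCP
2005-05-20 10:02:00 OUT 192.168.1.12:50100 -> 198.51.100.25:25 TCP
2005-05-20 10:02:01 OUT 192.168.1.12:50101 -> 192.0.2.11:25 TCP
2005-05-20 10:02:01 OUT 192.168.1.12:50102 -> 192.0.2.12:25 TCP
2005-05-20 10:02:02 OUT 192.168.1.12:50103 -> 192.0.2.13:25 TCP
2005-05-20 10:02:02 OUT 192.168.1.12:50104 -> 192.0.2.14:25 TCP
2005-05-20 10:02:03 OUT 192.168.1.12:50105 -> 192.0.2.15:25 TCP
2005-05-20 10:03:00 OUT 192.168.1.10:50003 -> 198.51.100.25:25 TCP
this line is garbage and is skipped by the parser
"""

ISP_RELAY = "198.51.100.25"   # assumed ISP mail relay (constructed address)

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

def parse(log: str):
    """Yield (timestamp, src, dst, dport, proto) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"]

def smtp_fan_out(log: str, relay: str = ISP_RELAY, threshold: int = 3):
    """Hosts that opened TCP/25 to at least `threshold` distinct servers other
    than the ISP relay; a home PC normally only ever talks to the relay."""
    dests = defaultdict(set)
    for _ts, src, dst, dport, proto in parse(log):
        if proto == "TCP" and dport == 25 and dst != relay:
            dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, servers in smtp_fan_out(SAMPLE_LOG).items():
        print(f"{host} opened SMTP to {len(servers)} non-relay servers: {', '.join(servers)}")
```

192.168.1.10 only ever talks to the relay and is not reported; 192.168.1.12 fans out to five strangers and is.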

A "real firewall" is usually a packet filter - it can't really tell whether you use HTTP or SMTP, just that it's TCP/80. Only firewall systems that include forcing users to use proxy servers can do that kind of filtering.

But I don't think a 3-layer firewall is really necessary for home users :-)

Juergen Nieveler

Reply to
Juergen Nieveler
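
The distinction Juergen draws above (a packet filter sees only TCP/80; a proxy sees the protocol), as an added example that is not from the thread: a small content check that names the protocol from the first bytes a client sends, then compares a port-only verdict with a content-aware one. The policy table and the sample sessions are constructed; the TLS case also shows his later point that a proxy passes HTTPS it cannot look inside.

```python
import re

# Signatures of the first bytes a client sends (constructed list, not exhaustive).
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_COMMAND = re.compile(rb"^(EHLO |HELO |MAIL FROM:|RCPT TO:|STARTTLS)", re.IGNORECASE)
TLS_HANDSHAKE = b"\x16\x03"   # TLS record: content type 22 (handshake), version 3.x

def identify(client_bytes: bytes) -> str:
    """Name the protocol from the first bytes the client sends. SMTP servers
    normally speak first, so the client's first bytes are EHLO/HELO."""
    if HTTP_REQUEST.match(client_bytes):
        return "http"
    if SMTP_COMMAND.match(client_bytes):
        return "smtp"
    if client_bytes.startswith(TLS_HANDSHAKE):
        return "tls"
    return "unknown"

# Assumed egress policy: the protocol each permitted port is supposed to carry.
POLICY = {80: "http", 443: "tls", 25: "smtp"}

def decide(dport: int, client_bytes: bytes):
    """Return (port_only_verdict, content_aware_verdict) for one outbound session."""
    port_only = "allow" if dport in POLICY else "drop"
    content_aware = "allow" if POLICY.get(dport) == identify(client_bytes) else "drop"
    return port_only, content_aware

SESSIONS = [  # constructed samples
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"EHLO infected-pc.example\r\n"),                   # SMTP engine using the web port
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello (truncated)
    (4444, b"hello"),
]

if __name__ == "__main__":
    for dport, data in SESSIONS:
        print(dport, identify(data), decide(dport, data))
```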

Juergen Nieveler wrote in news: snipped-for-privacy@nieveler.org:

But it's these same home users who want to put up a Web server and whatever else they are trying to do, thinking that the NAT router is good enough. The NAT router for home usage is good enough if the home user is not doing high-risk things. On the other hand, why not get a low-end FW appliance that doesn't need to be supplemented by a PFW or some other packet-filtering solution at the machine level, like so many home users tend to do with a NAT router for home usage, which I was doing too? But I dumped every last bit of it when I got that low-end FW appliance.

Duane :)

Reply to
Duane Arnold

Strange, all the firewall appliances that I purchase can tell the difference. Yes, they have proxy services, but that's what separates the men from the children. The NAT devices are only good as a first, cheap layer of defense for home users. If a user has any kids or provides any public services, they need something more. Actually, they need more anyway, but the MINIMUM is a simple NAT device to block unsolicited inbound traffic.

You don't think it's necessary?

I think that's subjective and based on a cost/risk judgement, not on a threat/protection assessment. If the home user were to be compromised by a virus with its own SMTP engine while using a NAT box, it could spam the world with more copies of the virus; with a firewall the user could limit the outbound SMTP session to port 25 and could limit it to the ISP's mail server. With a real firewall they could also strip malicious attachments from inbound email, something that EVERY home user really needs.

Reply to
Leythos
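
The behaviour argued over in the opening post and in Leythos's two replies above (NAT opens ports only from the inside, lets anything out, and so lets a "phone home" or a mass-mailer through, while a firewall can pin outbound SMTP to the ISP's mail server), as an added example that is not from the thread: a toy connection table for a NAT-only box beside the same table with egress rules added. Addresses, ports and the traffic list are constructed.

```python
from collections import namedtuple

# Constructed 5-tuple; direction is "out" (LAN -> Internet) or "in".
Packet = namedtuple("Packet", "direction proto src sport dst dport")

LAN_PC = "192.168.1.10"          # constructed inside host
ISP_RELAY = "198.51.100.25"      # assumed ISP mail relay (constructed address)

class NatRouter:
    """Model of the NAT-only box: anything outbound opens a flow; inbound is
    accepted only if it answers a flow already opened from the inside."""
    def __init__(self):
        self.flows = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def handle(self, p):
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        # inbound: must be the mirror image of an existing outbound flow
        return "allow" if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows else "drop"

class EgressFirewall(NatRouter):
    """Same connection table plus outbound rules the NAT box lacks: web ports
    to anywhere, TCP/25 only to the ISP relay, everything else dropped."""
    def handle(self, p):
        if p.direction == "out":
            to_web = p.proto == "tcp" and p.dport in (80, 443)
            to_relay = p.proto == "tcp" and p.dport == 25 and p.dst == ISP_RELAY
            if not (to_web or to_relay):
                return "drop"        # no flow is opened, so no reply can come back either
        return super().handle(p)

# Constructed traffic: the cases discussed in the thread, in order.
TRAFFIC = [
    Packet("in",  "tcp", "203.0.113.7",  4444, LAN_PC, 445),    # unsolicited inbound probe
    Packet("out", "tcp", LAN_PC, 50000, "203.0.113.80", 80),    # PC browses a web site
    Packet("in",  "tcp", "203.0.113.80", 80, LAN_PC, 50000),    # the site's reply
    Packet("out", "tcp", LAN_PC, 50001, "203.0.113.7",  4444),  # installed software "phones home"
    Packet("in",  "tcp", "203.0.113.7",  4444, LAN_PC, 50001),  # remote side answers on that flow
    Packet("out", "tcp", LAN_PC, 50002, "192.0.2.11",   25),    # mass-mailer hitting a random MX
    Packet("out", "tcp", LAN_PC, 50003, ISP_RELAY,      25),    # legitimate mail via the ISP relay
]

def verdicts(box, traffic=TRAFFIC):
    """Run the traffic through a fresh box and return one verdict per packet."""
    return [box.handle(p) for p in traffic]

if __name__ == "__main__":
    for name, box in (("NAT only", NatRouter()), ("egress firewall", EgressFirewall())):
        print(f"{name:16}", " ".join(verdicts(box)))
```

Both boxes drop the unsolicited probe and pass the web reply; only the egress rules stop the phone-home flow (and therefore its answers) and the stray SMTP session.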

Problem with that is that regardless of how many packet filters and "personal firewalls" you put between your webserver and the evil Internet, it will still be reachable on TCP/80. All those filters only check for one thing: is this packet addressed to the right port on the right machine?

Only IDS systems can check whether the packet still is malicious, and even then only if it's a well-known bug that should have been patched ages ago.

If you want to put a server on the Internet, you should know what you're doing, configure it as safely as possible, keep it patched, and if possible put it on a separate machine in a DMZ. Not really possible for most home users, unfortunately, if only because the second PC is lacking the necessary WAF[0].

[0] WAF = Women Acceptance Factor. Inversely proportional to the amount of resistance your wife/girlfriend/mother/SWMBO will put up if you want to put some nice shiny piece of equipment into your house. Additional wiring will increase the resistance dramatically, whereas any cordless technology will make it a lot easier for $woman to accept the new hardware. Now if only somebody could design wireless power supplies...

Juergen Nieveler

Reply to
Juergen Nieveler

Duane, understand that you are as sharp as a marble. You phucking tard.

Reply to
Munpe Q

A Firebox for home use? Why?

Just what does a normal home user DO? Normally all his traffic is him connecting to a server - most home users don't need to (and indeed should not) run servers.

And as for protecting against unwanted outbound traffic, the only protection still is not to install malware. A trojan could call up IE DLLs and transfer data via HTTPS; your proxy wouldn't stop it.

Virus writers caught up with you already: lately, some viruses didn't bring their own SMTP server but rather read out the SMTP settings of several mail clients and used those settings instead, meaning they'd use the ISP's mail server.

Who's going to maintain the virus detection software? If the home user has enough clue to do that, he doesn't need it (as he wouldn't open the attachment anyway and also would be running a virus scanner on his client). Besides, most ISPs nowadays offer virus scanning of inbound mail for their customers.

Juergen Nieveler

Reply to
Juergen Nieveler

Juergen Nieveler wrote in news: snipped-for-privacy@nieveler.org:

Yes, I agree an IDS application could help.

I cannot disagree.

If I could keep the girlfriend off of my cellular phone (the only phone I have) and running up my bill I would be happy. She thinks the phone is hers with no bill she has to pay. I have been on her butt about it lately. It's like it's some kind of addiction. ;-)

Duane :)

Reply to
Duane Arnold

"Munpe Q" wrote in news:1116598841.069835.172170@g49g2000cwa.googlegroups.com:

Well put on your adult Pamper and you'll be out of the picture.

Duane :)

Reply to
Duane Arnold

If it's worth protecting, isn't it worth doing right? Sure, I understand the Cost/Benefit relationship, but I wasn't talking about cost.

Thinking that there is a "normal user" is saying you don't understand the threat base and the user base. I've seen users with no clue set up webcams, have FTP servers, even SQL database services running on their machines.

No, the protection is to protect against your computers trying to compromise other computers - many ISPs will see a user's network spewing crap and disconnect them until corrected.

There is more to protection than just blocking inbound. Think about the virus that scans your drive, finds your QuickBooks file, then FTPs it to a server in Russia... NAT won't stop that.

They didn't catch up, they were doing that a long time ago. And the ISP can protect their own email servers, if they do that. The key point is that outbound traffic can be as much an issue as inbound.

Most ISPs do not filter for spam or viruses; in fact, most don't do it because it gets them in a legal bind in the USA.

Reply to
Leythos

Ahem... I would say that any "real" (sic) firewall should be a "stateful" firewall. This type of firewall can control what service has access (or is filtered) on any given port (i.e. allow HTTP on port 80 but not SMTP) by using "stateful inspection" of the packet.

-Frank

Reply to
Frankster

Of course port 80 will be reachable if you run a web server. That's what you want. However, any web server worth its salt will disallow incoming URLs that are formed with standard known hacking attempt syntax.

-Frank

Reply to
Frankster

How do you figure?

If my webserver isn't exploitable by a certain method, why should I configure my webserver to do anything at all (other than return a 404, since the page doesn't exist) when I see a request trying to use that method?

Reply to
DevilsPGD

I'll take your users and give you our field sales team. We're talking about people who carefully move the mouse with two fingers and need a checklist to get their email...

How about not running the virus in the first place? A good mail client, and knowing not to run any mystery attachments, that's about 95% of the protection you'll ever need.

No. Once upon a time they used your email client to send mails. Then MS plugged that hole, and they used their own SMTP. Now people plug THAT hole (mostly to filter spam, really), and the VXers use their own SMTP client to forward to your ISP's mail server.

It's pretty much standard over here in Europe, but not enabled by default - instead when you log in for the first time you get asked if you want to enable it, with yes being ticked by default :-)

Juergen Nieveler

Reply to
Juergen Nieveler

I even had to duct-tape the various wires behind TV, DVD and SAT-Receiver so that they can't be seen from the front and are hidden behind the furniture.

Juergen Nieveler

Reply to
Juergen Nieveler

LOL, most of the people we work with already know they need at least a NAT device, and I always push those at the least, but I make sure to explain the difference between a NAT box and a firewall to them.

Many exploits don't require the user to do anything; many only require that the user "open" Outlook or IE. Many users don't know that the email sent from their best friend with an attachment that says vacation_pictures.zip.EXE is really a virus, and they would not know that the email didn't really come from their friend.

I've seen many ISPs take a stance against virus/spam filtering as the law could hold them responsible if a virus got in and infected the user's computer - since the user might assume they were protected.... Don't you love layers :)

Reply to
Leythos

Citation please.

(Leythos, I enjoy reading your insightful comments and have learned a lot from them. Don't reduce your credibility by making broad statements that are incorrect.)

Reply to
doubter
