routers and firewalls

[JimL]

I've read that hardware firewalls are found in routers and that they are in
some ways better than software firewalls. I really have no need for a
router, per se, but I wouldn't mind replacing ZoneAlarm if it is the thing
to do.

But I've also read that software and hardware firewalls have completely
different effects!

If someone can offer a nutshell, plain English explanation of this stuff I'd
like to hear it.

Thanks

 

[PeeCee]

I've read that hardware firewalls are found in routers and that they are
in some ways better than software firewalls. I really have no need for a
router, per se, but I wouldn't mind replacing ZoneAlarm if it is the thing
to do.

But I've also read that software and hardware firewalls have completely
different effects!

If someone can offer a nutshell, plain English explanation of this stuff
I'd like to hear it.

Thanks

Jim

The problem with software firewalls is they are a bunch of bits in memory.
Writing data to the right bits of memory can compromise such a software
firewall.
Because a PC is a general purpose machine it has a wide range of vectors
that may make that possible.

Hardware firewalls on the other hand are very specialised and it's kinda
hard to alter bits burnt into ROM.

Properly running firewalls only do one thing : examine packets of data
coming in or out and allow / block them based on a set of rules.
i.e. the 'effect' is exactly the same.

Handing firewall duties over to another device allso means your PC is not
wasting resources running a firewall in the background.

best
Paul.

 

[JimL]

Jim

The problem with software firewalls is they are a bunch of bits in memory.
Writing data to the right bits of memory can compromise such a software
firewall.
Because a PC is a general purpose machine it has a wide range of vectors
that may make that possible.

Hardware firewalls on the other hand are very specialised and it's kinda
hard to alter bits burnt into ROM.

Properly running firewalls only do one thing : examine packets of data
coming in or out and allow / block them based on a set of rules.
i.e. the 'effect' is exactly the same.

Handing firewall duties over to another device allso means your PC is not
wasting resources running a firewall in the background.

best
Paul.

Thanks

 

[JimL]

On Thu, 30 Jul 2009 21:18:06 -0400, "JimL"

Thanks for what looks _to me_ like a good overview of firewalls.

Back to my opening statement, knowing these things has no
point unless you have a specific need that is thus far
unaddressed.

Perhaps you are forgetting one "point" in your search for specifics - the
future. And at my house, "not knowing" about a specific need is definitely
not the same as "not having" a specific need. Having had no "holes" in the
past (if indeed I have not) doesn't seem like much of a guarantee for what
might happen tommorrow.

I've very recently switched from dial-up to cable modem. Seems to me the
very quantity of events inherent in a high-speed internet connection as
compared to dial-up makes firewalls a more important topic.

Since I got the cable modem connection I have thought about and worked on
several things I believe I should think about and work on in an effort to
head off what _might_ happen from here on. Looking ahead seems to me to be
only common sense. But it doesn't seem to set well with many here who
demand that I describe a problem that _IS_ not a problem that _might_ be.
But that won't stop me from thinking about tomorrow's possible issues.

Specifically, as I thought about high speed internet issues, firewalls came
to mind. (Perhaps I'm a worry wort, but I doubt I'll EVER leave myself
connected 24/7, no matter how good I think my protection is.) It looks to
me like inviting trouble when I don't have to. So not knowing much of
anything about hardware firewalls I decided to ask, given the possibility
that more traffic might mean more problems.

Thanks

 

[JimL]

Fair enough, but you hadn't mentioned this yet unless I
overlooked it.


Use a router. Wifi even better. With this option in the
future you can add PCs as you wish, not depending on any one
for the internet connection, allowing for wireless laptop or
distant client use w/o stringing wire, change the operating
system and be online without concern about having installed
the firewall yet.


Most people with cable internet access are likely to be
connected 24/7, and are safe doing so if they have a router
between their PC and the internet. So long as a windows box
with open ports isn't sitting exposed to the internet,
letting it sit online unused isn't much of a risk, the risk
is far moreso that of actively visiting a hostile website or
breached one delivering rogue malware, of opening an
infected email on a vulnerable client, inserting an infected
USB thumbdrive with autoplay enabled, and other actively
undertaken activities.

In other words, either it is something the user initiates
which gets them infected or an external thread is doing a
port scan or wifi survey. For now I will ignore the wifi
since your topic is about firewalls. Since the router is
not offering services other than routing, there is very
little possiblity of exploitation. It is not impossible but
let's face it, windows is targeted far more than any other
OS and any OS is targeted far more than specific router
models among the myriad possible routers and firmwares that
exist in the world.

As mentioned in my prior reply, a software firewall does add
one feature that's great for some, that it allows
per-application denial of wan/internet access. If you feel
that is important to have, I recommend running both a
software firewall that supports it (you mentioned Zonealarm
IIRC, which does support it), and a router with it's
inherant firewalling.

The better question is what does it hurt. They are
inexpensive, an additional layer of security, allow for
expansion. Downside is the ~$20 cost, a few cubic inches of
space it takes up and maybe a half dozen watts of power
consumed on average for consumer models.

A router in it's default configuration is often ready to use
out of the box except if it supports wifi you might want to
unscrew the antenna to eliminate any usable range until
security settings for wifi are set... though some might call
that paranoid but knowing how easy it is to put off doing
things or get busy doing something else, having the antennan
off until wifi is secure from the beginning eliminates that
possibility, assuming the router has only an external
antenna not one internal but again I am drifting into a
different topic than asked about.

Again a good post from my point of view. As for "what does it hurt," I
don't know. You refer to "very little risk." That isn't the same as none.
I noticed that in about a year and a half ZA logged over 140,000 blocked
access attempts on dial-up. Apparently there are "scanners" just searching
for a chance to make trouble. And broadband presents the potential for even
greater numbers of scans.

Plus I put all of my computer stuff on switching control and shut them down
overnight if for no more reason than eliminating vampire electrical
consumption. Using old machines as I do it makes sense to me to cut down on
wear and tear.

Hardware firewall. You're kind of preaching to the choir there. I've been
trying to get a handle on whether to go wireless. (If it turns out it
doesn't even work where I want it, I could, as you suggest, just remove the
antennas.) You mention ~$20 in cost. I'd guess that if one were
concerned about reliability the figure would be somewhat higher.

Thanks

 

[JimL]

I replaced my original DSL modem with one that has a
WiFi function, and that put the WiFi on the modem side
of my existing router. Therefor, the router's firewall protects
my wired LAN from both the internet and WiFi. This means
that my mobile WiFi enabled devices have no access to my
LAN, but they do have access to the internet. With no real
wireless network setup, the mobile devices can't connect to
each other. With no bridge setup the computers on the LAN
have no access to the mobile devices, nor is it open to the
wireless environment. So, I just leave the WiFi open and
anyone or any wifi device, in range can connect to the internet
through my DSL modem. While this could expose me to the
results of any mischief, that a very nearby operator might effect
using my DSL connection, it does not expose my LAN.

Luck;
Ken

Hm, so you sort of have both a WAN and a LAN set up on opposite sides of a
firewall.


With a wireless router ... I'd guess there are different configurations.
Assumedly all routers would have wire ports. I don't know "where" the
wireless would be. "Parallel" with the LAN ports? I guess my lone laptop
would be protected from the internet but open to drive-by access no matter
if I were running wired or wireless as long as the antennas were in place?
Am I confused or diffused?

Thanks