Do I need a firewall?

[MK]

Hi,
I am running Windows XP (Home) edition and have a wireless network at my
home. I use the Netgear Wireless router MRF-814v2.

I have seen reports on Internet which say that Service Pack 2 adds more
security.However I don't want to apply Service Packs which I feel slow the
machine.

Do I need a separate firewall like ZoneAlarm or Norton Firewall installed on
my machine to protect my machine? Will the router firewall itself be enough
for protection?
My other home computer runs Windows ME. Does that also need a separate
firewall software?

Please post your comments.

Regards,
MK

 

[Mike Hall \(MS-MVP\)]

MK

I would go with the third party software firewall and SP2..

 

[Miss Perspicacia Tick]

MK

I would go with the third party software firewall and SP2..

I disagree. I also have a Netgear router and find the hardware firewall to
be more than adequate (and it frees up clock cycles for other things). I
agree with you regarding SP2, though.

A hardware firewall is infinitely preferable to a software one.

 

[Haggis]

I disagree. I also have a Netgear router and find the hardware firewall to
be more than adequate (and it frees up clock cycles for other things). I
agree with you regarding SP2, though.

A hardware firewall is infinitely preferable to a software one.

agreed , hardware is first choice....and i have not seen many discussions
about SP2 "slowing" performance(recommend you defrag after installing SP2)

 

[Al]

I disagree. I also have a Netgear router and find the hardware firewall to
be more than adequate (and it frees up clock cycles for other things). I
agree with you regarding SP2, though.

A hardware firewall is infinitely preferable to a software one.

Which is bad advice on your part. A hardware firewall is only as good as
person that doesn't allow baddies onto their PCs. Since a hardware firewall
will block anything incoming, it will not alert you about anything outgoing
that you may have already installed (or have allowed past the hardware). A
software firewall will alert you to the outgoing. You'd have saved money not
paying for the hardware, and simply just using XP's built-in firewall
software, as it would suffice just as well as the hardware in the terms you
are using it.

 

[Al]

agreed , hardware is first choice....and i have not seen many discussions
about SP2 "slowing" performance(recommend you defrag after installing SP2)

Actually, to add more (as you are wrong also). Just simply using a hardware
firewall only is not good, without the software, since it won't even alert
you to someone trying to get in . It is more than likely that someone making
an attempt at getting past it is possible, but not impossible. So, if one
got past one of the ports, you would never know it, and software would give
an alert, and quick response to take action. Most hardware routers come with
decent software firewalls anyway, I would use it.

 

[Leythos]

Which is bad advice on your part. A hardware firewall is only as good as
person that doesn't allow baddies onto their PCs. Since a hardware
firewall will block anything incoming, it will not alert you about
anything outgoing that you may have already installed (or have allowed
past the hardware). A software firewall will alert you to the outgoing.
You'd have saved money not paying for the hardware, and simply just
using XP's built-in firewall software, as it would suffice just as well
as the hardware in the terms you are using it.

Actually, the appliance is most preferable to the software firewall
running on a users computer. The types of devices talked about in this
thread are only simple NAT/PAT Routers that are not actually firewalls,
they use a NAT method to block unsolicited traffic. At the same time, all
of these routers in that class offer logging and do a very good job of
providing inbound and outbound logs in real time. There is even a freeware
application called WallWatcher that can show you what's hitting your
router and what directions in real time and is real easy to monitor.

The appliance that blocks a connection BEFORE it reaches your computer is
the best method to help maintain a secure internal network. Some of the
appliances even allow the user to block outbound traffic going to certain
destination ports (to block file sharing, some P2P sharing, etc...).

The money you pay for a simple router/NAT box (about $50) is worth much
more than what you would pay for a quality personal firewall application
that runs on any users computer.

The issue you failed to realize is that ANY personal firewall application
running on a computer being used by a person can be compromised by that
same user without their knowledge (or with their knowledge). This is true
for any PFW solution.

This is one of the main reasons that security designers install a boarder
device of some type, it stops access from undesired services BEFORE they
reach the internal network.

Even for a single home computer a NAT router is the best starting method,
and then a PFW is you feel it's need, but the PFW is just eye-candy in
most cases.

 

[Al]

Actually, the appliance is most preferable to the software firewall
running on a users computer. The types of devices talked about in this
thread are only simple NAT/PAT Routers that are not actually firewalls,
they use a NAT method to block unsolicited traffic. At the same time, all
of these routers in that class offer logging and do a very good job of
providing inbound and outbound logs in real time. There is even a freeware
application called WallWatcher that can show you what's hitting your
router and what directions in real time and is real easy to monitor.

The appliance that blocks a connection BEFORE it reaches your computer is
the best method to help maintain a secure internal network. Some of the
appliances even allow the user to block outbound traffic going to certain
destination ports (to block file sharing, some P2P sharing, etc...).

The money you pay for a simple router/NAT box (about $50) is worth much
more than what you would pay for a quality personal firewall application
that runs on any users computer.

The issue you failed to realize is that ANY personal firewall application
running on a computer being used by a person can be compromised by that
same user without their knowledge (or with their knowledge). This is true
for any PFW solution.

This is one of the main reasons that security designers install a boarder
device of some type, it stops access from undesired services BEFORE they
reach the internal network.

Even for a single home computer a NAT router is the best starting method,
and then a PFW is you feel it's need, but the PFW is just eye-candy in
most cases.

You missed the point. I did not say that a PSF (or any software) is
preferable. A hardware is better, but, by itself can be bypassed, and the
fault with thinking it is OK by itself it that, if something does get past
it, which is very possible, there is no alert, and the damage is being done.
At least with the addition of software, you can be warned. In today's world,
it isn't as simple as you say to simply say hardware only is just fine..

 

[Mike Hall \(MS-MVP\)]

S,

Netgear (or any other make) routers are of no value to dialup users..

I have McAfee 8 suite running.. McAfee 8/2005 is one of the new 'smart'
firewalls.. I looked in the list of programs with internet capability, and I
have to tell you that there is way more there than P2P programs.. one or two
entries are simple games that, when installed, gave no indication that they
were internet enabled.. they aren't now because I have blocked them, but I
would not have known had McAfee not warned me..

I think that it is as important to know what is going out, or thinking about
going out, as what is coming in..

When Microsoft were sending out SP1a CDs to those who requested them, they
also sent out a CD that contained CA's EZ Armor LE suite.. I also saw a
statement by Microsoft to the effect that the XP firewall was included such
that when XP was initially loaded, it could be updated without fear until a
full security package could be installed.. neither of these actions suggest
that a software firewall is of little value..

McAfee and Norton have always built a list of internet ready programs as
part of the setup routine, and there has always been the option of blocking
one or more on the list.. I will admit that older versions have not always
been the most intuitive of programs to set up, but many have benefited from
their presence even in 'default' form..

For all of the years I have been involved in computing and outside
connections, I still prefer to have notification of what is happening so
that I don't have to always rely on my wits.. the concept that only newbies
require such notification is plain stupid and elitist..

The argument that companies do not entertain personal firewalls is not valid
either.. companies set a platform that the operator is not allowed to alter
in any way.. they invariably connect to intranets, and the network admin
will ensure that only trusted sites are allowed outside of that.. in many
cases, network admin will get software updates away from the intranet and
then make them available such that each operator can update without having
to connect to www..

Re. SP2 (for the benefit of others as you has it installed and working)..
not installing SP2 is like turning down free aftermarket fitment of side
impact airbags to your old car.. removing SP2 is like asking a car dealer to
remove side impact airbags from your new car because the extra weight
increases fuel consumption..

Arguments that SP2 slows a system to a crawl are only true of machines that
were borderline fast as a result of luck more than judgement.. if XP users
want more speed, TURN OFF THE EYE CANDY.. so XP will look like Windows 2000
or ME.. who cares!!!!!!!!!!!!.. racing cars don't have passenger seats,
electric sunroofs, carpet in the trunk to save weight, thereby increasing
the power to weight ratio.. they replace luxury with roll cages and fire
extinguisher systems.. SAFETY ITEMS..


--
Mike Hall
MVP - Windows Shell/user

 

[Leythos]

You missed the point. I did not say that a PSF (or any software) is
preferable. A hardware is better, but, by itself can be bypassed, and
the fault with thinking it is OK by itself it that, if something does
get past it, which is very possible, there is no alert, and the damage
is being done. At least with the addition of software, you can be
warned. In today's world, it isn't as simple as you say to simply say
hardware only is just fine..

The problem is that people are confused with what a firewall appliance
really is and what the SOHO/Home user marketing types are calling a
firewall.

If you have a decent firewall appliance you can prevent almost everything
except permitted traffic - that means I can block MSN Messenger and Yahoo
messenger while still allowing other HTTP traffic, or strip Active-X out
of HTTP Sessions, force users to only visit sites with content
definitions, block all outbound SMTP access, block all outbound DNS,
etc... I can lock down the network, still provide real business use for
it, and prevent compromised computers from doing external damage - at the
same time I can detect those types of actions without any chance that the
detection method will be disabled by the attack.

With a PFW you don't really gain anything except a false sense of security
- it's not hard for a user running as Root or Administrator to compromise
their own computer and any services running on it, including their PFW,
and they would be just as ignorant about it as they were when deciding to
run as Root or Administrator.

At least with an appliance you have the ability to protect the
network/resources is a manner that a compromised machine can't disable.

A good example of this is my home - I have a WatchGuard Firebox II with 4
subnets behind it. My family network allows users to access filtered HTTP,
filtered FTP, no email external to the home (we have our own email
server) and that's about it. They can't bring anything inbound and nothing
gets outbound that isn't also filtered, including email from the house
server.

In the case of a user and a simple NAT device like the Linksys/D-Link/NG,
there is no filtering of transport methods, just inbound blocking or not.

With a PFW you still don't have any real control, unless you don't use the
computer that the PFW is running on - acting as a gateway. The first time
you use the computer with the PFW, you can compromise it and render the
PFW useless, leaving your network/systems fully exposed.

 

[Miss Perspicacia Tick]

You missed the point. I did not say that a PSF (or any software) is
preferable. A hardware is better, but, by itself can be bypassed, and
the fault with thinking it is OK by itself it that, if something does
get past it, which is very possible, there is no alert, and the
damage is being done. At least with the addition of software, you can
be warned. In today's world, it isn't as simple as you say to simply
say hardware only is just fine..

Er, you're the one missing the point, buddy. I have a $200 router. The
firewall blocks both INCOMING and OUTGOING traffic and reports are sent to
my Outlook inbox every five minutes and I am instantly alerted to any
suspicious activity.

You're outvoted two to one. Now do go away...

 

[Miss Perspicacia Tick]

S,

Netgear (or any other make) routers are of no value to dialup users..

Who said anything about dial-up? The OP didn't and I have a 2MB DSL
connection.

I have McAfee 8 suite running.. McAfee 8/2005 is one of the new
'smart' firewalls.. I looked in the list of programs with internet
capability, and I have to tell you that there is way more there than
P2P programs.. one or two entries are simple games that, when
installed, gave no indication that they were internet enabled.. they
aren't now because I have blocked them, but I would not have known
had McAfee not warned me..

I wouldn't put McAfee (or Norton IS) on any system of mine if I was given
it.

I think that it is as important to know what is going out, or
thinking about going out, as what is coming in..

Oh I agree, that's why my router sends me email every five minutes and
alerts me instantly to any threats.

When Microsoft were sending out SP1a CDs to those who requested them,
they also sent out a CD that contained CA's EZ Armor LE suite.. I
also saw a statement by Microsoft to the effect that the XP firewall
was included such that when XP was initially loaded, it could be
updated without fear until a full security package could be
installed.. neither of these actions suggest that a software firewall
is of little value..

I disagree. A software firewall is paper, a hardware one, reinforced
concrete.

McAfee and Norton have always built a list of internet ready programs
as part of the setup routine, and there has always been the option of
blocking one or more on the list.. I will admit that older versions
have not always been the most intuitive of programs to set up, but
many have benefited from their presence even in 'default' form..

Michael, I had you down as an intelligent guy - if you're saying you like
Norton, I'm going to have to rethink my opinion of you....

For all of the years I have been involved in computing and outside
connections, I still prefer to have notification of what is happening
so that I don't have to always rely on my wits.. the concept that
only newbies require such notification is plain stupid and elitist..

I never said that - that's what the email alerts are for, you brain dead
idiot. ;o)

The argument that companies do not entertain personal firewalls is
not valid either.. companies set a platform that the operator is not
allowed to alter in any way.. they invariably connect to intranets,
and the network admin will ensure that only trusted sites are allowed
outside of that.. in many cases, network admin will get software
updates away from the intranet and then make them available such that
each operator can update without having to connect to www..

You are talking to a former network administrator. Before I became ill, I
was one for nearly a decade. In all that time I *NEVER* implemented a
software firewall and I was responsible for four servers which served 100
workstations.

Re. SP2 (for the benefit of others as you has it installed and
working).. not installing SP2 is like turning down free aftermarket
fitment of side impact airbags to your old car.. removing SP2 is like
asking a car dealer to remove side impact airbags from your new car
because the extra weight increases fuel consumption..

I am not arguing about SP2, SP2 is not this issue. I am arguing software vs
hardware firewalls and I know that, as a former network admin, which side I
fall on.

Arguments that SP2 slows a system to a crawl are only true of
machines that were borderline fast as a result of luck more than
judgement.. if XP users want more speed, TURN OFF THE EYE CANDY.. so
XP will look like Windows 2000 or ME.. who cares!!!!!!!!!!!!.. racing
cars don't have passenger seats, electric sunroofs, carpet in the
trunk to save weight, thereby increasing the power to weight ratio..
they replace luxury with roll cages and fire extinguisher systems..
SAFETY ITEMS..

You're preaching to the converted....

I really don't want to fall out with you, but most of what you've said is
unadulterated drivel...

 

[Tom]

The problem is that people are confused with what a firewall appliance
really is and what the SOHO/Home user marketing types are calling a
firewall.

If you have a decent firewall appliance you can prevent almost everything
except permitted traffic - that means I can block MSN Messenger and Yahoo
messenger while still allowing other HTTP traffic, or strip Active-X out
of HTTP Sessions, force users to only visit sites with content
definitions, block all outbound SMTP access, block all outbound DNS,
etc... I can lock down the network, still provide real business use for
it, and prevent compromised computers from doing external damage - at the
same time I can detect those types of actions without any chance that the
detection method will be disabled by the attack.

With a PFW you don't really gain anything except a false sense of security
- it's not hard for a user running as Root or Administrator to compromise
their own computer and any services running on it, including their PFW,
and they would be just as ignorant about it as they were when deciding to
run as Root or Administrator.

At least with an appliance you have the ability to protect the
network/resources is a manner that a compromised machine can't disable.

A good example of this is my home - I have a WatchGuard Firebox II with 4
subnets behind it. My family network allows users to access filtered HTTP,
filtered FTP, no email external to the home (we have our own email
server) and that's about it. They can't bring anything inbound and nothing
gets outbound that isn't also filtered, including email from the house
server.

In the case of a user and a simple NAT device like the Linksys/D-Link/NG,
there is no filtering of transport methods, just inbound blocking or not.

With a PFW you still don't have any real control, unless you don't use the
computer that the PFW is running on - acting as a gateway. The first time
you use the computer with the PFW, you can compromise it and render the
PFW useless, leaving your network/systems fully exposed.

Let's disagree totally about your assertion that PSWs really serve no
purpose. Trust me, the setup you decribe in its detail, can be bypassed,
with no bells to tell you that a compromise has happened.In the meantime,
you're relying on your "wit" of the moment to kick in, to check for an
incident; it then may be too late. Regardless of what you say, getting an
alert at the first hint, is added security. DOS attacks happen a great deal
through systems setup just the way you describe. If what you say (as you
imply) is 100% secure, then why would there be a need for any of the PSWs,
and there never will be(or would have been recently) attracks on networks,
servers, etc..

By the way, my PSW, let's me control every aspect of programs not only
sending receiving, but actaullly having any ability to run as it makes a
connection, as it won;t run on my system, if not allowed. This way, I know
what I am trying to accomlished. Added security is never shortfall.

 

[Al]

The problem is that people are confused with what a firewall appliance
really is and what the SOHO/Home user marketing types are calling a
firewall.

If you have a decent firewall appliance you can prevent almost everything
except permitted traffic - that means I can block MSN Messenger and Yahoo
messenger while still allowing other HTTP traffic, or strip Active-X out
of HTTP Sessions, force users to only visit sites with content
definitions, block all outbound SMTP access, block all outbound DNS,
etc... I can lock down the network, still provide real business use for
it, and prevent compromised computers from doing external damage - at the
same time I can detect those types of actions without any chance that the
detection method will be disabled by the attack.

With a PFW you don't really gain anything except a false sense of security
- it's not hard for a user running as Root or Administrator to compromise
their own computer and any services running on it, including their PFW,
and they would be just as ignorant about it as they were when deciding to
run as Root or Administrator.

At least with an appliance you have the ability to protect the
network/resources is a manner that a compromised machine can't disable.

A good example of this is my home - I have a WatchGuard Firebox II with 4
subnets behind it. My family network allows users to access filtered HTTP,
filtered FTP, no email external to the home (we have our own email
server) and that's about it. They can't bring anything inbound and nothing
gets outbound that isn't also filtered, including email from the house
server.

In the case of a user and a simple NAT device like the Linksys/D-Link/NG,
there is no filtering of transport methods, just inbound blocking or not.

With a PFW you still don't have any real control, unless you don't use the
computer that the PFW is running on - acting as a gateway. The first time
you use the computer with the PFW, you can compromise it and render the
PFW useless, leaving your network/systems fully exposed.

I guess we'll just have to disagree with each other on what suffices for you
in general PC security .

 

[Al]

Er, you're the one missing the point, buddy. I have a $200 router. The
firewall blocks both INCOMING and OUTGOING traffic and reports are sent to
my Outlook inbox every five minutes and I am instantly alerted to any
suspicious activity.

You're outvoted two to one. Now do go away...

Wow, you omitted the fact that you're using the software FW that comes with
your router (otherwise, you wouldn't get alerts), and if you had read what I
stated regarding such (as usually comes with routers) you would have caught
that, but that is expected from someone who needs to sod off from time to
time. Next you make such a claim, be sure to include all of your setup, and
not make a blanket statement that a hardware firewall (just itself only) as
you implied is good enough. Another has called you on this before, someone
you revere from time to time (until they disagree with you of course).

 

[Mike Hall \(MS-MVP\)]

Sarah

There are still a considerable amount of computer users in North America
relying on Dixie cups and string as their primary internet connection..
until last week, my village was still wholly reliant on dialup.. I have
lived in other places where ADSL/DSL was present, and I have had a tough
time getting used to the old way for the past three years.. Bell Sympatico
were inserting fliers for high speed in our mail boxes for the longest time
which served only to upset.. I had sent a few e-mails to them and the local
cable TV company, all of them 'heated', and until recently have had little
response other than to say it is not company policy to install high speed
unless there are more than 5000 people living in the area.. 96% of all
Canadian places have 1500 or less people living in them.. lol.. the
prospects for some are still not good..

In order of installation over the years, Black ICE, Zonealarm, Neowatch, and
McAfee have always worked well for me, and all of the people I have
supported over the years.. those of us that still require dialup have little
choice but to use a software firewall.. in the last three years, I have had
no problems with trojans, virus infection or any other incoming nasties, so
something must be working well enough..

I DON'T LIKE NORTON.. but some of the people I get to see have paid nearly
CDN$100 for the... the.. and they don't want to waste their money so insist
that it is used.. and while we are on the subject of what some stuff
costs.....

..... Now, lets see.. your DSL router cost UK£200.00 which equates to
CDN$430.00 approx not including taxes.. lol.. you would have a tough time
selling a DSL modem costing that much to a Canadian redneck, trust me..
lololololol.. getting some of them to part with $30 dollars is hard enough,
and $30 DSL modems don't send s%$t to anybody..

Re. network admin, I did make the point that companies do NOT use software
firewalls.. I also remembered you stating that you were a network
administrator at some point in time, and we must not annoy the net admin or
they will reduce our resources.. and to think that I always felt sorry for
net admins.. pax pax pax..

The SP2 part was not for you.. it was for the benefit of the OP, 'ere the OP
should still be lurking in the shadows.. I did state that at the begining of
the section, and will make allowances for you on the basis that you were
probably tired due to staying up late..

OT: I haven't seen you around much lately.. at first, I thought that you
might be vacationing somewhere nice for the Easter break, and then it
crossed my mind that you may be unwell.. hoping that it was the former, and
that all is well with you and yours..

 

[Bruce Chambers]

Hi,
I am running Windows XP (Home) edition and have a wireless network at my
home. I use the Netgear Wireless router MRF-814v2.

I have seen reports on Internet which say that Service Pack 2 adds more
security.However I don't want to apply Service Packs which I feel slow the
machine.

Do I need a separate firewall like ZoneAlarm or Norton Firewall installed on
my machine to protect my machine? Will the router firewall itself be enough
for protection?
My other home computer runs Windows ME. Does that also need a separate
firewall software?

I don't mean to sound harsh, but given today's widely-publicized
and well-known hostile Internet environment, only a fool or a masochist
would go on-line without both a firewall and antivirus protection.

If you use a router with NAT, it's still a very good idea to use a
3rd party software firewall. Like WinXP's built-in firewall,
NAT-capable routers do nothing to protect the user from him/herself (or
any "curious," over-confident teenagers in the home). Again -- and I
*cannot* emphasize this enough -- almost all spyware and many Trojans
and worms are downloaded and installed deliberately (albeit unknowingly)
by the user. So a software firewall, such as Sygate or ZoneAlarm, that
can detect and warn the user of unauthorized out-going traffic is an
important element of protecting one's privacy and security. (Remember:
Most antivirus applications do not even scan for or protect you from
adware/spyware, because, after all, you've installed them yourself, so
you must want them there, right?)

I use both a router with NAT and Sygate Personal Firewall, even
though I generally know better than to install scumware. When it comes
to computer security and protecting my privacy, I prefer the old "belt
and suspenders" approach. In the professional IT community, this is
also known as a "layered defense." Basically, it comes down to never,
ever "putting all of your eggs in one basket."


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

 

[Bruce Chambers]

I disagree. I also have a Netgear router and find the hardware firewall to
be more than adequate (and it frees up clock cycles for other things). I
agree with you regarding SP2, though.

A hardware firewall is infinitely preferable to a software one.

A true hardware firewall might be sufficient, but you don't have one.
All you have is a router with NAT capabilities. You're no better
protected than you would be if you were to depend solely upon WinXP's
built-in firewall.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

 

[Leythos]

Let's disagree totally about your assertion that PSWs really serve no
purpose. Trust me, the setup you decribe in its detail, can be bypassed,
with no bells to tell you that a compromise has happened.In the
meantime, you're relying on your "wit" of the moment to kick in, to
check for an incident; it then may be too late. Regardless of what you
say, getting an alert at the first hint, is added security. DOS attacks
happen a great deal through systems setup just the way you describe. If
what you say (as you imply) is 100% secure, then why would there be a
need for any of the PSWs, and there never will be(or would have been
recently) attracks on networks, servers, etc..

Without going into all of the details, I can say that our solutions pass
homeland defense testing for Utilities, that we've never had a customer
with a virus/compromised system, and we've never had a compromised public
facing server. Now, I've not talked about that level of solution here, but
a personal firewall is not considered any part of those solution methods.
Sure, a firewall application, running on a dedicated box, is a great
solution, but not on one where the user could compromise it.

Yea, they also MAY alert you to many threats/actions, but they can also be
compromised WITHOUT YOU KNOWING IT - which means you would no longer have
that protection.

By the way, my PSW, let's me control every aspect of programs not only
sending receiving, but actaullly having any ability to run as it makes a
connection, as it won;t run on my system, if not allowed. This way, I
know what I am trying to accomlished. Added security is never shortfall.

Added security is good, but only if you can trust it - and since many of
the people that are new to security may read your posting and think that a
PFW is going to secure their computers, well, it's important that they
know that it's just not true - it's false sense of security, and in the
wrong settings, it's easy to compromise.

 

[Steve Winograd [MVP]]

MK

I would go with the third party software firewall and SP2..

If you have a third party software firewall, disable SP2's Windows
Firewall. Running more than one firewall can cause problems.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com