Do I need two firewalls

Maincat

I have a four machine network, all machines going through a router that has
a SPI firewall. I also have a software firewall on each machine.

My question is, do I need the software firewall on each machine?

Thanks for any replies.

Steve
 
Shenan Stanley

Maincat said:
I have a four machine network, all machines going through a router
that has a SPI firewall. I also have a software firewall on each
machine.
My question is, do I need the software firewall on each machine?

No one can answer that for you.
We can make suggestions.

You have four machines now.
All trusted users?
Any of them ever get viruses/trojans?
Any of them have 'questionable' surfing habits?

The internal firewall will serve more to protect you from those already past
the first one. Whether or not you need that - that is up to you.
 
Leythos

Hi
Yes, you definitely need one, since the router NAT firewall is a very partial
firewall.

NAT does not make the device a firewall by any means, it's marketing
hype. NAT does protect, if properly implemented by the device, but it is
not a firewall, it's a routing method.

You can have a NAT device that routes all traffic in a 1:1 manner, so
that no internal blocking is performed - so, NAT is not a firewall
function.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
 
Vanguard

I have a four machine network, all machines going through a router
that has a SPI firewall. I also have a software firewall on each machine.

My question is, do I need the software firewall on each machine?


The router's firewall cannot specify application rules as to whether or
not you want an application to have network access and, if so, just what
types of access that it gets (TCP, UDP, ports, time of access or denial,
etc.). The router's firewall doesn't know what application is
generating what network traffic. Only the software firewall running on
your host can do that. Do you trust every one of your "normal"
applications won't connect without your permission or without telling
you they are connecting? Feel lucky if that is true.

Software firewalls are handy for regulating network access for
applications running on that host provided those applications aren't
smart malware programs trying to circumvent or disable the firewall
(your router's firewall can't handle malware, either, that makes
otherwise unauthorized and undeclared outbound connections). If you
want some application-centric regulation over software's OUTBOUND access
then you need a local firewall.

Don't expect your router's firewall to be much more useful than
Microsoft's software firewall. You may get some host-centric control
over Internet/network access but other than that then it won't know what
app is trying to get a connection. Routers have very simplistic
firewalls and are not equivalent to firewall appliances. Look at the
router's firewall like you look at Microsoft's software firewall: some
protection from unsolicited inbound connect attempts but nothing for
regulation of outbound connect attempts by applications (and only some
regulation based on hosts). What you get for protection depends
entirely on how potent a firewall is included in the router. Some
routers let you define rules on which hosts can connect to your
intranetwork, to other hosts and which ones on your intranetwork, which
ones get Internet (external) connects, during what times they can
connect, quotas on bandwidth, QOS, and so on, all of which is outbound
regulation (from a host to other hosts or the Internet).

Some routers' firewalls include inbound protection, like stateful packet
inspection, to protect you against unsolicited inbound connect attempts
and may even provide heuristics or rules to detect certain known types of
attacks, but all in all the router's firewall is pretty basic. It may
end up duplicating the inbound protection that your software firewall
provides but it lacks any outbound protection afforded by a software
firewall running on a local host. The inbound duplication isn't
hurtful. It just means that anything your router's firewall caught
doesn't have to be caught by your software firewall and then take CPU
cycles to handle.
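A toy illustration of the point Vanguard makes above (an added example, not code from any poster): the same outbound connection is evaluated once with router-style rules that see only source host, protocol and port, and once with host-firewall rules that also see the program opening the socket. The rule sets, addresses and program names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Flow:
    src_host: str
    dst_host: str
    proto: str
    dst_port: int
    program: Optional[str] = None  # only the originating host knows this

# Rule tuple: (subject, proto, dst_port, verdict); "*" / 0 mean "any".
# For the router the subject is a source host, for the host firewall a program.
Rule = Tuple[str, str, int, str]

ROUTER_RULES: Sequence[Rule] = (          # constructed example policy
    ("*", "tcp", 25, "deny"),             # no direct SMTP out of the LAN
    ("*", "*", 0, "allow"),               # otherwise let the LAN out
)

HOST_RULES: Sequence[Rule] = (            # constructed example policy
    ("firefox.exe", "tcp", 443, "allow"),
    ("firefox.exe", "tcp", 80, "allow"),
    ("*", "*", 0, "deny"),                # unknown programs may not connect out
)

def first_match(rules: Sequence[Rule], subject: Optional[str], flow: Flow) -> str:
    """Return the verdict of the first rule matching subject, proto and port."""
    for rule_subject, proto, port, verdict in rules:
        if rule_subject not in ("*", subject):
            continue
        if proto not in ("*", flow.proto) or port not in (0, flow.dst_port):
            continue
        return verdict
    return "deny"  # nothing matched: fail closed

def router_verdict(flow: Flow) -> str:
    # The router keys on the source host; it never learns flow.program.
    return first_match(ROUTER_RULES, flow.src_host, flow)

def host_verdict(flow: Flow) -> str:
    # The host firewall can key on the program that opened the socket.
    return first_match(HOST_RULES, flow.program, flow)

if __name__ == "__main__":
    # Two flows from the same LAN host to the same destination (constructed):
    browser = Flow("192.168.1.10", "203.0.113.5", "tcp", 443, "firefox.exe")
    unknown = Flow("192.168.1.10", "203.0.113.5", "tcp", 443, "updater.exe")
    for f in (browser, unknown):
        print(f"{f.program:12} router={router_verdict(f):5} host={host_verdict(f)}")
```

Both flows look identical to the router, so it allows both; only the host firewall can tell the browser from the unknown program on the same port.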