Firewall Needed??

[Q!]

Hi All - a quick question, if you are running behind a router all the time,
and have AV installed and updated, is it really necessary (or desirable) to
have a firewall like ZoneAlarm running as well? I ask this because since
installing the router I notice the ZA log is empty - no instances at all,
but does ZAPro have other benefits that mean you should keep it running even
though you have the router????

 

[Ian Kenefick]

Hi All - a quick question, if you are running behind a router all the time,
and have AV installed and updated, is it really necessary (or desirable) to
have a firewall like ZoneAlarm running as well? I ask this because since
installing the router I notice the ZA log is empty - no instances at all,
but does ZAPro have other benefits that mean you should keep it running even
though you have the router????

My opinion is you should have a personal firewall installed on every
PC on a network, even those behind a router/hardware firewall. The
best protection strategy includes defenses at the application layer as
well as the perimiter layer.

Regards,
Ian Kenefick
http://antivirus.ik-cs.com

 

[kurt wismer]

Hi All - a quick question, if you are running behind a router all the time,
and have AV installed and updated, is it really necessary (or desirable) to
have a firewall like ZoneAlarm running as well? I ask this because since
installing the router I notice the ZA log is empty - no instances at all,
but does ZAPro have other benefits that mean you should keep it running even
though you have the router????

if you know for a fact that your machine will never be connected
directly to the internet (like when your router dies on you and you
need to research what's going on to diagnose the problem) then you can
probably get away with not having a software firewall running in the
situation you describe...

however, there are other benefits to a software firewall... they can,
for example, warn you when a new program is trying to access the
internet, even if it's something too new for your anti-virus to
recognize...

 

[Duane Arnold]

Hi All - a quick question, if you are running behind a router all the
time, and have AV installed and updated, is it really necessary (or
desirable) to have a firewall like ZoneAlarm running as well? I ask
this because since installing the router I notice the ZA log is empty
- no instances at all, but does ZAPro have other benefits that mean
you should keep it running even though you have the router????

The NAT router has no means to stop outbound traffic and some people
supplement the NAT router with a PFW solution that can stop outbound if
needed. In addition, the PFW solution can protect the O/S at the machine
level such as services running on the machine and the NAT router cannot do
that.

On the other hand, some say that if you harden the O/S to attack (shut down
vulnerable services and other things, know how to use safe computing
practices, use a good AV and possibly some other tools like Spybot and Ad-
aware, then all you need is the NAT router.

I always ran a PFW or some other packet filtering software to supplement
the NAT router on outbound if needed and to protect vulnerable services and
applications running on the machine.

If the router has logging, then you should enable it and use a log viewer
to view the inbound and outbound traffic to and from the router.

Duane

 

[Captain Jinks]

Hi All - a quick question, if you are running behind a router all the time,
and have AV installed and updated, is it really necessary (or desirable) to
have a firewall like ZoneAlarm running as well? I ask this because since
installing the router I notice the ZA log is empty - no instances at all,
but does ZAPro have other benefits that mean you should keep it running even
though you have the router????

You absolutely need a software firewall in addition to the router. At
the very least they will prevent programs from connecting to the
Internet without your permission. That is a big deal. You might be eaten
up with Trojans and dialers but a software firewall will make them
useless unless you're silly enough to give permission to everything that
tries to contact someone outside your own computer. ZONE ALARM is an
excellent choice because of its features. On my machines it has caught
several email viruses days or even weeks before the AV programs identify
them. Do not rely on your router, and do not rely on the firewall that
comes with XP, turn that one off and install Zone Alarm.

I first installed Zone Alarm years ago when I was using a dial-up system
and it provided protection even though I did not network my machines.

 

[Roger Wilco]

Hi All - a quick question, if you are running behind a router all the time,
and have AV installed and updated, is it really necessary (or desirable) to
have a firewall like ZoneAlarm running as well?

It may be desirable because of the features the software firewall
offers. If a "new" malware lands on the machine and tries to access the
internet itself, the software firewall may ask you to permit or deny the
access. This does not mean that all outbound "phone home" malware will
be defeated by software firewalls though.

As long as the software firewall doesn't "add" vulnerability to your
system (software flaws), or your best practices regimen (false sense of
security), it can't hurt.

 

[Ian Kenefick]

It may be desirable because of the features the software firewall
offers. If a "new" malware lands on the machine and tries to access the
internet itself, the software firewall may ask you to permit or deny the
access. This does not mean that all outbound "phone home" malware will
be defeated by software firewalls though.

As long as the software firewall doesn't "add" vulnerability to your
system (software flaws), or your best practices regimen (false sense of
security), it can't hurt.

Kerio's up and coming 4.5 will feature HOST based IDS for protection
against buffer overflows, code injection etc all of which add a must
have layer of protection at the application level if you ask me. Tiny
software already have such implementations which prevent malicious
process from injecting their code into benign ones to bypass software
firewalls. All this without having to rely on MD5 database entries
will warn of a process injecting code into another. I had a similar
conversation with a guy who maintained a hardware firewall is all you
need and I completly disagree. A software firewall can help prevent
zero day attacks by filtering out certain types of web traffic and new
Host based IDS in personal firewalls will add depth to an already must
have piece of software.

Regards,
Ian Kenefick
http://antivirus.ik-cs.com

 

[Q!]

Thank you everyone, excellent replies and information. I will continue to
run ZA as well as the other protection, just to help be safe! Thanks again
everyone.

 

[optikl]

My opinion is you should have a personal firewall installed on every
PC on a network, even those behind a router/hardware firewall. The
best protection strategy includes defenses at the application layer as
well as the perimiter layer.

Regards,
Ian Kenefick
http://antivirus.ik-cs.com

How often has application control actually saved your ass from the
presence of malware?

 

[optikl]

You absolutely need a software firewall in addition to the router. At
the very least they will prevent programs from connecting to the
Internet without your permission. That is a big deal. You might be eaten
up with Trojans and dialers

And this happens how, through spontaneous generation? Or do the PC
manufacturers now include malware in lieu of M/S works?


but a software firewall will make them

useless unless you're silly enough to give permission to everything that
tries to contact someone outside your own computer.

Let me get this right. Hypothetically, ones computer is riddled with
trojans and dialers and said person can be trusted to determine which
applcations ought to be permitted internet access? Is that the scenario?

ZONE ALARM is an

excellent choice because of its features. On my machines it has caught
several email viruses days or even weeks before the AV programs identify
them.

Now that is interesting .

 

[Ian Kenefick]

How often has application control actually saved your ass from the
presence of malware?

Me personally, zero. I'm not the type of person that is easily duped
by malware All of the PC's on my network are up to date, all have
antivirus and firewalls on the desktop. I subscribe to F-Prot AVES
with my ISP also so I rarely see email borne viruses or spam for that
matter.

My fathers PC was missing MS03-026 amongst others and Sygate IDS
detected blaster's traffic and blocked it. This is a good example.

Regards,
Ian Kenefick
http://antivirus.ik-cs.com

 

[optikl]

Me personally, zero. I'm not the type of person that is easily duped
by malware All of the PC's on my network are up to date, all have
antivirus and firewalls on the desktop. I subscribe to F-Prot AVES
with my ISP also so I rarely see email borne viruses or spam for that
matter.

My fathers PC was missing MS03-026 amongst others and Sygate IDS
detected blaster's traffic and blocked it. This is a good example.

Regards,
Ian Kenefick
http://antivirus.ik-cs.com

Yeah, I honestly didn't suspect you were that type of person. I would
say the same about me.

The problem I have with this notion that application control is so
necessary is that it's illusory. The very people who really need a PFW
are those who likely have no safe computing regimen as foundation.
Further, those very same people can hardly be relied upon to bother with
knowing which components should be granted permission to execute an
application, let alone whether this is the result of downloading
something, or even a windows update. While I firmly believe that inbound
intrusion prevention is a very good risk abatement, outbound application
control is nothing more than flood insurance for those who live on very
high ground.

People can have as much insurance as they want. I just find the
recommendation that outbound application control is a *necessity* to be
unintentionally dishonest.

 

[Ian Kenefick]

People can have as much insurance as they want. I just find the
recommendation that outbound application control is a *necessity* to be
unintentionally dishonest.

I understand what you say but great grounds have been made in personal
firewalls to help the user make a decision as to what they should and
shouldn't allow to connect to the internet either by pre-configured
firewalls or updatable checksum databases. I sill think it is a
necessity to have outbound protection at the application layer. It
buys the user time to research the component which is trying to
initiate an outbound connection by using Google for example.


Regards,
Ian Kenefick
http://antivirus.ik-cs.com

 

[me]

-snip-
ZONE ALARM is an

Now that is interesting .

[ jk ]
ZA is an excellent choice 'cuz it can be "taken down!"
[ /jk ]

So, one could rely on two simple rules:
- ZA (PFW) is running = = all is well.
- ZA (PFW) is not runnig = = something's wrong.
Hmm, lemme think about this...

J

 

[Captain Jinks]

ZONE ALARM is an

Now that is interesting .

You can make all the smartass comments you want to but this is a fact.
It has happened three or four times. Usually the AV stuff catches up
within a day or two but I held a suspicious attachment on my desktop for
over a month before it was finally recognized by any AV scanner as a
threat.

In over 20 years of working with computers I've only been infected twice
and both times were my own fault because I clicked too quickly and by
the time I was through saying "dammit" I had myself an infection. On the
first occasion I had to manually clean the infection because while the
AV vendors could identify it they hadn't yet come up with a clean up
method. After spending six hours tracing the virus through the registry
I was clean and much more cautious. The second time was when the payload
was hidden behind a bogus icon. Instant realization of my stupidity sent
me directly to the power button to prevent further nastiness.

I say a personal firewall is indispensable, even if someone is as
brilliant as you are.

 

[(Pete Cresswell)]

Per Captain Jinks:

That is a big deal. You might be eaten
up with Trojans and dialers but a software firewall will make them
useless unless you're silly enough to give permission to everything that
tries to contact someone outside your own computer.

I just learned the truth of that a couple days ago.

Re-built a PC, installed virus protection/personal firewall immediately albeit
had not received the router yet.

Somewhere in that process I wound up with a worm in the form of (RSPCS.exe?).

Took a little while for it to dawn on me that something wasn't right as the
firewall was reporting about two attacks per second. Then I looked at the
outgoing and this thing was just spraying traffic here, there, and everywhere.
My assumption is that those outgoings acted as invitations for incoming attacks
because once I got rid of the offending .exe, it quieted down again.