Firewalls and Wireless Routers

Guest

If I have a wireless router installed and working and configured with a WEP
firewall.

The question is - can I safely stop using the built in firewall with Windows
XP Pro SP2 and rely on the one in the router?

Seems a bit silly having a firewall in the router and on both the desktop
and laptop!

But - just checking to be on the safe side.

Thanks for any advice.
 
Leythos

Guest said:
If I have a wireless router installed and working and configured with a WEP
firewall.

The question is - can I safely stop using the built in firewall with Windows
XP Pro SP2 and rely on the one in the router?

Seems a bit silly having a firewall in the router and on both the desktop
and laptop!

If you have a wireless router I would guess that it's not actually got a
firewall, just NAT, so you don't really have a firewall - none of the
home user units are really firewalls, just nice little NAT systems.

Since the XP SP2 firewall is really open to being improperly configured
you're not doing much with it that isn't already being handled by the
NAT box. If you want to have a firewall, either purchase something like
the WatchGuard Firebox SOHO unit or install something like ZoneAlarm.
 
John Doue

Leythos said:
If you have a wireless router I would guess that it's not actually got a
firewall, just NAT, so you don't really have a firewall - none of the
home user units are really firewalls, just nice little NAT systems.

Since the XP SP2 firewall is really open to being improperly configured
you're not doing much with it that isn't already being handled by the
NAT box. If you want to have a firewall, either purchase something like
the WatchGuard Firebox SOHO unit or install something like ZoneAlarm.

One other point in support of this is that the SP2 firewall will not control
in any way Internet traffic going OUT of your computer. Your NAT protects
you nicely from incoming unwanted access but does not control what goes
out. There are many reasons you want to keep a very strict control on
what goes out, since it is a way to detect trojans and other pests'
activity and to keep a lid on those programs that surreptitiously try to
access the Internet for various but seldom valid reasons. I see no reason
not to choose ZoneAlarm, but I would suggest you go for the SE version
that includes AD-Watch, even if it costs a few bucks, because it does a
good job at detecting attempts to make changes to the various start
sections of the registry.

Regards
 
Guest

So - Install ZONE ALARM, disable the XP Pro SP2 Firewall and leave the
router WEP as is?

Have I got that right?
 
Guest

Forgot to ask - Is Norton Firewall OK or is Zone Alarm that much better?

Thanks for any advice
 
Guest

And should I install Zone Alarm (or Norton) Firewall on BOTH machines.
i.e. - The desktop which is hard wired to the router and hence the DSL Modem
and the laptop, which the one connected by the wireless bits.

Thanks again
 
Marko

Leythos said:
If you have a wireless router I would guess that it's not actually got a
firewall, just NAT, so you don't really have a firewall - none of the
home user units are really firewalls, just nice little NAT systems.

Since the XP SP2 firewall is really open to being improperly configured
you're not doing much with it that isn't already being handled by the
NAT box. If you want to have a firewall, either purchase something like
the WatchGuard Firebox SOHO unit or install something like ZoneAlarm.

I would like to add something:

If you have a router's "nice little NAT system" then you effectively
don't exist to probes; it's very good, but that is only half of it.

ZoneAlarm allows you to block/control outgoing stuff and XP's firewall
doesn't do that.

--
Marko Jotic
"Common sense is anything but common".
From the notebooks of Lazarus Long. Robert A. Heinlein.
Handmade knives, antique designs, exotic materials at
http://www.knifeforging.com/
 
JW

ZoneAlarm is way better. When you run the LeakTest program from www.grc.com
and read the Help file, you will see some unflattering remarks about
Norton's firewall. Also, in PC World's tests/evaluations of firewalls,
anti-virus and anti-spyware programs, PC World experts recommended 2
firewalls. Norton was Not one of them. The PC World article has an
excellent overview and some revealing details of specific problems with
Norton and McAfee products. You can find it at
http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp


Guest said:
Forgot to ask - Is Norton Firewall OK or is Zone Alarm that much better?

Thanks for any advice
 
Leythos

Marko said:
I would like to add something:

If you have a router's "nice little NAT system" then you effectively
don't exist to probes; it's very good, but that is only half of it.

ZoneAlarm allows you to block/control outgoing stuff and XP's firewall
doesn't do that.

I agree and support the above notions. One thing about people using JUST a
personal firewall, like SP2 or ZA or any other, is that it requires the
user to make decisions based on information that the user may not have
or understand. In addition to user error, a virus could disable a
personal firewall and break out into the internet or local network.
 
Steve N.

Leythos said:
If you have a wireless router I would guess that it's not actually got a
firewall, just NAT, so you don't really have a firewall - none of the
home user units are really firewalls, just nice little NAT systems.

Since the XP SP2 firewall is really open to being improperly configured
you're not doing much with it that isn't already being handled by the
NAT box. If you want to have a firewall, either purchase something like
the WatchGuard Firebox SOHO unit or install something like ZoneAlarm.

Quite a few home routers include SPI (stateful packet inspection)
nowadays, which is an improvement over NAT alone; still, I agree that a
software firewall such as Zone Alarm or Kerio is much better protection.

With wireless routers I'd also be concerned about wireless security;
without proper configuration (if even available in the wireless router)
anyone with a wireless adaptor within radio range can piggyback on your
LAN and steal your ISP bandwidth (I have met people who claim to do
this) or worse, hack into your workstations, if unprotected. Even with
adequate security available for wireless routers I'd stay away from
wireless unless it is really needed, for reasons of LAN overhead/bandwidth
considerations.

Steve
 
NobodyMan

Guest said:
Sorry - Lost me there - What is a NAT system?

Thanks

Network Address Translation. One IP exists from your ISP and it is on
the Modem side of your router. Several non-routable IPs can exist on
the LAN side (your computers' side) of the router. The NAT routine on
your router deciphers which computer the inbound data packet is for,
then repacks it with the correct internal address and sends it out to
that computer.

Basically it lets you hook up several computers to the internet,
using the router, while only having to pay your ISP for one IP
address.
 
Gary

I found this definition of SPI at
http://www.webopedia.com/TERM/S/stateful_inspection.html. If a router has
this feature, it should block traffic going both ways that doesn't match
this definition and therefore a software firewall is not required?

What's annoying about most software firewalls is that a user can
accidentally allow a Trojan through, because benign applications blocking
requests appear too frequently and are a pain. If a hardware device can
perform the same function, then why use a software firewall? How does the
software firewall work differently... does it have a database like virus
definitions, or does it use SPI as well to stop Trojans? A lot of virus
definitions trap Trojans as well.

For example, we purchased a Netgear FVS318 router for our VPN traffic
interstate, and use SCS firewall with AV on servers and workstations. This
is now operating for 18 months on ADSL. I have seen threads which say
Norton firewall is not all that great, however, we have NEVER triggered SCS
Firewall with a Trojan/spyware when machines were connected on the LAN. The
rest AV picks up with real time scans. There has never been an attack that
has got through, although the log is full of attempts, be assured of that.


Stateful inspection
Last modified: Monday, August 18, 2003

Also referred to as dynamic packet filtering. Stateful inspection is a
firewall architecture that works at the network layer. Unlike static packet
filtering, which examines a packet based on the information in its header,
stateful inspection tracks each connection traversing all interfaces of the
firewall and makes sure they are valid. An example of a stateful firewall
may examine not just the header information but also the contents of the
packet up through the application layer in order to determine more about the
packet than just information about its source and destination. A stateful
inspection firewall also monitors the state of the connection and compiles
the information in a state table. Because of this, filtering decisions are
based not only on administrator-defined rules (as in static packet
filtering) but also on context that has been established by prior packets
that have passed through the firewall.

As an added security measure against port scanning, stateful inspection
firewalls close off ports until connection to the specific port is
requested.

Check Point Software is credited with coining the term stateful inspection
in the use of its FireWall-1 in 1993.
 
Leythos

Gary said:
I found this definition of SPI at
http://www.webopedia.com/TERM/S/stateful_inspection.html. If a router has
this feature, it should block traffic going both ways that doesn't match
this definition and therefore a software firewall is not required?

Ah, but, if you actually use a router/NAT that has SPI you would see
that anything INSIDE the network can get out without the user doing
anything with the router - meaning that all traffic originating inside
the network can get out at any time.

SPI means that a conversation started from a system inside the network
will only take place with the designated system and not another system
that might try and hijack the session through the same port that the two
systems are using (very crude definition, but it works).

I use the FVS318, the BEFVP41, and the BEFSX41 on small, less than 4
user, dedicated VPN's between offices and have not had any problems with
the VPN's or unwanted traffic getting into the networks. On that same
note, I'm also aware that neither of those vendors are providing a
firewall, just basic NAT services with added IPSec tunnel end-point
services built-into the routers.

Firewalls do more than block inbound, they inspect the inbound traffic
that you allow into the network, and they also block outbound traffic
based on any number of rules.
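The three posts above (NobodyMan's description of NAT, the pasted stateful-inspection definition, and Leythos's point that SPI only checks that inbound packets belong to a conversation a LAN host started) describe one mechanism from three angles. The toy model below puts them side by side. It is an added example written for this thread, not the firmware of any router or personal firewall mentioned in it; every address, port and program name in it is made up (addresses are from the RFC 5737 documentation ranges), and the "egress filter" class is a stand-in for the per-program prompt a product like ZoneAlarm shows, not that product's logic.

```python
"""Toy home NAT router with stateful inspection (SPI), plus a host-based
per-program egress filter.  Constructed example for this thread; every
address, port and program name is assumed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from itertools import count

PUBLIC_IP = "203.0.113.7"   # assumed ISP-assigned address on the modem side


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulNatRouter:
    """Outbound flows get a translated public port and a state-table entry.
    Inbound packets are delivered only if they match an entry exactly
    (protocol, public port, remote address, remote port); anything else is
    dropped, so an unsolicited probe never reaches a LAN host."""

    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self._ports = count(40000)   # next free translated source port
        self.state = {}   # (proto, pub_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._flows = {}  # reverse map so an existing flow keeps its port

    def outbound(self, pkt):
        """Translate a LAN-originated packet.  Nothing here looks at which
        program sent it: the router cannot know, so it passes everything."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self._flows.get(flow)
        if pub_port is None:
            pub_port = next(self._ports)
            self._flows[flow] = pub_port
            self.state[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Return the packet rewritten to the LAN host, or None if dropped."""
        entry = self.state.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


class HostEgressFilter:
    """The decision a personal firewall makes on the workstation itself:
    which program may open outbound connections.  Only the host still knows
    the program; by the time the packet reaches the router that is gone."""

    def __init__(self, allowed_programs):
        self.allowed = set(allowed_programs)

    def permit(self, program, pkt):
        return program in self.allowed


def run_scenario():
    router = StatefulNatRouter()
    r = {}

    # 1. Desktop browses to a web server: mapping created, reply comes back.
    browse = Packet("192.168.1.10", 51000, "198.51.100.20", 80)
    out = router.outbound(browse)
    r["browse_translated_src"] = (out.src_ip, out.src_port)
    reply = Packet("198.51.100.20", 80, router.public_ip, out.src_port)
    back = router.inbound(reply)
    r["reply_delivered_to"] = (back.dst_ip, back.dst_port)

    # 2. A third host tries to inject into that same public port: SPI drops
    #    it because the remote address is not the one in the state entry.
    hijack = Packet("192.0.2.66", 80, router.public_ip, out.src_port)
    r["hijack_delivered"] = router.inbound(hijack) is not None

    # 3. Internet scanner probes RDP on the public address: no state, dropped.
    probe = Packet("192.0.2.99", 44444, router.public_ip, 3389)
    r["probe_delivered"] = router.inbound(probe) is not None

    # 4. A trojan on the laptop beacons to its controller.  The router passes
    #    it like any outbound flow, and the controller's reply now matches
    #    state, so it is delivered too.
    beacon = Packet("192.168.1.11", 52000, "192.0.2.50", 443)
    out_beacon = router.outbound(beacon)
    r["beacon_passed_router"] = out_beacon.dst_ip == "192.0.2.50"
    c2_reply = Packet("192.0.2.50", 443, router.public_ip, out_beacon.src_port)
    r["c2_reply_delivered"] = router.inbound(c2_reply) is not None

    # 5. Only a host-based rule keyed on the program stops the beacon.
    egress = HostEgressFilter({"firefox.exe", "outlook.exe"})
    r["egress_allows_browser"] = egress.permit("firefox.exe", browse)
    r["egress_allows_beacon"] = egress.permit("updater.exe", beacon)  # assumed trojan name
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:24} {value}")
```

Steps 2 and 3 are what the router's NAT/SPI buys you: the state table is keyed on the remote address and port as well as the translated port, so neither a cold probe nor a packet from a different host aimed at an open mapping gets through. Step 4 is the point Leythos is making: the beacon is just another outbound flow, and once it exists the reply is "expected" traffic. Step 5 is the only place the program name is available, which is why outbound control has to live on the host. Real consumer NATs vary in how strictly they key the state table (some accept any remote on a mapped port); the strict keying here is an assumption of the model.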
 
Gary

Leythos said:
I agree and support the above notions. One thing about people using JUST a
personal firewall, like SP2 or ZA or any other, is that it requires the
user to make decisions based on information that the user may not have
or understand. In addition to user error, a virus could disable a
personal firewall and break out into the Internet or local network.

I have had this happen on computers I have worked on. The virus disabled the
software firewall. Some people have no idea what to allow or disallow access
to the Internet.
 
Gary

Ahh, k.

Even worms, trojans and the like will pass through the routers, because
their traffic came from within the protected network. In this case, a
software firewall would pick up a signature of suspicious activity and alert
the user. OK.
 
Leythos

Gary said:
Ahh, k.

Even worms, trojans and the like will pass through the routers, because
their traffic came from within the protected network. In this case, a
software firewall would pick up a signature of suspicious activity and alert
the user. OK.

In your explanation, I'll assume that you're talking about outbound from
an internal computer. And you are 100% correct in that they will pass
outbound without the router/NAT stopping them - that's the nature of
these simple NAT devices.

The idea that your personal firewall will stop this is a hope at best,
since many viruses are able to disable a personal firewall. You also
have to consider that the users are also 99% of the threat issue and may
just blindly click ALLOW or PERMIT and never even consider what their
action is doing.

In most cases, for home users, if they are running good antivirus
software, Norton AV or Symantec AV (and there is a difference) along
with a router that provides NAT, then they are better protected than
using a personal firewall solution.
 
JW

Since a combination of superb anti-virus software and a superb router would
still allow unauthorized outbound communication to go on unimpeded, and
since a superb router would also allow undesirable inbound communication if
it is in direct response to any unauthorized outbound communication
originating from within the network (which the router would think the user
really authorized), I would think that a software firewall that stops
unauthorized outbound communication would be an essential element of a home
network.

Yes, there is the possibility of human error, but while some new users might
be clueless at first, maybe 90-99% of us deserve the benefit of the doubt,
that when asked by ZoneAlarm "Do you want XYZ program to access the
internet?", then we will actually say No, if we neither launched XYZ
program just now, nor have ever heard of XYZ program. If a virus/Trojan
introduced to the network internally (e.g. on a USB flash drive, bypassing
the router) were to use even a familiar program (e.g. Explorer) to access
the internet, at least ZoneAlarm would stop it and ask me "Do you want to
allow Explorer to access the internet?" A router would probably not even
ask, and just assume I authorized it.

I certainly don't presume to know it all. Obviously the presumption I am
making now is that there are no routers that stop long enough to ask "Do you
want to allow XYZ program to access the internet?"


Gary said:
Ahh, k.

Even worms, trojans and the like will pass through the routers, because
their traffic came from within the protected network. In this case, a
software firewall would pick up a signature of suspicious activity and alert
the user. OK.

Leythos said:
In your explanation, I'll assume that you're talking about outbound from
an internal computer. And you are 100% correct in that they will pass
outbound without the router/NAT stopping them - that's the nature of
these simple NAT devices.

The idea that your personal firewall will stop this is a hope at best,
since many viruses are able to disable a personal firewall. You also
have to consider that the users are also 99% of the threat issue and may
just blindly click ALLOW or PERMIT and never even consider what their
action is doing.

In most cases, for home users, if they are running good antivirus
software, Norton AV or Symantec AV (and there is a difference) along
with a router that provides NAT, then they are better protected than
using a personal firewall solution.
 
JW

Although I have learned now how to answer ZoneAlarm 99% of the time,
there were times when I was a new user that I did not know how to answer.
Especially in response to the question "Do you want to allow Generic Host
Process to access the internet?", because I had no clue what "Generic Host
Process" was or does.

Later on, I got a feel for server permissions in ZoneAlarm, and grew to
appreciate ZoneAlarm stopping to ask me, "Do you want to allow IIS to accept
a connection from 123.345.567.789?" Then I would say Yes, if I had just
invited my brother to access my FTP site, and knew his IP address matched
the one requesting access. I presume a router could do that too, but it would
take much longer to do and later undo than simply clicking a button in a
ZoneAlarm dialog box labeled "Yes".


 
Leythos

JW said:
Since a combination of superb anti-virus software and a superb router would
still allow unauthorized outbound communication to go on unimpeded, and
since a superb router would also allow undesirable inbound communication if
it is in direct response to any unauthorized outbound communication
originating from within the network (which the router would think the user
really authorized), i would think that a software firewall that stops
unauthorized outbound communication would be an essential element of a home
network.

Yes, there is the possibility of human error, but while some new users might
be clueless at first, maybe 90-99% of us deserve the benefit of the doubt,
that when asked by ZoneAlarm

And there lies the crux of the problem - 90% of people using computers
are just doing that - using the computer. They have no clue. I've found
many people running ZA and others who just happily click Accept or
Allow to every request. I'm always amazed at how they install it and
never learn anything past the install.
 
