Hardware vs Software firewall question


Joe Schmoe

I hear all the time that a hardware firewall via a router is better than
say, ZA. But ZA pretty much autoconfigures everything and then pops up
with options when I go somewhere or a piece of software wants access or
something/someone tries to access me. I find this very convenient.

A friend has a router and as far as I can tell all of the config has to
be done manually via a utility and it doesn't have any auto features.
Does the hardware firewall somehow "know" to take care of all these
things? How could it, for example? Please enlighten me if you can,
thanks.

Joe
 
There is a lot of discussion about superiority of one type of firewall over
another; hardware vs. software. The truth is that both have their place.
Most SOHO routers like your friend's add security by not allowing traffic
into the LAN except what is explicitly enabled through the device interface
and using NAT (or PAT) to obscure the IP addresses of the private network.
Host-based firewalls like Zone Alarm and ICF perform packet-filtering at
the host to secure the host itself at the cost of increased complexity.
Many people use both with success.

__
Danny Slye
Microsoft Support Professional
MCSE

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
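
The inbound behaviour described above (a NAT/PAT router admits only replies to connections the LAN started, plus ports explicitly enabled in its interface), as an added example that is not part of the original posts. The class, its method names, the port range and all addresses are constructed for illustration, and the strict remote-endpoint match is an assumption; real routers vary in how tightly they match.

```python
"""Toy model of a SOHO router's NAT/PAT table (constructed example)."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class PatRouter:
    public_ip: str
    # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    sessions: dict = field(default_factory=dict)
    # (proto, public_port) -> (lan_ip, lan_port): the manual configuration
    forwards: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(50000))

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a public port, remember it.

        The router sees only addresses and ports, not which application
        sent the packet, so every outbound connection gets a mapping.
        """
        public_port = next(self._ports)
        self.sessions[(proto, public_port)] = (
            lan_ip, lan_port, remote_ip, remote_port)
        return self.public_ip, public_port

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Decide what happens to a packet arriving on the WAN side."""
        key = (proto, dst_port)
        sess = self.sessions.get(key)
        # Reply from the exact remote endpoint a LAN host contacted.
        if sess and sess[2:] == (src_ip, src_port):
            return ("reply", sess[0], sess[1])
        # Port explicitly enabled through the device interface.
        if key in self.forwards:
            return ("forward", *self.forwards[key])
        # Nothing on the LAN asked for this traffic.
        return ("drop", None, None)


def demo():
    r = PatRouter("203.0.113.7")  # documentation-range addresses, constructed
    _, port = r.outbound("tcp", "192.168.1.10", 51515, "198.51.100.20", 443)
    return [
        r.inbound("tcp", "198.51.100.20", 443, port),  # reply to our request
        r.inbound("tcp", "192.0.2.99", 4444, port),    # stranger, same port
        r.inbound("tcp", "192.0.2.99", 4444, 445),     # unsolicited probe
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
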
 

Using both is a good compromise. A hardware NAT / PAT router filters
the background noise, which cuts down significantly on the alerts
issued by a software firewall, reducing its load on your CPU. Also, a
router is not vulnerable to worms that are known to disable software
processes like the firewall.

A software firewall provides application level filtering of outbound
traffic, and helps detect outgoing traffic from software clandestinely
installed on your system. Keyloggers, and other spyware that is not
detected by real-time virus protection, present a real threat.
Application level filtering, or reporting by a port logger, is
increasingly essential in your layered protection strategy.

Port loggers, such as Port Explorer (free) from
<http://www.diamondcs.com.au/portexplorer/index.php?page=home>,
provide auditing of outbound traffic without the annoying constant
questions "Do you want to allow outbound traffic by this
application?", and may be a good compromise when protected by a
router.

The router, and firewall, are only the outermost layers of defense.
Equally important are:
3) Spyware and virus scanning and realtime protection.
4) Carefully updated operating system and applications.
5) Hardened browser. The right browser, carefully configured.
6) Common sense. Yours. And constant education about current
threats. What's effective this year won't be enough next year.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 