Need Firewall with Router?

Wind

I am running a Compaq Presario 53100US with Windows XP. I have 3 computers
on my network via a Linksys BEFSR41 router. Do I still need the firewall? I
heard that the router makes you pretty safe in this area.
Thanks
Wind
 
Russell Spicer

It is always a good idea to have some sort of firewall, whatever your
connection to the internet.
 
djs

Wind said:
I am running a Compaq Presario 53100US with Windows XP. I have 3
computers on my network via a Linksys BEFSR41 router. Do I still
need the firewall? I heard that the router makes you pretty safe in
this area.

A well-configured router is a huge security advantage. But personal
firewall software can add another layer of security. In particular, it
can catch outbound access attempts. All of this assumes, of course,
that the personal firewall software doesn't cause more problems than it
solves--which is often the case.
 
KG

In my opinion, no, you don't need the built-in XP firewall. I have the same
router as you, am on a 3 PC network and have not enabled the built-in
firewall. If you do enable it on a PC in your network, you will be limiting
access to that computer's shared resources (printer, files) by the others on
the network.

KG

| I am running a Compaq Presario 53100US with Windows XP. I have 3 computers
| on my network via a Linksys BEFSR41 router. Do I still need the firewall? I
| heard that the router makes you pretty safe in this area.
| Thanks
| Wind
 
purplehaz

A router is "some sort of firewall". It acts and works just like a software
firewall and is sometimes more secure than software.
 
purplehaz

The only reason you would need a software firewall in your setup, would be
if the firewall software blocked outgoing requests as well. If it blocks
outgoing it would be good to have cause a router doesn't usually block
outgoing, or is limited in this ability.
 
Rob Schneider

Wind said:
I am running a Compaq Presario 53100US with Windows XP. I have 3 computers
on my network via a Linksys BEFSR41 router. Do I still need the firewall? I
heard that the router makes you pretty safe in this area.
Thanks
Wind

I have the same Linksys firewall, and in my opinion that is good enough.
I don't run the internal XP firewall on my XP machines to keep things
simple.

I monitor (out of curiosity more than anything else) and I can tell
it's repelling the inbound "attacks" and I also watch all the outbound
requests with an automated process on one of the machines inside the
network to ensure nothing that squeaked through is now trying to "phone
home".

Knock on wood, seems to be good enough.
 
Russell Spicer

A router is no sort of firewall at all, it simply routes network traffic to
the correct location. Some routers do have a *very* simple firewall
embedded, but it is nowhere near good enough to use alone.
 
NoNoBadDog!

I use the same router with 4 computers. The BEFSR41 uses NAT, so you are
fairly safe. You need a good firewall to protect each computer for outgoing
traffic. You have two choices:

1. Later firmware versions for the BEFSR41 allow the purchase and
installation of ZoneAlarm Pro on the router. This is the best solution.

2. Download and install the free ZoneAlarm on each of your computers. You
must do this on ALL computers that connect through your router.

Bobby
 
CZ

A router is "some sort of firewall". It acts and works just like a
software firewall and is sometimes more secure than software.

purplehaze:

Not exactly.

The term router is used for different items in today's world.
Technically, it means a device that forwards packets between two subnets per
a routing table.
IMO, what end users call a firewall is basically a packet filtering device.
And then there are NATs (network address translators).

My Netgear "router" has the following features:
Routing
NAT
Firewall (packet filtering rules on both LAN and WAN ports)
DHCP service
DNS proxy service

My Orinoco AP/router for wireless adds the following to the feature set.
AP with MAC address control and WEP

Both products are often referred to as "routers".
 
purplehaz

A router that does NAT (and most/many do) is fine to use alone. The router
the OP talks about does do NAT. A router that doesn't do NAT is basically the
same as a hub or switch. Here is what Linksys says:


The Linksys EtherFast® Cable/DSL Router with 4-Port Switch is the perfect
option to connect multiple PCs to a high-speed Broadband Internet connection
or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT
technology acts as a firewall protecting your internal network.
 
purplehaz

I know that a router technically routes packets, but most/many, if not all
do nat. I wouldn't buy a router for home or small business use that didn't
do nat. The one the op talks about does do nat and therefore works fine as
hardware firewall. As you noticed I put some sort of firewall in quotes,
cause a router that does nat has firewall capabilities. It may not
technically be called a hardware firewall, but it is "some sort of
firewall", it has firewall capabilities.
 
CZ

Re: router with NAT:
sort of
firewall", it has firewall capabilities.

purplehaze:

I agree, but a purist would disagree.
 
purplehaz

I don't need to check mine. Been there done that. I use a Netgear FVS311
Firewall/router. All stealth at shields up.
 
Steve Nielsen

GSV said:
b) blocking 'bad stuff' coming from other PCs on your LAN (as opposed to
from the Internet). Of course if those have (outgoing) firewalls and
virus scanners too, then that shouldn't happen, but there's nothing
wrong with 'belt AND braces (suspenders)'.

Excellent info to which I will add...

In a large organization this threat becomes VERY pronounced. I work for
a school district that's on a rather large WAN with internet service
provided by another entity who has very good firewalls in place on their
end. However, all it took was ONE person bringing in an infected laptop
(in a different school district that has the same ISP) and blaster worm
was ALL OVER the WAN in a matter of minutes. Just because a network is
small doesn't mean it's safe either, all it takes is ONE screwup.

LOTS of good reasons to have firewall running on local machines.

Steve
 
Torgeir Bakken (MVP)

Steve said:
In a large organization this threat becomes VERY pronounced. I work for
a school district that's on a rather large WAN with internet service
provided by another entity who has very good firewalls in place on their
end. However, all it took was ONE person bringing in an infected laptop
(in a different school district that has the same ISP) and blaster worm
was ALL OVER the WAN in a matter of minutes. Just because a network is
small doesn't mean it's safe either, all it takes is ONE screwup.

LOTS of good reasons to have firewall running on local machines.

If you are running an Active Directory or NT4 domain, blocking e.g. port 135 on
the local computers/servers is not an option. For a wan/lan setting, being up
to date with security updates and antivirus sw/signature files should be good
enough for the local computers/servers, with these rules as well:

No split tunneling on VPN connections.
All external computers that connect through VPN must have updated antivirus
sw/signature files as well as a local firewall.
All laptops that are to be used outside and inside of the lan/wan must have a
firewall that is configured to be open when connected to an IP range that
belongs to the wan/lan, and hardened when connected to a non-authorized IP
range.
 
purplehaz

CZ said:
> Purplehaze:
>
> I would not use that setup, as there is no stated protection for the
> router's WAN ports, and there is not any outbound control within the LAN
> period.
>
> My Netgear router is fully stealth on the WAN side, and the Netgear supports
> SysLog for logging hits to the WAN port address.
> It shows about 300 hits per 24 hr period.

I wouldn't do it that way either, but you could and have a good chance of
being ok.

> Not correct.
> Functionality at one OSI layer is not used on another OSI layer.
> A hub is an OSI layer 1 device that basically distributes a signal among the
> remaining ports.
> A switch is an OSI layer 2 device that can setup an exclusive connection
> between two ports.
> A router is an OSI layer 3 device that connects two subnets per a routing
> table.
> A NAT works at OSI layer 3 (IP addresses) and OSI layer 4 (ports).
>
> So, a router at OSI layer 3 understands IP addresses, a hub (or a switch)
> does not.

I guess I worded it wrong. I know that a router is not the same as a hub or
a switch, I was just trying to say that a router that doesn't do nat, has as
much security as a hub. To me, what would the point be, it's gotta have nat.

> with
> 4-Port Switch is the perfect
> option to connect multiple PCs to a high-speed Broadband Internet connection
> or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT
> technology acts as a firewall protecting your internal network.
>
> Depends on how you define "firewall". Purists would not call a NAT a
> firewall.

True, good point. Some people on dslreports.com would agree with you. I'm
certainly not a hacker, but I know a thing or two. My friend has a Linksys
router and I can't get in or even get a trojan to load. Maybe someone else
could get right thru it or exploit it, I don't know.

> IMO, the term firewall can be used to mean a product that controls inbound
> and outbound packet flow.
> So, my Netgear router could be said to have the following firewall features:
> NAT:
> Provides address isolation (private subnet is translated into a public
> address).
> Blocks outside initiated inbound packets by failure to have a match in a
> port table.
>
> Packet filtering:
> Has very strong rules for controlling packet flow in both directions on both
> interfaces.

And my Netgear VPN firewall does all that and a bit more and is an 8 port
router. It is a true firewall, so your explanation is right on. Some
routers have firewall features, but technically are not firewalls. I'll
agree.
 
purplehaz

CZ said:
> Re: router with NAT:
>
> sort of
> firewall", it has firewall capabilities.
>
> purplehaze:
>
> I agree, but a purist would disagree.

Ya, you're right about that, I used to hang on dslreports a lot. Some purists in
there for sure.
 
Bruce Chambers

Greetings --

You're correct in thinking that a NAT router is often better than
a software product, at least to block unwanted incoming traffic.

However, even good hardware firewalls and antivirus applications
do nothing to protect the user from him/herself. Almost all spyware
and many Trojans and worms are downloaded and installed deliberately
(albeit unknowingly) by the user. Antivirus software is only as good
as its latest definitions file, which will always lag a little behind
the development of new threats. Further, adware and spyware aren't
generally detected by antivirus software as a threat, because the
programs aren't viruses, they were downloaded and installed willingly
by the inattentive or uninformed user. So a firewall that can detect
unauthorized out-going traffic is an important element of protecting
one's privacy and security.


Bruce Chambers

--
You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
djs

Bruce Chambers said:
You're correct in thinking that a NAT router is often better than
a software product, at least to block unwanted incoming traffic.

However, even good hardware firewalls and antivirus applications
do nothing to protect the user from him/herself. Almost all spyware
and many Trojans and worms are downloaded and installed deliberately
(albeit unknowingly) by the user.

I think hardware firewalls can help protect you from yourself. What if
you have a remote-access trojan (RAT), and it's listening on a given
port, but your NAT router is blocking all the scans that are being done
to detect that listener? You're protected from anyone contacting that
RAT. Just like you said yourself.
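
The port-table behaviour CZ describes, and the inbound/outbound asymmetry that Bruce Chambers and djs discuss, shown as an added example that is not part of any post in this thread: a toy port-translating NAT in Python. The class and function names, the addresses (documentation ranges) and the strict match on remote address and port are assumptions; real routers differ in how strictly they match inbound packets.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Toy NAT: one public address plus a table of flows opened from the LAN."""
    public_ip: str
    next_port: int = 40000
    # public port -> (LAN ip, LAN port, remote ip, remote port)
    table: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection. NAT never refuses; it only records the flow."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """WAN-side packet: delivered only if it matches a recorded flow."""
        flow = self.table.get(pub_port)
        if flow is None or flow[2:] != (remote_ip, remote_port):
            return None      # no match in the port table: dropped
        return flow[:2]      # (LAN ip, LAN port) the packet is delivered to


def demo():
    """Constructed scenario; every address and port below is sample data."""
    nat = NatRouter("203.0.113.5")
    results = {}

    # A PC on the LAN browses a web server; the reply matches the table entry.
    web = nat.outbound("192.168.1.100", 1025, "198.51.100.10", 80)
    results["reply_from_web_server"] = nat.inbound("198.51.100.10", 80, web)

    # An outside host probes for a listener on the LAN PC: nothing in the table.
    results["scan_for_listener"] = nat.inbound("192.0.2.66", 4444, 5000)

    # The same outside host tries the port that was mapped for the web session.
    results["stranger_on_mapped_port"] = nat.inbound("192.0.2.66", 4444, web)

    # Unwanted software on the PC dials out ("phones home"). To the NAT this is
    # an ordinary outbound flow, so the reply comes straight back in.
    home = nat.outbound("192.168.1.100", 1026, "192.0.2.66", 8080)
    results["reply_to_phone_home"] = nat.inbound("192.0.2.66", 8080, home)
    return results


if __name__ == "__main__":
    for name, delivered_to in demo().items():
        print(f"{name}: {delivered_to}")
```

The two `None` results are the inbound blocking the thread credits to NAT; the last result is the outbound gap that a host firewall with outbound control is meant to cover.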
 
