router and firewall

SPIDERMAN

Hi guys,

with the advent of the coming SP2 update, and the new firewall,
I'm wondering if that, because I'm behind a solid router (SMC Barricade) off
my cable modem, will I need to turn it on? I've never had a problem with
this router, and generally any internet 'tests' have been unable to detect
my ports because of my router (I have two comps on the network).

thanks :)
 
Phil

No, you do not need the Windows XP firewall on if you have a router (that
does NAT) or a hardware firewall.
You may however want to consider a software firewall that does outbound
monitoring as well, like ZoneAlarm. Your router will not protect you from
programs trying to "phone home". An outbound monitoring capable firewall
will.
 
SPIDERMAN

Phil said:
No, you do not need the Windows XP firewall on if you have a router (that
does NAT) or a hardware firewall.
You may however want to consider a software firewall that does outbound
monitoring as well, like ZoneAlarm. Your router will not protect you from
programs trying to "phone home". An outbound monitoring capable firewall
will.

thank you very kindly
 
NobodyMan

No, you do not need the Windows XP firewall on if you have a router (that
does NAT) or a hardware firewall.
You may however want to consider a software firewall that does outbound
monitoring as well, like ZoneAlarm. Your router will not protect you from
programs trying to "phone home". An outbound monitoring capable firewall
will.

I disagree. Calling NAT a firewall is like calling a car with no
engine reliable transport on the Beltway in DC (for those with no idea
what I'm referring to, the DC Beltway is also known as the Washington
DC international speedway).

NAT is decent, but it is NOT and was never meant to provide firewall
services. I would never recommend to anybody with broadband to rely
solely on NAT. A hardware or software firewall is a must.
 
Leer

NobodyMan said:
I disagree. Calling NAT a firewall is like calling a car with no
engine reliable transport on the Beltway in DC (for those with no idea
what I'm referring to, the DC Beltway is also known as the Washington
DC international speedway).

NAT is decent, but it is NOT and was never meant to provide firewall
services. I would never recommend to anybody with broadband to rely
solely on NAT. A hardware or software firewall is a must.


Nobody,

I am just curious and would like to know.

Would you please explain to me what NAT is. Also, would you please explain
and clarify some of the reasons that you would not recommend NAT to anybody.

Thanks in advance for your help and insight.

Leer
 
Bruce Chambers

Greetings --

NAT = Network Address Translation. When you use a NAT-capable
router, the only IP address that is presented to the outside world
(Internet) is the IP address of the router itself. The router acts as
a switchboard to ensure that the necessary data gets routed back to
the computer that requested it, allowing multiple computers to use a
single broadband Internet connection. The IP addresses of any
computers behind the router, on the network, are hidden from
outsiders. One side effect of this is improved security: would-be
hackers cannot readily find the IP addresses of the computers on which
to execute any exploits, nor can broadcast worms such as Blaster,
Welchia, or Sasser find the computers to infect them. To the
uninitiated, this makes a router with NAT seem like a firewall, but it
really isn't - real hardware firewalls can do much more.

If you use a router with NAT, it's still a very good idea to use a
3rd party software firewall. Like WinXP's built-in firewall,
NAT-capable routers do nothing to protect the user from him/herself
(or any "curious," over-confident teenagers in the home). Again --
and I _cannot_ emphasize this enough -- almost all spyware and many
Trojans and worms are downloaded and installed deliberately (albeit
unknowingly) by the user. So a software firewall, such as Sygate or
ZoneAlarm, that can detect and warn the user of unauthorized out-going
traffic is an important element of protecting one's privacy and
security. Most antivirus applications do not even scan for or protect
you from adware/spyware, because, after all, you've installed them
yourself, so you must want them there, right?

I use both a router with NAT and Sygate Personal Firewall, even
though I generally know better than to install scumware. When it
comes to computer security and protecting my privacy, I prefer the old
"belt and suspenders" approach. In the professional IT community,
this is also known as a "layered defense." Basically, it comes down
to never, ever "putting all of your eggs in one basket."


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
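
Added example (not part of any post in this thread): a toy Python model of the NAT "switchboard" described in the post above, showing why unsolicited inbound packets get dropped while an unwanted program's outbound connection is translated like any other. All addresses are constructed, the `egress_blocklist` parameter is a hypothetical stand-in for outbound filtering (the software firewalls named in the thread decide per program on the PC, not per destination on the router), and the per-peer check in `inbound` is an assumption that not every NAT implements.

```python
# Added example: toy model of a port-translating NAT router.
# All addresses and ports are constructed (RFC 5737 / RFC 1918 ranges).
from itertools import count


class NatRouter:
    def __init__(self, wan_ip, egress_blocklist=()):
        self.wan_ip = wan_ip
        self.table = {}  # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self._ports = count(40000)
        # Hypothetical outbound policy. Plain NAT has none (empty set).
        self.egress_blocklist = set(egress_blocklist)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host opens a connection; returns the (ip, port) the Internet sees."""
        if (remote_ip, remote_port) in self.egress_blocklist:
            return None  # only an outbound-aware filter ever takes this branch
        wan_port = next(self._ports)
        self.table[wan_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return (self.wan_ip, wan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """Packet arrives on the WAN side; returns the LAN (ip, port) or None."""
        entry = self.table.get(wan_port)
        if entry is None:
            return None  # unsolicited: no mapping, so nowhere to forward it
        lan_ip, lan_port, peer_ip, peer_port = entry
        if (remote_ip, remote_port) != (peer_ip, peer_port):
            return None  # assumption: mapping is only valid for its own peer
        return (lan_ip, lan_port)


def demo():
    nat = NatRouter("203.0.113.5")
    # 1. Browser on PC 1 requests a page; the reply is switched back to it.
    _, port = nat.outbound("192.168.2.10", 51000, "198.51.100.7", 80)
    reply = nat.inbound("198.51.100.7", 80, port)
    # 2. A worm-style probe of port 445 from outside has no mapping: dropped.
    probe = nat.inbound("192.0.2.99", 4444, 445)
    # 3. Unwanted program on PC 2 "phones home": NAT translates it like any flow.
    phone_home = nat.outbound("192.168.2.11", 51001, "192.0.2.50", 443)
    # 4. Same flow through a device that also has an outbound rule.
    filtered = NatRouter("203.0.113.5", egress_blocklist={("192.0.2.50", 443)})
    blocked = filtered.outbound("192.168.2.11", 51001, "192.0.2.50", 443)
    return reply, probe, phone_home, blocked


if __name__ == "__main__":
    print(demo())
```
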
 
Leer

Bruce,

Thanks for your reply. I appreciate your help and support. I have learned a
great deal of information from your posts on this newsgroup.

Thanks again for your help.

Leer
 
NobodyMan

Leer,

I would only add that I never said I wouldn't recommend NAT to
anybody. I said I wouldn't recommend NAT instead of a firewall. NAT
has its place in networking, to be sure, but it does not replace, or
provide the functionality of, a properly operating hardware or
software firewall.
 
Phil

NobodyMan said:
I disagree. Calling NAT a firewall is like calling a car with no
engine reliable transport on the Beltway in DC (for those with no idea
what I'm referring to, the DC Beltway is also known as the Washington
DC international speedway).

NAT is decent, but it is NOT and was never meant to provide firewall
services. I would never recommend to anybody with broadband to rely
solely on NAT. A hardware or software firewall is a must.

Isn't that what I just said?
1) I never said a router doing NAT is a firewall.
2) I said to consider a better software firewall than the XP firewall, like
ZA, that does outbound.
3) I said a router OR a hardware firewall.
4) The router the OP has is a router that does NAT and is a full hardware
firewall that does stateful packet inspection (SPI) as well, so no inbound
monitoring only software firewall is needed. (Check the SMC website.)
5) I never said to solely trust a router that does NAT only.
 
Phil

The SMC Barricade does stateful packet inspection AND network address
translation. It is a router/firewall.
 
CZ

The router the op has is a router that does nat and is a full hardware
firewall that does stateful packet inspection(spi) as well

Phil:

Generally, I would not call a router with SPI a full hardware firewall.
IMO, re: SPI in routers, the term is often used to describe DoS protection
on the router's WAN port, which is not exactly full hardware firewall
protection.

My Netgear RT 314 router does not have SPI, but offers strong ingress and
egress packet filtering rules on both interfaces. Still, I would not refer
to it as a full hardware firewall product.

On the other hand, MS's ISA product could be considered to be a full
"hardware" firewall product as it does:
Packet filtering:
Stateless
Stateful (including SPI)
Circuit level filtering
Application level filtering of protocols and data
Proxy server service
 
Bruce Chambers

Greetings --

You're welcome.

Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
 
Phil

CZ said:
firewall that does stateful packet inspection(spi) as well

Phil:

Generally, I would not call a router with SPI a full hardware
firewall. IMO, re: SPI in routers, the term is often used to describe
DoS protection on the router's WAN port, which is not exactly full
hardware firewall protection.

My Netgear RT 314 router does not have SPI, but offers strong ingress
and egress packet filtering rules on both interfaces. Still, I would
not refer to it as a full hardware firewall product.

On the other hand, MS's ISA product could be considered to be a full
"hardware" firewall product as it does:
Packet filtering:
Stateless
Stateful (including SPI)
Circuit level filtering
Application level filtering of protocols and data
Proxy server service

A little late getting back to ya here, but ok, I'll give you that. It isn't
technically a full blown hardware firewall, but with the nat and spi it
should provide more than enough protection for the home user.
 
