Is Both HW & SW Firewall Necessary?



SKinAZ
08-04-2008, 02:37 PM
Do I really need both a hardware firewall and a software firewall to competently protect my home network?

Or is that like wearing a condom after you've had a vasectomy?

Was using Panda Security Suite for the software side of things, but they've dropped their "IT@Home" program where they provided AV/Firewall s/w free. :pfft:

Markel
08-04-2008, 03:52 PM
I like having a software firewall because it (if it is a decent one) will warn you about attempted outbound traffic.

Jeffbx
08-05-2008, 04:56 AM
I keep the Windows SP2 firewall on, but I really only rely on the hardware firewall.

Markel
08-05-2008, 06:00 AM
I keep the Windows SP2 firewall on, but I really only rely on the hardware firewall.
The XP firewall does not monitor outbound traffic, which makes it next to worthless.

DarkFury
08-05-2008, 06:23 AM
Honestly, without a decent software firewall protecting against outbound traffic, you are basically allowing any resident rogue apps to transmit their data to their home base. These apps can get onto your machine in various sneaky ways that bypass your inbound firewall procedures (you can invite them in by just clicking those stupid pop up banners for an example...)

You gotta protect yourself both ways unless you have the discipline to make sure you don't download any of these rogue apps.

mojo
08-05-2008, 09:10 AM
I think that to answer this question properly, one needs to know the variables involved.

If you have a Cisco-type firewall it's a little different than a D-Link, and if you have ipchains set up it's a little different than a Norton security suite.

Both together could be helpful, or could be redundant.

Markel
08-05-2008, 11:05 AM
I should add that I'm behind a hardware firewall (router) in addition to having my software firewall (ZoneAlarm). I like having both working to protect me.

mechmike0034
08-05-2008, 03:08 PM
The XP firewall does not monitor outbound traffic, which makes it next to worthless.
It doesn't?

http://www.echolink.org/images/XPSP2Popup.gif

http://www.microsoft.com/library/media/1033/windowsxp/images/sp2/sp2_wfoverv2.jpg

Jesper Johansson (https://mvp.support.microsoft.com/profile/Jesper) is an MVP in Windows Security. He wrote (http://msinfluentials.com/blogs/jesper/archive/2007/07/19/at-least-this-snake-oil-is-free.aspx):


There are several serious flaws in the reasoning that outbound, host-based firewalls will actually stop attacks. The one that seems to elude everyone that claims a piece of software can stop arbitrary other pieces of software from making outbound connections is that all software running within the same user context can control any other software within the same user context. Put more simply, if you permit any application to communicate out, over any port, then any other piece of software you execute as the same user can communicate out over that same port.

Let's say you run application A, a web browser. The browser runs as you, user Bob, who is a standard user. The browser tries to connect to some server, and the outbound host-based firewall detects that and asks if you wish to permit it. If the administrator has enabled it, you can permit that yourself, otherwise you may need an administrative account to do it. For the sake of argument, let's say you can enable it yourself. More than likely, you would enable it to connect to all web servers, since a web browser is far more useful that way.

Now some distant friend of yours, Paul, e-mails you this cool app he found, and you run it. The application gathers up all your stored passwords, your Microsoft Money file, all your recent e-mail messages, and any documents you have access to. It then needs to send this stuff to the criminals, but, the outbound host-based firewall would stop it, right? No. The malicious application could do a couple of things. First, if you have the ability to open outbound ports, the application, running as you, could just open the ports it needs, transfer the data, and close them again.

Let's say, however, that you would have to ask your administrator to open ports (notwithstanding the fact that no administrator, and no user, would ever put up with that in the long run). That would stop the malicious application, right? No. That won't work either. The application would simply look for some other application that can communicate outbound. It would find that the web browser can do so. Cool. The malicious application would launch the web browser, which opens the hole in the firewall, attach to it using standard debugging techniques, and then ask the web browser to take the neatly packaged information it stole and send it to wherever it wants. This would be done by simply injecting code into the running web browser. The web browser, essentially unaware that this was even happening, would go ahead and do it. The host-based outbound firewall would only know that the web browser sent some data out, which it is permitted to do, and would not take any action to stop it.

Since there is no application isolation between applications running within the same user context there is no real way to prevent this from happening.
He also wrote (http://blogs.technet.com/jesper_johansson/archive/2006/05/01/426921.aspx):


I really like Windows Firewall in Windows XP Service Pack 2 (SP2). It is lightweight, centrally manageable, does the job well, is unintrusive, and does something very critical: it protects the system at boot. That last one is crucial; we have seen many systems in the past get infected during boot even with a firewall turned on.
and...


The key problem is that most people think outbound host-based firewall filtering will keep a compromised asset from attacking other assets. This is impossible. Putting protective measures on a compromised asset and asking it not to compromise any other assets simply does not work. Protection belongs on the asset you are trying to protect, not the one you are trying to protect against! Asking the bad guys not to steal stuff after they have already broken into your house is unlikely to be nearly as effective as keeping them from breaking into the house in the first place.
My intent is not to slag anyone here - if you're happy with ZA or any other software firewall, then by all means use it. If you're concerned with security, look at it from all angles. I personally use a router-based NAT firewall plus the Windows Firewall.

LPMiller
08-05-2008, 04:22 PM
yeah, thanks mike, I was questioning that myself.

Also, it's the job of the anti-virus in the first place to see if rogue programs are doing things they shouldn't, and a good program will do that in conjunction with Windows Firewall. ZoneAlarm doesn't really give you much of an advantage, other than being more intrusive. Same with any firewall program. XP and Vista's firewall offers up a bit of a compromise; on the other hand, it works too. If you have a problem with rogue programs accessing the internet, chances are you were doing something on the internet you should not have been doing anyway.

DarkFury
08-05-2008, 09:04 PM
If you have a problem with rogue programs accessing the internet, chances are you were doing something on the internet you should not have been doing anyway.
:shifty:

Whatchu talkin' bout Willis....

:shifty:

SKinAZ
08-06-2008, 08:46 AM
Thanks for all the info, I'm going to use my router's firewall plus Windows Firewall for now.

Special thanks to mike for the detailed information.

Maarchk
08-06-2008, 09:37 AM
:shifty:

Whatchu talkin' bout Willis....

:shifty:

no one ever goes to questionable sites around here... I think he's surely mistaken....

Markel
08-06-2008, 03:02 PM
It doesn't?

http://www.echolink.org/images/XPSP2Popup.gif

http://www.microsoft.com/library/media/1033/windowsxp/images/sp2/sp2_wfoverv2.jpg
Both of those images show the firewall preventing inbound connections from the internet (which obviously means that the program has been sending information out).

The XP firewall has never blocked outbound traffic (the Vista firewall does). Here's a reference I found (link (http://windowsxp.mvps.org/firewall.htm)):

Windows XP Internet Connection Firewall blocks incoming attacks only

Windows XP ICF does not monitor the outgoing connections from your computer. This means the trojans and other malicious programs, data-miners, are not detected. Any information can be sent by a malware program from your computer, as you are not alerted about that. Consider using a third-party application-based firewall like ZoneAlarm from www.zonelabs.com, Sygate or Outpost Firewall. ZoneAlarm is truly an application-based firewall which alerts you whenever a program accesses the internet. You can configure the rule if you want to allow Internet access to an application permanently or on a case-by-case basis. You can also configure if your application should act as a server or just an application.
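As an added example (not code from the thread or from any poster in it), here is the outbound-filtering side of the later Windows Firewall with Advanced Security, the engine that replaced the XP-era ICF quoted above and that mike's Jesper Johansson quotes are talking about, driven through the NetSecurity PowerShell cmdlets that exist on Windows 8 / Server 2012 and later. It shows the weak default (outbound allowed unless a rule says otherwise) next to the corrected deny-by-default posture with a handful of per-program allow rules. Run it from an elevated PowerShell. The rule names, the Firefox install path, the service choices and the log path are assumptions; adjust them to the machine you are on.

```powershell
# Added example, not from the thread: put Windows Firewall into a deny-by-default
# outbound posture and allow a few programs explicitly. Needs an elevated PowerShell
# on Windows 8 / Server 2012 or later (NetSecurity module). Rule names, program
# paths, service names and the log path below are assumptions.

# 1. The weak setting: out of the box every profile allows any outbound connection.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. The corrected setting: inbound and outbound both blocked unless a rule allows
#    it, with dropped packets logged so you can see what broke.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Explicit outbound allow rules. Each is tied to an executable path (and, for
#    svchost-hosted services, to the service) plus a protocol and destination port.
$allowRules = @(
    @{ Name = 'Allow outbound: Firefox (HTTP/HTTPS)'
       Program = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed install path
       Protocol = 'TCP'; RemotePort = @('80', '443') },
    @{ Name = 'Allow outbound: Windows Update (HTTPS)'
       Program = '%SystemRoot%\System32\svchost.exe'
       Service = 'wuauserv'
       Protocol = 'TCP'; RemotePort = @('443') },
    @{ Name = 'Allow outbound: DNS client'
       Program = '%SystemRoot%\System32\svchost.exe'
       Service = 'Dnscache'
       Protocol = 'UDP'; RemotePort = @('53') }
)

foreach ($r in $allowRules) {
    # Drop a stale copy first so the script can be re-run without creating duplicates.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $params = @{
        DisplayName = $r.Name
        Direction   = 'Outbound'
        Action      = 'Allow'
        Profile     = 'Any'
        Program     = $r.Program
        Protocol    = $r.Protocol
        RemotePort  = $r.RemotePort
    }
    if ($r.ContainsKey('Service')) { $params.Service = $r.Service }
    New-NetFirewallRule @params | Out-Null
}

# 4. Check the result: profile defaults and the rules just created.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Allow outbound: *' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Two caveats a practitioner would want. First, the built-in "Core Networking" allow rules stay enabled, so basics like DHCP keep working after the default flips to Block; anything else that stops working shows up in the log file as DROP lines. Second, these rules key on the executable path (and service), not on who started the process: any program running as the same user can Start-Process the allowed browser with the data it wants to leak encoded in the URL, or inject into it, which is exactly the gap in Jesper's quote above. A deny-by-default outbound policy therefore buys you visibility and stops careless malware; it does not contain a determined one, and a path-based rule is only as trustworthy as the ACL on that executable.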

Airencracken
08-06-2008, 03:07 PM
Linksys wrt54g NAT and Firestarter on Linux.

My wireless network is encrypted (WPA-TKIP), does not broadcast its SSID and filters MAC addresses.

I think I'm good to go.

mechmike0034
08-06-2008, 07:56 PM
Both of those images show the firewall preventing inbound connections from the internet (which obviously means that the program has been sending information out).
I had always misinterpreted that as an outbound block (even though it says blocked from accepting connections from the internet) until you pointed it out and I really thought about it. I guess I always looked at it wrong because the Windows Firewall throws that dialog box up in response to opening any program the first time said program accesses the internet.

Another example of what happens when I assume rather than research.

How about Jesper's analysis, though? Do you find his points about the potential for rogue apps stepping around a software firewall or piggybacking upon a "known good" process valid?

This is why I want to get more firsthand experience with HIPS software. I keep hearing and reading about the HIPS capabilities (http://www.wilderssecurity.com/showpost.php?p=1274286&postcount=57) of Rising Antivirus (http://www.freerav.com/). I'm getting ready to nuke and pave an XP laptop for a friend, and I am going to install Rising and get to know it a little better.

ArkiStan
08-06-2008, 11:41 PM
So I recently installed a Linksys WRT54GS Wireless Router. I have WPA2 security on and don't broadcast my SSID and use MAC address filters. Is a "hardware firewall" something additional I would need to setup? Is it built in, or some kind of add on?

LPMiller
08-07-2008, 04:28 AM
built in.

Markel
08-07-2008, 07:31 PM
How about Jesper's analysis, though? Do you find his points about the potential for rogue apps stepping around a software firewall or piggybacking upon a "known good" process valid?
I think he has some valid points. I certainly don't depend on my software firewall as absolute protection. However, it certainly can't hurt to be able to stop a task from sending outbound traffic if you don't want it to do so. And the XP firewall doesn't give you a chance at that.

Jeffbx
08-08-2008, 04:37 AM
IMHO, the ability to block outbound packets is a pretty minor thing. I do rely on a hardware firewall as my primary protection at home, but I don't give it a second thought to go 'into the wild' at airports & hotels with nothing more than the Windows firewall. I figure as long as my virus scanner is up to date & my OS is patched with the latest fixes, the only thing standing between my computer & some intrusion is me, if I click on something stupid. If my computer DOES happen to get infected with something, I'm going to wipe it & start over - it's faster than trying to clean it manually - and it's not going to be connected to any network until I wipe it.

Plus I find most 3rd party software firewalls cause more problems than they solve. Our corporate software firewall is ZoneAlarm, and it causes so many application issues that now one of our first troubleshooting steps on machines with problems is to remove ZA & use only the Windows firewall. And don't even get me started on that McAfee mess.

DarkFury
08-08-2008, 07:55 AM
Honestly, my opinion... use it or don't use it. User choice.

Software firewalls aren't mandatory... however they do have some benefits (if those benefits mean anything to you.)

Personally, I like blocking certain applications from communicating outward, therefore I use them. As always, your mileage may vary... :D

attgig
08-08-2008, 12:01 PM
I almost always only rely on hardware. I'll have zone alarm installed, but keep it deactivated, unless I think I may have stumbled on a bad webpage, or feel something funny on my computer. I feel like I'm good enough with keeping track of what I surf and careful enough not to do something stupid to be without a software firewall.

mechmike0034
08-09-2008, 10:08 AM
Plus I find most 3rd party software firewalls cause more problems than they solve. Our corporate software firewall is ZoneAlarm, and it causes so many application issues that now one of our first troubleshooting steps on machines with problems is to remove ZA & use only the Windows firewall. And don't even get me started on that McAfee mess.

:stupid: X3 - My issue with 3rd party software firewalls has been just that...