Is Both HW & SW Firewall Necessary?

SKinAZ · 08-04-2008, 03:37 PM

Do I really need both a hardware firewall and a software firewall to competently protect my home network?

Or is that like wearing a condom after you've had a vasectomy?

Was using Panda Security Suite for the software side of things, but they've dropped their "IT@Home" program where they provided AV/Firewall s/w free.

Markel · 08-04-2008, 04:52 PM

I like having a software firewall because it (if it is a descent one) will warn you about attempted outbound traffic.

Jeffbx · 08-05-2008, 05:56 AM

I keep the Windows SP2 firewall on, but I really only rely on the hardware firewall.

Markel · 08-05-2008, 07:00 AM

Quote:

Originally Posted by Jeffbx

I keep the Windows SP2 firewall on, but I really only rely on the hardware firewall.

The XP firewall does not monitor outbound traffic, which makes it next to worthless.

DarkFury · 08-05-2008, 07:23 AM

Honestly, without a decent software firewall protecting against outbound traffic, you are basically allowing any resident rogue apps to transmit their data to their home base. These apps can get onto your machine in various sneaky ways that bypass your inbound firewall procedures (you can invite them in by just clicking those stupid pop up banners for an example...)

You gotta protect yourself both ways unless you have the discipline to make sure you don't download any of these rogue apps.

mojo · 08-05-2008, 10:10 AM

i think that to answer this question properly, one needs to know the variables involved.

if you have a cisco type firewall it's a little different than a d-link. and if you have ipchains set up it's a little different than a norton security suite.

both together could be helpful, or could be redundant.

Markel · 08-05-2008, 12:05 PM

I should add that I'm behind a hardware firewall (router) in addition to having my software firewall (ZoneAlarm). I like having both working to protect me.

mechmike0034 · 08-05-2008, 04:08 PM

Quote:

Originally Posted by Markel

The XP firewall does not monitor outbound traffic, which makes it next to worthless.

It doesn't?

Jesper Johansson is an MVP in Windows Security. He wrote:

Quote:

There are several serious flaws in the reasoning that outbound, host-based firewalls will actually stop attacks. The one that seems to elude everyone that claims a piece of software can stop arbitrary other pieces of softare from making outbound connections is that all software running within the same user context can control any other software within the same user context. Put more simply, if you permit any application to communicate out, over any port, then any other piece of software you execute as the same user can communicate out over that same port.

Let's say you run application A, a web browser. The browser runs as you, user Bob, who is a standard user. The browser tries to connect to some server, and the outbound host-based firewall detects that and asks if you wish to permit it. If the administrator has enabled it, you can permit that yourself, otherwise you may need an administrative account to do it. For the sake of argument, let's say you can enable it yourself. More than likely, you would enable it to connect to all web servers, since a web browser is far more useful that way.

Now some distant friend of yours, Paul, e-mails you this cool app he found, and you run it. The application gathers up all your stored passwords, your Microsoft Money file, all your recent e-mail messages, and any documents you have access to. It then needs to send this stuff to the criminals, but, the outbound host-based firewall would stop it, right? No. The malicious application could do a couple of things. First, if you have the ability to open outbound ports the application, running as you, could just open the ports it needs, transfer the data, and close them again.

Let's say, however, that you would have to ask your administrator to open ports (notwithstanding the fact that no administrator, and no user, would ever put up with that in the long run). That would stop the malicious application, right? No. That won't work either. The application would simply look for some other application that can communicate outbound. It would find that the web browser can do so. Cool. The malicious application would launch the web browser, which opens the hole in the firewall, attach to it using standard debugging techniques, and then ask the web browser to take the neatly packaged information it stole and send it to whereever it wants. This would be done by simply injecting code into the running web browser. The web browser, essentially unaware that this was even happening, would go ahead and do it. The host-based outbound firewall would only know that the web browser sent some data out, which it is permitted to do, and would not take any action to stop it.

Since there is no application isolation between applications running within the same user context there is no real way to prevent this from happening.

He also wrote:

Quote:

I really like Windows Firewall in Windows XP Service Pack 2 (SP2). It is lightweight, centrally manageable, does the job well, is unintrusive, and does something very critical: it protects the system at boot. That last one is crucial; we have seen many systems in the past get infected during boot even with a firewall turned on.

and...

Quote:

The key problem is that most people think outbound host-based firewall filtering will keep a compromised asset from attacking other assets. This is impossible. Putting protective measures on a compromised asset and asking it not to compromise any other assets simply does not work. Protection belongs on the asset you are trying to protect, not the one you are trying to protect against! Asking the bad guys not to steal stuff after they have already broken into your house is unlikely to be nearly as effective as keeping them from breaking into the house in the first place.

My intent is not to slag anyone here - if you're happy with ZA or any other software firewall, then by all means use it. If you're concerned with security, look at it from all angles. I personally use a router-based NAT firewall plus the Windows Firewall.

LPMiller · 08-05-2008, 05:22 PM

yeah, thanks mike, I was questioning that myself.

Also, it's the job of the anti virus in the first place to see if rogue programs are doing things they shouldn't, and a good program will do that in conjunction with windows firewall. Zone alarm doesn't really give you much of an advantage, other than being more intrusive. Same with any firewall program. XP and Vista's firewall offters up a bit of a compromise, on the other hand it works too. If you have a problem with rogue programs accessing the internet, chances are you were doing something on the internet you should not have been doing anyway.

DarkFury · 08-05-2008, 10:04 PM

Quote:

Originally Posted by LPMiller

If you have a problem with rogue programs accessing the internet, chances are you were doing something on the internet you should not have been doing anyway.

Whatchu talkin' bout Willis....

SKinAZ · 08-06-2008, 09:46 AM

Thanks for all the info, I'm going to use my router's firewall plus Windows Firewall for now.

Special thanks to mike for the detailed information.

Maarchk · 08-06-2008, 10:37 AM

Quote:

Originally Posted by DarkFury

Whatchu talkin' bout Willis....

no one ever goes to questionable sites around here... I think he's surely mistaken....

Markel · 08-06-2008, 04:02 PM

Quote:

Originally Posted by mechmike0034

It doesn't?

Both of those images show a the firewall preventing inbound connections from the internet (which obviously means that the program has been sending information out).

The XP firewall has never blocked outbound traffic (the Vista firewall does). Here's a reference I found (link):

Quote:

Windows XP Internet Connection Firewall blocks incoming attacks only

Windows XP ICF does not monitor the outgoing connections from your computer. This means, the trojans and other malicious programs, data-miners are not detected. Any information can be sent by a malware program from your computer, as you are not alerted about that. Consider using a third-party Application based firewall like ZoneAlarm from www.zonelabs.com . Sygate or Outpost Firewall. ZoneAlarm is truly an application based firewall which alerts you whenever a program accesses the internet. You can configure the rule if you want to allow Internet access to an application permanently or on a case-by-case basis. You can also configure if your application should act as a server or just an application.

Airencracken · 08-06-2008, 04:07 PM

Linksys wrt54g NAT and Firestarter on Linux.

My wireless network is encrypted (WPA-TKIP),does not broadcast it's SSID and filters MAC addresses.

I think I'm good to go.

mechmike0034 · 08-06-2008, 08:56 PM

Quote:

Originally Posted by Markel

Both of those images show a the firewall preventing inbound connections from the internet (which obviously means that the program has been sending information out).

I had always misinterpreted that as an outbound block (even though it says blocked from accepting connections from the internet) until you pointed it out and I really thought about it. I guess I always looked at it wrong because the Windows Firewall throws that dialog box up in response to opening any program the first time said program accesses the internet.

Another example of what happens when I assume rather than research.

How about Jesper's analysis, though? Do you find his points about the potential for rogue apps stepping around a software firewall or piggybacking upon a "known good" process valid?

This is why I want to get more firsthand experience with HIPS software. I keep hearing and reading about the HIPS capabilities of Rising Antivirus. I'm getting ready to nuke and pave an XP laptop for a friend, and I am going to install Rising and get to know it a little better.

ArkiStan · 08-07-2008, 12:41 AM

So I recently installed a Linksys WRT54GS Wireless Router. I have WPA2 security on and don't broadcast my SSID and use MAC address filters. Is a "hardware firewall" something additional I would need to setup? Is it built in, or some kind of add on?

LPMiller · 08-07-2008, 05:28 AM

built in.

Markel · 08-07-2008, 08:31 PM

Quote:

Originally Posted by mechmike0034

How about Jesper's analysis, though? Do you find his points about the potential for rogue apps stepping around a software firewall or piggybacking upon a "known good" process valid?

I think he has some valid points. I certainly don't depend on my software firewall as absolute protection. However, it certainly can't hurt to be able to stop an task from sending outbound traffic if you don't want it to do so. And the XP firewall doesn't give you a chance at that.

Jeffbx · 08-08-2008, 05:37 AM

IMHO, the ability to block outbound packets is a pretty minor thing. I do rely on a hardware firewall as my primary protection at home, but I don't give it a second thought to go 'into the wild' at airports & hotels with nothing more than the Windows firewall. I figure as long as my virus scanner is up to date & my OS is patched with the latest fixes, the only thing standing between my computer & some intrusion is me, if I click on something stupid. If my computer DOES happen to get infected with something, I'm going to wipe it & start over - it's faster than trying to clean it manually - and it's not going to be connected to any network until I wipe it.

Plus I find most 3rd party software firewalls cause more problems than they solve. Our corporate software firewall is ZoneAlarm, and it causes so many application issues that now one of our first troubleshooting steps on machines with problems is to remove ZA & use only the Windows firewall. And don't even get me started on that McAfee mess.

DarkFury · 08-08-2008, 08:55 AM

Honestly, my opinion... use it or don't use it. User choice.

Software firewalls aren't mandatory... however they do have some benefits (if those benefits mean anything to you.)

Personally, I like blocking certain applications from communicating outward, therefore I use them. As always, your mileage may vary...

attgig · 08-08-2008, 01:01 PM

I almost always only rely on hardware. I'll have zone alarm installed, but keep it deactivated, unless I think I may have stumbled on a bad webpage, or feel something funny on my computer. I feel like I'm good enough with keeping track of what I surf and careful enough not to do something stupid to be without a software firewall.

mechmike0034 · 08-09-2008, 11:08 AM

Quote:

Originally Posted by Jeffbx

Plus I find most 3rd party software firewalls cause more problems than they solve. Our corporate software firewall is ZoneAlarm, and it causes so many application issues that now one of our first troubleshooting steps on machines with problems is to remove ZA & use only the Windows firewall. And don't even get me started on that McAfee mess.

X3 - My issue with 3rd party software firewalls has been just that...

08-04-2008, 03:37 PM	#1
SKinAZ Lieutenant Join Date: Mar 2006 Posts: 245	Is Both HW & SW Firewall Necessary? Do I really need both a hardware firewall and a software firewall to competently protect my home network? Or is that like wearing a condom after you've had a vasectomy? Was using Panda Security Suite for the software side of things, but they've dropped their "IT@Home" program where they provided AV/Firewall s/w free.

08-04-2008, 04:52 PM	#2
Markel Chief of Naval Operations Join Date: Feb 2001 Posts: 11,733	I like having a software firewall because it (if it is a descent one) will warn you about attempted outbound traffic. __________________ stay low... keep moving...

08-05-2008, 07:23 AM	#5
DarkFury Secretary of the Navy Join Date: Feb 2001 Location: Chillin' N Da 'Hood Posts: 34,997	Honestly, without a decent software firewall protecting against outbound traffic, you are basically allowing any resident rogue apps to transmit their data to their home base. These apps can get onto your machine in various sneaky ways that bypass your inbound firewall procedures (you can invite them in by just clicking those stupid pop up banners for an example...) You gotta protect yourself both ways unless you have the discipline to make sure you don't download any of these rogue apps. __________________ DarkFury's Pimptopia - Don't Hate the Playa, Hate the Game! Home of the Original OG Pimp (accept NO imitations)

08-05-2008, 10:10 AM	#6
mojo Fleet Admiral Join Date: Jun 2001 Location: about 15 min away Posts: 8,165	i think that to answer this question properly, one needs to know the variables involved. if you have a cisco type firewall it's a little different than a d-link. and if you have ipchains set up it's a little different than a norton security suite. both together could be helpful, or could be redundant. __________________ say "hi" to lumbergh for me

08-05-2008, 05:22 PM	#9
LPMiller Chief News Editor & Master of His Domain Join Date: Aug 2000 Location: Minnesota Posts: 8,161	yeah, thanks mike, I was questioning that myself. Also, it's the job of the anti virus in the first place to see if rogue programs are doing things they shouldn't, and a good program will do that in conjunction with windows firewall. Zone alarm doesn't really give you much of an advantage, other than being more intrusive. Same with any firewall program. XP and Vista's firewall offters up a bit of a compromise, on the other hand it works too. If you have a problem with rogue programs accessing the internet, chances are you were doing something on the internet you should not have been doing anyway. __________________ lpmiller Chief News Editor Nobel Prize Nominee Reverend in the Universal Life Church Once Shot A Man For Snoring Too Loud Way Too Lazy To Change His Signature "The strength to change what I can, the inability to accept what I can't, and the incapacity to tell the difference." - Calvin and Hobbes

08-05-2008, 05:56 AM	#3
Jeffbx Fleet Admiral Join Date: Mar 2000 Location: Michigan Posts: 9,390	I keep the Windows SP2 firewall on, but I really only rely on the hardware firewall.

08-05-2008, 12:05 PM	#7
Markel Chief of Naval Operations Join Date: Feb 2001 Posts: 11,733	I should add that I'm behind a hardware firewall (router) in addition to having my software firewall (ZoneAlarm). I like having both working to protect me.

08-06-2008, 09:46 AM	#11
SKinAZ Lieutenant Join Date: Mar 2006 Posts: 245	Thanks for all the info, I'm going to use my router's firewall plus Windows Firewall for now. Special thanks to mike for the detailed information.

08-06-2008, 04:07 PM	#14
Airencracken Admiral Join Date: Jul 2003 Location: California Posts: 6,681	Linksys wrt54g NAT and Firestarter on Linux. My wireless network is encrypted (WPA-TKIP),does not broadcast it's SSID and filters MAC addresses. I think I'm good to go. __________________ "I remember my first orgasm, I just wish someone was there to share it with me..."11-05-2003 05:33 AM - Topane They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin Religion is the sigh of the oppressed creature, the heart of a heartless world, & the soul of soulless conditions. It is the opiate of the masses. - Karl Marx Hell is other people - Jean-Paul Sartre

08-07-2008, 12:41 AM	#16
ArkiStan Admiral Join Date: May 2000 Location: Recession Central Posts: 5,898	So I recently installed a Linksys WRT54GS Wireless Router. I have WPA2 security on and don't broadcast my SSID and use MAC address filters. Is a "hardware firewall" something additional I would need to setup? Is it built in, or some kind of add on?

08-07-2008, 05:28 AM	#17
LPMiller Chief News Editor & Master of His Domain Join Date: Aug 2000 Location: Minnesota Posts: 8,161	built in.

08-08-2008, 05:37 AM	#19
Jeffbx Fleet Admiral Join Date: Mar 2000 Location: Michigan Posts: 9,390	IMHO, the ability to block outbound packets is a pretty minor thing. I do rely on a hardware firewall as my primary protection at home, but I don't give it a second thought to go 'into the wild' at airports & hotels with nothing more than the Windows firewall. I figure as long as my virus scanner is up to date & my OS is patched with the latest fixes, the only thing standing between my computer & some intrusion is me, if I click on something stupid. If my computer DOES happen to get infected with something, I'm going to wipe it & start over - it's faster than trying to clean it manually - and it's not going to be connected to any network until I wipe it. Plus I find most 3rd party software firewalls cause more problems than they solve. Our corporate software firewall is ZoneAlarm, and it causes so many application issues that now one of our first troubleshooting steps on machines with problems is to remove ZA & use only the Windows firewall. And don't even get me started on that McAfee mess.

08-08-2008, 08:55 AM	#20
DarkFury Secretary of the Navy Join Date: Feb 2001 Location: Chillin' N Da 'Hood Posts: 34,997	Honestly, my opinion... use it or don't use it. User choice. Software firewalls aren't mandatory... however they do have some benefits (if those benefits mean anything to you.) Personally, I like blocking certain applications from communicating outward, therefore I use them. As always, your mileage may vary...

08-08-2008, 01:01 PM	#21
attgig Chief of Naval Operations Join Date: Jun 2000 Location: the burbs of baltimore Posts: 11,924	I almost always only rely on hardware. I'll have zone alarm installed, but keep it deactivated, unless I think I may have stumbled on a bad webpage, or feel something funny on my computer. I feel like I'm good enough with keeping track of what I surf and careful enough not to do something stupid to be without a software firewall. __________________

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

User Name
Password
Remember Me?