Computer Security - Completely replace software firewall with hardware firewall?
#1 |
|
Here in the UK, I am on NTL cable and have just one PC attached.

My head is spinning with all the configuration rules and exceptions which need configuring for a software firewall.

I thought I was doing ok with user guides like the section called: "Personal firewall configuration for cable modems" http://homepage.ntlworld.com/robin.d.../security.html

But it turns out that things are still more complicated than that. As an example, I installed Outpost and came across this advice page. http://www.outpostfirewall.com/forum...ead.php?t=9858

Oh wow. It's all too much! becoming an enthusiast or even expert in firewall configuration.

QUESTION ONE: If I buy a hardware firewall then will it completely replace the need for me to have a software firewall? That would save me some headaches!

QUESTION TWO: I might get a second PC and want to attach both PCs to the cable network at the same time. I have heard I can do it with a box which includes a hardware firewall as well as some other functions. But exactly what sort of box is it that I would need? Any suggestions about recommended hardware devices would be welcome.

Sandi
|
|
|
|
#2 |
|
Posts: n/a
|
On Mon, 21 Mar 2005 21:43:04 +0000, Sandi wrote:

> Here in the UK, I am on NTL cable and have just one PC attached.
>
> My head is spinning with all the configuration rules and exceptions
> which need configuring for a software firewall.
>
> I thought I was doing ok with user guides like the section called:
> "Personal firewall configuration for cable modems"
> http://homepage.ntlworld.com/robin.d.../security.html
>
> But it turns out that things are still more complicated than that.
> As an example, I installed Outpost and came across this advice page.
> http://www.outpostfirewall.com/forum...ead.php?t=9858
> Oh wow. It's all too much!
> becoming an enthusiast or even expert in firewall configuration.
>
> QUESTION ONE: If I buy a hardware firewall then will it completely
> replace the need for me to have a software firewall? That would save
> me some headaches!

Nothing is perfect and nothing can protect you from all threats, not even a combination of Appliance and software. In general, an appliance is a better bet than software, if your computer were to be compromised by some means, with a software based (we call those personal firewalls) the compromiser could disable your personal firewall application. It's much harder to put a hole in an appliance from a compromised machine than it is to put a hole in a PFW.

> QUESTION TWO: I might get a second PC and want to attach both PCs to
> the cable network at the same time. I have heard I can do it with a box
> which includes a hardware firewall as well as some other functions. But
> exactly what sort of box is it that I would need? Any suggestions about
> recommended hardware devices would be welcome.

Most of the devices you are going to be able to purchase under $400 are called NAT Routers, they are not firewalls (even though they are called Firewalls by their vendors), but they do provide what I consider the best first layer of protection and would never set up a network without at least that minimum layer.

A NAT router acts to block unsolicited inbound traffic, but in almost every case, it doesn't do anything to block outbound traffic - this means nothing gets in unless your computer requests it (and if you were compromised you don't personally have to request anything, the virus/worm can do it without you).

I installed a NAT Router in a Sorority, 40+ girls in a house, all with different computers and versions of Windows, not one of them has been compromised since we installed it, not one unsolicited packet has made it inbound, and they are able to do all they need.

Units like the Linksys BEFSX41 are nice, as are the DI804HV units from D-Link, but something as cheap as the Linksys BEFSR41 unit will do as well as most SOHO units.

One nice thing about the Linksys units is that you can also run a free program called WallWatcher to monitor all inbound and outbound traffic through the Linksys router - it lets you see what's happening in real-time, so, once you learn to read it, you can see if your computer's been compromised.

I don't run a personal firewall on any computer behind a NAT Router or Firewall Appliance, but I also know how to secure the computers so that I don't need one.

--
remove 999 in order to email me
Leythos
|
|
|
#3 |
|
Posts: n/a
"Sandi" <> wrote in message news:9620DCEBA136074C1H4@194.168.222.120...

> Here in the UK, I am on NTL cable and have just one PC attached.
> QUESTION ONE: If I buy a hardware firewall then will it completely
> replace the need for me to have a software firewall? That would save
> me some headaches!
>

If you have a hardware firewall then there is no need for a second software firewall, this only causes issues with some routing packets

> QUESTION TWO: I might get a second PC and want to attach both PCs to
> the cable network at the same time. I have heard I can do it with a
> box which includes a hardware firewall as well as some other
> functions. But exactly what sort of box is it that I would need?
> Any suggestions about recommended hardware devices would be welcome.

Personally I would recommend one of the Edimax Routers, but I'm sure others will also point out the Linksys and Netgear broadband ranges too

Chet
|
|
|
#4 |
|
Posts: n/a
|
> > QUESTION ONE: If I buy a hardware firewall then will it completely
> > replace the need for me to have a software firewall? That would save
> > me some headaches!
> >
>
> If you have a hardware firewall then there is no need for a second software
> firewall, this only causes issues with some routing packets
>

But a hardware firewall can't distinguish between packets you've requested, and packets a virus has requested.

Nat Stott
|
|
|
#5 |
|
Posts: n/a
|
In article <9620DCEBA136074C1H4@194.168.222.120>, se says...

> Here in the UK, I am on NTL cable and have just one PC attached.
>
> My head is spinning with all the configuration rules and exceptions
> which need configuring for a software firewall.
>
> I thought I was doing ok with user guides like the section called:
> "Personal firewall configuration for cable modems"
> http://homepage.ntlworld.com/robin.d.../security.html
>
> But it turns out that things are still more complicated than that.
> As an example, I installed Outpost and came across this advice page.
> http://www.outpostfirewall.com/forum...ead.php?t=9858
> Oh wow. It's all too much!
> becoming an enthusiast or even expert in firewall configuration.
>
> QUESTION ONE: If I buy a hardware firewall then will it completely
> replace the need for me to have a software firewall? That would save
> me some headaches!
>
> QUESTION TWO: I might get a second PC and want to attach both PCs to
> the cable network at the same time. I have heard I can do it with a
> box which includes a hardware firewall as well as some other
> functions. But exactly what sort of box is it that I would need?
> Any suggestions about recommended hardware devices would be welcome.
>
> Sandi
>

1 - Up to you. A hardware firewall is good for protection from all intruders gaining direct access to your PC/network, but no good at detecting things from calling home. It is also much easier to set up. A software firewall gives you the extra protection in detecting things from calling home, but they can be quite easy to configure incorrectly and leave you vulnerable. A hardware firewall is independent of your PC and so uses no PC resources.

2 - You want a Router. This automatically provides firewall protection. Before you get a recommendation, you need to decide if you want a wireless or wired setup (although some routers support both). To complicate things, some routers can act as print servers which can help with sharing printers.

Personally I only run a hardware firewall, but I am looking for a free software one which fits particular criteria as well. Jetico may be the one for me when they have sorted a blocking bug for me. Kerio 2.1.5 is no good for one of my apps, and 4 does not support WinME. ZoneAlarm did not use to do something I wanted, but it may do now, so I might try it again. I never got to grips with the old Outpost.

Nick H
|
|
|
#6 |
|
Posts: n/a
"Nat Stott" <> wrote in message news:423f4537$0$29304$...

> > > QUESTION ONE: If I buy a hardware firewall then will it completely
> > > replace the need for me to have a software firewall? That would save
> > > me some headaches!
> > >
> >
> > If you have a hardware firewall then there is no need for a second software
> > firewall, this only causes issues with some routing packets
> >
>
> But a hardware firewall can't distinguish between packets you've requested,
> and packets a virus has requested.
>

Agreed, but all viruses are caught by your AV software I would have thought thus not sending out any packets, there is no use sticking a firewall in front of your network if you do not have any AV software running locally

Chet
|
|
|
#7 |
|
Posts: n/a
|
On Mon, 21 Mar 2005 22:15:12 GMT, "Chet" <> wrote:

>"Nat Stott" <> wrote in message
>news:423f4537$0$29304$...
>> > > QUESTION ONE: If I buy a hardware firewall then will it completely
>> > > replace the need for me to have a software firewall? That would save
>> > > me some headaches!
>> >
>> > If you have a hardware firewall then there is no need for a second software
>> > firewall, this only causes issues with some routing packets
>> >
>>
>> But a hardware firewall can't distinguish between packets you've requested,
>> and packets a virus has requested.
>>
>Agreed, but all viruses are caught by your AV software I would have thought

AV software can only catch viruses/trojans it already knows about. So a software firewall can still serve a purpose in stopping outgoing traffic if you get infected by something your AV software doesn't know about yet.

Unfortunately the sort of people who manage to install viruses and trojans are the same people that will probably just click "allow" when the software firewall spots something fishy going on....

>thus not sending out any packets, there is no use sticking a firewall in
>front of your network if you do not have any AV software running locally

--
Andy Norman
http://www.norman.cx/
Replace the fish with my first name to reply

Andrew Norman
|
|
|
#8 |
|
Posts: n/a
|
On Mon, 21 Mar 2005 22:32:08 +0000, Andrew Norman wrote:

> On Mon, 21 Mar 2005 22:15:12 GMT, "Chet" <> wrote:
>
> >"Nat Stott" <> wrote in message
> >news:423f4537$0$29304$...
> >> > > QUESTION ONE: If I buy a hardware firewall then will it completely
> >> > > replace the need for me to have a software firewall? That would save
> >> > > me some headaches!
> >> >
> >> > If you have a hardware firewall then there is no need for a second
> >> > software
> >> > firewall, this only causes issues with some routing packets
> >> >
> >>
> >> But a hardware firewall can't distinguish between packets you've
> >> requested,
> >> and packets a virus has requested.
> >>
> >Agreed, but all viruses are caught by your AV software I would have thought
>
> AV software can only catch viruses/trojans it already knows about. So a
> software firewall can still serve a purpose in stopping outgoing
> traffic if you get infected by something your AV software doesn't know
> about yet.
>
> Unfortunately the sort of people who manage to install viruses and
> trojans are the same people that will probably just click "allow" when
> the software firewall spots something fishy going on....

They won't have to. The virus needs only to add the ~20 lines of code needed to click the "allow" button itself. There is no way a personal firewall will protect a compromised system as long as it allows user interaction and/or does not run with higher privs than the virus can obtain.

- Eirik
--
New and exciting signature!

Eirik Seim
|
|
|
#9 |
|
Posts: n/a
|
On Mon, 21 Mar 2005 22:05:40 +0000, Nat Stott wrote:

> But a hardware firewall can't distinguish between packets you've
> requested, and packets a virus has requested.

Absolutely correct, and a Firewall is not supposed to. An application monitoring service running on your local computer that monitors APPLICATIONS does that. Some packages, personal firewalls, have application monitors, but not all.

Appliances don't monitor the applications on a computer, they monitor traffic to/from the PC - and if you set up your firewall/router correctly, limit the outbound ports (such as limiting SMTP to your ISP's SMTP server only), you can eliminate most of the ways that viruses spread.

--
remove 999 in order to email me
Leythos
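The two router behaviours discussed in this thread (a NAT router dropping unsolicited inbound traffic, and an outbound rule limiting SMTP to the ISP's server) can be modelled in a few lines. This is an added example, not part of any poster's message; the `NatRouter` class, the addresses and the traffic are constructed for illustration and simplify what a real router does.

```python
from collections import namedtuple

# Constructed addresses (documentation ranges); not taken from the thread.
ISP_SMTP = "192.0.2.25"    # assumed ISP mail server
WAN_IP = "203.0.113.7"     # assumed public address of the router
Packet = namedtuple("Packet", "direction src sport dst dport")

class NatRouter:
    """Simplified model: port-mapping NAT plus an optional outbound SMTP rule."""
    def __init__(self, restrict_smtp=True):
        self.restrict_smtp = restrict_smtp
        self.table = {}          # WAN port -> (remote ip, remote port) it was opened for
        self.next_port = 40000
        self.log = []            # (verdict, packet), the kind of record a log viewer shows

    def handle(self, pkt):
        verdict = self._out(pkt) if pkt.direction == "out" else self._in(pkt)
        self.log.append((verdict, pkt))
        return verdict

    def _out(self, pkt):
        # Egress rule from the thread: SMTP may only go to the ISP's server.
        if self.restrict_smtp and pkt.dport == 25 and pkt.dst != ISP_SMTP:
            return "DROP-egress"
        self.table[self.next_port] = (pkt.dst, pkt.dport)
        self.next_port += 1
        return "ALLOW"

    def _in(self, pkt):
        # Inbound passes only if it answers a mapping a LAN host created.
        if self.table.get(pkt.dport) == (pkt.src, pkt.sport):
            return "ALLOW"
        return "DROP-unsolicited"

    def suspect_hosts(self):
        # LAN hosts that tried direct SMTP: worth checking for a mass-mailing worm.
        return sorted({p.src for v, p in self.log if v == "DROP-egress"})

def run_demo(restrict_smtp=True):
    r = NatRouter(restrict_smtp)
    traffic = [  # constructed sample traffic
        Packet("out", "192.168.1.10", 51000, "198.51.100.80", 80),   # web request
        Packet("in", "198.51.100.80", 80, WAN_IP, 40000),            # its reply
        Packet("in", "198.51.100.99", 3000, WAN_IP, 445),            # unsolicited probe
        Packet("out", "192.168.1.10", 51001, ISP_SMTP, 25),          # mail via ISP
        Packet("out", "192.168.1.11", 51002, "198.51.100.25", 25),   # direct SMTP
        Packet("out", "192.168.1.11", 51003, "198.51.100.50", 8080), # other outbound
    ]
    return [r.handle(p) for p in traffic], r.suspect_hosts()
```

With `restrict_smtp=False` the direct SMTP attempt is allowed and no host is flagged. In both cases the last outbound connection from the same host passes, because the model decides on addresses and ports only, not on which application sent the packet.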
|
|
|
#10 |
|
Posts: n/a
|
Sandi <> wrote in news:9620DCEBA136074C1H4@194.168.222.120:

> Here in the UK, I am on NTL cable and have just one PC attached.
>
> My head is spinning with all the configuration rules and exceptions
> which need configuring for a software firewall.
>
> I thought I was doing ok with user guides like the section called:
> "Personal firewall configuration for cable modems"
> http://homepage.ntlworld.com/robin.d.../security.html
>
> But it turns out that things are still more complicated than that.
> As an example, I installed Outpost and came across this advice page.
> http://www.outpostfirewall.com/forum...ead.php?t=9858
> Oh wow. It's all too much!
> becoming an enthusiast or even expert in firewall configuration.
>
> QUESTION ONE: If I buy a hardware firewall then will it completely
> replace the need for me to have a software firewall? That would save
> me some headaches!

You can get yourself a NAT router that's going to stop the inbound threats and ease the complicated rules and provides good protection. The NAT router is a plug it up and go device with little configuration on your part.

>
> QUESTION TWO: I might get a second PC and want to attach both PCs to
> the cable network at the same time. I have heard I can do it with a
> box which includes a hardware firewall as well as some other
> functions. But exactly what sort of box is it that I would need?
> Any suggestions about recommended hardware devices would be welcome.

Once again the NAT router that has (logging) that you can use with a log viewer so you can watch inbound and outbound traffic to/from the network.

http://www.homenethelp.com/web/explain/about-NAT.asp

However, NAT routers cannot stop outbound and some people supplement the NAT router with a PFW solution that can stop outbound. If you go that route with supplement PFW solution on the machines, then find one that you can disable the complicated bloat ware in it such as Application Control and the other stuff.

The PFW solution should be able to stop all outbound period or by port or IP if need be -- simple rules.

Or get yourself a low-end (true) firewall appliance that has router capabilities that can stop inbound and outbound and has logging too. And the FW appliance has the rules already made and all you have to do is enable them if needed along with the ability to make additional more complicated rules yourself for inbound or outbound, but most likely you will not need to make any rules. Here too, the low-end SOHO FW is basically a plug it up and go device with little configuration on your part.

Duane

Duane Arnold