Topic: "What is the Truth about Firewalls? " Even under a router? (Read 4562 times)
carioca
Comodo Family Member
Offline
Posts: 67
"What is the Truth about Firewalls? " Even under a router?
« on: October 07, 2007, 07:02:40 PM »
Hi comodo fan club and support team,
I read those threads at the Wilders Security Forum, which I pasted down below.
Is that true? As regards hardware router firewalls (NAT), are they much better and do they have fewer vulnerabilities?
What about the hardware firewall (router) stealthed ports?
Is it possible to bypass it? Enough is enough?
I'm using a router (hardware firewall) - Do I need some security surplus?
Like HIPS, sandbox, System Safety Monitor, antispyware, or am I overdoing it if I'm under a NAT?
Do I need to harden my system like that?
I'd like to share your experience and opinion about it. I'd appreciate your hints and suggestions.
Best Regards.
Quotation:
"What is the Truth about Firewalls?
I hope this is the right forum for this question. If not, feel free to move it. Besides spending a lot of time here at Wilders, I also frequent many of the newsgroups, some of which have some very knowledgeable people when it comes to networking and firewalls. The one comment I keep hearing over and over from some of the more technical people is that a software firewall is essentially useless. Some of the people actually ridicule those of us who use software firewalls. Personally, I find it hard to believe that they are useless. I realize that firewalls can be compromised, but with the multitude of users on the net, I would think the chances of a hacker targeting one particular computer is slim. I would also think that they would be going after the many users who use no firewall whatsoever, do not have their systems patched, have no security software, and are much easier targets. I just find it hard to believe that software firewalls don't provide at least some measure of security. So I guess my question is, Who is right? Am I right to believe that my firewall, while not keeping me invincible by any means, does add some measure of protection? Or, is it like the techies say... that my firewall basically provides nothing but a false sense of security? Perhaps some of you more advanced than myself in networking technology could shed a little light on the subject.
Another subthread:
“Well, I was referring to stealthed ports by a software firewall, I am not aware of any bypass, that would allow this to be done on a router.
Hardware router itself is so much more better, because it has no software vulnerabilities, it just does what it is supposed to do and that is it.
Though, there were some vulnerabilities, but they applied to software, like routers could be compromised when a default password was used, etc.
So-called stealthed ports, I just cannot explain it well, but Google helped me a bit, a little info.”
End of the quotation".
« Last Edit: October 07, 2007, 07:05:29 PM by carioca »
Logged
grampa
Comodo's Hero
Offline
Posts: 383
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #1 on: October 08, 2007, 02:07:21 AM »
Hey carioca,
although I'm not the most technical person (far from it to tell you the truth), I'd still like to give my 2 pence:
1) I've never heard of anyone using a software firewall and whose computer got infected by malware, who wouldn't have been infected had he not used a software firewall. So it does no harm to have one. By design it does, on the contrary, certainly add some extra security. As for the false sense of security: Of course you should not go to every bad site there is and click 'yes' for every popup you get. But that's common sense.
2) From what I've read, most people who are behind a router use a software firewall to monitor the outgoing traffic. This is, afaik, something that a hardware fw cannot do, respectively, it cannot block any unwanted and potentially malicious outgoing connections. At least I've never seen any alert from my nat. So again, I think a swfw makes sense.
A good nat is a good security measure for sure. However, a software firewall certainly adds quite some extra security, provided it is configured correctly and you don't go clicking anything and everything.
Those 'brain.exe', anti-swfw people sometimes really reckon me head in. If you are an expert, know how to harden your system, have a good nat and know how to properly configure it and are a very safe surfer and .... you might not necessarily need a swfw. However, it cannot hurt to have one and certainly adds some extra security.
Just my 2 pence.
Hope that helps.
Cheers,
grampa.
P.S. I'm sorry, but I'm not savvy enough to answer your more technical questions. Not sure if what I wrote above is correct. It seems logic though.
Logged
"It is a mistake to think you can solve any major problems just with potatoes." (Douglas Adams)
panic
Global Moderator
Comodo's Hero
Offline
Posts: 5372
... and I say to myself, "What a wonderful world"
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #2 on: October 08, 2007, 06:00:43 AM »
Quote
Hardware router itself is so much more better, because it has no software vulnerabilities
IMHO, that's a load of doo-doo. The perfect piece of software (whether it's running inside a hardware router or on a PC) has not been written, and absolute statements like the one above are just asking for it.
Never say "Never".
HW routers can only ever act as an inbound filter and can only filter traffic based on the rules in existence on the router. If malware manages to get inside the router, it will do nothing about the outbound attempts that may originate with the malware. This is where a personal, software firewall comes into play.
They are both needed, IMHO.
Cheers,
Ewen :-)
Logged
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the Comodo Forum Policy.
If you don't like it, don't use the forum.
Triplejolt
Global Moderator
Comodo's Hero
Offline
Posts: 341
If you are going through hell, keep going!
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #3 on: November 11, 2007, 05:08:23 AM »
Hi carioca. I'll try to shed some light on this as I've worked a lot on all the systems mentioned. Be aware that this will highly reflect my personal opinion. But I'll throw in some facts too just for good measure.
Quote from: carioca on October 07, 2007, 07:02:40 PM
As regards hardware router firewalls (NAT), are they much better and do they have fewer vulnerabilities?
I'm not sure if you mean routers with SPI (Stateful Packet Inspection) or firewalls with routing capability. If you mean routers, they usually don't employ firewall modules. This is because it will bog down and slow the router's performance greatly. A router's primary function is to route packets, calculate the quickest way to send packets and check its connectivity with neighboring routers so that its routing table is up-to-speed at all times. The hardware based routers excel at these three functions and some routers throw in SPI and access-list capability to increase their security slightly and filter out unwanted traffic. But it will never be even remotely as smart or strong as a firewall at security functions and shouldn't be considered as a replacement for one either. Even software firewalls are quickly becoming both intelligent and highly complex these days (not including Windows xp/vista firewalls here). But the bottom line is that nothing is absolute. They all have vulnerabilities, but these are harder and harder to exploit. So getting a software based firewall on your personal computer is important. I would actually go as far and say it's rather reckless not to have one installed. And besides... a hardware based firewall isn't really an option for home LANs.
Just a quick note about NAT. FYI: It's not a security feature, and I'm still amazed to see people mistake it as one. Even today with Google and Wikipedia readily available. NAT is a mechanism to make further use of the rather scarce amount of IPv4 addresses out there. Which makes me believe IPv6 will have a tough time making its appearance into the general public.
Quote from: carioca
What about the hardware firewall (router) stealthed ports?
Is it possible to bypass it?
Well... that depends on if there was a slight possibility to bypass it in the first place. Even though ports are being stealthed doesn't mean it can't be bypassed if an exploit exists. A stealthed port won't answer connection attempts on that given port because it's "stealthed". But a hardware firewall (which isn't a router per definition mind you), which is told to drop inbound/outbound packets destined for certain ports, will in fact drop those packets indiscriminately. But if stealthed, can be told to drop the packet and _not_ respond back that it's refusing connections at those ports. The debate for closed vs. stealthed ports is long and distinguished. I'm sure you'll find those against and in favor for either method. It all boils down to personal opinion anyway.
Quote from: carioca
I'm using a router (hardware firewall) - Do I need some security surplus?
Like HIPS, sandbox, System Safety Monitor, antispyware, or am I overdoing it if I'm under a NAT?
Do I need to harden my system like that?
Again, a router is _not_ a hardware firewall. Nor is it a software firewall. They are two separate devices with their own distinct function and operational mode.
A router with SPI and access-list (or with either of the two) will cover the basics. Which is to connect you to the Internet and route your data back and forth. A personal software based firewall installed on your computer will provide you with enough security. Adding anti-spyware software will top it off and give you a well defended platform to boot. Using common sense in addition to this is what really makes a difference in keeping your computer safe or full of backdoors and trojans loaded with malware. Keep your anti-malware/spyware and anti-virus software up-to-date and scan regularly. And if you feel your IP address is being hammered, request a new one and change your computername (hostname). Or better yet, shut down your computer and go out and grab a beer with your friends.
I hope this clears things up a bit. If not, I failed miserably.. lol
Logged
Cheers
Triplejolt
"Human salvation lies in the hands of the creatively maladjusted."
MorphOS REBOL
Comodo's Hero
Offline
Posts: 779
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #4 on: November 12, 2007, 12:57:04 PM »
So something again about the firewall cult and religion.
If you do have a Software FW that's really working and have configured it correctly, by all means of security, then a software solution might be the best for you. If you don't know how to configure a firewall at all, buy a HW router.
It will give you a certain amount of security.
Contrary to the obviously official opinion a software FW can indeed be way more secure than simply having a router FW.
Depends on your interest in config, I guess.
I recommend, again, the following procedure:
Castrating Windows by NliteOS.
Killing the unnecessary services that are open to some types of connection attempts.
Getting a fine firewall, i.e. Comodo
Logged
carioca
Comodo Family Member
Offline
Posts: 67
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #5 on: November 12, 2007, 01:44:56 PM »
Greeting about your post, but fortunately I realized the best firewall is my debian linux. As regarding I'm still using both operational systems, I do have to agree with you. I hope in the near future I will say farewell to the windows system for ever. You should know what the linux members think about it. Best Regards.
Quote from: MorphOS REBOL on November 12, 2007, 12:57:04 PM
So something again about the firewall cult and religion.
If you do have a Software FW that's really working and have configured it correctly, by all means of security, then a software solution might be the best for you. If you don't know how to configure a firewall at all, buy a HW router.
It will give you a certain amount of security.
Contrary to the obviously official opinion a software FW can indeed be way more secure than simply having a router FW.
Depends on your interest in config, I guess.
I recommend, again, the following procedure:
Castrating Windows by NliteOS.
Killing the unnecessary services that are open to some types of connection attempts.
Getting a fine firewall, i.e. Comodo
Logged
rickyg73
Guest
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #6 on: November 24, 2007, 04:28:49 PM »
there is an old saying.. "hardware beats software every time" while that is semi true, hardware does not usually have the learning ability of software, or ease of adjustment of software, my opinion of the matter is if you have both, use both.
Logged
Triplejolt
Global Moderator
Comodo's Hero
Offline
Posts: 341
If you are going through hell, keep going!
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #7 on: November 25, 2007, 04:48:29 AM »
Hardware will undoubtedly outperform software in most instances, but that performance is never cheap to implement. If it were, I'd suggest staying clear of it.
Logged
Cheers
Triplejolt
"Human salvation lies in the hands of the creatively maladjusted."
panic
Global Moderator
Comodo's Hero
Offline
Posts: 5372
... and I say to myself, "What a wonderful world"
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #8 on: November 25, 2007, 04:58:02 AM »
Inbound, hardware AND software firewalls is the best combo. Outbound, you simply must have a software firewall 'cause a hardware firewall simply can't know what is valid outbound traffic from your PC.
Regardless of the firewall type, an ounce of intelligence and a pinch of distrust is the best security add-on to any system.
Ewen :-)
Logged
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the Comodo Forum Policy.
If you don't like it, don't use the forum.
Triplejolt
Global Moderator
Comodo's Hero
Offline
Posts: 341
If you are going through hell, keep going!
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #9 on: November 25, 2007, 05:09:39 AM »
Quote from: panic on November 25, 2007, 04:58:02 AM
......Outbound, you simply must have a software firewall 'cause a hardware firewall simply can't know what is valid outbound traffic from your PC.
That's an odd statement. Care to explain what you mean, Ewen?
Logged
Cheers
Triplejolt
"Human salvation lies in the hands of the creatively maladjusted."
venom_zx
Newbie
Offline
Posts: 8
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #10 on: November 27, 2007, 06:48:26 AM »
the main problem for me about routers (nat) is that you usually can't monitor what's happening inbound as well as a firewall can. i think that's a big shame.
can't tell if people outside are trying funny stuff.
« Last Edit: November 27, 2007, 06:50:16 AM by venom_zx »
Logged
Burillo
Computer Security Testing Group
Comodo's Hero
Offline
Posts: 324
Bunghole
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #11 on: November 27, 2007, 07:18:26 AM »
Quote from: Triplejolt on November 25, 2007, 05:09:39 AM
That's an odd statement. Care to explain what you mean, Ewen?
that's rather simple - FW does see the source of the network traffic ((W)LAN IP), but that's about it - FW can't see what application is generating that traffic - firefox.exe or trojan.exe.
Logged
Some people are dumb... (c) Butt-head
Remember! CIA is watching you!
Triplejolt
Global Moderator
Comodo's Hero
Offline
Posts: 341
If you are going through hell, keep going!
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #12 on: November 27, 2007, 09:17:45 AM »
That depends on the firewall, my friend
Logged
Cheers
Triplejolt
"Human salvation lies in the hands of the creatively maladjusted."
Burillo
Computer Security Testing Group
Comodo's Hero
Offline
Posts: 324
Bunghole
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #13 on: November 27, 2007, 09:41:35 AM »
i'm sorry but how can a HWFW outside the computer know what application is trying to connect? yes, it can identify some generic stuff like HTTP traffic, IM traffic... but how can it know whether it's valid or not?! a trojan can send HTTP traffic too!
Logged
Some people are dumb... (c) Butt-head
Remember! CIA is watching you!
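Added example, not part of any post in this thread: a small model of the argument in replies #11 and #13, where the same outbound connections are judged once by a filter outside the PC and once by a firewall on the PC. The rule format, addresses and both policies are constructed for illustration, and the model covers only header-based (address/port) filtering; `firefox.exe` and `trojan.exe` are the names used in the thread.

```python
# Added illustration (not from the thread): outbound connections judged by a
# header-based filter outside the PC and by a firewall running on the PC.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    process: Optional[str] = None   # known only on the originating host

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    dst_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    process: Optional[str] = None    # only a host firewall can evaluate this

    def matches(self, c: Conn) -> bool:
        if self.proto is not None and self.proto != c.proto:
            return False
        if self.dst_port is not None and self.dst_port != c.dst_port:
            return False
        if ip_address(c.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.process is not None:
            # A rule naming a program cannot match traffic whose
            # originating program is unknown.
            return (c.process is not None
                    and c.process.lower() == self.process.lower())
        return True

def verdict(rules, c, default="block"):
    """First matching rule wins; otherwise the default applies."""
    for r in rules:
        if r.matches(c):
            return r.action
    return default

def on_the_wire(c: Conn) -> Conn:
    """What a device outside the PC receives: headers, no process name."""
    return replace(c, process=None)

# Constructed sample events (documentation address ranges, hypothetical hosts).
EVENTS = [
    Conn("192.168.1.20", "203.0.113.10", 80, "tcp", "firefox.exe"),
    Conn("192.168.1.20", "203.0.113.10", 80, "tcp", "trojan.exe"),
    Conn("192.168.1.20", "198.51.100.7", 6667, "tcp", "trojan.exe"),
]
# Hypothetical perimeter policy: web traffic out, nothing else.
PERIMETER = [Rule("allow", dst_port=80, proto="tcp"),
             Rule("allow", dst_port=443, proto="tcp")]
# Hypothetical host policy: only the browser may make web connections.
HOST = [Rule("allow", dst_port=80, proto="tcp", process="firefox.exe"),
        Rule("allow", dst_port=443, proto="tcp", process="firefox.exe")]

def compare(events=EVENTS):
    """Return (process, dst_port, perimeter verdict, host verdict) per event."""
    return [(e.process, e.dst_port,
             verdict(PERIMETER, on_the_wire(e)), verdict(HOST, e))
            for e in events]

if __name__ == "__main__":
    for row in compare():
        print("%-12s port %-5d perimeter=%-5s host=%s" % row)
```

The first two events are identical once the process name is stripped, so the perimeter policy must give them the same verdict; only the host policy can separate them.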
Triplejolt
Global Moderator
Comodo's Hero
Offline
Posts: 341
If you are going through hell, keep going!
Re: "What is the Truth about Firewalls? " Even under a router?
« Reply #14 on: November 27, 2007, 10:21:15 AM »
Most hardware based firewalls today come equipped with some type of packet inspection, anti-spoofing mechanism, granular forensic analysis to mention a few. Some even include antivirus modules to prevent malware and malicious code insertion as well as preventing virus and trojans. Hardware firewalls have come a long way since the basic layer 3 port-based accept/deny rulesets. But these things come with a hefty price tag too...
Logged
Cheers
Triplejolt
"Human salvation lies in the hands of the creatively maladjusted."