Hardware firewall vs. Comodo's firewall

Here at home, on our little, wired, house-wide, private LAN, we have a D-Link brand wired router with a built-in switch and firewall hardware appliance as the very first thing connected to the DSL modem… then all computers and printers are connected to said D-Link router/switch/firewall. And, of course, I have the firewall component of the home D-Link router/switch/firewall appliance turned on and fully functional. (The firewall component of the D-Link device is an actual firewall component, in addition to the device’s built-in NAT capability, which even in the absence of an actual built-in firewall component many consider to be almost as good as a firewall because of how NAT prevents direct addressability of any LAN device from the outside world.)

So, then, whenever either my wife or I are at home with our notebooks, connected to our little private wired LAN, we are safely behind the D-Link’s built-in hardware firewall (and NAT).

Now, we have both just installed COMODO INTERNET SECURITY version 3.8.64263.468 onto our respective notebooks… today (13 Feb 2009). And we know, of course, that whenever we’re away from the house and using our notebooks in a public WIFI hotspot (or pretty much anywhere where we can’t be assured that there’s a good firewall running… which, as far as I’m concerned, is any WAN or LAN other than my own, here at home), then, of course, we need to have the firewall component of the COMODO INTERNET SECURITY product turned on and running. We get that. No problem there.

However, in the wisdom of those here assembled, am I correct in assuming that as long as we’re at home, and our Internet connection is through that fully-functional, fully-up-to-date D-Link router/switch/firewall/NAT device, then the firewall component of the COMODO INTERNET SECURITY product may safely be turned off (disabled)?

I was always trained (and conventional wisdom has always been) that hardware firewalls are always generally better than software ones; and if a reliable, verifiable (and verified) hardware firewall appliance is in place and working on any given wired LAN, then all devices connected to said LAN on the protected side of said hardware firewall needn’t have any sort of software firewall (such as Comodo’s firewall) up and running on any of them.

Therefore, whenever our notebooks are at home, on our own private LAN, behind its hardware firewall, augmented by NAT, couldn’t we both just right-single-click on the COMODO INTERNET SECURITY system tray icon and select “Disabled” under “Firewall Security Level”?

Yes, of course, we must set it back to an enabled state if we take the notebook out into the world. But here at home, behind our little D-Link firewall, can’t we just disable the firewall component (and only the firewall component) of COMODO INTERNET SECURITY?

And remember: I’m only talking about the firewall portion of the INTERNET SECURITY product. The Antivirus and Defense+ components would still be working, no matter where we were. I’m just talking about disabling the firewall and nothing else.

If your answer is “no,” then why? (And please don’t make your answer something like “better safe than sorry” or something like that.) If my D-Link firewall appliance is as good as D-Link says it is (and it is), then is not the COMODO firewall just unnecessarily redundant? Does the firewall component (and only the firewall component) of the COMODO INTERNET SECURITY product do anything essentially or differently or inherently better than a good hardware firewall appliance would do?

And, yes, I know that the risk we run is forgetting to turn the firewall back on when we leave the house… but don’t worry about that for our purposes here. Let us worry about that. I simply want to know, by golly, if there’s any reason why we can’t disable our Comodo firewalls whenever we’re connected to our private wired LAN here, at home, protected by said LAN’s hardware firewall.

If the answer is still “no,” and if we shouldn’t turn off our software (Comodo) firewalls even when we’re at home, behind our hardware firewall, then will there be any conflicts between the Comodo firewall and the hardware firewall? Won’t it be too much filtering? Overkill? Might something fail to work properly because of it that anyone can think of?

I use a D-Link DIR-825 wireless router here on my home network (wired desktop and a wireless laptop), firewall enabled, full security measures in place, port forwarding, and anything not listed as authorized is redirected to nothing (essentially blocked).
CIS is also installed (proactive), and the firewall is also turned on. I find the software firewall to be more flexible in its settings than the hardware one (also it can stop anything outgoing that isn’t authorized).
The following links will help you decide:

There was a thread somewhere on here about some country suggesting not needing a software firewall if you have a hardware firewall, but I couldn’t find the link.

Don’t get me wrong, in that I personally prefer both on for protection.
A short story if you please: I had a virus last fall that was dormant and passive until it activated (some 6-8 months later). CIS stopped it from leaving my system to the Internet. I don’t believe a hardware firewall would have done that.

It basically boils down to personal choice. If you wish to turn off the software firewall when behind your router, go for it. But, you will feel safer if you leave it on, and it won’t add to the drain on system resources. You will also have greater control over what goes in and out.

I hope this helps you in your decision.

John touched on what I feel to be the biggie as far as I’m concerned. Does your hardware firewall block any unwanted outgoing traffic?

I personally run both hardware and software firewalls. Granted, the software firewall isn’t working very hard, but I feel the outgoing protection is well worth running it. And Comodo is so resource friendly that it doesn’t bog anything down.

Thanks, guys!

You’re right… the outgoing is a big deal. I guess I didn’t think so much about it because I’m so aggressive about viruses and spyware and other exploits that I usually catch them before they can even get to the point of communicating back out to the Internet. But your point about it is nevertheless well taken. Thank you.

And the thing about the software firewall not being very busy as long as the hardware firewall is in the system is I guess what made me think of it. If I happen not to take the notebook anywhere for prolonged periods, my Comodo logs have almost nothing in them… no activity… nothing blocked… it’s as if I’m invisible to the Internet. And, of course, with the hardware firewall, I kind of am. So then, whenever I think about how slow my Vista machine has become, I start thinking about what I can disable or stop from running on startup to maybe speed things up a little… and my nearly inactive Comodo firewall comes to mind. But your point about it being surprisingly light on resources considering what it does is also something I keep forgetting.

So, then, maybe I should just turn it on and leave it on and forget about it. I think that’s what we’ll do.

Good points, you guys. Thanks again!

Glad to help!

Comodo is so resource friendly that it doesn’t bog anything down.

Can anyone point us to testing or data supporting this? How does it work in that it doesn’t slow down networking, etc?

Also, when you have added ZONES, RULES, POLICIES, and have lots of apps, how much slower does COMODO make things?

What about just copying a lot of data or files across a local LAN. How much does it slow things down?

unwanted outgoing traffic

Primary reason I run COMODO. You might be amazed one day at what tries to get out.

I only have my personal observations to go by. So I guess it could be considered anecdotal.

Physical resources are easy to check. Look at your task manager.

Slowdowns are subjective. I have experienced no difference in disabling Comodo and running the Windows firewall, or running with Comodo enabled. Yet I have no concrete data to back this up.

The thought that comes to my mind would be to do an operation such as a database sort, timed. Compare the results of both with CIS and without CIS running.
This would give you some indicator as to the performance level of CIS.

I’m in a similar position - have a strong home firewall on the internet connection, and CIS on each of the PCs. The PC firewall doesn’t really have any work to do regarding incoming connections (of course it does for my notebook when connected elsewhere).

But for controlling outgoing connections there will always be more power in a firewall on the PC than in an external firewall - the external firewall can only see IP addresses and port numbers (and connection state and protocol state inside the IP packets, for some firewalls) - it has no visibility to what program or process attempted the connection. That can only be done on the PC itself.

Don’t ever assume that you don’t need outgoing protection because you have good incoming protection! :wink: Remember the firewall will allow downloads of zip files that may contain malware. And email attachments. And there are USB sticks too, which will never touch your external firewall.

I guess most of this can be done by Defense+ even if the CIS Firewall is disabled, but I’m not 100% sure on that. What I can say is that leaving the firewall enabled doesn’t hurt anything. It’s not a resource drain and is unlikely to conflict with the external firewall (both issues that can apply when running more than one realtime antivirus tool, for example).
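The post above makes the point that an external firewall matches only on addresses, ports and protocol, while a firewall on the PC can also match on the program that opened the socket. The following is an added illustration of that difference, not code from the thread or from Comodo: it models two first-match rule sets, one with the fields a router can see and one with the extra process field a host firewall can see, and runs the same constructed connection attempts through both. The rule sets, program paths and addresses are all made up for the example.

```python
# Added example (not from the forum thread): model of what a perimeter
# (router) firewall can match on versus what a host firewall can match on.
# All connections, process paths and rule sets below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    """An outbound connection attempt as seen by a firewall."""
    dst_ip: str
    dst_port: int
    proto: str                  # "tcp" or "udp"
    process: Optional[str]      # local program path; None = not visible to the observer


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "block"
    dst_port: Optional[int] = None      # None matches any port
    proto: Optional[str] = None         # None matches any protocol
    process: Optional[str] = None       # None matches any process

    def matches(self, conn: Connection, sees_process: bool) -> bool:
        if self.dst_port is not None and self.dst_port != conn.dst_port:
            return False
        if self.proto is not None and self.proto != conn.proto:
            return False
        if self.process is not None:
            # A perimeter device has no process attribute to compare against,
            # so a rule written in terms of a program can never match there.
            if not sees_process or self.process != conn.process:
                return False
        return True


def evaluate(rules: List[Rule], conn: Connection, sees_process: bool,
             default: str = "block") -> str:
    """First-match policy; anything unmatched falls to the default verdict."""
    for rule in rules:
        if rule.matches(conn, sees_process):
            return rule.action
    return default


# Constructed perimeter policy: port/protocol only, the usual
# "let web and DNS out" shape of a home router's outbound rules.
PERIMETER_RULES = [
    Rule("allow", dst_port=80, proto="tcp"),
    Rule("allow", dst_port=443, proto="tcp"),
    Rule("allow", dst_port=53, proto="udp"),
]

BROWSER = r"C:\Program Files\Browser\browser.exe"      # constructed path
RESOLVER = r"C:\Windows\System32\svchost.exe"            # constructed path

# Constructed host policy: per-program rules, which only a firewall running
# on the PC can express. Unknown programs fall to the default "block".
HOST_RULES = [
    Rule("allow", process=BROWSER, dst_port=443, proto="tcp"),
    Rule("allow", process=BROWSER, dst_port=80, proto="tcp"),
    Rule("allow", process=RESOLVER, dst_port=53, proto="udp"),
]


def perimeter_decision(conn: Connection) -> str:
    # The router never learns which process opened the socket.
    stripped = Connection(conn.dst_ip, conn.dst_port, conn.proto, process=None)
    return evaluate(PERIMETER_RULES, stripped, sees_process=False)


def host_decision(conn: Connection) -> str:
    return evaluate(HOST_RULES, conn, sees_process=True)


def compare(conn: Connection) -> Tuple[str, str]:
    """(perimeter verdict, host verdict) for one connection attempt."""
    return perimeter_decision(conn), host_decision(conn)


if __name__ == "__main__":
    unknown = r"C:\Users\me\AppData\Local\Temp\update.exe"   # constructed path
    samples = [
        ("browser to https", Connection("198.51.100.10", 443, "tcp", BROWSER)),
        ("unknown exe to https", Connection("198.51.100.10", 443, "tcp", unknown)),
        ("unknown exe to tcp/6667", Connection("203.0.113.5", 6667, "tcp", unknown)),
    ]
    for label, conn in samples:
        perimeter, host = compare(conn)
        print(f"{label:24} perimeter={perimeter:5} host={host}")
```

The second sample is the case the post describes: an unknown program talking to port 443 looks exactly like the browser to the router and is allowed through, while the host policy, which has no rule for that program, blocks it. The third sample shows the two agreeing when the port itself is outside the perimeter policy.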