Is a software firewall needed if you have a hardware router?

Hello Guys and Gals. I have a British Telecom hardware router, and have heard recently that some people reckon, security-wise, you don't need to use a software firewall such as the one in CIS. I am interested in the views of forum members on any pros or cons of using a software firewall when behind a router, and whether security is affected if I were to disable it?

Regards
Dave1234.

You can probably do well with a hardware firewall, but the question is, do you know enough? What risks are you willing to take, what are you trying to protect/prevent etc…

A security expert can tell you, you don’t need an antivirus… And that is probably accurate: if you are an advanced user then an antivirus will probably add nothing to your security… However, for a normal user who doesn’t know what he/she is doing, an anti-virus is wonderful, due to the simplicity, and after all antiviruses can prevent most of the basic junk… (and that is usually the only threat home users have.)

Just using a hardware firewall is “kinda” hardcore. Personally I wouldn’t recommend it. Holes can be found in your hardware firewall… Are the software firewall really that annoying?

Personally I don’t think you should dump the software firewall unless you know what you are doing. But it’s your call.

commanding the celsius said everything. A hardware router does a good job of filtering the inbound connections, and a software firewall is good for outbound connections. If you know every program on your computer that is connected to the internet, you are well protected with only a hardware router.

Thanks Guys… DiSP and commanding the celsius. I think I will leave my firewall as it is, as it can’t make the computer less secure by keeping it!

Thanks again.

Dave1234.

Your hardware router/firewall is probably more effective at preventing “inbound” attacks than your software firewall. However, it will provide very minimal to no protection for controlling “outbound” attacks. This is where a software firewall can be useful.

For me, I realised that my router/firewall is more than enough, and that Windows Firewall (even the XP one) is very good at filtering “inbound” traffic. I have no use for controlling “outbound” traffic, as all my “malware threat-gates” are sandboxed with Sandboxie. For everything outside the sandbox, I have a default-deny policy preventing anything from starting/running/executing with Software Restriction Policies.

Remember, a third party software firewall (with “outbound” filtering) is really only useful if your protection measures get bypassed in the first place, and your computer gets infected with malware that tries to call out.

The only use for a third party software firewall in my case would be to optimise the flow of traffic and perhaps reduce the chances of connection loss etc.

You see, as for the firewall you will probably indeed be fine, as the others already said. But remember that CIS is more than that. It packs one of the strongest HIPS in the same suite. No hardware system can give you such protection. So if you want you can disable your firewall, but as it will hardly reduce resource usage, it’s kind of the same ;).

best regards,
eXp

I run CIS in addition to my hardware firewall. Sure, the software firewall doesn’t work very hard, but I like having that extra layer of security.

Some routers have hardware firewalls that are configurable, some only use NAT. Mine falls in the second category so I feel that a software Firewall is necessary.

For what purpose? Defense+ will pick up any unknown/untrusted executable/process that tries to call out anyway right?

EDIT: correction, Defense+ will pick up any unknown/untrusted executable/process that tries to start/run/execute anyway right? If it can’t even run, you don’t need to worry about it connecting out to the internet!

Regardless, this is the beauty of Sandboxie - it is isolating all my applications that connect to the internet and in this isolated environment, all my sensitive/private data is protected, as the environment is denied (read) access to it.

Up until this week I was running a NAT router with the Comodo Firewall Attack Detection Settings set to protect against DoS attacks, which I thought was a very complementary setup. But when I found out a few days ago that the Comodo v4 Firewall will not feature these settings, I replaced the NAT router with a firewall router that does Stateful Packet Inspection, as compensation for protection against DoS attacks, because I refuse to run my computer without the Comodo Firewall and HIPS protecting it.

~Maxx~

Some of you guys are really too confident that nothing can get onto your PC. Good luck! I still prefer to have an extra layer of security in CIS / firewall, especially as it is free and makes no difference to the performance of my laptop… even if I also use Sandboxie!

There are many attack vectors, not just via a web browsing session or email, and so whilst Sandboxie is highly useful, as is a hardware firewall / router, nasties can still get onto your system even bypassing the usual controls and checks, and then will try to dial home. So what will you do without a software firewall / CIS then?

I am not being paranoid, but multi-layer security is essential in my book, and I am far from being an expert, but 30 years as a computer user has made me learn many lessons. 8)

Why even take such a chance in not using CIS / firewall? It’s beyond me and strikes me of an attitude of being arrogant or ignorant, sorry to say that, nothing personal just an observation / opinion.

I appreciate your opinion, and let’s work through this together if you have time - I always keep an open mind!

If nothing new can start/run/execute, how can it call out through the internet? Therefore, if nothing new can start/run/execute, why would you need a firewall with outbound protection?

I’ve only recently got rid of Comodo Firewall from my setup solely because of this reasoning. I had kept it in my setup for some time, simply because I thought it would be nice to have Defense+ “on-demand” (to analyse malware) and also because I thought if I ever needed to connect to the internet via dial-up (and therefore lose the inbound protection from my NAT router), I would have good inbound protection from Comodo. However, on further testing, the Windows Firewall (even on XP) already provides excellent inbound protection, and passes those ShieldsUP! tests (GRC | ShieldsUP! Internet Vulnerability Profiling) by itself.

Furthermore, I pretty much do all my malware testing in a Virtual Machine now (VirtualBox), and so Defense+ is not required on my REAL system.

Anyway, that’s my reasoning. Will be interested to hear yours.

P.S. for those who aren’t setup like me, CIS is still your best bet to get close to “100%” protection - and unbelievably, it’s completely free!

Your NAT router will pass these tests with no firewall…

Unless you’ve set up a DMZ or can turn off NAT on your router, the GRC test was probing your router, not the Windows firewall.

To answer topic starter’s question. Yes, you would need a software firewall for protection from incoming attacks from computers on your local network as well as outgoing traffic. The NAT/firewall of your router will protect against most, if not all, internet based hack attacks.

The opinions in this topic differ on how to tackle outbound traffic: with just the network firewall; HIPS-based (it will stop everything before it can be executed and make itself autostart); virtualization-based with added software restriction policies; or a combination of them in a layered approach.

Pick your weapon(s) of choice on how you want to handle outbound traffic.

Indeed, and that’s why I did those ShieldsUP! tests with Windows Firewall (XP) via a dial-up connection haha. With the Windows Firewall disabled, I failed those tests. With it enabled, I passed.

Windows Firewall is excellent for inbound protection! It just doesn’t provide much (if any) outbound protection, which is something I personally don’t need and want.

There’s one big problem with the philosophy of: “I don’t need outbound connection control capability, because my HIPS will stop anything not safelisted or approved from running in the first place!”

That problem is applications that are safelisted/approved to RUN, but which PHONE HOME over the Internet for NO GOOD REASON except maybe to keep track of you, or spy on you somehow.

Examples:

  1. Every time you do a search of your LOCAL filesystem with XP (note that there’s NO NEED whatsoever for the Internet to be involved in such a local search!), explorer.exe “phones home” to Microsoft for some reason (somebody says it’s updating XML files, but who knows). explorer.exe is surely safelisted, as it’s one of the core GUI processes that lets Windows work at all! Do YOU want these connections happening behind your back, for NO reason, or do you want to use a software firewall to BLOCK them?

  2. I use a DVD player program from a major company that came preinstalled with my system and its DVD drive. Of course, the program is safelisted. When I try to play a DVD movie (entirely locally, no need for the Internet at all), the program tries to “phone home” for NO REASON, except to probably spy on what I’m doing. Do YOU want these connections telling someone you’re watching a DVD movie disc on your PC, when there’s NO reason or need for any network connections like that to occur, or do you want to use a software firewall to BLOCK them?

The whole “safelisted to run == let it make any connections it wants” philosophy is full of holes, IMO.
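An added example, not from any poster in this thread: on Windows 8 / Server 2012 and later, the built-in firewall can do the per-program outbound blocking argued for above through the NetSecurity PowerShell cmdlets (the XP-era Windows Firewall discussed earlier in the thread could not). The program paths and rule names are constructed placeholders, and Windows Update is assumed to run inside svchost.exe under the wuauserv service.

```powershell
# Added example: default-deny outbound filtering with the built-in Windows
# firewall (Windows 8 / Server 2012 or later, run from an elevated prompt).
# Program paths below are constructed placeholders; adjust to your system.

# 1. Log dropped packets first, so you can see which "safelisted to run"
#    programs call out, and when, before tightening anything.
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True -LogFileName $logPath -LogMaxSizeKilobytes 16384

# 2. Flip the default outbound action from Allow to Block on every profile.
#    From here on only explicitly allowed programs may initiate connections.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Allow the programs that have a legitimate reason to talk to the network.
#    Each rule is scoped to one executable; anything else (e.g. a DVD player
#    phoning home during local playback) is dropped and logged.
$allowed = @{
    "Allow outbound - Firefox (placeholder)" = "C:\Program Files\Mozilla Firefox\firefox.exe"
}
foreach ($name in $allowed.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Program $allowed[$name] -Action Allow -Profile Any
    }
}

# Service-hosted traffic (Windows Update lives inside svchost.exe) needs a rule
# scoped to the service, not just the shared svchost.exe path. Related services
# such as BITS or Delivery Optimization may need their own rules as well.
New-NetFirewallRule -DisplayName "Allow outbound - Windows Update service (placeholder)" `
    -Direction Outbound -Service wuauserv -Program "$env:SystemRoot\System32\svchost.exe" `
    -Action Allow -Profile Any

# 4. Review: list the most recent blocked outbound attempts. Log fields are
#    space-separated: date time action protocol src-ip dst-ip src-port dst-port
#    ... path, where path is SEND for outbound and RECEIVE for inbound.
Get-Content $logPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} .* DROP .* SEND$' } |
    Select-Object -Last 20
```

Run step 1 alone for a few days before step 2, so the allow list is built from observed legitimate traffic rather than guesswork.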

Excellent points and no doubt these issues have always been in the back of my mind.

However, if we can’t trust Window’s explorer.exe, then what makes you think we can trust iexplore.exe (IE 6,7,8) or any other windows process/application that comes with Microsoft Windows?

I think an element of trust needs to be placed at some point. I think for a lot of trusted applications, they call out to the internet simply because they are checking for updates.

But in theory, these issues are more related to privacy. To be honest, I don’t store any valuable PIN numbers or passwords on my computer. That to me, is the best way to protect my privacy…in fact, it 100% prevents password theft! The same goes with my e-mails etc. I generally never put any valuable/sensitive information like PIN numbers or passwords in them. In my opinion, you’re more likely to get problems from this than explorer.exe calling out to the internet and stealing your data. Right?

Also, with regards to whether someone knows what DVD I’m watching etc, I couldn’t care less. If someone was trying to really spy on you in particular, they would have already broken into your house and bugged your computer or placed a hidden camera in your room etc.

I know some people are so paranoid with privacy that they always use TOR to surf the internet. TOR slows down your internet big time, and is NOT worth the inconvenience, in my opinion. Again, I couldn’t care less if someone was tracking what I am browsing - who knows who is using my computer anyway etc? And once more, if you were actually targeted specifically, (by the FBI or criminals etc) they would have already broken into your house etc.

Also, if you are that paranoid, how do you know if your Antivirus isn’t sending out information about your computer etc whenever you update it? Again, as I mentioned before, an element of trust needs to be there for well known “trusted” applications.

However, if we can't trust Window's explorer.exe, then what makes you think we can trust iexplore.exe (IE 6,7,8) or any other windows process/application that comes with Microsoft Windows?

I think an element of trust needs to be placed at some point. I think for a lot of trusted applications, they call out to the internet simply because they are checking for updates.

Sure, some level of trust is necessary to be on the Internet at all. For example, many bidirectional Internet connections are required between your PC and Microsoft (to check for and apply Windows updates, etc.)

But I’m talking about blocking completely unnecessary communications, particularly ones that are initiated when you perform a local-only task. There is no need for these to occur, except to collect data about one’s private, local activities.

If you don’t mind this sort of thing happening, then that’s fine. For me, it’s about minimizing questionable, unnecessary connections as much as possible. I think that’s entirely reasonable, not “paranoid”, particularly with non-Microsoft things like DVD player software, which comes from a much less monolithic and much less watched-over company than Microsoft. Questionable connections in Microsoft’s code will be found much more quickly, and publicized much more widely, than those in some third-party app like a DVD player. That translates into decreased risk of discovery and publicity, and therefore increased probability, of lower-profile third-party companies doing such shady things.

Also, with regards to whether someone knows what DVD I'm watching etc, I couldn't care less.

As long as you’re watching a fully-legal DVD, then yes there shouldn’t be a problem. But just the same, who wants some DVD player software maker keeping a big database of what you watch and when? If you don’t mind that, then… I suppose it’s fine, for you.

If someone was trying to really spy on you in particular, they would have already broken into your house and bugged your computer or placed a hidden camera in your room etc.

This is ridiculously harder and more dangerous than placing a simple “phone home” in a piece of software, so it’s not too relevant to this discussion. That’s an “all or nothing” mindset… meaning that because theoretically your house can be broken into and hidden cameras set up, etc., then there’s no point in taking simple security measures to limit unnecessary usage data being transmitted from your PC.

It’s kind of like saying that you don’t need to keep simple first-aid supplies in your house, because in theory a giant asteroid could smash into your house and kill you instantly.

The theoretical possibility of incredibly unlikely, extreme and personally-targeted security breaches in no way lessens the value of taking simple and valuable minor security precautions against incredibly common and impersonal “cast a big net” things like “phone home” mass data collection code.

For every case where someone breaks into a house and sets up hidden cameras (targeting one person with extreme effort and risk), there are hundreds of millions of cases that are simply some company looking to build a usage database of their customers, for purposes unknown but probably profit-related (targeting millions of people with very little effort or risk).

It’s comparing incredibly rare apples versus incredibly common oranges.

who knows who is using my computer anyway etc?

It’s very easy to data-mine the database collected over time by the “phone home” code, and easily identify what your specific PC has been doing, particularly if the “phone home” data contains a unique product serial number (as it probably would), so that dynamic things like DHCP-assigned, variable IP addresses do not have to be relied on. So they’d know what YOUR PC was doing, for sure.

Do they know WHO was sitting in front of your PC? No, but I sure as heck don’t even want them knowing what MY PC was doing, REGARDLESS of who was using it… particularly when such “no legitimate reason for the connection” connections are so very easy to block with a software firewall.

And once more, if you were actually targeted specifically, (by the FBI or criminals etc) they would have already broken into your house etc.

Again, orders of magnitude harder and more risky and serious than using simple “phone home” code in a product. I’m talking about simple data collection for someone to data-mine later, not the NSA and KGB breaking into your house!

Also, if you are that paranoid, how do you know if your Antivirus isn't sending out information about your computer etc whenever you update it?

Sure, various apps could be sending arbitrary information during their auto-updates. But you’re looking at this in “black or white”, “perfection or nothing” terms. Connections with an obvious legitimate use (antivirus definition updates, Windows updates, etc.) are far less suspect than connections made for no good reason at all, right when you perform a LOCAL-ONLY action. Those are the ones that are much more suspicious.

I think blocking those is a good step to take. We can’t have perfect security, but I’ll take improved security over no security any day.

Just my opinion, of course.

Again, very good points, and a good discussion.

With regards to the FBI etc thing, I was merely pointing out that you would rarely be specifically targeted as an individual, and that if you were, they would rely on much better and more invasive techniques than trying to “data mine” your computer off site.

As for me, I have my own protection in place to achieve that level of “peace of mind”, and it doesn’t require a software firewall with outbound control. All my third party programs which connect to the internet, eg. web browsers, chat messenger programs, online games etc are sandboxed with Sandboxie and with file/folder protection in place. This means that in these sandboxed environments, nothing can access (not even READ) certain areas of my computer which may contain sensitive data.

Regardless, why would you be using third party software that may act as a keylogger and is out to steal your passwords as you type them? If you are that paranoid, all your software should be well known and come from a trusted company etc. As you have admitted, you are already putting trust in Microsoft, antivirus software and anything you are allowing to connect out to the internet like firefox.exe, opera.exe, java.exe, pidgin.exe, online gaming processes etc. And how does the saying go? The ones you least expect are the ones who will bite you? Joking joking haha.

Anyway, you provide very valid arguments about privacy issues. However, simply using well known and trusted third party software is all you really need to do.