Software firewall vs Router firewall.



Colpol
01-01-2010, 01:07 PM
Hi Guys.

In a previous thread God Speedy said
If you're going through a router with a firewall, I wouldn't bother with installing a software firewall
Speedy, can you please elaborate on this. What will stop a naughty program from starting or playing silly buggers?

Speedy Gonzales
01-01-2010, 02:02 PM
Well, a router should stop incoming hits if it's got a firewall. It depends on how paranoid you are, what you actually do on the net, whether you install a software firewall. If you're into dodgy sites, file sharing programs or pirated software, then you SHOULD install a software firewall. Because most will tell you WHAT files are running / trying to connect to whatever. Then you have an option of blocking it, in case it's something like a trojan. Windows firewall (depending on the OS) will block incoming but not outgoing.

I used to use a firewall when I was on dial up, but don't now since I've changed to broadband (since Oct 06). I haven't bothered with installing any software firewall. The modem has a firewall. And I'm using Vista / Win 7's firewall. That's good enough for me.

Colpol
01-01-2010, 02:22 PM
Thank you Speedy.
Food for thought.

Agent_24
02-01-2010, 01:12 PM
The firewall built into the router will stop some incoming attacks but not all. You should really have a software firewall anyway.

The other thing to remember is that you don't just have to worry about things coming in, it's things going out that can also be a problem.

Back when I was stupid enough to use Norton AntiVirus and Firewall, I got a virus (no surprises there, I had NAV)

I didn't know it was even there until it decided to connect to its master and send back all the product keys for everything I had installed. When Norton firewall told me that some strange executable from the System32 folder I had never heard of before was trying to access the internet, I became immediately suspicious. I blocked the program and then later found out what it was.

If I had not had a software firewall my Windows XP key and serial keys for my games would have all been stolen.

Sometimes, there are also programs which like to send "usage statistics" etc etc back home as well. You may not want this to happen. A software firewall provides an excellent way to stop this, if there is no option to turn it off in the program.

pctek
02-01-2010, 02:02 PM
If you're into dodgy sites, file sharing programs or pirated software, then you SHOULD install a software firewall. Because most will tell you WHAT files are running / trying to connect to whatever. Then you have an option of blocking it.

Which I run without going to dodgy sites, or using P2P or pirating.
Because I like to control what goes to the net and what doesn't. Which is mostly masses of unnecessary Windows components.

Not to mention it's an excellent way to discover nosey phone-home crap bundled in legit software.

Agent_24
02-01-2010, 02:16 PM
Because I like to control what goes to the net and what doesn't. Which is mostly masses of unnecessary Windows components.

Not to mention it's an excellent way to discover nosey phone-home crap bundled in legit software.

Exactly.

Chilling_Silence
02-01-2010, 10:28 PM
The firewall built into the router will stop some incoming attacks but not all.

Such as?

Agent_24
02-01-2010, 10:52 PM
When you open a port in your router, it does not know what you are using that port for, and will allow anything for that port through.

However the software firewall can be configured to only allow data on that port which is destined for a specific application.

Chilling_Silence
03-01-2010, 12:52 AM
True ... but if you're port-forwarding an application, such as for RDP, or for hosting a game for example, then it's either for a service you want remotely accessible at all times, or it's for an application that's only relevant when it's started. With a game for example, if you close the application, what's going to happen when you try and "come in" on that port? Nothing ....?

angry
03-01-2010, 01:09 AM
True ... but if you're port-forwarding an application, such as for RDP, or for hosting a game for example, then it's either for a service you want remotely accessible at all times, or it's for an application that's only relevant when it's started. With a game for example, if you close the application, what's going to happen when you try and "come in" on that port? Nothing ....?

Chill,

Yes, but what of the piggyback trojan/malware/thief that snuck in with your game and sat in your system for some time first.

Then it's one random day on your normal channel. If you don't have some sort of paranoid outbound gatekeeper/local machine outbound firewall, it will send all it wants and you will not know??

Chilling_Silence
03-01-2010, 09:16 AM
Then we're back to here aren't we:
http://pressf1.pcworld.co.nz/showpost.php?p=855195&postcount=2

The point I'm making is that NAT will stop things coming *in*, so if you trust your system (As Speedy and myself do) then there's little / no need for a software firewall, because anything that wants to come *in* must first have the connection initiated by an internal application going *out* :)

Besides, semi-decent malware is able to kill off A/V and Firewalls anyways :p See here for example: http://www.techspot.com/vb/all/windows/t-18950-Nasty-Trojan-disables-regedit-msconfig-antivirus-firewall-task-manager-etc.html

Agent_24
03-01-2010, 11:06 AM
Besides, semi-decent malware is able to kill off A/V and Firewalls anyways :p See here for example: http://www.techspot.com/vb/all/windows/t-18950-Nasty-Trojan-disables-regedit-msconfig-antivirus-firewall-task-manager-etc.html

No wonder it disabled his Antivirus since he has NAV, and firewall since he has Windows Firewall. Both are pretty terrible.

If he was running Comodo with Defense+ he would have had a popup telling him the trojan was trying to execute, with an option to block it.

This is a great example of why an updated antivirus is not that great anymore, and why HIPS and whitelisting are much more effective.

pkm
03-01-2010, 12:46 PM
No wonder it disabled his Antivirus since he has NAV, and firewall since he has Windows Firewall. Both are pretty terrible.

If he was running Comodo with Defense+ he would have had a popup telling him the trojan was trying to execute, with an option to block it.

This is a great example of why an updated antivirus is not that great anymore, and why HIPS and whitelisting are much more effective.
I agree, HIPS + firewall are very important.

The only other thing to do is to use a virtual machine for dodgy browsing. If it gets hosed you can transfer any files off and restore its state. I think hak5 has an ep on this topic: infecting VMs to see changes in processes/folders.

Chilling_Silence
03-01-2010, 01:43 PM
It's hard enough getting consumers to purchase a semi-decent router (They expect that the free ones are top of the line), let alone anything like what you're talking about.

In theory, nice. In reality...

Agent_24
03-01-2010, 02:58 PM
What? Are you saying they expect their router should include HIPS? But this is not possible, with something like Comodo's Defense+ it must be software.

Battleneter2
03-01-2010, 05:20 PM
It's worth mentioning the OS affects this topic.

The Vista firewall is better than the near worthless XP firewall, and the Win7 firewall is substantially better again.

The Win 7 firewall is very configurable, does profiles and logging etc., monitors inbound and outbound. It probably outperforms some 3rd party solutions, so in combination with decent AV this is actually pretty good.

If you have Win 7 and a Router firewall, a 3rd party firewall is nearly certainly a waste of time and money for general users including those that P2P etc.

Agent_24
03-01-2010, 05:23 PM
I agree with that. But firewalls will still not stop malware, and neither do Antivirus programs when the malware has just been released and the signatures have not been updated.

Which is why a whitelist/HIPS etc. is really the only effective way against new and unknown threats.

Speedy Gonzales
03-01-2010, 05:28 PM
Well, who really cares. If you want a firewall, install it. If you don't, don't. It's your problem, if you get infected, for not installing one.

Agent_24
03-01-2010, 05:33 PM
Who cares? I certainly do.

I do not want the chance of a virus infiltrating my system, and causing me headaches and doubts over my computer's security wondering if I had fully removed the virus or not.

Speedy Gonzales
03-01-2010, 05:34 PM
Well, so be it. Install it. Not everyone feels like installing one. Or needs to.

Agent_24
03-01-2010, 05:43 PM
Well, so be it. Install it. Not everyone feels like installing one. Or needs to.

And nor should you if you don't want to, and I'm certainly not telling you to do it either.

But what Colpol said:

What will stop a naughty program from starting or playing silly buggers?

In my mind, the only way to prevent or monitor this kind of thing is with a program like Comodo's Defense+ or Threatfire's Antivirus.

As they say themselves:

Normal antivirus products usually need to have first identified and seen a threat before they can provide adequate protection against it. The protection is then provided via a signature or fingerprint update, which must first be written by an antivirus researcher. This creates a large window of time where threats are undetected and can therefore infect your PC even when you have antivirus software installed.

For me, this is simply not good enough.

But even with just a simple default-deny system (whitelist) you can allow only the applications you know and trust, and deny everything else. Since any virus is in the "everything else" category, you are protected against all current and future viruses.
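The thread argues three things at once: a NAT router only lets traffic *in* when an inside program opened the connection or a port is forwarded (Chilling_Silence); a forwarded port on the router is open to whatever process happens to be listening, whereas a host firewall can tie the port to one program (Agent_24); and a default-deny outbound whitelist stops an unknown program phoning home (Agent_24, angry, pctek). The toy model below is an added example, not code from the thread or from any product named in it (Comodo, Windows Firewall, Norton). The program names, addresses and ports are constructed, and the two classes are deliberately simplified models of stateful NAT and of an application-aware host firewall, so the two layers can be asked independently what they would do with each packet.

```python
"""Toy model of the two filtering layers the thread compares (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# A flow as seen from the LAN host: (local_ip, local_port, remote_ip, remote_port)
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str              # "out" = LAN host -> Internet, "in" = Internet -> LAN host
    app: Optional[str] = None   # process owning the local socket; only the host knows this


def _local_flow(pkt: Packet) -> Flow:
    """Normalise a packet in either direction to the host-side flow tuple."""
    if pkt.direction == "out":
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class NatRouter:
    """Stateful NAT/firewall: passes every outbound flow, and inbound traffic only when it
    belongs to a flow initiated from inside or arrives on an explicitly forwarded port.
    It sees addresses and ports, never the process behind them."""

    def __init__(self, forwarded_ports: Iterable[int] = ()) -> None:
        self.forwarded: Set[int] = set(forwarded_ports)
        self.flows: Set[Flow] = set()

    def allow(self, pkt: Packet) -> bool:
        flow = _local_flow(pkt)
        if pkt.direction == "out":
            self.flows.add(flow)        # remember it so the reply can come back in
            return True
        return flow in self.flows or pkt.dst_port in self.forwarded


class HostFirewall:
    """Application-aware host firewall: outbound is default-deny except for whitelisted
    programs; an inbound packet on a port is accepted only when the expected program
    owns the socket, or when it is a reply to a flow an allowed program opened."""

    def __init__(self, inbound_by_port: Dict[int, str], outbound_allow: Iterable[str]) -> None:
        self.inbound_by_port = dict(inbound_by_port)    # port -> program allowed to listen
        self.outbound_allow: Set[str] = set(outbound_allow)
        self.flows: Set[Flow] = set()

    def allow(self, pkt: Packet) -> bool:
        flow = _local_flow(pkt)
        if pkt.direction == "out":
            if pkt.app in self.outbound_allow:
                self.flows.add(flow)
                return True
            return False                # unknown program phoning home: block it
        if flow in self.flows:
            return True
        expected = self.inbound_by_port.get(pkt.dst_port)
        # 'expected is not None' matters: a port with nothing configured must stay closed
        return expected is not None and expected == pkt.app


def evaluate(router: NatRouter, host: HostFirewall, pkt: Packet) -> Tuple[bool, bool]:
    """Ask each layer independently what it would do: (router_verdict, host_verdict)."""
    return router.allow(pkt), host.allow(pkt)


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Replay the situations argued over in the thread on constructed sample traffic."""
    router = NatRouter(forwarded_ports=[27015])                 # game port forwarded
    host = HostFirewall(inbound_by_port={27015: "game.exe"},
                        outbound_allow={"browser.exe", "game.exe"})
    lan, web, probe, c2 = "192.168.1.10", "203.0.113.5", "198.51.100.7", "198.51.100.9"
    r: Dict[str, Tuple[bool, bool]] = {}
    # 1. browser opens a connection; the reply rides the tracked flow back through both layers
    r["browser_out"] = evaluate(router, host, Packet(lan, 50000, web, 443, "out", "browser.exe"))
    r["browser_reply_in"] = evaluate(router, host, Packet(web, 443, lan, 50000, "in", "browser.exe"))
    # 2. unsolicited inbound probe on SMB: no flow, no forward, nothing listening
    r["unsolicited_smb_in"] = evaluate(router, host, Packet(probe, 4444, lan, 445, "in", None))
    # 3. forwarded game port while the game is the listener: both layers pass it
    r["game_port_game_running"] = evaluate(router, host, Packet(probe, 4444, lan, 27015, "in", "game.exe"))
    # 4. same port after the game closed and an unknown program took it: router still passes it
    r["game_port_trojan_listening"] = evaluate(router, host, Packet(probe, 4444, lan, 27015, "in", "trojan.exe"))
    # 5. unknown program phoning home: NAT is blind to it, the host whitelist stops it
    r["trojan_phone_home"] = evaluate(router, host, Packet(lan, 50001, c2, 80, "out", "trojan.exe"))
    return r


if __name__ == "__main__":
    for name, (router_ok, host_ok) in run_scenarios().items():
        print(f"{name:30} router={'pass' if router_ok else 'drop':4} host={'pass' if host_ok else 'drop'}")
```

Scenarios 2 and 3 are the cases where the router alone is enough, which is Speedy's and Chilling_Silence's position; scenarios 4 and 5 are the cases Agent_24 and angry describe, where the router passes the packet because it can only judge by port and direction, and only the application-aware layer on the host catches it. In a real deployment the equivalent of scenario 5 also produces the alert Agent_24 mentions (an unfamiliar executable asking to reach the internet), which is the detection value of an outbound whitelist quite apart from the block itself.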