Software Firewalls

Started by Wingco1, May 02, 2008, 17:09:00


Wingco1

Do we really need them? I've just bought my wife a new Tosh Lappy and have taken the preloaded cr*p, "Norton", off and put AVG on. My three other boxes all have ZA on, which she finds a pain to use. Every time a programme is updated ZA asks for permissions. So bearing in mind we are sitting behind a router and Windows firewall, do we really need a software firewall?

Rik

I ran a software firewall behind a router for the first six months. It didn't have to do a thing in that time, so I abandoned it. I've never seen a virus or a piece of malware on any of my machines. That said, the risks are dependent on an individual's surfing habits and, for some, it may be a good idea to prevent apps accessing the web without their knowledge.

Others will have different views. :)
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Sebby

Quote from: Wingco1 on May 02, 2008, 17:09:00
Do we really need them? I've just bought my wife a new Tosh Lappy and have taken the preloaded cr*p, "Norton", off and put AVG on. My three other boxes all have ZA on, which she finds a pain to use. Every time a programme is updated ZA asks for permissions. So bearing in mind we are sitting behind a router and Windows firewall, do we really need a software firewall?

I would say it depends on the user. For myself, I don't feel a software firewall is necessary as I only need inbound protection, which every router using NAT does. For someone that doesn't know so much about computers and may allow malware to be installed, I think it's probably a wise move.

Noreen

I'm using a router and Vista Windows firewall and everything appears to be OK. I understand that the firewall can be configured for outward bound stuff too but I've never understood all the technical instructions. ;D

Wingco1

Quote
For someone that doesn't know so much about computers and may allow malware to be installed, I think it's probably a wise move.
Luckily she doesn't download, just browsing and emails.

Rik

Does she click on attachments in emails?

Wingco1

Only from people she knows, but I agree that's no guarantee.

Rik

How about HTML mail and links?

Wingco1

:eek4: What are you saying, Rik? ;D

Simon

I use F-Secure Internet Security, which obviously includes a firewall.  I have this, mainly for my own peace of mind, and I also like to know what's going in and out of my PC.  I have never fully understood how router firewalls work, but I get the impression that they work on an 'all or nothing' basis, and can't see how they could detect a specific trojan, for example, if it tried to enter your machine.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Noreen

Quote from: Simon on May 02, 2008, 18:31:52
.........and can't see how they could detect a specific trojan, for example, if it tried to enter your machine.
Wouldn't anti-virus or anti-spyware programs pick that up?

Steve

If you choose to run a software firewall behind a router you only need one!! If you're using a third party one such as Zone Alarm, turn Windows firewall off.  :)
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Noreen

When I used Comodo firewall on my previous computer I believe that it automatically turned Windows firewall off. Don't other firewalls do the same?

Steve

As a rule yes, but Windows and the Windows Security Center are inconsistent in their approach to third party firewalls :)

Simon

Quote from: Noreen on May 02, 2008, 18:39:43
Wouldn't anti-virus or anti-spyware programs pick that up?

It should do, Noreen, yes.  It's just the extra layer of protection I find reassuring.  :)

bob_s

My personal opinion is every PC should have anti virus, firewall and run spyware every so often if not live.

But that's based on people, including myself, who like to try freeware and trialware. A lot of which comes with spyware, which isn't a virus because you actively installed it by choice, and you may even want its functionality, although it is unlikely.

But if you're a safe web surfer that sticks to basic email and HTML you should be OK with just the anti-virus.

Simon

The trouble is, Bob, even the safest surfer can run into trouble, even on familiar sites these days.  The example that springs to mind is the recent trojan ad on Digital Spy.  In my opinion, within reason, you can't have too much protection, especially with the ever increasing concerns about identity fraud and general internet security.

Wingco1

AVG 8 seems a good prog at the mo. It seems to cover all bases.

Niall

AVG8 is awful for a LOT of people. I had to get a refund from them because they've now made it similar to Zone Alarm; bloated with more features than you need. I had to turn off over 50% of them for it to run on my system (which isn't a small system by any means).

As for firewalls, basically you'd be stupid not to use one. If you can guarantee EVERY piece of information that comes in and goes out of your network is safe and always will be, you should go speak with Microsoft, as you've obviously got some sort of knowledge that no one else on the planet has. I imagine you'd be paid well for that knowledge ;)

I'm using a NAT router, Windows firewall (it does the job, and all other firewalls you have to pay for all have something wrong with them in one way or another, to my irritation. I've spent god knows how many hours looking and trying a LOT of them) and Kaspersky AV. Combine that with Spybot, SpywareBlaster, PeerGuardian on my laptop too (no 64-bit Vista version last time I checked). The most important part is common sense.
Flickr Deviant art
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

Sebby

When I say I don't use a software firewall, the Windows one is enabled. :)

Dangerjunkie

Quote from: Simon on May 02, 2008, 18:31:52
I have never fully understood how router firewalls work, but I get the impression that they work on an 'all or nothing' basis, and can't see how they could detect a specific trojan, for example, if it tried to enter your machine.

The Internet works on IP addresses (you can think of these as being like your computer's phone number) and ports (you can think of these as being like extension numbers within an office phone system).

To send a piece of information the remote system gets your computer's IP address from its name using a thing called DNS (Domain Name Service). It then calls the number it gets and asks for the port it needs. A bit like someone dialling the switchboard of a big company and asking for extension 4567. Think of the programs on your computer as people sitting at desks. Some will have no extension on their desk, some will have one, others will have more. When the phone rings the program will answer it and act on whatever the program at the other end says. Most callers are genuine but a few are con artists.

Think of your firewall as the operator that answers the phone when a program calls the switchboard. That operator has been given a list of extensions that they are allowed to connect callers to and told not to connect a caller to any other extension.  So when ICQ calls asking to speak to your ICQ the rule you set up says this is OK and the operator puts the call through. When the Hacker's Toolkit calls, asking to speak to the credit card number storage department the operator won't put it through because no rule exists for that, protecting the business.  Some firewalls also insist all employees wanting to make a call do it through the operator to make sure nobody within the company is talking to someone they shouldn't.

Some of the best firewalls use a thing called "Stateful Packet Inspection" where the operator connects the calls but continues to listen to the call and disconnects it if they think the caller is up to something bad.


Quote from: Niall on May 06, 2008, 22:30:53

I'm using a nat router, Windows firewall (it does the job, and all other firewalls you have to pay for, all have something wrong with them in one way or another, to my irritation. I've spent god knows how many hours looking and trying a LOT of them) and Kaspersky AV. Combine that with Spybot, Spyware blaster, peerguardian on my laptop too (no 64bit vista version last time I checked). The most important part is common sense.

Not all decent firewalls cost money. The line of IPCop, Smoothwall and Monowall are free. However you do need to find a separate cr*ppy old computer to run them on. This is much better than a software firewall (yes, these are software too) because there is nothing else running on the machine with the firewall that can be used to get a trojan in to bypass the firewall.

Cheers,
Paul.
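To put Paul's switchboard analogy into code, here is a small Python model, added here and not from the original post or from any firewall product named in the thread: an allow-list of inbound "extensions" (ports), an optional allow-list for outgoing calls (the "employees must call through the operator" variant), and a connection table so replies to calls already put through are accepted without a rule of their own. The addresses, ports and packets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    syn: bool       # True on the first packet of a TCP connection (a new "call")
    inbound: bool   # True if arriving from the Internet, False if leaving the LAN

def port_of(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])

class StatefulFirewall:
    """Operator model: inbound allow-list, optional outbound allow-list, and a
    table of calls already connected so their replies need no rule of their own."""

    def __init__(self, inbound_ports: Iterable[int],
                 outbound_ports: Optional[Iterable[int]] = None):
        self.inbound_ports = set(inbound_ports)
        # None means any employee may dial out without asking the operator
        self.outbound_ports = None if outbound_ports is None else set(outbound_ports)
        self.established = set()   # one frozenset({src, dst}) per live connection
        self.log = []              # human-readable record of every verdict

    def filter(self, p: Packet) -> str:
        flow = frozenset((p.src, p.dst))
        if flow in self.established:
            verdict = "ACCEPT"     # part of a call the operator already connected
        elif not p.syn:
            verdict = "DROP"       # mid-call packet for a call nobody placed
        elif p.inbound:
            # outside caller asking for an extension: only listed ones go through
            verdict = "ACCEPT" if port_of(p.dst) in self.inbound_ports else "DROP"
        else:
            # LAN host dialling out: allowed unless an outbound list forbids it
            ok = self.outbound_ports is None or port_of(p.dst) in self.outbound_ports
            verdict = "ACCEPT" if ok else "DROP"
        if verdict == "ACCEPT":
            self.established.add(flow)   # stay on the line so replies get through
        self.log.append(f"{verdict:6} {'in ' if p.inbound else 'out'} {p.src} -> {p.dst}")
        return verdict

def demo() -> list:
    """Constructed traffic: only port 443 may be reached from outside."""
    fw = StatefulFirewall(inbound_ports={443})
    packets = [
        Packet("192.168.1.10:50000", "203.0.113.5:80", syn=True, inbound=False),     # browser out
        Packet("203.0.113.5:80", "192.168.1.10:50000", syn=False, inbound=True),     # its reply
        Packet("198.51.100.7:4444", "192.168.1.10:445", syn=True, inbound=True),     # unsolicited SMB
        Packet("198.51.100.7:60000", "192.168.1.20:443", syn=True, inbound=True),    # listed extension
        Packet("198.51.100.9:1234", "192.168.1.10:50001", syn=False, inbound=True),  # reply to no call
    ]
    return [fw.filter(p) for p in packets]
```

The last packet shows the stateful point: a bare mid-connection packet is dropped even though no explicit rule mentions it, because the operator never connected that call.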

Rik

Nice explanation, Paul.  :thumb: :karma:

madasahatter

Have another :karmic:, Paul

Brilliant explanation  :thumb:


Ray

Excellent explanation, Paul, and yet another, :karmic:
Ray
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Niall

Quote from: Sebby on May 07, 2008, 08:40:38
When I say I don't use a software firewall, the Windows one is enabled. :)

Heh, I wasn't aiming my comment at anyone. I use the windows firewall too :)

I just find it irritating how many people post on various forums (not these) saying stupid things like "why bother? I've never had a problem", when in reality they don't know if they have or not!

Niall

Quote from: Dangerjunkie on May 07, 2008, 11:48:34
The Internet works on IP addresses (you can think of these as being like your computer's phone number) and ports (you can think of these as being like extension numbers within an office phone system).

To send a piece of information the remote system gets your computer's IP address from its name using a thing called DNS (Domain Name Service). It then calls the number it gets and asks for the port it needs. A bit like someone dialling the switchboard of a big company and asking for extension 4567. Think of the programs on your computer as people sitting at desks. Some will have no extension on their desk, some will have one, others will have more. When the phone rings the program will answer it and act on whatever the program at the other end says. Most callers are genuine but a few are con artists.

Think of your firewall as the operator that answers the phone when a program calls the switchboard. That operator has been given a list of extensions that they are allowed to connect callers to and told not to connect a caller to any other extension.  So when ICQ calls asking to speak to your ICQ the rule you set up says this is OK and the operator puts the call through. When the Hacker's Toolkit calls, asking to speak to the credit card number storage department the operator won't put it through because no rule exists for that, protecting the business.  Some firewalls also insist all employees wanting to make a call do it through the operator to make sure nobody within the company is talking to someone they shouldn't.

Some of the best firewalls use a thing called "Stateful Packet Inspection" where the operator connects the calls but continues to listen to the call and disconnects it if they think the caller is up to something bad.


Not all decent firewalls cost money. The line of IPCop, Smoothwall and Monowall are free. However you do need to find a separate cr*ppy old computer to run them on. This is much better than a software firewall (yes, these are software too) because there is nothing else running on the machine with the firewall that can be used to get a trojan in to bypass the firewall.

Cheers,
Paul.

Well yeah, obviously a proxy/dedicated box would be good (dedicated racks in your room being ideal :D), but I don't want to build a separate PC that I route everything through, when I've got a router to avoid that in the first place. Okay, not exactly the same thing, but if it works.

I did briefly try this when I had 3 PCs from left over bits. I found it to be interesting, but overly complicated for a home user. All you really need is a router and good firewall. You can actually get a hardware firewall for a decent price these days too, if you want to do it properly.

Dangerjunkie

Hi,

Quote from: Niall on May 07, 2008, 16:28:39
Well yeah, obviously a proxy/dedicated box would be good (dedicated racks in your room being ideal :D), but I don't want to build a separate PC that I route everything through, when I've got a router to avoid that in the first place. Okay, not exactly the same thing, but if it works.

There are a number of mini-itx or pico-itx machines about that are about the same size as a router. If you visit http://linitx.com/viewcategory.php?catid=117&pp=116,117 they will sell them pre-built with the firewall software already installed. I know they're not cheap but IMHO you get what you pay for.

Quote
I did briefly try this when I had 3 PCs from left over bits. I found it to be interesting, but overly complicated for a home user. All you really need is a router and good firewall. You can actually get a hardware firewall for a decent price these days too, if you want to do it properly.

Which product gives the best protection depends on the user as well. I agree with what you say as I could never give a real firewall to my mother for example unless I set it up for her. For anybody with a basic knowledge of what IP addresses, ports and NAT are then a real firewall shouldn't be a problem. IMHO anyone that could manage to set up my old Linksys router to let a port in could do the same with IPCop.

There is no such thing as a hardware firewall. It's a myth generally spread by the people that make "hardware" firewalls. They try to market their products as better because they are a specialist piece of hardware but in reality a hardware firewall is just a small computer with a couple of network interfaces in a box running a piece of firewall software. I would have much more confidence in one than a software firewall though. In fact if hardware firewalls did exist they would be very poor because it would be impossible to update their behaviour when new threats emerged unless you used (very expensive) FPGA parts.

Some of these are good products but you should bear in mind they do have limitations. The amount of memory they have is limited and is usually not upgradable so the size of the firewall rule table is limited (may or may not be a problem to you). With something like IPCop or Monowall running on a mini-itx box you can always buy a bigger CF card (where the program is stored) if you run out of space for rules or other things. With a hardware firewall you are generally stuck with software from the manufacturer whereas if you used Monowall for example and got upset with it you can just load another firewall program onto the box and move on without spending any money.

Hardware firewall software is almost entirely proprietary and the source code isn't publicly available. This means that you have to take the word of the manufacturer (who have a vested interest in you thinking it's good and buying it) to tell you how good it is. With an open-source product the code will have been examined by many people and there are likely to be a number of well informed opinions on how good it is. This process also generally means that problems with it will be found early and fixed fast.

A specialist hardware firewall isn't always easy to use either. As an example I have a Juniper Netscreen on one of the networks I manage. I have a degree in computer science but when I started with it I had to get someone to show me how to set up rules for incoming connections. I couldn't even get it on my own when I had the manual.

A hardware firewall will always be a firewall. If you no longer need it then you can't change it into something else like a print server or a mail server. Though I do agree that this would only tend to be an issue for more advanced users.

Software firewalls have their uses but are limited because many pieces of malware use approved programs, like IE, to do their network access so they won't be spotted. They also run on the same machine as the malware so if anything gets past your antivirus then there is a chance it will be able to shut down the firewall from the inside and you will have mistaken confidence you are protected when you aren't.

Cheers,
Paul.

Dangerjunkie

Just read that post again. Maybe it didn't sound quite right. I didn't intend it to sound rude.

Cheers,
Paul.

Rik

Sounded OK to me, Paul.  :thumb:

Niall

Me too :) I would have replied sooner, but I've been enjoying relaxing in the nice weather when I've not been in the gym :)