Poll: Is a software firewall necessary if you have a hardware firewall ??


Oaf357

Senior member
Sep 2, 2001
Originally posted by: JackMDS
It all depends whether one wants to show "Plumber" muscles or to take into consideration the "Small" LAN guys.

Bulldozer is a vehicle

Saturn is a Vehicle.

That does not mean that Saturn = Bulldozer, or that when ever you need a Vehicle you should get a Bulldozer because it is bigger and stronger.

You have a small home Network and you use an Entry Level Cable/DSL Router you get a One Way NAT Firewall. I.e. you have a decent protection from "Dirt" coming in. You do not have protection from info going out. You put a decent medium level software Firewall you get notified when "Billy" calls home, you can make a decision what you want to do with "Billy".

Few times during the course of Internet work I have to disable the firewall for few minutes. Toward the end of the day I have a habit to look at my WinXP StartUp list.

Well few minutes ago I see a new entry called Bargain Buddy. Looking at the running threads there is a Bargain Buddy program chugging in the background. Tracing the program I found a directory called Bargain Buddy. It has two exe files and 4 dll. Where it is coming from? What it is doing? I do not know, and I do not care. I already got rid of it.

I know how to take proper care of my PC and how to handle a network (already did it before some of you guys were born). If I did not have a software firewall I would have about 20 "Bargain Buddies" per day.

Along these lines I am afraid to think what type of "Bargains" my family, and people that work for me will get if there was no Software Firewall on my SOHO Networks.

Being knowledgeable in networking never replaces the knowledge of knowing what sites to surf and what not to surf and when to click yes or no.

When I say firewall, I mean an independent device that IS a firewall. Thanks to Linksys, NetGear, etc. other people think firewalls are home routers.

If you have a properly configured hardware firewall your network is safe and a software firewall is a waste.
 

Fuzznuts

Senior member
Nov 7, 2002
Originally posted by: Oaf357
Originally posted by: JackMDS
It all depends whether one wants to show "Plumber" muscles or to take into consideration the "Small" LAN guys.

Bulldozer is a vehicle

Saturn is a Vehicle.

That does not mean that Saturn = Bulldozer, or that when ever you need a Vehicle you should get a Bulldozer because it is bigger and stronger.

You have a small home Network and you use an Entry Level Cable/DSL Router you get a One Way NAT Firewall. I.e. you have a decent protection from "Dirt" coming in. You do not have protection from info going out. You put a decent medium level software Firewall you get notified when "Billy" calls home, you can make a decision what you want to do with "Billy".

Few times during the course of Internet work I have to disable the firewall for few minutes. Toward the end of the day I have a habit to look at my WinXP StartUp list.

Well few minutes ago I see a new entry called Bargain Buddy. Looking at the running threads there is a Bargain Buddy program chugging in the background. Tracing the program I found a directory called Bargain Buddy. It has two exe files and 4 dll. Where it is coming from? What it is doing? I do not know, and I do not care. I already got rid of it.

I know how to take proper care of my PC and how to handle a network (already did it before some of you guys were born). If I did not have a software firewall I would have about 20 "Bargain Buddies" per day.

Along these lines I am afraid to think what type of "Bargains" my family, and people that work for me will get if there was no Software Firewall on my SOHO Networks.

Being knowledgeable in networking never replaces the knowledge of knowing what sites to surf and what not to surf and when to click yes or no.

When I say firewall, I mean an independent device that IS a firewall. Thanks to Linksys, NetGear, etc. other people think firewalls are home routers.

If you have a properly configured hardware firewall your network is safe and a software firewall is a waste.


Couldn't agree more. :)
 

Eltano1

Golden Member
Aug 6, 2000
Lizardboy, you should also make a difference between a Cisco and a SOHO (Linksys, Dlinks, etc) firewall/routers, in that way it would show better why to have both kinds of firewall.
Personally I do have both (at home and at the school), and no matter how good you are, trying to prevent not to get infected, there is always someone that somehow will get a virus of any kind.

Eltano
 

glugglug

Diamond Member
Jun 9, 2002
Most stuff phones home on port 80 and will go right through your hardware firewall.

Sure you can set up a SOCKS proxy and block port 80, but it isn't very difficult for any 3rd party program to find the proxy settings part of your browser settings (in fact built in winAPI calls for making HTTP requests will do this), so that still doesn't accomplish anything without blocking on a per-application basis which a hardware firewall can't do.

Any windows product without a software firewall = stupid.
And even with the software firewall you still need a hardware firewall to see what windows is doing during boot.
And it's not too difficult for programs to get around some of the software firewalls after boot either -- tiny firewall doesn't realise that VMWare has access to the internet since it makes all calls at raw ethernet level, not layer 4+. ZoneAlarm sees this but is less stable. Anyone have a good suggestion for the best of both worlds?
 

Oaf357

Senior member
Sep 2, 2001
Originally posted by: glugglug
Most stuff phones home on port 80 and will go right through your hardware firewall.

Sure you can set up a SOCKS proxy and block port 80, but it isn't very difficult for any 3rd party program to find the proxy settings part of your browser settings (in fact built in winAPI calls for making HTTP requests will do this), so that still doesn't accomplish anything without blocking on a per-application basis which a hardware firewall can't do.

Any windows product without a software firewall = stupid.
And even with the software firewall you still need a hardware firewall to see what windows is doing during boot.
And it's not too difficult for programs to get around some of the software firewalls after boot either -- tiny firewall doesn't realise that VMWare has access to the internet since it makes all calls at raw ethernet level, not layer 4+. ZoneAlarm sees this but is less stable. Anyone have a good suggestion for the best of both worlds?

Yes, don't install crap that phones home.

I think everyone's input is great but there is one problem with everything people are saying. The only "valid" reason so far that I've seen to use both hardware and software firewalls is to keep ad/spyware from doing what it's programmed to do. The best way to prevent ad/spyware from doing what it's designed to do is to not have it, at all.

Great, it calls home on port. Use a sniffer and identify the client PCs that are calling home and take the problem app out if you don't trust msconfig to remove it then use this.. It all boils down to what users have on their PCs. Educate them.

Using a software firewall isn't worth the time, in my opinion, because a good hardware firewall and good administrators can easily handle the purpose of the software firewall without eating up resources on users' PCs. Plus, for every app you install that's another app you have to keep up to date, troubleshoot, and support.

For someone to say that not using a software firewall is stupid shows how little attention they pay to what sites are being surfed and what IP addresses they should deny access to (via a hardware firewall).
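
The sniffer approach suggested in the post above (identify the client PCs that are calling home), as an added example that is not part of the original thread. It goes slightly beyond the post by using one specific heuristic, regular connection intervals, to separate phone-home traffic from ordinary browsing on port 80. The log format, the thresholds and every address are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_ip dst_ip dst_port", one outbound
# connection per line, as a sniffer or gateway log might record them.
# Addresses come from RFC 1918 and RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-02-10T09:00:02 192.168.1.10 203.0.113.7 80
2003-02-10T09:01:10 192.168.1.11 198.51.100.20 80
2003-02-10T09:01:12 192.168.1.11 198.51.100.20 80
2003-02-10T09:02:00 192.168.1.12 203.0.113.7 80
2003-02-10T09:03:40 192.168.1.11 198.51.100.20 80
2003-02-10T09:05:01 192.168.1.10 203.0.113.7 80
# capture restarted
2003-02-10T09:10:03 192.168.1.10 203.0.113.7 80
2003-02-10T09:15:02 192.168.1.10 203.0.113.7 80
2003-02-10T09:17:05 192.168.1.11 198.51.100.20 80
2003-02-10T09:17:06 192.168.1.11 198.51.100.20 80
2003-02-10T09:20:01 192.168.1.10 203.0.113.7 80
2003-02-10T09:25:03 192.168.1.10 203.0.113.7 80
2003-02-10T09:30:00 192.168.1.12 203.0.113.7 80
2003-02-10T09:40:30 192.168.1.11 198.51.100.20 80
"""


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:
            continue  # wrong field count, bad timestamp or bad port
    return records


def find_beacons(records, port=80, min_events=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connections on `port` recur at a steady
    interval. max_cv is the allowed coefficient of variation of the gaps;
    both thresholds are assumptions to tune against real traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, len(times), round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, count, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {count} connections, about every {interval}s")
```

On the constructed sample only 192.168.1.10 is flagged: the bursty browsing from 192.168.1.11 fails the interval check and 192.168.1.12 has too few connections to judge.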
 

Lord Evermore

Diamond Member
Oct 10, 1999
Anyone maintaining multiple machines that may have people randomly installing such software should be using a single firewall that all traffic passes through anyway (a real firewall) if it's that much of a concern. Someone with two PCs in their house should be able to handle spyware/adware easily, no need for a firewall other than a NAT router.
 

Oaf357

Senior member
Sep 2, 2001
Originally posted by: Lord Evermore
Anyone maintaining multiple machines that may have people randomly installing such software should be using a single firewall that all traffic passes through anyway (a real firewall) if it's that much of a concern. Someone with two PCs in their house should be able to handle spyware/adware easily, no need for a firewall other than a NAT router.

An excellent point. Could you imagine using software firewalls on say 500 PCs. That's 500 firewalls to configure, update, and control. It can be done (more effectively) with one hardware firewall.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Lucky me, in my community there is a local Village ordinance that mandates each house to keep outside a hose connected to a faucet long enough to reach any point in the property.

Firewall or not. I Guess I am Protected!
 

glugglug

Diamond Member
Jun 9, 2002
Originally posted by: Oaf357
Yes, don't install crap that phones home.

I think everyone's input is great but there is one problem with everything people are saying. The only "valid" reason so far that I've seen to use both hardware and software firewalls is to keep ad/spyware from doing what it's programmed to do. The best way to prevent ad/spyware from doing what it's designed to do is to not have it, at all.

Really the only way to do this is to not install any windows version later than 98/NT.... Although if MS really wanted to they could obviously get around any software firewall. Which leads back to what you say being the real answer... if you want real security, just use Linux + hardware firewall.

 

Lord Evermore

Diamond Member
Oct 10, 1999
So you're saying that phonehome software only works on 2k and XP and 98/NT are automatically protected?
 

glugglug

Diamond Member
Jun 9, 2002
Originally posted by: Lord Evermore
So you're saying that phonehome software only works on 2k and XP and 98/NT are automatically protected?

No there is plenty of phone-home software for 98/NT also. But 2K/XP have it in a default installation with no non-MS software installed.
 

Oaf357

Senior member
Sep 2, 2001
Originally posted by: glugglug
Originally posted by: Oaf357
Yes, don't install crap that phones home.

I think everyone's input is great but there is one problem with everything people are saying. The only "valid" reason so far that I've seen to use both hardware and software firewalls is to keep ad/spyware from doing what it's programmed to do. The best way to prevent ad/spyware from doing what it's designed to do is to not have it, at all.

Really the only way to do this is to not install any windows version later than 98/NT.... Although if MS really wanted to they could obviously get around any software firewall. Which leads back to what you say being the real answer... if you want real security, just use Linux + hardware firewall.

You don't think phone home software could be made for Linux?

It's not an OS specific issue.

Security is a "look forward" issue. Using Linux as a counter to phone home software only means that you're not looking far enough into the future.

ANY OS COULD BE VULNERABLE. In the future of course so plan far ahead and develop an active system for keeping spyware and adware off systems and keeping that software from communicating outside of your network.
 

spidey07

No Lifer
Aug 4, 2000
Managing software policy on thousands of PCs is really not that hard. It is just another administrative tool just like virus protection and is managed as such.
 

glugglug

Diamond Member
Jun 9, 2002
I'm sure there is spyware for linux.

But a) It's not there by default with JUST linux installed.
and b) AFAIK there is no standard place for it to see your proxy settings.
 

Oaf357

Senior member
Sep 2, 2001
Originally posted by: spidey07
Managing software policy on thousands of PCs is really not that hard. It is just another administrative tool just like virus protection and is managed as such.

Ahh... but wouldn't it be significantly easier just to administer one firewall?
 

spidey07

No Lifer
Aug 4, 2000
No. You can even manage the desktop and internet firewalls as one using the same policy.

Security is not a firewall, security is methodologies and policies. A firewall is just part of it. So is a desktop firewall.

It really is pointless to debate this. A firewall is required on PCs if you want tighter network security. It is the security officer's call on just how much security is needed.
 

Oaf357

Senior member
Sep 2, 2001
Originally posted by: spidey07
No. You can even manage the desktop and internet firewalls as one using the same policy.

Security is not a firewall, security is methodologies and policies. A firewall is just part of it. So is a desktop firewall.

It really is pointless to debate this. A firewall is required on PCs if you want tighter network security. It is the security officer's call on just how much security is needed.

Tighten the belt on your hardware firewall. Software firewalls are pointless and only stop what should already be stopped by a good hardware firewall and network administrator.

As a side note. Name one major entity that uses software firewalls on every PC on its network.
 

Poontos

Platinum Member
Mar 9, 2000
Oaf357 wrote:
> Tighten the belt on your hardware firewall.

This will help, but it is NOT the only solution.

> Software firewalls are pointless and only stop what should already be stopped by a good hardware firewall and network administrator.

This debate is pointless. And your OPINION on the matter, is all well and good, however, spidey07 knows his stuff, so read and learn.

> As a side note. Name one major entity that uses software firewalls on every PC on its network.

Who cares. If someone gives intimate details of such and such company that uses this and that for a firewall, they are full of $hit and should be arrested. The dude that started this thread was NOT referring to major entities, corporations, businesses, etc., but rather what Bob Lawblaw has at home for a firewall(s).
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
This is not an answer to Spidey, just using his wisdom.

Quote: "Security is not a firewall, security is methodologies and policies. A firewall is just part of it. So is a desktop firewall"

Absolutely right.

Thus methodologies and policies are not the same when your Network is:

One Computer One User.
One Computer few Users.
.
Small Home LAN (3-8) computers. Used by family.
.
Small Office LAN. (3-8) computers. Used by employees.
.
.
.

Corporate LAN
.
.
.
Worldwide Corporate WAN.

Any attempt to claim that one or two rules "Rules" all of the above is naïve at best.

Small Home LAN behind Entry Level Cable/DSL Router + Software Firewall is the best solution at my end of the spectrum.
 

Oaf357

Senior member
Sep 2, 2001
Originally posted by: Poontos
Oaf357 wrote:
> Tighten the belt on your hardware firewall.

This will help, but it is NOT the only solution.

> Software firewalls are pointless and only stop what should already be stopped by a good hardware firewall and network administrator.

This debate is pointless. And your OPINION on the matter, is all well and good, however, spidey07 knows his stuff, so read and learn.

> As a side note. Name one major entity that uses software firewalls on every PC on its network.

Who cares. If someone gives intimate details of such and such company that uses this and that for a firewall, they are full of $hit and should be arrested. The dude that started this thread was NOT referring to major entities, corporations, businesses, etc., but rather what Bob Lawblaw has at home for a firewall(s).

It's nice to know that this forum has Gestapo tactics.

>This will help, but it is NOT the only solution.

Agreed. It is the best solution though for those at home who actually want viable network security. A software firewall has (as stated over and over again in this thread) one real purpose, stopping spyware and adware. This can be accomplished with a hardware firewall and is not dependent upon what OS you're using.

>This debate is pointless. And your OPINION on the matter, is all well and good, however, spidey07 knows his stuff, so read and learn.

So my "opinion" is somewhat moot but spidey07's opinion is worth its weight in gold? How hypocritical and contradicting you are. You're silly to think that I'm not going to post my opinion just because someone else has posted theirs. Opinions are like... you know. If you don't like mine, tough. Move along. Get over it. Don't chastise me for my opinion, that's downright rude.

Because a company's network is well known to some is no grounds to be arrested (you must be from another era, or high). I am curious though as to whether or not a company has implemented software firewalls on its network (that's why I stated it as a side note).

forum (according to dictionary.com): A public meeting place for open discussion.

Since you seem to be somewhat against that, you're somewhat of a putz.
 

Oaf357

Senior member
Sep 2, 2001
Originally posted by: JackMDS
This is not an answer to Spidey, just using his wisdom.
Small Home LAN behind Entry Level Cable/DSL Router + Software Firewall is the best solution at my end of the spectrum.

So you wouldn't recommend a hardware firewall to a home user? Why is that?
 

lizardboy

Diamond Member
Dec 3, 2000
wow, never expected 45+ replies to this

My question was intended for the kind of person I think most AT'ers are: fairly advanced home PC users. Most people have no clue what they're doing, this is why their computers get clogged up with crap like Gator & Bonzi Buddy. I realize my original question was not very specific, but I was just curious what type(s) of firewalls the AT community used for their own home PCs. I've been using the Linksys firewall (yes, I know it's just a NAT firewall but it does a fairly good job) and ZoneAlarm for several years and I've never had a problem. Unlike most people I actually check to see what programs are and where they're trying to get to before I give them access via ZA. I'm sure if someone really, really wanted to get on my PC it wouldn't be that hard, but since there are sooooo many other computers out there that have zero firewall protection I don't think it's worth the hacker's time to break into my system.
 

Chubs

Member
Apr 4, 2001
Originally posted by: Poontos
Originally posted by: lizardboy
Originally posted by: JackMDS
Well I need a software Firewall, at the last count I found about 70 programs that can call home.

Read this: Basic Protection for Broadband Internet Installation.

I guess I should have been clearer in my post - personally I like having both the software & hardware firewall, I really just wanted to see how many AT'ers agreed/disagreed & why.

One of the things I like best about ZoneAlarm is being able to see which programs are trying to phone home. I love completely blocking crap like Windows Messenger & Real Message Center from getting on the web. Plus I like the visual aspect of being able to glance down at the ZA logo in the system tray to see if traffic is coming in or out.
Those that respond that is not necessary -- do not care about security or do not have anything they wish to protect on their computer.

Those that respond that it is necessary = the opposite of above.


I think your statement is a little over the top. Security comes in a wide range of shades. To be truly secure you don't plug your computer/data into a network. Oh, and you don't let anyone have physical access to it either. Oh, and you don't let any removable storage near your computer/data either. Oh, and....
 

Lord Evermore

Diamond Member
Oct 10, 1999
Nobody's offered any specific reasons that every desktop should have a software firewall running, if they're all behind a hardware firewall (or computer acting as firewall). The only possible reason I can see is to limit the spread inside your network of a worm of some sort, but in order for it to become an issue in the first place, security needs to have been lax already. And since many worms use standard ports, a software firewall configured only for port blocking (which is probably common) won't stop them. A firewall that stops particular applications would, but as has been pointed out, may not always be totally able to control it. And if you're going to the effort of putting on a firewall (and paying for that many licenses), then why not have the computers configured so that users aren't able to even install programs or accept spyware installed through the browser? They already can't run filesharing apps through your hardware firewall hopefully, or use IRC. Even if it is possible to remotely administer desktop firewalls, WHY? It's just one more thing that needs to be maintained.
 

spidey07

No Lifer
Aug 4, 2000
I guess I'm just used to seeing the "big picture" and have a hard time pulling myself down to a SOHO level.

sorry. :eek:

But still one of the big drivers for PC based firewalls is the roaming laptops that connect to many different networks, many of which are not under your administrative control. As for companies using them American Standard, UPS, Humana are some I've worked on.