Computationally Cheap Software Firewall

Stoyal, if you have no anecdotes of successful hardware firewall attacks, then how do you know your Netgear combination firewall/router is absolutely useless?

Thanks NS! I’m using the router as a DHCP server, and I had previously programmed it to assign 192.168.1.100 to my PC.

I guess my problem is I really don’t know what a “NAT firewall” is. Is it simply not exposing my PC to the world by giving it that “private” IP? Or is there more to it?

And can you give me an idea how much more or less secure I am using just a NAT firewall vs a software firewall like ZoneAlarm?

Thanks again.

Traffic flows through the firewall/router before it reaches my PC. If the hardware was doing its job, packets containing malicious data would never reach my computer, yet they have to reach it without being in any way disarmed before the software firewall even has a chance to scan them. Ergo, if Norton alerts me to any attempts, particularly ones classified as “High Risk”, Netgear is not 100% effective. And 99% effective isn’t enough for me.

It’s a matter of preference, I suppose; as long as you’re performing regular (daily or every other day) virus checks, keeping an eye on your system resources (notice a sharp drop in available hard drive space, for example), and checking running processes occasionally to make sure something hasn’t snuck in, you’ll be fine. I’m lazy and prefer not to do the housekeeping more than weekly.

Other hardware firewalls may well be much more effective than Netgear. I still recommend keeping the software firewall going for a week or two after the hardware firewall is set up, to see if it detects any attacks that the firewall let through.

Here’s a nice FAQ on NAT, but to summarize, yes, it’s hiding your PC from the rest of the Internet. Say you make a request for a web page. The router translates your internal address to a real Internet IP address and sends that information to the web server. The server sends the page back to your external IP address. Your router recognizes that the data the web server is sending you comes from a trusted source (i.e. a source you requested information from) and passes it along to you. If you didn’t request the data, the router won’t let it get by.

One problem with using just a hardware firewall is trojan horses. Since these programs (I hesitate to call them viruses, since that’s not technically what they are, but that’s how the media refers to them) run on your machine, they can trick the router into thinking you’re actually requesting data, and thus allow unwanted inbound connections. ZoneAlarm blocks programs from sending data unless you explicitly allow them to do so.

It’s likely that stoyel’s “attacks” were, in fact, quite innocuous. Many software firewalls are hypersensitive about that kind of thing. And even if you’re idle, you’re still transmitting and receiving a little bit of data to keep your connection active.
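The NAT behaviour described above (replies to your own requests get in, unsolicited packets don’t) and the trojan problem (a program on the PC opens the door from the inside) are easy to see in a small model. The following is an added example, not code from the thread or from any router; the addresses, port numbers and idle timeout are constructed, and the “strictest” NAT variant it models (a translation is tied to the remote host and port that was contacted) is an assumption about the router rather than a fact about Netgear. The last two cases also show what an egress rule on a dedicated filter box can and cannot do about a trojan: it can refuse odd outbound ports, but it sees addresses and ports, not which program sent the packet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.7"   # assumed WAN address (RFC 5737 documentation range)
IDLE_TIMEOUT = 300          # assumed: seconds a translation survives with no traffic


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Toy stateful NAT.  Outbound traffic creates a translation; inbound traffic
    is forwarded only if it matches a live translation.  Translations are keyed
    on the remote endpoint as well, so a reply must come from the host and port
    that was contacted (the most conservative common behaviour, assumed here)."""

    def __init__(self, public_ip: str = PUBLIC_IP, egress_ports: Optional[Set[int]] = None):
        self.public_ip = public_ip
        self.egress_ports = egress_ports   # None = any outbound destination port allowed
        self._next_port = 40000
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self._last_seen: Dict[int, float] = {}   # public_port -> time of last packet
        self.dropped: List[Packet] = []          # everything the firewall refused

    def _expire(self, now: float) -> None:
        # Forget translations that have been idle longer than IDLE_TIMEOUT.
        for port, seen in list(self._last_seen.items()):
            if now - seen > IDLE_TIMEOUT:
                self._out = {k: v for k, v in self._out.items() if v != port}
                self._in = {k: v for k, v in self._in.items() if k[1] != port}
                del self._last_seen[port]

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """LAN -> Internet.  Returns the rewritten packet, or None if egress policy blocks it."""
        self._expire(now)
        if self.egress_ports is not None and pkt.dst_port not in self.egress_ports:
            self.dropped.append(pkt)
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            port, self._next_port = self._next_port, self._next_port + 1
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        self._last_seen[port] = now
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> LAN.  Forwarded only if a live translation matches; otherwise dropped."""
        self._expire(now)
        target = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or target is None:
            self.dropped.append(pkt)
            return None
        self._last_seen[pkt.dst_port] = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, target[0], target[1])


def demo() -> dict:
    """Walk through the cases discussed in the thread.  All addresses are constructed."""
    fw = NatFirewall()
    pc, web, attacker = "192.168.1.100", "198.51.100.20", "198.51.100.99"
    out = {}
    # 1. PC requests a web page; the server's reply comes back through the translation.
    req = fw.outbound(Packet("tcp", pc, 51000, web, 80), now=0)
    out["request_rewritten"] = (req.src_ip, req.src_port)
    reply = fw.inbound(Packet("tcp", web, 80, PUBLIC_IP, req.src_port), now=1)
    out["reply_forwarded_to"] = (reply.dst_ip, reply.dst_port)
    # 2. Unsolicited probes are dropped, even when aimed at the port currently in use.
    out["probe_same_port"] = fw.inbound(Packet("tcp", attacker, 4444, PUBLIC_IP, req.src_port), now=2)
    out["probe_other_port"] = fw.inbound(Packet("tcp", attacker, 4444, PUBLIC_IP, 3389), now=2)
    # 3. A trojan on the PC connects out first; the NAT now forwards the attacker's traffic.
    beacon = fw.outbound(Packet("tcp", pc, 51001, attacker, 4444), now=3)
    c2 = fw.inbound(Packet("tcp", attacker, 4444, PUBLIC_IP, beacon.src_port), now=4)
    out["c2_forwarded_to"] = (c2.dst_ip, c2.dst_port)
    # 4. Idle translations expire, so a late "reply" is dropped again.
    out["reply_after_timeout"] = fw.inbound(
        Packet("tcp", web, 80, PUBLIC_IP, req.src_port), now=1 + IDLE_TIMEOUT + 1)
    # 5. Egress filtering blocks an odd port, but a trojan talking on 443 looks like a browser.
    strict = NatFirewall(egress_ports={80, 443})
    out["egress_blocks_4444"] = strict.outbound(Packet("tcp", pc, 51002, attacker, 4444), now=0) is None
    out["egress_allows_443"] = strict.outbound(Packet("tcp", pc, 51003, attacker, 443), now=0) is not None
    return out
```

Case 3 is the whole argument for keeping an outbound-aware tool on the PC itself: from the router’s point of view the trojan’s beacon is indistinguishable from a request the user made, so the attacker’s traffic rides in on a perfectly valid translation. Case 5 shows that a packet filter on a separate box narrows that somewhat (only ports you allow can be used) but cannot tell a browser from a trojan that picked port 443.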

Thanks for the info stoyal and neutron star.

I really do like ZoneAlarm’s policing of what progs try to access to network. I’ll probably run both most of the time, but when I want to play a game that needs a lot of CPU, I’ll kill ZA and just rely on the NAT.

Thanks again!

In my own defense, I’m not completely computer illiterate. Level 3 on hackerslab, baby. One or two Invalid TCP Flags alerts won’t convince me that the evil martians are out to get me.

When I walk away for an hour or two and find more than 500 blocked intrusions from a single remote address when I come back, I begin to get suspicious.

When I trace those attacks to a DSL service provider with which I have never had any contact, I’m concerned.

When over the course of the next few days I am attacked again by the same (or an ever so slightly different) address, I’m pretty convinced, and send the log segment to the provider.

I’m sure many of the attacks were harmless. I’m almost certain that at least a few were malicious. Either way, I’m glad I have the software firewall as a backup, and as a result of my experience, I don’t believe that Netgear is reliable, and I’m disinclined to believe that other hardware firewalls are as infallible as they are advertised to be.

I’m keeping the software up. YMMV.

Well, that does sound like cause for concern. The web interfaces of some NetGear routers are susceptible to a cross-site scripting vulnerability. Perhaps this or something like it was used to compromise your router.

Hmm, so if I have the external Linux box running a NAT firewall, is there any way to also have only selected programs get priority to send without running software on my Windows box? If I need to have that anyway, then I don’t really see the need to set up a separate machine…

“Personal firewall” software is a flawed implementation of the firewall concept to begin with because you can’t improve security by adding more software to an untrusted system - not even if you trust the new software to be secure. The problems with excessive CPU use discussed here indicate that the software is badly written or incorrectly configured; a packet filter shouldn’t affect performance that much.

If a machine is already compromised (by running trojan code), so is the firewall if it runs on the same machine. There are viruses that disable virus protection software and there are trojans that disable personal firewalls. A piece of hardware dedicated for firewall use (like a Linux or *BSD box) is much easier to secure.

Nothing short of completely disconnecting the computer from the network will give you 100% effective protection, but knowledge about the actual problems is a much better defense than any prepackaged security solution.

True. Hell, I’d forgotten the OP’s original concern. FWIW, I did have an older version of ZoneAlarm that was buggy and sometimes gobbled CPU cycles like PacMan munching up dots. An upgrade fixed the problem.

I didn’t know there were trojans that disabled firewalls. Thanks for the info. Still, at least you have some protection with ZoneAlarm, and it is good for things like spyware and other annoying, but not illegal, software that wants to access the Internet against your wishes. I’d still like to know why Windows 2000’s Logical Disk Management service tries to access the Internet every time I use it. Whether I have ZoneAlarm allow or disallow it, it still seems to have exactly the same functionality.

Yeah, you can do packet shaping this way. See my post at the top.

I think it’s one of several components that uses DCOM in order to allow for remote administration. You’ll break things if you disable DCOM entirely, but restricting it to non-routable protocols (try running dcomcnfg.exe for options) is probably fine - assuming you are not using DCOM over TCP/IP for anything else.