How good are hardware firewalls?

I have a DSL connection and am using a Linksys cable/DSL router - how effective is this firewall? Do I also need a software firewall - if so, is Win XP’s firewall enough along w/ the hardware one?

I have one of those routers too. But I don’t know enough about firewalls to answer your question. Just thought I’d chime in saying I was in your position too. But it won’t help. Why the hell am I posting this. Jesus.

IANACSE (I Am Not A Computer Security Expert) But…

A software firewall is designed to do the exact same function as a hardware firewall, it just sucks at it. In fact, they suck so much that I am of the opinion that they are just wastes of memory.

What really matters is an intelligent port filtering scheme. Firewalls work by blocking off selected ports, preventing remote access. What you should do is disable all but the ports you ABSOLUTELY know you need, then see what internet-related programs you broke, and start opening up ports as needed.

Hope this helps.

In general, the most secure (note - not perfectly secure, or foolproof, but the MOST secure) firewalls are the “NAT” type, where the router/firewall/whatever does some magic packet translation. (NAT = “network address translation.”) These have their problems (it’s hard to make them work with some filesharing programs and chat clients, for example) but they are the most secure, in general.

Next down the list are the packet filtering firewalls. These just disallow certain kinds of traffic. If these are well put together, they can be as good (though I would say never better) as the NAT firewalls. Whether your particular one is well put together or not I have no idea. There are companies that make lots of money telling other companies how to put together packet filtering firewalls well. It’s a non-trivial thing to evaluate it and fix it if it’s broken.
I don’t know which of the above your router uses. Look up the docs and see if they mention NAT or somesuch. Also, if your computer has an IP address like “192.168.x.x” or “10.x.x.x”, you’re probably behind a NAT firewall. If you really have a burning desire to understand this stuff deeply, I suggest you get the O’Reilly and Assoc. firewall book - it has a safe on the cover. Any Barnes and Noble should have a copy. Other than that, about the best you can do is read magazine reviews and see what they rate the firewall at and why they say it’s good or bad.
-Ben

The Linksys cable/DSL router has NAT. If you are using it, you really don’t need a software firewall in addition.

By the way, NAT is a pretty standard feature in firewalls anymore. Most firewalls have a combo of packet filtering, NAT and proxies. Only the most basic of firewalls (typically offered as a basic feature in a router) will have only basic packet filtering.

(Just in case you don’t have the manual anymore, get the PDF here: ftp://ftp.linksys.com/pdf/befsr11&befsr41ug.pdf)

This is a NAT router, as posted above. It’s absolutely safe and secure, once set up properly. For example, since you have a popular model, people know that to access your router you don’t need a User Name for authentication – just the password (default is Administrator, IIRC). Put in a GOOD, STRONG password, otherwise other people can access your router from the internet using your WAN IP address (i.e., the address provided to you by your ISP). Of course, if you have DMZ host turned on, or the right incoming ports, incoming traffic will go to the designated machine rather than to the router configuration.

The instructions say that things like DMZ and port-opening don’t work with DHCP - that’s NOT true, but, be aware that if your LAN IP address changes, traffic will be redirected to the machine that has the IP address!

DMZ means “de-militarized zone,” i.e., if you set up a LAN IP as DMZ, all incoming traffic to any port goes to the DMZ IP. Not a good thing if you want a firewall!

Look in the above-linked manual for IP forwarding – that’s where you can open up well-known ports for applications that are affected by the hardware firewall. I know I have to have one opened up to use BattleNet (StarCraft).

Software firewalls have been reported to slow down your connection speeds (well, not YOURS, but, well, you know what I mean).

I run my main computer in DMZ mode all the time, i.e., without firewall protection. If you have good passwords, there’s nothing to worry about from hackers. The worst they could do is print to my networked DeskJet and waste all my paper and ink, since it’s the only unprotected resource on my home network. Just because you have a port OPEN doesn’t mean incoming traffic will do anything on that port. You need SOFTWARE on your computer that responds to traffic on that port. So, for Windows networking, use a good password. For a Mac, who cares, hackers don’t try to use AFP so there’s nothing to worry about! (okay, okay, we need to use passwords, too!)