I just finished installing a Linksys wireless router. The router acts as a firewall since all requests coming in are handled by the router and then mapped to the individual PC in my house.
Now, reading the manual, it states that I should remove all software firewalls installed on any of the PCs.
I have ZoneLabs installed on some of my PCs. I read somewhere that it doesn’t hurt to have both, router and software firewall.
What gives?
In theory a hacker would only be able to get as far as your router. After that the IP address changes and they shouldn’t be able to follow it anymore. But I don’t think it hurts to be redundant and use both.
Basically, the router is all the protection you need, especially if you’re just a home user. However, except for the slight performance hit running a software firewall makes, it’s not going to hurt you to have both.
The other reason to keep your software firewalls is that they provide control over both incoming AND outgoing traffic. So if you pick up something like an ircbot on one of your computers (say, from a floppy disk or download), you are still relatively protected as the software firewall will stop the outgoing traffic. The router may not.
(I have the same basic setup by the way, only without software firewalls. But I do have anti-virus software running which picks up incoming trojans).
Most Linksys routers perform a Network Address Translation, which effectively isolates your internal network from the outside. So a hacker can’t easily attack you from without. However, if they already have a bit of software inside, all bets are off as NAT won’t stop your computers from contacting the hacker from inside your system.
Definitely uninstall the software firewall. They’re pointless even without a hardware firewall, and with one they simply duplicate a job that’s already being done much more effectively by your router. Why waste your RAM and CPU?
Hhhmmm, seems like a lot of ‘not necessary but doesn’t hurt’ answers.
My summary so far is, NAT in the router eliminates any need for a software firewall for incoming traffic, assuming that no port is routed through and there is no DMZ.
For any software, malicious or not, acting like a server (sending data from one of my PCs) the router does not help at all. So for those cases you need the software firewall or a virus checker.
As I suspected, here is a more detailed and technically correct explanation: http://www.dslreports.com/faq/4629
Very strange. I have a linksys router and the manual talks about various router firmware you can download that works with the linksys box. Which linksys box do you have?
For two reasons, I say keep it:
Reason #1: As has been said already, if you somehow get (or already have) a malicious bit of code on a system to initiate communication, you won’t know - because most HW firewalls (at least the lightweights for home use) assume the inside network to be safe. The SW firewall gives you a sporting chance of catching that.
Reason #2: I can’t know how hard you’ve locked down your wireless network, security-wise, but the link between router and PC is still vulnerable in a wireless setup. Google “wardriving” to see what I mean.
I’d keep the SW firewall. And I’ll bet you dollars to donuts that LinkSys recommends shutting it down because it may complicate their tech support to have people running anything but vanilla configurations.
Congrats on your new purchase, btw.
Bah! that does not make any sense. What I mean is the manual talks about getting firmware for the linksys box that works with zone alarm.
NAT is not the same as a firewall. NAT does just what it says: network address translation. This means your internal network using non-routable IP addresses can communicate with the Internet because the NAT box handles translation of the addresses much like a proxy would.
A firewall is a completely different function, albeit frequently bundled in the same device. A firewall is doing some sort of traffic inspection and permitting/denying traffic based on some policies. For example, you could configure a firewall to block incoming traffic on ports 25 (SMTP) and 137/138 (mapped drives), etc. While a NAT box would simply modify this traffic to route it to the correct internal machine, the firewall allows you to block it. NAT alone does help some with security because it blocks direct unrequested access from the outside. However, many attacks are based on piggy-backing traffic you initiate or are initiated from the inside if you manage to get a trojan installed.
And by the way, I respectfully disagree with Alereon pretty strongly. I don’t think software firewalls are pointless. I run a linux box that handles NAT and firewall for my LAN, but I still run individual firewalls on most internal machines. This allows me to fine-tune control at the box level (e.g. this specific machine should reject any mapped drives while that one should not) and it allows me to open my firewall to some traffic I want to provide to a certain machine but block it from others (e.g. if I want to make one machine available for external SSH). It also provides more application-level filtering on outgoing traffic. Many applications will “phone home” whether they’re trojans, spyware or just a noxious product registration. This will look like legitimate HTTP traffic to a gateway firewall, but can be blocked by a machine-level firewall which can determine which application initiated the query.
In addition, this belt-and-suspenders approach may seem silly to some, but security is based on building systems which fail in reliable ways. If your Linksys router became insecure tomorrow, do you want your network completely exposed or would you rather have additional hurdles? Not too long ago, someone published a list of “undocumented” default admin login/password sets for a lot of secure router devices. I don’t know if Linksys was on the list, but there were a lot of Cisco routers and other top dogs which were suddenly essentially open to the world. If you’re not willing to follow the various security mailing lists and be ready to respond to events like this within moments (which no home user should be expected to do) it makes sense to build some concentric circles in your security design. That doesn’t mean you have to string digital barbed-wire around your LAN, but it’s so easy to just leave the machine-level firewalls installed, why wouldn’t you?
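As an added illustration of the NAT-versus-firewall distinction drawn in the summary post and in the post above (this is a toy model written for this page, not code from the thread or from any Linksys product; all addresses are constructed from RFC 1918 and documentation ranges):

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addresses: RFC 1918 inside, TEST-NET ranges outside (not real hosts).
WAN_IP, OUTSIDE, PC_A, PC_B = "203.0.113.5", "198.51.100.9", "192.168.1.10", "192.168.1.11"

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    app: str = ""  # originating process; only the host itself can see this

class NatRouter:
    """Hypothetical NAT box: dynamic translation table plus static forwards / DMZ."""
    def __init__(self, forwards: Optional[Dict[int, str]] = None) -> None:
        self.table: Dict[int, Tuple[str, int]] = {}  # WAN port -> (inside IP, inside port)
        self.forwards = forwards or {}               # WAN port -> inside IP ("port routed through")
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Any inside host may talk out; NAT rewrites the source and remembers the mapping."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table[wan_port] = (pkt.src, pkt.sport)
        return Packet(WAN_IP, wan_port, pkt.dst, pkt.dport, pkt.app)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver only what matches a mapping or a forward; unsolicited traffic is dropped."""
        if pkt.dport in self.table:
            ip, port = self.table[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        if pkt.dport in self.forwards:
            return Packet(pkt.src, pkt.sport, self.forwards[pkt.dport], pkt.dport)
        return None

class HostFirewall:
    """Per-application outbound policy, the control a gateway NAT box cannot provide."""
    def __init__(self, allowed_apps: set) -> None:
        self.allowed_apps = allowed_apps
    def outbound_allowed(self, pkt: Packet) -> bool:
        return pkt.app in self.allowed_apps

def unsolicited_inbound_is_dropped() -> bool:
    return NatRouter().inbound(Packet(OUTSIDE, 4444, WAN_IP, 139)) is None

def reply_to_outbound_is_delivered() -> bool:
    r = NatRouter()
    out = r.outbound(Packet(PC_A, 51000, OUTSIDE, 80, "browser"))
    back = r.inbound(Packet(OUTSIDE, 80, WAN_IP, out.sport))
    return back is not None and (back.dst, back.dport) == (PC_A, 51000)

def port_forward_exposes_host() -> Optional[str]:
    hit = NatRouter(forwards={22: PC_B}).inbound(Packet(OUTSIDE, 4444, WAN_IP, 22))
    return hit.dst if hit else None

def phone_home_stopped_only_on_host() -> Tuple[bool, bool]:
    """NAT passes an ircbot's outbound HTTP like any other; only the host firewall can refuse it."""
    pkt = Packet(PC_A, 52000, OUTSIDE, 80, "ircbot.exe")
    return NatRouter().outbound(pkt).src == WAN_IP, HostFirewall({"browser"}).outbound_allowed(pkt)
```

The four functions reproduce the thread's claims in order: unsolicited inbound is dropped by NAT alone, replies to inside-initiated connections get through, a forwarded port (or DMZ) reopens a host to the outside, and outbound traffic from an unwanted program is passed by NAT but can be refused by a per-application host firewall.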
I didn’t say that the software firewall won’t work. The Linksys manual just says to turn the software off. It doesn’t give a reason hence my question.
BTW, I purchased the Linksys 802.11g WRT54G.
Clarification and question:
I think gazpacho was referring to his above statement (which didn’t make any sense):
Anyhow, I have the same setup (Linksys 802.11g WRT54G) as Hinten, and I did not realize that they recommended you shut off your firewall - I just transferred my system from their older 4 port LAN router. I have had no problems, except for the fact that I cannot seem to get to folders on other LAN computers when Zone Alarm is running. I didn’t have a problem with this before (with my old linksys router and Zone Alarm), but I can’t for the life of me figure out what is wrong - I can see the folders on the network, but can’t look inside them. Shut off ZA, and I can access files, not just see them. Am I missing something obvious?
I am still surprised that your linksys manual says to get rid of zone alarm. What you have looks like what I have except that yours does 802.11g instead of 802.11b. I have a hard time imagining that the router parts of the two boxes are really different. Very strange.
See Linksys user manual, Chapter 5, page 20 (in the grey box): ftp://ftp.linksys.com/pdf/wrt54g_ug.pdf
“You must also disable any Internet log-on software (such as Ivasion Winpoet or Enternet 300) and any firewall software (such as ZoneAlarm and Watchdog) on all of your PCs.”
Actually, the router is built on a completely different processor than their other ones, according to Tom’s Hardware:
http://www.tomshardware.com/network/20030325/wireless-01.html
(Scroll to bottom, little note after exclamation point)
Oh, and I’m not calling you a liar, Hinten, I meant that I never read the manual because ‘I thought I knew what I was doing’.