Zonealarm makes my internet not work!

No, but a router would keep the malware away from my machine. IANAexpert, but I think you should not be on the same LAN as an untrusted machine or user unless you are a professional with the skills to set everything up securely.

If some clown is clicking away on attachments and so on, then they will presumably also be clicking away accepting any popups from their software firewall - either way their machine will become hopelessly compromised and will be a never-ending plague carrier hammering the bejesus out of the network. I’d rather have a router keeping all that away from me than a buggy piece of software which uses resources, stops games working and keeps popping up ‘Alerts’ every 15 seconds to habituate you into accepting every damn thing.
I have been running 3 PCs on a Draytek ADSL router/hub and no software firewall for over a year with no problems whatsoever. It keeps stuff from invading the LAN and NOD32/SpybotS&D mops up anything we might accidentally invite in.

A router with a decent built-in firewall will keep external threats at bay, but won’t do a thing about threats originating internally; ideally, it’s actually the untrusted machine or user that shouldn’t be on the same LAN as my machine, but in the real world, that never happens - people who work in offices can be quite resistant to instruction on how not to fuck up their machines with malware; they’ll install file-sharing programs, they’ll click on the enticing banner ads for 1000 free smileys; they’ll actually believe that they are the 1,000,000th visitor to [whatever website] and they’ll click on the link and install SuperHelpBrowserSearchSpotter, or whatever it is, and the floodgates are opened; sure, you can block bad sites and TCP ports, you can filter emails and TCP packets, but as a last resort, they’ll bring the damn software in on a floppy disk. Sure, you can sack them for it, but having installed a software firewall on each workstation means there’s a lot less mess to mop up afterwards.

That’s true, although it shouldn’t make much difference on a switched LAN, as the incoming packet isn’t going to go everywhere, just to one address and get rejected there.
Software firewalls offer more flexibility, for example, by allowing application X to listen on ports P and Q, and application Y to listen on port J and broadcast on port K - an external firewall isn’t even really aware of what applications are trying to do what.

A sensible policy would seem to be to implement an external firewall on any external connections to the LAN, and software firewalls on all of the workstations.
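The per-application rules described in the post above, written out as an added example against the built-in Windows firewall (the NetSecurity cmdlets on Windows 8 / Server 2012 and later), not ZoneAlarm and not code from anyone in this thread. The program paths, rule names and port numbers are assumptions chosen for illustration: this is what "application X may listen on ports P and Q, application Y may listen on port J and broadcast on port K" looks like on a workstation whose default inbound policy is block, which is the workstation half of the external-firewall-plus-software-firewall policy.

```powershell
# Added example: per-application host firewall rules with the built-in
# Windows firewall. Run from an elevated PowerShell prompt.
# Program paths and port numbers below are assumptions for illustration,
# not real products.
#Requires -RunAsAdministrator

# 1. Default policy for every profile: drop unsolicited inbound traffic,
#    allow outbound. Anything not matched by an explicit rule is blocked.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# 2. "Application X may listen on ports P and Q" (assumed: P=5000, Q=5001, TCP).
#    The rule is tied to the executable, so a different program that binds
#    the same ports is still blocked - an external firewall cannot make
#    that distinction.
New-NetFirewallRule -DisplayName "App X inbound (5000-5001)" `
    -Direction Inbound `
    -Program "C:\Program Files\AppX\appx.exe" `
    -Protocol TCP -LocalPort 5000,5001 `
    -Profile Private `
    -Action Allow

# 3. "Application Y may listen on port J" (assumed: J=7777, UDP).
New-NetFirewallRule -DisplayName "App Y inbound (7777)" `
    -Direction Inbound `
    -Program "C:\Program Files\AppY\appy.exe" `
    -Protocol UDP -LocalPort 7777 `
    -Profile Private `
    -Action Allow

# 4. "... and broadcast on port K" (assumed: K=7778, UDP). Outbound is
#    allowed by default in step 1, so this rule only bites if you later
#    tighten -DefaultOutboundAction to Block; it is here so the policy
#    stays explicit when you do.
New-NetFirewallRule -DisplayName "App Y outbound broadcast (7778)" `
    -Direction Outbound `
    -Program "C:\Program Files\AppY\appy.exe" `
    -Protocol UDP -RemotePort 7778 `
    -Profile Private `
    -Action Allow

# 5. Verify: list the rules just created with the program and ports each
#    one opens, so the policy can be reviewed at a glance.
Get-NetFirewallRule -DisplayName "App *" |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Program    = $app.Program
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemotePort = ($port.RemotePort -join ',')
        }
    } | Format-Table -AutoSize
```

The rules are scoped to the Private profile, which assumes the LAN adapter has been classified as a private network; on a LAN-party or guest-wireless segment you would leave that adapter on Public, where none of these allow rules apply and the block-by-default policy from step 1 is all a neighbouring machine sees. The router still handles the external side; these rules are what a compromised host on the same switch has to get past.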

Ummm - I think we may be talking at cross purposes here, since I am thinking about Joe Punter struggling with a home broadband connection and you are talking about corporate IT.
Sounds like you have to deal with this stuff for a living and all I can do is offer you my profound sympathies - unfortunately there seems to be no evolutionary pressure to give cubicle monkeys basic awareness of the hazards of the internet.

Meanwhile I shall continue cowering behind the reassuring bulk of my Draytek :smiley:

It’s true that I am thinking about this primarily from a corporate POV, but LAN parties are becoming more and more popular and with wireless home networks, it’s also not uncommon for a visitor to ask for access. Either of these scenarios (and probably a few others we could imagine if we tried) could result in an attack originating inside the area protected by a router/firewall.