Do I need a software firewall in addition to a NAT router/firewall?

Post by CRC » Sun, 07 Sep 2008 10:53:14



Hi:

I have operated Linux and Windows XP boxes behind a Linksys WRT54G NAT
router with its firewall enabled as well as blocking anonymous internet
requests (black-hole) mode for years, and have not had any problems
(that I am aware of).  Because of the hw router, I figured I didn't need
to run firewall software on the PCs behind the router.  This includes
running the XP box totally unsecured with its firewall turned off, and
no anti-virus software.

Now I am worrying that maybe this isn't so true.  There are several
means by which things could go wrong.  What comes to mind are (in order
starting with what I think are the most likely risks):  java and
javascript code that runs in the web browsers (see note below), Active-X
controls in M$ IE, recent exploits involving things which I would have
considered passive such as images and flash video, downloading a program
infected by a virus or trojan.  Also, this recent DNS hijacking business
is scary.

We have used administrative controls to mitigate some of these hazards,
by doing the following:

1.  Basically nothing about the java, javascript, and flash/images.
2.  For Active-X, my wife who uses XP frequently, only uses IE for
accessing trusted sites such as a bank or a merchant that cannot
function without IE (almost never).  We primarily use Firefox on XP.
She also uses XP to Skype.
3.  To avoid viruses we simply don't install programs that aren't from a
source that is trusted.  By that I mean, a vendor that we sought out and
know well, like Vmware, Skype, Mozilla, OpenOffice, etc.  We use
Seamonkey or Thunderbird on Linux for email (including my wife).  So
attachments are of little danger.  We are pretty good at spotting scams,
and my wife knows how to look at full headers, etc.  We use no M$
software except for XP itself.
4.  In case the XP is compromised, which I regard as more likely than
Linux, we don't run my Linux box at the same time as her XP, since I
have the most important family data on my Linux box.  Thus, the only way
anyone could get to important personal data is if an exploit that got on
her XP could access her ext2 partition (unlikely) and install something
into the Linux partition, or crack the router, then wait in the router
to attack either of the Linux machines when they are up.  I consider
these scenarios extremely unlikely.

So it's mainly the browser scripts and other exploits that are the main
danger.  Should I be running software firewalls on both XP and Linux
boxes, and anti-virus programs on XP, or is the router and our
administrative policies enough?

Thanks for comments.

--
_____________________
CRC

SuSE 10.3 Linux 2.6.22.17

Post by Bit Twister » Sun, 07 Sep 2008 14:16:26



> So it's mainly the browser scripts and other exploits that are the main
> danger.

For starters.

> Should I be running software firewalls on both XP and Linux
> boxes, and anti-virus programs on XP,

Yes.

> or is the router and our administrative policies enough?

Not for me. Only thing I do on XP is TurboTax.
Skype and banking are done on linux.
I will not do business with a merchant which requires Internet Explorer.

http://groups.google.com/group/alt.os.linux.mandriva/msg/1bc4674ee714...

Post by David Brown » Mon, 08 Sep 2008 19:10:41



> Hi:

> I have operated Linux and Windows XP boxes behind a Linksys WRT54G NAT
> router with its firewall enabled as well as blocking anonymous internet
> requests (black-hole) mode for years, and have not had any problems
> (that I am aware of).  Because of the hw router, I figured I didn't need
> to run firewall software on the PCs behind the router.  This includes
> running the XP box totally unsecured with its firewall turned off, and
> no anti-virus software.

You have to think about what the different sorts of protection mechanism
do.  The hardware firewall prevents any outside connection (attacker or
worm) getting in.  It has no effect on anything on legitimate channels,
but it will stop connections opened from the outside.

The firewall can also be configured to limit outgoing connections.  A
particularly useful one is to limit outgoing SMTP connections (on port
25) to only your ISP.  For the majority of networks, there are only two
reasons a computer will send traffic on the SMTP port - one is to send
email via your ISP, and the other is if your PC is part of a virus/spam
botnet.  This simple block will greatly limit the damage if you do get
something on the PC.

Another important configuration on the firewall router is to ensure that
UPnP is turned off.  In theory, UPnP is great - it means that if you are
running a program such as a bittorrent client that needs an incoming
port, the firewall will open it for you automatically.  It also means
that if you are running malware, the malware can open a control port
automatically making it far easier to control your PC from the outside.

A software firewall on a PC can do things that the hardware firewall
cannot, but it is not close to being as solid as the hardware firewall
(this is on Windows - on *nix, the firewall is rock solid as long as it
is properly configured).  A software firewall can block incoming or
outgoing traffic according to application, and it will still work even
if another computer on your network is infected.  But remember that
there are always ways around these restrictions - clever malware will be
hindered and delayed, but not blocked for ever.  And third-party
firewalls are often so large and bloated that attackers use bugs in the
firewall software to break in - the windows built-in firewall is at
least as secure as any third-party tools on windows.  Remember, however,
that windows firewalls make it a lot harder to trace problems with
connections, and get in the way of ordinary networking.

> Now I am worrying that maybe this isn't so true.  There are several
> means by which things could go wrong.  What comes to mind are (in order
> starting with what I think are the most likely risks):  java and
> javascript code that runs in the web browsers (see note below), Active-X
> controls in M$ IE, recent exploits involving things which I would have
> considered passive such as images and flash video, downloading a program
> infected by a virus or trojan.  Also, this recent DNS hijacking business
> is scary.

That's correct - there are plenty of other ways to get malware into your
PC that the firewall does not block.  The main three routes are web
pages, email, and other computers on the network.

For web and email, the biggest step is to use your head.  No amount of
technical protection measures will save you if you are fooled by emails
titled "I lov you" or install a new "media player codec" to see some
film star in the *.  The technical measures are to prevent others
attacking your systems, and to prevent harm from accidents (such as
mistyped web addresses, DNS hijacked sites, or otherwise compromised web
sites).

For web browsing on Windows, the critical step is to lock down IE (set
it to its highest and most paranoid security setting), then never touch
it again unless you can't avoid it.  Change the settings for specific
sites that still require IE.

For email, the important steps are to ensure that all email is virus
scanned on the way in (any decent ISP will do that for you), and avoid
MS email clients.  Also don't click on links in emails unless you are
confident they are safe.

The other way people get stuff onto their PCs is from other computers
on their network.  It's not uncommon for machines to get infected from
*age kids connecting laptops into each other's home networks -
remember that you are then behind the hardware firewall!  Using a
software firewall can certainly help against this sort of thing.  An
alternative is to use something like OpenWRT on your firewall/router,
and set up separate virtual LANs.  That way you split your home network
into separate networks, and any malware has to pass through the firewall
to get between computers or subnets (think of it like individual
hardware firewalls for each subnet).

> We have used administrative controls to mitigate some of these hazards,
> by doing the following:

> 1.  Basically nothing about the java, javascript, and flash/images.

That's overly paranoid, as long as you are not frequenting the darker
areas of the Internet or using IE.

> 2.  For Active-X, my wife who uses XP frequently, only uses IE for
> accessing trusted sites such as a bank or a merchant that cannot
> function without IE (almost never).  We primarily use Firefox on XP. She
> also uses XP to Skype.

Also make sure that the default for IE is to disable ActiveX and pretty
much anything else, and only allow it for specific sites.

> 3.  To avoid viruses we simply don't install programs that aren't from a
> source that is trusted.  By that I mean, a vendor that we sought out and
> know well, like Vmware, Skype, Mozilla, OpenOffice, etc.  We use
> Seamonkey or Thunderbird on Linux for email (including my wife).  So
> attachments are of little danger.  We are pretty good at spotting scams,
> and my wife knows how to look at full headers, etc.  We use no M$
> software except for XP itself.

Good idea.

> 4.  In case the XP is compromised, which I regard as more likely than
> Linux, we don't run my Linux box at the same time as her XP, since I
> have the most important family data on my Linux box.  Thus, the only way
> anyone could get to important personal data is if an exploit that got on
> her XP could access her ext2 partition (unlikely) and install something
> into the Linux partition, or crack the router, then wait in the router
> to attack either of the Linux machines when they are up.  I consider
> these scenarios extremely unlikely.

Unless you think you are a likely specific target for attacks, you
should be safe (at least, relative to the chances of other disasters in
life).

> So it's mainly the browser scripts and other exploits that are the main
> danger.  Should I be running software firewalls on both XP and Linux
> boxes, and anti-virus programs on XP, or is the router and our
> administrative policies enough?

Anti-virus software on anything other than an email gateway is a big
drain of resources for very little gain (and your ISP should handle the
email scanning).  If you don't download or copy infected programs onto
your computer, there is no need to scan them before running them.  It is
worth installing ClamWin so that you have a decent scanner when you need
it - use it to check downloaded files before running them.  But
commercial anti-virus and on-access scanning is not worth the cost.

Using windows software firewall (again, avoid commercial or third-party
firewalls) is easy enough.  But it is not necessary unless you have
other computers on the network that are likely to be infected with
something, and it gets in the way of normal networking.  I have seldom
felt it is worth the effort.

On Linux, there is also no need to set up iptables unless you are
directly connected to the Internet.  What would it stop?  On most
distributions, services are only enabled if they are actually in use and
configured.  If you are not running a web server, for example, then it
doesn't matter whether incoming http packets are stopped by iptables or
dropped by the kernel when it finds there is no program listening for them.
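The router-side policy the reply above lays out (unsolicited inbound connections dropped, UPnP port requests refused, and port 25 allowed only towards the ISP's relay) as an added Python model; this is example code written for this page, not code from the thread or from any router firmware. The LAN range, the relay address, the LAN host addresses and the interface name in the generated iptables lines are constructed assumptions. The model pushes a few constructed connection attempts through the policy and logs what it drops, which is also the signal to watch for a LAN host that has been drafted into a spam botnet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumptions (not from the thread): the home LAN and the ISP's mail relay,
# both taken from documentation address ranges.
LAN = ip_network("192.168.1.0/24")
ISP_SMTP_RELAY = ip_address("203.0.113.25")


@dataclass(frozen=True)
class Flow:
    """A new connection attempt crossing the router."""
    direction: str   # "out": LAN host -> Internet, "in": Internet -> LAN host
    lan_host: str
    remote: str
    dport: int       # destination port as seen by the target


class Router:
    """Stateful NAT router with the two settings from the post: UPnP off, SMTP egress pinned."""

    def __init__(self, upnp_enabled: bool = False):
        self.upnp_enabled = upnp_enabled
        self.port_mappings = {}   # external port -> LAN host
        self.log = []

    def request_mapping(self, port: int, lan_host: str) -> bool:
        """A LAN program asks the router to open an inbound port (what UPnP automates).
        With UPnP off the request is refused, so nothing on the LAN can make itself reachable."""
        if not self.upnp_enabled:
            self.log.append(f"UPNP-OFF refused mapping {port} -> {lan_host}")
            return False
        self.port_mappings[port] = lan_host
        return True

    def verdict(self, f: Flow) -> str:
        if f.direction == "in":
            # Unsolicited inbound only passes when a mapping points at that LAN host.
            if self.port_mappings.get(f.dport) == f.lan_host:
                return "ACCEPT"
            self.log.append(f"DROP-IN {f.remote} -> port {f.dport}: no mapping")
            return "DROP"
        if f.dport == 25 and ip_address(f.remote) != ISP_SMTP_RELAY:
            # Egress rule from the post: port 25 only towards the ISP relay. A LAN host
            # hitting this rule repeatedly is the spam-bot signature worth investigating.
            self.log.append(f"DROP-SMTP {f.lan_host} -> {f.remote}: investigate host")
            return "DROP"
        return "ACCEPT"


def iptables_rules(lan=str(LAN), relay=str(ISP_SMTP_RELAY), wan_if="eth0"):
    """The same policy as iptables FORWARD rules for a Linux router (interface name assumed)."""
    return [
        f"iptables -A FORWARD -i {wan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -m conntrack --ctstate NEW -j DROP",
        f"iptables -A FORWARD -s {lan} -p tcp --dport 25 -d {relay} -j ACCEPT",
        f"iptables -A FORWARD -s {lan} -p tcp --dport 25 -j LOG --log-prefix 'SMTP-EGRESS '",
        f"iptables -A FORWARD -s {lan} -p tcp --dport 25 -j DROP",
    ]


def demo(upnp_enabled: bool = False) -> dict:
    """Run constructed connection attempts through the router; return verdicts and the log."""
    r = Router(upnp_enabled)
    # A program on 192.168.1.20 asks for an inbound mapping, the way a torrent client would via UPnP.
    opened = r.request_mapping(31337, "192.168.1.20")
    flows = [
        Flow("out", "192.168.1.10", "203.0.113.25", 25),   # mail via the ISP relay
        Flow("out", "192.168.1.20", "198.51.100.7", 25),   # direct SMTP to some other host
        Flow("out", "192.168.1.20", "198.51.100.7", 443),  # ordinary HTTPS
        Flow("in", "192.168.1.20", "198.51.100.9", 31337), # outside host reaching the requested port
        Flow("in", "192.168.1.10", "198.51.100.9", 22),    # inbound scan for SSH
    ]
    return {"mapping_opened": opened, "verdicts": [r.verdict(f) for f in flows], "log": r.log}


if __name__ == "__main__":
    for upnp in (False, True):
        result = demo(upnp)
        print(f"UPnP {'on' if upnp else 'off'}: {result['verdicts']}")
        for line in result["log"]:
            print("  ", line)
```

The logged SMTP drops are the useful by-product: with UPnP off and the egress rule in place, a host that keeps trying port 25 towards arbitrary addresses is the one to take off the network and inspect. The iptables lines assume the Linux-router case (OpenWRT or similar) rather than the Linksys stock firmware, where the same two settings live in the web interface.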

 
 
 

Post by CRC » Tue, 09 Sep 2008 11:16:42


Thanks for the responses, folks.

--
_____________________
CRC

SuSE 10.3 Linux 2.6.22.17

 
 
 

NAT on the firewall/router ...

Hi people,

I'd like to hear your comments/advices on the following subject :

My internet router is a linux box, equipped with two ethernet cards, and
I'd like to turn it into a firewall as well. The Internet is full of
howtos dedicated to build your firewall on a linux box... But ... Mine
seems to be a bit different.

Let me explain ...

I have a cable modem, which is connected to my firewall/router. It is
connected to a provider, and the Ethernet device has an IP address in
the range of the provider (f.i. 191.192.193.194).

I would like to use our address range (a /28 one, f.i.
191.192.200.201/28) for static NAT (mail server and web server, on an
internal system) and for dynamic NAT. If the NAT is on a different
system than the firewall/router, then there is no problem. But of
course, I would like the NAT to be on the firewall/router ...

So, my external Ethernet device should have the following addresses :

191.192.193.194
191.192.200.201
...
191.192.200.216

Packets should arrive at the 191.192.193.194 address, then should be
"routed" to the subnet 191.192.200.201/28 (on the same system), where
the NAT translates the addresses and forwards the packets on the internal
interface.

Do you think it is possible ? How ? Where ? If there is a FM, then tell
me where I can RTFM ... :)

Thanks,

Marc

