
hardware vs. software firewalls 3

Status
Not open for further replies.

stormbind

Technical User
Mar 6, 2003
1,165
GB
Is there still an advantage to hw firewalls, and if so, which would you recommend?

This is the scenario:

ADSL <--> [FW] <--> Proxy <--> WiFi <--> Workgroup

The proxy filters http requests & replies.

--Glen :)

Memoria mihi benigna erit qui eam perscribam
 
This should help:


Point is that a "hardware" firewall (or actually NAT) helps make things more secure from outside attacks. A software firewall (Proxy or program like ZoneAlarm) helps prevent trojans or spyware from making outgoing internet connections that you aren't aware of. So you would want both for good security.

Some home users will argue that only one or the other is really needed, unless you are paranoid over hacking or losing sensitive data. Take whatever advice you get lightly with a grain of salt.

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
I prefer a hardware firewall.

Is this for the home or for the office? What do you want to protect? Just one PC? If it's just one computer, a software firewall is best for you, and in my opinion Tiny Firewall from Tiny Software is the best.

If you want to protect more than one computer, maybe consider a hardware firewall. I have approximately 12 PCs and servers running at home and the easiest option for me was a hardware firewall. You have more options in the way you can configure it and in what you can and cannot do.

How much money do you have to spend? In the case of a hardware firewall I like Watchguard and the Nokia Firewall (this uses Checkpoint Firewall-1 technology, which is an industry standard). If you look around you can usually pick up second-hand ones for a few hundred dollars.
 
It is for a workgroup :)

How is a Firewall a NAT? Windows ICS is a NAT router.

--Glen :)

Memoria mihi benigna erit qui eam perscribam
 
NAT (Network Address Translation) is not a true firewall. However, many in the industry commonly refer to it as such. For a business environment, it is not enough. For a home environment in combination with software firewalls, it is plenty.

Bigpants listed some suggestions for "true" hardware firewalls if you want to go that route. If you spend the extra money for one, software firewalls on each PC shouldn't be necessary.

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
In a Microsoft Best Practices seminar, the instructor advised both types, from different manufacturers.

1. The hardware firewall does the general protection. Using NAT, network address translation & port forwarding, you can lock down specific ports such as only allowing port 80 for HTTP (surfing the web) and any other ports needed such as email.

2. Microsoft SP2 firewall protects the PC during the boot-up time if connected to broadband. It only protects against incoming problems.

3. ZoneAlarm free & paid versions protect against incoming and outgoing problems. I found this useful to detect outgoing virus activity, which I stopped & deleted.

4. Google for Microsoft Best Practices seminar - it may be available under TechNet or TS2 via a free web seminar. Good luck.
 
Can you run the Microsoft SP2 firewall and ZoneAlarm at the same time without problems? I used ZoneAlarm before with Windows ME and liked it because it asked me what each program could do with the internet.
 
daveoasis:

Remember, NAT is not really a firewall. People call it a "hardware firewall" because it is separated from the PC and acts as an extra layer of protection.

A true firewall monitors the type of traffic that passes through, by application and packet inspection. NAT only works with ports, so in theory, it's not the same thing. But it does work well, so I rarely advise anyone in a non-business environment to get anything more than NAT and a software firewall.

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
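The distinction cdogg draws between a port-only device and a true firewall, and the port lock-down described in the seminar post above, can be made concrete with a small simulation. This is an added illustration, not code from the thread: the packets, addresses and the allowed-port policy are constructed for the example, and the two filters are deliberately minimal models of a stateless port filter and a connection-tracking (stateful) one.

```python
"""Added illustration of the distinction drawn above between a port-only
(stateless) filter and a stateful firewall. Packets are constructed in memory
for the example; nothing here touches a real network."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN host to Internet, "in" = Internet to LAN host


# Assumed policy for the example: LAN hosts may open connections only to web
# (80/443) and mail (25/110) services; everything else is denied by default.
ALLOWED_OUTBOUND_PORTS = {80, 443, 25, 110}


def port_only_filter(pkt: Packet) -> bool:
    """Stateless decision: looks at port numbers only. Inbound packets are
    accepted when their *source* port matches a permitted service, because a
    filter with no memory cannot tell a reply from an unsolicited packet."""
    if pkt.direction == "out":
        return pkt.dst_port in ALLOWED_OUTBOUND_PORTS
    return pkt.src_port in ALLOWED_OUTBOUND_PORTS


class StatefulFilter:
    """Connection-tracking decision: an inbound packet is accepted only if it
    answers a flow that a LAN host opened. A NAT box gets this behaviour as a
    side effect of its translation table; a stateful packet inspection
    firewall provides it deliberately and can also inspect the traffic."""

    def __init__(self) -> None:
        self.flows = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dst_port not in ALLOWED_OUTBOUND_PORTS:
                return False
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: the flow key is written from the LAN host's point of view.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.flows


def run_demo() -> dict[str, tuple[bool, bool]]:
    """Feeds the same constructed packet sequence to both filters and returns
    {label: (port_only_verdict, stateful_verdict)}. True means accepted."""
    stateful = StatefulFilter()
    packets = [
        ("lan host opens a web connection",
         Packet("192.168.1.10", 51000, "203.0.113.5", 80, "out")),
        ("reply to that connection",
         Packet("203.0.113.5", 80, "192.168.1.10", 51000, "in")),
        ("unsolicited inbound packet with source port 80",
         Packet("198.51.100.7", 80, "192.168.1.10", 445, "in")),
        ("lan host tries a non-permitted port",
         Packet("192.168.1.10", 51001, "198.51.100.9", 6667, "out")),
    ]
    return {label: (port_only_filter(p), stateful.decide(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (stateless, tracked) in run_demo().items():
        print(f"{label:48s} port-only={str(stateless):5s} stateful={tracked}")
```

The third packet is the one that separates the two models: a stateless filter that permits "anything from port 80" lets an unsolicited packet reach a LAN host, while the stateful filter drops it because no LAN host ever opened that flow. That is the reason the thread keeps recommending NAT or stateful inspection at the perimeter even for home networks.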
 
Can you run Microsoft SP2 firewall and Zonealarm at the same time without problems?
What MS says:

"Why you should only use one firewall
"If you have more than one firewall installed on your computer, you should not have both firewalls turned on at the same time. Two firewalls turned on at the same time can cause compatibility problems that result in some programs not working correctly.

"To help protect your computer against viruses and other security threats, you should always have one firewall installed and turned on. Windows includes a firewall that is turned on by default. (However, some computer manufacturers and network administrators might turn it off.) If you want to install and run a second firewall, turn off Windows Firewall."

Iechyd da! John
Glannau Mersi, Lloegr.
 
In other words, disable the MS firewall, which is insufficient as it does not monitor packets both ways, and use another firewall that does.

Personally, I do not trust Shields Up. Zone Alarm is not bad, but I run TPF at home. Anyway, you can check www.firewall.com and make up your own mind.

Pascal.
 
A firewall may not block email with a virus. Most viruses come in through e-mail. Another point of entry is through Instant Messenger software like AIM and file-sharing programs for sharing music. Downloading programs from the Internet can leave your PC strangled with spyware.

I have been using the Microsoft Beta Spyware blocker and it seems to work pretty well. It has a tool in it to reset your Browser back to the defaults if it has been hijacked by spyware.

Just keep in mind that the more programs you have running on your computer in the background, the slower your PC will run. This is why I like the idea of a router with a NAT firewall. Linksys makes a small firewall that also does stateful packet inspection, but I have never tried it. Like some other posters have said, you may want to look for firewall reviews. Firewalls can be a real pain if they do not work well.

If you do not like my post feel free to point out your opinion or my errors.
 
An alternative to ShieldsUp is nmap - this is a tool that will scan your computer locally and tell you what ports on your computer are open and (possibly) a guess at what program/service is using it.

nmap is available on linux and now on Windows. Google around for 'nmap windows' and you should be able to find it.
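nmap gives the outside view of a host; the inside view is the list of sockets the machine itself has open, which `netstat -an` prints on both Windows and Linux. The script below is an added example, not something from the post above or from the nmap project: it parses that output, keeps only listening sockets, and separates the ones bound to loopback (reachable only from the same PC) from those bound to a real interface or to all interfaces, which are the services a software or hardware firewall must actually cover. The sample output is constructed for the example; run the script on a real host to use the live output instead.

```python
"""Added example: audit which listening ports on this PC are reachable from
other hosts, from `netstat -an` output (Windows and Linux net-tools layouts)."""

import subprocess

# Constructed sample of `netstat -an` output in the Windows layout, so the
# example runs offline. Addresses and ports are made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:51000     203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
WILDCARDS = ("0.0.0.0", "[::]", "::", "*")


def split_addr(addr):
    """'192.168.1.10:139' -> ('192.168.1.10', 139); also handles '[::]:135'."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Return listening sockets as (proto, host, port) tuples."""
    listeners = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].lower().startswith(("tcp", "udp")):
            continue
        proto = tok[0].lower()[:3]
        # Windows puts the local address in column 2; Linux net-tools (with
        # its Recv-Q/Send-Q columns) puts it in column 4.
        local = tok[1] if ":" in tok[1] else tok[3]
        state = tok[-1].upper()
        if proto == "tcp" and state not in ("LISTENING", "LISTEN"):
            continue  # established or closing sockets are not services
        host, port = split_addr(local)
        listeners.append((proto, host, port))
    return listeners


def exposure(host):
    """Classify a bound address by who can reach it."""
    if host.startswith(LOOPBACK_PREFIXES):
        return "loopback only"
    if host in WILDCARDS:
        return "all interfaces"
    return "one interface"


def exposed_listeners(text):
    """Listening sockets reachable from other hosts on the LAN, i.e. the ones
    a firewall (on the PC or at the perimeter) has to account for."""
    return sorted(entry for entry in parse_netstat(text)
                  if exposure(entry[1]) != "loopback only")


if __name__ == "__main__":
    try:
        output = subprocess.run(["netstat", "-an"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_NETSTAT  # fall back to the constructed sample
    for proto, host, port in exposed_listeners(output):
        print(f"{proto} {host}:{port}  ({exposure(host)})")
```

Comparing this list against an nmap scan from another machine on the LAN is a quick way to confirm that a software firewall is really filtering what it claims to: anything that appears in both lists is open to the network.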
 

A software (aka 'personal') firewall can be subverted by malware. A hardware firewall is resistant to subversion by malware. On the other hand, a software firewall can control internet access by applications. A hardware firewall offers protection against such things as denial of service and packet corruption (fraggle, teardrop, etc) and, very often, stateful packet inspection is available. It also offloads processing from the host computer(s) so is good for performance.

I agree that it is best to employ hardware and software firewalls in tandem. I use both types with great success (Globespan Virata EA110 and Agnitum Outpost) and have no problems of compatibility between these two. It must be pointed out that I offer no services so Steve Gibson's port scans reveal a totally invisible host (if that isn't a contradiction in terms).

 
Current solution in place:

A proxy server filters http/https requests - there is no way for a xls|doc|exe|zip|jar|cab to be downloaded from the Internet via web browsers (unless someone edits their network settings *1)

Each computer has a software firewall, such as WinXP firewall or something equally user-friendly. I do not want user-error to risk disrupting the use of 'critical' networked software.

There is one broadband connection, currently on the proxy, but not all computers have a physical connection to it which is why I want to swap to WiFi.

If I have a WiFi NAT router, with broadband on one side, and the proxy on the other then it looks like this:

NAT <--> Proxy <--> Workgroup #1
NAT <--> Workgroup #2

*1) I tried NT/2K/XP port forwarding but it does not seem to do anything - at all! How can I force ?:80 connections to go through
*2) What about POP3 downloads: maybe I should block them and insist on using webmail?

*3) Putting ICS on the proxy works..

Internet <--> NAT + Proxy <--> WiFi <--> Workgroups

.. but, that is not a hardware firewall and putting a complete PC so close to the user errors = risk ;)

--Glen :)

Memoria mihi benigna erit qui eam perscribam
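The proxy rule in the post above keeps xls, doc, exe, zip, jar and cab files out by looking at what is requested, and a filter that only checks the file name in the URL is easy to defeat by renaming the file or serving it from a URL with no extension. The following is an added example, not the poster's proxy configuration: a decision function that combines the extension check with the response Content-Type and the leading bytes of the body, so that a renamed or mislabelled file is still caught. The URLs, MIME list and responses are constructed for the example.

```python
"""Added example of the download-blocking decision a filtering proxy makes,
combining URL extension, Content-Type and magic-byte checks."""

from urllib.parse import urlparse

# The formats the post above says the proxy must keep out.
BLOCKED_EXTENSIONS = {"xls", "doc", "exe", "zip", "jar", "cab"}

# Assumed MIME types that servers commonly send for those formats.
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
    "application/zip",
    "application/java-archive",
    "application/vnd.ms-excel",
    "application/msword",
    "application/vnd.ms-cab-compressed",
}

# Leading bytes of the blocked formats; these identify a file whatever it is
# called. The ZIP signature also matches newer Office files (docx/xlsx) and
# other ZIP-based formats, which a strict policy will usually want blocked too.
MAGIC_SIGNATURES = {
    b"MZ": "exe",
    b"PK\x03\x04": "zip/jar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "xls/doc (OLE2 container)",
    b"MSCF": "cab",
}


def url_extension(url):
    """Extension of the last path segment, lower-cased, or '' if there is none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def verdict(url, content_type, body_prefix):
    """Return (blocked, reason) for one response. The checks run in turn, so a
    file that passes the name check is still caught by type or magic bytes."""
    ext = url_extension(url)
    if ext in BLOCKED_EXTENSIONS:
        return True, f"extension .{ext}"
    ctype = content_type.split(";")[0].strip().lower()
    if ctype in BLOCKED_CONTENT_TYPES:
        return True, f"content-type {ctype}"
    for signature, kind in MAGIC_SIGNATURES.items():
        if body_prefix.startswith(signature):
            return True, f"magic bytes ({kind})"
    return False, "allowed"


def run_cases():
    """Constructed responses (URL, Content-Type, first body bytes); returns
    {url: reason} so each decision can be inspected."""
    cases = [
        ("http://files.example.test/tools/setup.exe",
         "application/octet-stream", b"MZ\x90\x00\x03"),
        # the same executable renamed to .txt and served as plain text
        ("http://files.example.test/notes/report.txt",
         "text/plain", b"MZ\x90\x00\x03"),
        # no extension in the URL at all
        ("http://files.example.test/download?id=42",
         "application/zip", b"PK\x03\x04\x14\x00"),
        # a classic Office file with a harmless-looking name and generic type
        ("http://files.example.test/budget.dat",
         "application/octet-stream", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
        ("http://www.example.test/index.html",
         "text/html; charset=utf-8", b"<!DOCTYPE html>"),
        ("http://www.example.test/guide.pdf",
         "application/pdf", b"%PDF-1.4"),
    ]
    return {url: verdict(url, ctype, prefix)[1] for url, ctype, prefix in cases}


if __name__ == "__main__":
    for url, reason in run_cases().items():
        print(f"{reason:42s} {url}")
```

The magic-byte check means the proxy must buffer the first few bytes of each response before forwarding it, which is a cost worth paying: the file name and the Content-Type header are both chosen by the server, while the leading bytes are what the file actually is. The filter still only helps for traffic that passes through the proxy, which is the point of the poster's footnote about users changing their network settings.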
 
You should consider a Cisco PIX. It'll do NAT for your private IP addresses, provides Stateful Packet Inspection, and uses the Adaptive Security Algorithm. For a workgroup, you only need a PIX 501, and you will notice a big difference between a hardware firewall and software firewalls. Combined with a proxy server and a corporate antivirus product, you will have a high level of protection.
 
Thanks. Any suggestions for tightening security on email?

--Glen :)

Memoria mihi benigna erit qui eam perscribam
 

If you are using a wireless LAN, EVERY host on that network, whether connected wirelessly or wired, MUST use a software firewall, regardless of there being a hardware firewall between the LAN and WAN.

 