
NAT firewall is more needed? 1


audiopimp

MIS
Jun 9, 2002
175
CA
Hi
My setup:

Cable WAN
    |
Router/NAT
    |
10/100 Switch
    | | | | | | | | | |
Win 2000 Server   Win XP workstations

Now, as you can see, the router does provide a type of firewall. Is it then required to install software firewalls on the stations connected via the switch?

Thanks and cheers,
 
You can never be too safe. Sometimes routers do have their vulnerabilities. Just keep in mind, fewer open ports mean fewer possible vulnerable holes. So if you think your router is safe enough and good enough to block unwanted ports, then I presume it is safe. But if you really are paranoid, then go with the firewall.
 
Agree with cod3x. Routers are good for blocking unwanted incoming traffic, but most of them don't question connections that are initiated by your internal machines. Software firewalls can be configured to monitor, audit and block both incoming and outgoing connections from the workstation.

There are two concerns here. First, if one of your workstations picks up a virus, then having a firewall on each computer may help prevent it spreading to your entire network. Second, there is always the possibility that one of your machines will pick up a trojan. Some trojans then initiate a connection to external sites and download backdoor trojans, or they initiate a connection with the person trying to hack your system. Since the connection was initiated internally, your router isn't going to block it.

A good firewall would notice the connection attempt (either because it would be a new program asking for permission to connect or because the firewall would note that the program had been altered). Before allowing the connection, it would ask the user if it should be allowed to proceed. It would also log the event - so even if the user said yes, you could at least figure out later what happened.

(There are probably routers out there that can be configured to do the same thing as a firewall - but software could be a cheaper solution. High end routers get pretty expensive.)
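The two layers described in the post above, modelled as an added example that is not from the thread or any product: a NAT router that remembers outbound flows and only admits replies, and a per-workstation firewall that admits outbound connections only for allow-listed programs whose binary hash is unchanged, logging every decision. All hosts, paths and binaries are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
class NatRouter:
    """Router/NAT layer: remembers any outbound flow, passes inbound only as a reply."""
    def __init__(self):
        self.table = set()
    def outbound(self, f):
        self.table.add(f)
        return True  # never questions which program inside started the flow
    def inbound(self, f):
        # a reply has source and destination swapped relative to the stored flow
        return Flow(f.dst, f.dport, f.src, f.sport) in self.table
class HostFirewall:
    """Per-workstation layer: outbound only for allow-listed, unaltered programs; logs all."""
    def __init__(self, allowed):
        self.allowed = allowed  # program path -> SHA-256 of its binary when approved
        self.log = []
    def outbound(self, program, binary, f):
        expected = self.allowed.get(program)
        if expected is None:
            ok, why = False, "new program, not on allow-list"
        elif expected != hashlib.sha256(binary).hexdigest():
            ok, why = False, "program binary altered since approval"
        else:
            ok, why = True, "allow-listed and unchanged"
        self.log.append(f"{'ALLOW' if ok else 'BLOCK'} {program} -> {f.dst}:{f.dport} ({why})")
        return ok

def demo():
    # constructed sample values (hypothetical hosts, paths and binaries)
    browser, browser_bin = r"C:\Program Files\browser.exe", b"browser-v1"
    fw = HostFirewall({browser: hashlib.sha256(browser_bin).hexdigest()})
    nat = NatRouter()
    web = Flow("192.168.1.10", 50000, "203.0.113.5", 80)
    c2 = Flow("192.168.1.10", 50001, "203.0.113.9", 6667)
    return {
        "nat_outbound": nat.outbound(c2),  # the router lets the trojan's connection out
        "nat_unsolicited": nat.inbound(Flow("198.51.100.7", 4444, "192.168.1.10", 445)),
        "nat_reply": nat.inbound(Flow("203.0.113.9", 6667, "192.168.1.10", 50001)),
        "browser": fw.outbound(browser, browser_bin, web),
        "trojan": fw.outbound(r"C:\Temp\update.exe", b"trojan", c2),
        "altered": fw.outbound(browser, b"browser-v1+patched", c2),
        "log": fw.log,
    }
```

The router passes the internally started connection and blocks only the unsolicited inbound packet, while the host firewall blocks the unknown program and the altered one and leaves a log line for each.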

 
Sorry for the late reply...

Routers with only ACLs have not been industry acceptable for some years, as there are a number of simple attacks to turn routers into hubs or bypass them. If they are running their own firewall software, i.e. PIX firewall with Cisco, great.

Information security works on security in depth: the more manageable layers of security, the better, hence adding a stateful packet inspecting firewall behind your packet filter firewall would be wise.

IF

Your data and/or organisation justifies the time and expenditure on the product. Do your cost benefit analysis to tell you this.

Richard.
 
You might want to try running Gibson Research's "Shields Up" program from their website. It will run a couple of scans on your IP address from their server to check for running services and open ports. The results should let you know if you want to increase security via firewall on the NAT box. After running it on our NAT server we had a firewall installed on the outside connection that afternoon.
 