The mkiv Supra Owners Club

Question about Firewalls.


RedM


I'm waiting for my ADSL connection to be activated and in anticipation I've bought a Netgear DG834 router which has an inbuilt firewall.

 

Can I use this instead of ZoneAlarm Pro or should I use both?

 

Can anyone also explain (in simple terms) the difference between a hardware firewall and a software one?

 

Thanks.

Link to comment
Share on other sites

Use both.

Little statistic for you: it takes less than 20 minutes from your initial connection to broadband until you are first probed by a potential hacker.

 

The more protection you have, the better. Plus _most_ ADSL router/firewalls are nothing more than a one-way NAT box, not a proper firewall at all - good, but not that good! A hardware firewall is doing essentially the same job as a software firewall - scanning TCP ports for activity and blocking the ones which shouldn't be active. Better firewalls will make further decisions based on the type of activity seen. The only real difference is that you are offloading this effort to a separate bit of hardware, possibly with dedicated processors for this purpose, rather than software emulating the behaviour of that processor.

 

The external firewall has the added advantages that the traffic is being intercepted before reaching your PC, and it will not eat your PC's processing power. Still, use both if you can.

 

Trust me - this is what I do!

Link to comment
Share on other sites

If possible use both.

 

The hardware firewall in simple terms allows or blocks open ports.

i.e. if you think of your computer as a house with a fence round it, then the fence is the firewall. Every fence has a gate, and it is this that is the open port; nothing else can get in or out unless it goes through this open gate!

 

The software firewall in turn is looking to protect your PC against any malicious activity on the PC itself that has come through the firewall.

 

The common myth is that if you have a hardware firewall then you are protected against viruses, worms, trojans, spam and spyware. This is not true.

Link to comment
Share on other sites

I just got the same router, is yours the wireless version as well?

 

Brilliant bit of kit and a total doddle to set up, took 20 mins to get the laptop and PC setup and sharing the connection, come a long way since my last try at wireless networking.

 

I've left my software firewall on, as for the router, may be guessing but as it's left on all the time and it is a separate piece of hardware then I would leave the firewall enabled.

 

As the instructions say

 

You can use this screen to create Firewall rules to block or allow specific traffic. This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.

 

I'll leave it :whistle:

Link to comment
Share on other sites

I just got the same router, is yours the wireless version as well?

 

No, we chose the wired version as my girlfriend is convinced that we will have people using our network or reading our bank details no matter what security we have.

Link to comment
Share on other sites

use both without a doubt.

 

A hardware firewall does nothing more than implement rules for ports.

 

Think of it more as a gate, the inside of the gate is your machines and the outside is the internet. The hardware firewall(router) decides which traffic it will allow to enter. Http traffic, ftp traffic, smtp traffic etc.

 

The software firewall is the security guard on your building (your pc) he will check the credentials of anything attempting to enter the machine despite it being allowed into the compound by the gate.

 

Never use one without the other if you can avoid it.

 

Zone alarm pro also has registry and DLL protection at both the stack and wmi level which is amazingly tough (from experience trying to build a dll that would call information from the process stack - ZA blocked it and we had to get their development engineers to change the code to allow it).

 

there ya go.... A nice little example as well.

 

That will be £100+ vat consultancy fee - invoice in the post :)

Link to comment
Share on other sites

No, we chose the wired version as my girlfriend is convinced that we will have people using our network or reading our bank details no matter what security we have.

 

 

Complete rubbish mate, enable WEP and re-generate a key, been out 5 or 6+ years and not been cracked yet.

Link to comment
Share on other sites

I have read that ZA 6 seems to conflict with the router and requires jiggerypokery to get it running.

 

Anyone experienced this?

 

 

nah, just make sure that the port required for online licence check is open (if required) or crack the exe

Link to comment
Share on other sites

Complete rubbish mate, enable WEP and re-generate a key, been out 5 or 6+ years and not been cracked yet.

 

I know it's rubbish but I couldn't convince her. By crikey I tried. TBH we have no need for a wireless network as all our pcs are close to each other and too heavy to carry around :whistle:

Link to comment
Share on other sites

never used it mate.

 

Industry wise, due to the level of OS protection, ZA is considered one of the most secure multi-products. A quick check of online surveys should answer your Q Colin

Much horse grassy arse :)

Link to comment
Share on other sites

...and what does that mean?

 

 

Replacing (or hex editing) the original zone alarm executable to remove the "call home" code which causes the product to call home to check if the licence is valid using an internet connection.

 

I'm not sure if ZA use it now, they never used to but it is such a well used (and cracked) product that they have probably followed suit and implemented it.

Link to comment
Share on other sites

I know it's rubbish but I couldn't convince her. By crikey I tried. TBH we have no need for a wireless network as all our pcs are close to each other and too heavy to carry around :whistle:

 

Wise move, I bought the laptop from Carlos, so I can now sit upstairs in peace whilst the missus can use the laptop downstairs. She has in one day figured out that she can use messenger to bug the living cr*p out me.

 

I'm busy looking at all the nice stuff in the NWS section on here and she's sending me links to laminate flooring web sites, it's just not right :badidea:

Link to comment
Share on other sites

Use both.

Little statistic for you: it takes less than 20 minutes from your initial connection to broadband until you are first probed by a potential hacker.

 

That's an old statistic isn't it? The one we used a while back was that an unprotected windows machine would be actually hacked (not just probed) within 10 minutes of connection.

 

anyhow,

 

IIRC WEP has been cracked! It's not that secure (I work in proper security, none of this WEP nonsense) - however for normal use, a min 128 bit key length should be ok for most purposes, just don't use the 64 bit key length or you are asking for trouble.

 

if you have it, switch to WPA as it's better.

 

Ok as for hardware firewalls bundled in general purpose router boxes costing

 

A decent hardware firewall or a software firewall is pretty essential. For a small system, one PC with nothing that sensitive, zone alarm etc will do the job :) For more security or larger networks I'd start to think about something more.

 

Personally for home I have an ADSL router with firewall (that I don't rely on for any security at all) + a Smoothwall dedicated firewall machine - that gets you to my main network + DMZ that then has firewalls on each machine, easy :)

 

you can make a dedicated Smoothwall firewall box with change from £50 including the machine and mine has been running reliably since the day I set it up.

 

OTT if you have 1 machine, good practice if you have a network or sensitive stuff on your machines...

Link to comment
Share on other sites

heh.......

 

What is proper security then? I have worked with symmetric-key block ciphers for the MOD for use with weapons systems on nuclear submarines, I guess that is kiddy security? :)

 

WEP has never been cracked, using a series of likely combinations it can be decrypted (being a two way cipher and not a one way algorithm that is always possible). Various tools exist (mostly nix tools) for doing this, still - as no doubt with your security background you will be aware - this does not constitute being cracked. What would be needed to guess the key would be over a month of packet sniffing uninterrupted and even then, a considerable amount of time simply to guess the key. This is still considered a secure environment for home purposes. I would use WEP without any issue, change your key monthly and you have a VERY secure network regardless of your standpoint.

 

anyhoo, I would be interested to see what you work on to consider this "wep nonsense"

 

You are remembering that we are talking about a home network where the most sensitive data will not cost lives right?

 

pe@ce

Link to comment
Share on other sites

Sorry, I didn't mean to offend, you sound slightly defensive about it lol.

 

Ok well I work on Cryptography, that much is true but I am not at liberty to discuss what I am working on. No doubt it would have been the same for you under the OSA etc - which I don't take lightly - I'm not really comfortable discussing it at this level on a public forum so excuse me if I say less, not more. Needless to say, it would be impossible to get any sort of PC to the levels of security we are talking about...

 

Anyway, when in London last year on an Ethical Hacking course we discussed WEP and its crackability and the weakness with its IVs etc, that much I remember. It took something of the order of a million frames of sniffing, at today's rates that is surprisingly not long at all...

 

when I get time I'll dig out the details for you, this was over a year ago now, kinda thought it was old news.

 

you are right, it's all OTT to some extent, but then again if you get hacked then...

 

I would say 64bit WEP is too weak even for home use (unless you really just don't care), as is a hardware firewall alone. I would recommend a Smoothwall box (or equivalent) since they are so simple and hassle free to set up and something like zone alarm is a minimum :)

 

anyway all interesting stuff :)

Link to comment
Share on other sites

Nah you didn't offend me mate, I just don't like the 'holier than thou' approach. I too am still bound by the DPA and OSA but that doesn't prevent me talking about technologies which are in the field. Anyway, if you don't feel able to talk about it then that's fine. You are totally correct that 64bit WEP is weak (although still 100 times better than no encryption) a smoothwall box is a decent option and requires little knowledge to set up, I find that most people don't go down that route due to the space of another box (to do it cheaply and use a full size case). Is this the certified ethical hacker course? I too went on this but found it much too high level (cgi exploits etc) this was the type of thing we were playing with in senior school. Good course for some tools to use but other than that I didn't really rate it - how did you find it?

 

I don't at all think you are misinforming people but I find that sometimes people just want a quick, simple, cheap solution which will do the job. Sadly, my company would be ten times the size it is now if everybody bought what I recommended from a security standpoint, but cost is a limiting factor as is knowledge. EG, would the gentleman above be able to support his smoothwall box in the event of a kernel corruption or updates? I think not (although I make an assumption).

 

His best option in terms of cost, space and support is to stick with his ZA install.

 

Just my two penneth.

Link to comment
Share on other sites

I'm surprised you are happy to talk about what you work(ed) on, SC and DV people here generally don't talk, OSA is 30 years IIRC and not to be taken lightly!

 

It was the same course and in general I would agree with your summary lol - only about 2% was actually useful to me, since general pc security doesn't really interest me so much. Who gave the course to you?

 

FYI I think WEP is now an under 10 minute crack, just had a quick look and things like this make for interesting reading http://wifinetnews.com/archives/004580.html

 

This is why I would recommend WPA over basic WEP, at least as a starting point.

 

Security is only as good as you make it, and there is no perfect security at the end of the day.

 

I recommended the smoothwall box because they are so reliable, mine has been up for 2 years now without a single hiccup. If it died, 10 mins could see the whole thing reinstalled and setup!

 

anyway, I agree, for home use on a single PC with nothing too sensitive, ZA is ok as a minimum and that's what I said earlier :)

Link to comment
Share on other sites
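
The thread's 64-bit versus 128-bit WEP debate and the IV weakness mentioned above can be seen in a short sketch; this is an added example, not code from any of the posts. It shows that both key sizes share the same 24-bit IV, so a repeated IV exposes the XOR of two plaintexts regardless of key length, which is the reason for the advice to move to WPA. Assumptions: IVs are chosen at random, the CRC-32 integrity value is omitted, and the frames, IVs and secrets are constructed sample data.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    # WEP seeds RC4 per frame with the 3-byte IV (sent in clear) || shared secret.
    # The CRC-32 integrity value that WEP appends is omitted (assumption of this sketch).
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def ciphertexts_leak_plaintext_xor(secret: bytes, iv1: bytes, iv2: bytes) -> bool:
    # Constructed sample frames of equal length.
    p1 = b"constructed frame one"
    p2 = b"constructed frame two"
    c1, c2 = wep_encrypt(iv1, secret, p1), wep_encrypt(iv2, secret, p2)
    # With a repeated IV the keystream cancels: c1 ^ c2 == p1 ^ p2.
    return xor(c1, c2) == xor(p1, p2)

def frames_until_iv_repeat(prob: float = 0.5, iv_bits: int = 24) -> int:
    # Birthday bound, assuming IVs are picked uniformly at random.
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - prob))))

if __name__ == "__main__":
    iv = b"\x00\x00\x01"  # constructed IV
    for name, secret in (("64-bit WEP", b"\x11" * 5), ("128-bit WEP", b"\x22" * 13)):
        print(name, "repeated IV leaks plaintext XOR:",
              ciphertexts_leak_plaintext_xor(secret, iv, iv))
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat())
```
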
