Firewalls and routers

Discussion in 'Windows Vista Security' started by Dave Turner, Aug 20, 2007.

  1. Dave Turner

    Dave Turner Guest

    I have installed a D-Link router for my home net, and I have a question
    about firewalls that is not in the book from D-Link;

    When I configure the firewall that is internal in the router, should I
    then disable Windows Firewall? It's confusing, because if I stayed with
    Windows Firewall (or any 3rd party firewall) it would have to be enabled
    on each machine on the net. Having it in the router would then cover
    everything on the net, right (or wrong)?

    Thanks in advance for any advice...

    Dave
     
    Dave Turner, Aug 20, 2007
    #1

  2. The D-Link firewall will protect your network from attacks outside your
    network. But if one of the computers in your network gets infected anyway,
    the D-Link firewall is powerless to stop it from spreading to the other
    computers in your network.
     
    Steve Riley [MSFT], Aug 20, 2007
    #2

  3. Dave Turner

    Dave Turner Guest

    Steve,
    thanks for the reply.
    From your answer, can I assume that each machine should continue to
    have its own firewall to protect it from the other computers on the LAN?
     
    Dave Turner, Aug 20, 2007
    #3
  4. That's my preferred configuration, yes. Especially if any of them are
    laptops. Mobility adds a new twist to traditional approaches to network
    defense. When your laptop isn't connected to your LAN, then the host
    firewall is your _only_ choice for protecting the machine from everyone else
    using the same hotel/airport lounge/whatever network you're on. Say you
    inadvertently open an email with attached malware while you're bored at the
    hotel and you get infected with something. Then after you fly home tomorrow,
    having the host firewall on your other computers will protect them from your
    (now malicious) laptop.
     
    Steve Riley [MSFT], Aug 20, 2007
    #4
  5. Dave Turner

    Dave Turner Guest

    Steve,
    thanks again...
    sometimes it's hard to know what to do. The rule of thumb is to only
    have one firewall running, but I guess that means one firewall per.

    Dave
     
    Dave Turner, Aug 20, 2007
    #5
  6. Victek

    Victek Guest

    For the record, the rule regarding one firewall refers to personal software
    firewalls running on the computer. Additional firewalls on the network,
    such as the one in your router, don't count in the "one firewall rule" <g>.
     
    Victek, Aug 20, 2007
    #6
  7. Mr. Arnold

    Mr. Arnold Guest

    I agree about the differences between a firewall running in a hardware
    solution protecting a network, as opposed to a host based FW running on the
    computer protecting the computer. There is no conflict there, because the
    solutions are running on two different devices.
     
    Mr. Arnold, Aug 20, 2007
    #7
  8. Chet

    Chet Guest

    I just got my first laptop and router. I am on the internet at home via the
    router which is connected to my cable modem. When taking my laptop
    elsewhere, I have a Verizon network card.

    I've heard, for years, that if you have a router, you don't need a firewall.
    I never understood why. I suspected that the hardware of a router must be
    such that people couldn't access my machine through it. Now you folks
    mention a firewall (software, I guess) in the router. How do I know if I
    have one in mine? It is a Buffalo Air Station Wireless G High Power model
    WHR-HP-054. I don't remember turning it on or setting it up when I installed
    the thing. Does my router have a firewall? Right now the laptop has
    Norton Internet Security using that firewall (not the MS one) and that
    antivirus. I'm planning on installing Zone Alarm free version and a free
    anti-virus onto the laptop in a week or two when the Norton subscription
    runs out. Does that sound reasonable? I run Vista Home Premium.

    Thanks.

    Chet
     
    Chet, Aug 21, 2007
    #8
  9. Mr. Arnold

    Mr. Arnold Guest

    A host based software solution like ZA is not a FW. A FW separates two
    networks and sits at the junction point between the two networks, which are
    usually the WAN (Wide Area Network)/Internet it's protecting from and the
    network it's protecting, the LAN (Local Area Network). A FW must have two
    interfaces: one or more interfaces that face the WAN and one or more
    interfaces that face the LAN.

    In the case of a network FW that is a software solution running on a gateway
    computer, the gateway computer will have one or more Network Interface Cards
    (NICs) that face the WAN and one or more NICs that face the LAN.

    A solution like ZA and others that fall into that category are machine level
    packet filters that protect at the machine level. They do not separate two
    networks.

    A FW device using FW software in the solution will fall into the definition
    of (What does a FW do?) that is being explained in the link below. Yes, a
    FW router, a FW appliance and FW that is a host based software solution
    running on a gateway computer will fall into that definition.

    http://www.vicomsoft.com/knowledge/reference/firewalls1.html

    A FW of the type above will be able to stop inbound and outbound traffic
    with the WAN, but it can also stop inbound and outbound traffic on the LAN
    between machines.
    Your router comes closer to the definition of being a FW, because of the two
    interfaces it has of WAN and LAN ports. It may even be running SPI. But is
    it running FW software? You'll have to make that determination.

    Here is another link that may help you in the determination.

    http://www.more.net/technical/netserv/tcpip/firewalls/

    For a router that cannot stop outbound traffic, some use something like ZA
    or even Vista's FW/packet filter to stop outbound traffic, and I am not
    talking about Application Control in some of these solutions. I am talking
    about setting a FW rule to stop outbound traffic from leaving the computer
    to a LAN or WAN IP.

    If I have a computer such as a laptop that's connected to a foreign LAN like
    a wireless cafe or the computer has a direct connection to a modem, like a
    dial-up, BB or DSL modem, which is a direct connection to the Internet - no
    router or other such device between the computer and the modem, then the
    laptop is running Vista's FW/packet filter or some 3rd party packet filter
    like ZA to protect the machine.

    When the laptop is on my LAN protected by a FW appliance, its packet
    filter/FW is disabled, along with the rest of the machines having their
    packet filter/FW(s) disabled, both MS and Linux machines. They are not needed
    in my case in this situation.

    You'll have to make the determination of not running the packet filters on
    machines behind your router.
     
    Mr. Arnold, Aug 21, 2007
    #9
  10. Victek

    Victek Guest

    Push the Vista orb (what used to be the Start button) select RUN. Then type
    CMD and push <enter>. You should then have a black command window (that
    looks a lot like an old DOS window). At the prompt type ipconfig. This
    will reveal your computer's IP address, and also the Gateway IP which will
    likely be something like "192.168.1.1". Then open Internet Explorer and type
    that gateway IP address into the address bar like this:

    http://xxx.xxx.xxx.xxx (put your real numbers in place of the xxx's)

    This will open the router interface where you will see many interesting
    settings including firewall settings (if your router has one built-in). By
    the way, a router provides some protection by hiding your private IP address
    from the internet. That's why some people say "if you have a router you
    don't need a firewall". I wouldn't rely exclusively on a router though. If
    the router has firewall features then turn them on and use Zonealarm on the
    computer too. Hope this is clear enough.
     
    Victek, Aug 21, 2007
    #10
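
The lookup described in post #10, together with a check that the host firewall recommended in post #4 is on for every network profile, as an added example that is not part of any post in this thread. It parses the text printed by `ipconfig` and by `netsh advfirewall show allprofiles` (the Vista firewall status command); both sample outputs are constructed, and the function names are this example's own.

```python
import re

# Constructed sample output, not captured from a real machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""
SAMPLE_NETSH = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
"""

def default_gateways(ipconfig_text):
    """IPv4 default gateways: the address to type into the browser."""
    pattern = r"Default Gateway[ .]*:[ \t]*(\d{1,3}(?:\.\d{1,3}){3})"
    return re.findall(pattern, ipconfig_text)

def firewall_profiles(netsh_text):
    """Map each profile name to True when its State line reads ON."""
    states, current = {}, None
    for line in (raw.strip() for raw in netsh_text.splitlines()):
        header = re.match(r"(\w+) Profile Settings:", line)
        state = re.match(r"State\s+(ON|OFF)$", line)
        if header:
            current = header.group(1)
        elif state and current:
            states[current] = state.group(1) == "ON"
    return states

def profiles_off(netsh_text):
    """Profiles where the host firewall is disabled."""
    return sorted(n for n, on in firewall_profiles(netsh_text).items() if not on)

if __name__ == "__main__":
    print("Router admin page: http://%s" % default_gateways(SAMPLE_IPCONFIG)[0])
    print("Host firewall OFF for:", profiles_off(SAMPLE_NETSH) or "no profile")
```

In the constructed sample the Public profile is off, which is the profile a laptop uses on a hotel or airport network, where the host firewall is its only protection.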
  11. Chet

    Chet Guest

    Thanks, Victek and Mr. Arnold. I learned a lot from your replies.

    Chet
     
    Chet, Aug 22, 2007
    #11
  12. David

    David Guest

    He'll also have to know the password for his router. There are websites
    with router default passwords for most routers.
     
    David, Aug 22, 2007
    #12
  13. Dave Turner

    Dave Turner Guest

    I have learned a lot too. Thanks guys!
    Dave
     
    Dave Turner, Aug 22, 2007
    #13