Do I need a software firewall in addition to a NAT router/firewall? - Networking


  1. Do I need a software firewall in addition to a NAT router/firewall?

    Hi:

    I have operated Linux and Windows XP boxes behind a Linksys WRT54G NAT
    router with its firewall enabled as well as blocking anonymous internet
    requests (black-hole) mode for years, and have not had any problems
    (that I am aware of). Because of the hw router, I figured I didn't need
    to run firewall software on the PCs behind the router. This includes
    running the XP box totally unsecured with its firewall turned off, and
    no anti-virus software.

    Now I am worrying that maybe this isn't so true. There are several
    means by which things could go wrong. What comes to mind are (in order
    starting with what I think are the most likely risks): java and
    javascript code that runs in the web browsers (see note below), Active-X
    controls in M$ IE, recent exploits involving things which I would have
    considered passive such as images and flash video, downloading a program
    infected by a virus or trojan. Also, this recent DNS hijacking business
    is scary.

    We have used administrative controls to mitigate some of these hazards,
    by doing the following:

    1. Basically nothing about the java, javascript, and flash/images.
    2. For Active-X, my wife who uses XP frequently, only uses IE for
    accessing trusted sites such as a bank or a merchant that cannot
    function without IE (almost never). We primarily use Firefox on XP.
    She also uses XP to Skype.
    3. To avoid viruses we simply don't install programs that aren't from a
    source that is trusted. By that I mean, a vendor that we sought out and
    know well, like Vmware, Skype, Mozilla, OpenOffice, etc. We use
    Seamonkey or Thunderbird on Linux for email (including my wife). So
    attachments are of little danger. We are pretty good at spotting scams,
    and my wife knows how to look at full headers, etc. We use no M$
    software except for XP itself.
    4. In case the XP is compromised, which I regard as more likely than
    Linux, we don't run my Linux box at the same time as her XP, since I
    have the most important family data on my Linux box. Thus, the only way
    anyone could get to important personal data is if an exploit that got on
    her XP could access her ext2 partition (unlikely) and install something
    into the Linux partition, or crack the router, then wait in the router
    to attack either of the Linux machines when they are up. I consider
    these scenarios extremely unlikely.

    So it's mainly the browser scripts and other exploits that are the main
    danger. Should I be running software firewalls on both XP and Linux
    boxes, and anti-virus programs on XP, or is the router and our
    administrative policies enough?

    Thanks for comments.


    --
    _____________________
    CRC
    crobc@REMOVE-THIS.sbcglobal.net
    SuSE 10.3 Linux 2.6.22.17

  2. Re: Do I need a software firewall in addition to a NAT router/firewall?

    On Fri, 05 Sep 2008 18:53:14 -0700, CRC wrote:
    >
    > So it's mainly the browser scripts and other exploits that are the main
    > danger.


    For starters.

    > Should I be running software firewalls on both XP and Linux
    > boxes, and anti-virus programs on XP,


    Yes.

    > or is the router and our administrative policies enough?


    Not for me. Only thing I do on XP is TurboTax.
    Skype and banking are done on Linux.
    I will not do business with a merchant which requires Internet Explorer.


    http://groups.google.com/group/alt.o...c4674ee714a691

  3. Re: Do I need a software firewall in addition to a NAT router/firewall?

    CRC writes:

    > Hi:
    >
    > I have operated Linux and Windows XP boxes behind a Linksys WRT54G NAT
    > router with its firewall enabled as well as blocking anonymous
    > internet requests (black-hole) mode for years, and have not had any
    > problems (that I am aware of). Because of the hw router, I figured I
    > didn't need to run firewall software on the PCs behind the router.
    > This includes running the XP box totally unsecured with its firewall
    > turned off, and no anti-virus software.
    >
    > Now I am worrying that maybe this isn't so true. There are several
    > means by which things could go wrong. What comes to mind are (in
    > order starting with what I think are the most likely risks): java and
    > javascript code that runs in the web browsers (see note below),
    > Active-X
    > controls in M$ IE, recent exploits involving things which I would have
    > considered passive such as images and flash video, downloading a
    > program infected by a virus or trojan. Also, this recent DNS
    > hijacking business is scary.
    >
    > We have used administrative controls to mitigate some of these
    > hazards, by doing the following:
    >
    > 1. Basically nothing about the java, javascript, and flash/images.
    > 2. For Active-X, my wife who uses XP frequently, only uses IE for
    > accessing trusted sites such as a bank or a merchant that cannot
    > function without IE (almost never). We primarily use Firefox on
    > XP. She also uses XP to Skype.
    > 3. To avoid viruses we simply don't install programs that aren't from
    > a source that is trusted. By that I mean, a vendor that we sought out
    > and know well, like Vmware, Skype, Mozilla, OpenOffice, etc. We use
    > Seamonkey or Thunderbird on Linux for email (including my wife). So
    > attachments are of little danger. We are pretty good at spotting
    > scams, and my wife knows how to look at full headers, etc. We use no
    > M$ software except for XP itself.
    > 4. In case the XP is compromised, which I regard as more likely than
    > Linux, we don't run my Linux box at the same time as her XP, since I
    > have the most important family data on my Linux box. Thus, the only
    > way anyone could get to important personal data is if an exploit that
    > got on her XP could access her ext2 partition (unlikely) and install
    > something into the Linux partition, or crack the router, then wait in
    > the router to attack either of the Linux machines when they are up. I
    > consider these scenarios extremely unlikely.
    >
    > So it's mainly the browser scripts and other exploits that are the
    > main danger. Should I be running software firewalls on both XP and
    > Linux boxes, and anti-virus programs on XP, or is the router and our
    > administrative policies enough?

    Forget for a moment about the fact that you have a Linux computer
    networked to an XP machine and focus mainly on the XP security. If you
    have Windows XP SP2 or SP3 there is no reason not to run the built-in
    Windows firewall; it can be configured to allow your applications to
    have full connectivity. You still need anti-virus software, of which
    there are numerous free or low-cost options (I use AVG Free Edition
    8). The problem is that the so-called Trusted Sites such as banks are
    themselves subject to being hacked. If all of your personal data is
    on the Linux machine you could create an encrypted partition which
    would afford much better privacy protection.

    --
    Allan

  4. Re: Do I need a software firewall in addition to a NAT router/firewall?

    David Brown wrote:[a lot]

    Thanks for the responses, folks.

    --
    _____________________
    CRC
    crobc@REMOVE-THIS.sbcglobal.net
    SuSE 10.3 Linux 2.6.22.17
