Is Software Firewall Necessary with a H/W already running?

Archived from groups: comp.security.firewalls

I finally purchased a hardware firewall (Netgear FVS318). A lot of
helpful people in the group suggested I go hardware to free some
resources and cycles. However, I have seen some people that use BOTH
H/W and S/W firewall. I scanned my system with ShieldsUp! and found
everything is stealth. My question is:

Do I still need a software firewall with this hardware one installed?

Thanks in advance!!!

- Robert Smith
  1.

    [This followup was posted to comp.security.firewalls and a copy was sent
    to the cited author.]

    In article <CdyOc.182482$tH1.8031261@twister.southeast.rr.com>,
    rsmith.remove@triad.rr.remove.com says...
    > I finally purchased a hardware firewall (Netgear FVS318). A lot of
    > helpful people in the group suggested I go hardware to free some
    > resources and cycles. However, I have seen some people that use BOTH
    > H/W and S/W firewall. I scanned my system with ShieldsUp! and found
    > everything is stealth. My question is:
    >
    > Do I still need a software firewall with this hardware one installed?

    It's still a good idea. In particular, most software firewalls also
    monitor outgoing data on a PER PROGRAM basis. You can control exactly
    which programs have access and prevent anything being sent, even if it's a
    common port like 80.

    Basically, unless you have a VERY fast connection, and a VERY slow
    computer, the speed loss shouldn't be a big deal, if it's even detectable.
    You could always help things a bit by setting the software firewall to
    allow all incoming, if you believe the hardware firewall will fully
    protect you.

    Just remember that just blocking data ports alone doesn't cut it these
    days. With spyware, adware, trojans, etc. you need help on actual program
    control.

    --
    If there is a no_junk in my address, please REMOVE it before replying!
    All junk mail senders will be prosecuted to the fullest extent of the
    law!!
    http://home.att.net/~andyross
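
The per-program outbound control described in the reply above, as an added example that is not part of the original thread: a port-based perimeter policy and a per-program host policy are evaluated over the same outbound attempts. The program names, rule sets and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    program: str      # executable that opened the socket (known only on the host)
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

# Constructed perimeter policy: the device sees protocol and port, never the program.
PERIMETER_ALLOWED_OUT = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}

# Constructed host policy: program -> (proto, port) pairs it may use outbound.
HOST_ALLOWED_OUT = {
    "iexplore.exe": {("tcp", 80), ("tcp", 443)},
    "outlook.exe": {("tcp", 25), ("tcp", 110)},
}

def perimeter_allows(a):
    return (a.proto, a.dst_port) in PERIMETER_ALLOWED_OUT

def host_allows(a):
    # Unknown programs get an empty allow set, so everything they send is blocked.
    return (a.proto, a.dst_port) in HOST_ALLOWED_OUT.get(a.program.lower(), set())

def evaluate(attempts):
    """Rows of (program, port, perimeter verdict, host verdict, leaves the network)."""
    rows = []
    for a in attempts:
        p, h = perimeter_allows(a), host_allows(a)
        rows.append((a.program, a.dst_port, p, h, p and h))
    return rows

def caught_only_by_host(attempts):
    """Programs whose traffic the port-based policy passes but the host policy stops."""
    return [a.program for a in attempts if perimeter_allows(a) and not host_allows(a)]

# Constructed attempts; addresses are from the documentation ranges.
SAMPLE = [
    Attempt("iexplore.exe", "198.51.100.10", 80),
    Attempt("outlook.exe", "198.51.100.25", 25),
    Attempt("toolbar_helper.exe", "203.0.113.66", 80),   # unapproved program, common port
    Attempt("iexplore.exe", "203.0.113.66", 6667),       # approved program, unusual port
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
    print("stopped only by the host policy:", caught_only_by_host(SAMPLE))
```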
  2.

    7/30/2004 5:24:33 PM

    Andrew Rossmann <andysnewsreply@no_junk.comcast.net> wrote in message
    MPG.1b74788d1cef603b989a47@news.comcast.giganews.com

    > It's still a good idea. In particular, most software firewalls also
    > monitor outgoing data on a PER PROGRAM basis. You can control exactly
    > which programs have access and prevent anything being sent, even if it's a
    > common port like 80.
    >
    > Basically, unless you have a VERY fast connection, and a VERY slow
    > computer, the speed loss shouldn't be a big deal, if it's even detectable.
    > You could always help things a bit by setting the software firewall to
    > allow all incoming, if you believe the hardware firewall will fully
    > protect you.
    >
    > Just remember that just blocking data ports alone doesn't cut it these
    > days. With spyware, adware, trojans, etc. you need help on actual program
    > control.
    >
    > --
    > If there is a no_junk in my address, please REMOVE it before replying!
    > All junk mail senders will be prosecuted to the fullest extent of the
    > law!!
    > http://home.att.net/~andyross

    Good advice Andrew! Thanks!!
  3.

    Robert Smith wrote:
    > I finally purchased a hardware firewall (Netgear FVS318). A lot of
    > helpful people in the group suggested I go hardware to free some
    > resources and cycles. However, I have seen some people that use BOTH
    > H/W and S/W firewall. I scanned my system with ShieldsUp! and found
    > everything is stealth. My question is:
    >
    > Do I still need a software firewall with this hardware one installed?
    >
    > Thanks in advance!!!
    >
    > - Robert Smith

    Ask yourself the following questions:

    1. Are you the exclusive user of your computing system(s)?
    2. Do you apply and enforce safe computing practices on your equipment?
    3. Do you engage in p2p file sharing across the Internet?
    4. Do you rigorously patch new found Windows exploits (I know-that's a
    full-time job)?
    5. Do you use IE and Outlook/OE mail clients as your primary browser and
    e-mail client?

    I wouldn't bother adding a client PFW, unless you can't control your
    computing environment or your behavior.
  4.

    Andrew Rossmann wrote:

    > [This followup was posted to comp.security.firewalls and a copy was sent
    > to the cited author.]
    >
    > In article <CdyOc.182482$tH1.8031261@twister.southeast.rr.com>,
    > rsmith.remove@triad.rr.remove.com says...
    >
    >>I finally purchased a hardware firewall (Netgear FVS318). A lot of
    >>helpful people in the group suggested I go hardware to free some
    >>resources and cycles. However, I have seen some people that use BOTH
    >>H/W and S/W firewall. I scanned my system with ShieldsUp! and found
    >>everything is stealth. My question is:
    >>
    >>Do I still need a software firewall with this hardware one installed?
    >
    >
    > It's still a good idea. In particular, most software firewalls also
    > monitor outgoing data on a PER PROGRAM basis. You can control exactly
    > which programs have access and prevent anything being sent, even if it's a
    > common port like 80.
    >
    > Basically, unless you have a VERY fast connection, and a VERY slow
    > computer, the speed loss shouldn't be a big deal, if it's even detectable.
    > You could always help things a bit by setting the software firewall to
    > allow all incoming, if you believe the hardware firewall will fully
    > protect you.
    >
    > Just remember that just blocking data ports alone doesn't cut it these
    > days. With spyware, adware, trojans, etc. you need help on actual program
    > control.
    >
    You're correct, assuming he can't control himself or his computing
    environment. Let's hope that's not the case.
  5.

    7/30/2004 5:44:08 PM

    optikl <optikl@invalid.net> wrote in message
    <IizOc.60438$eM2.11183@attbi_s51>

    > Andrew Rossmann wrote:
    >
    > > [This followup was posted to comp.security.firewalls and a copy was sent
    > > to the cited author.]
    > >
    > > In article <CdyOc.182482$tH1.8031261@twister.southeast.rr.com>,
    > > rsmith.remove@triad.rr.remove.com says...
    > >
    > >>I finally purchased a hardware firewall (Netgear FVS318). A lot of
    > >>helpful people in the group suggested I go hardware to free some
    > >>resources and cycles. However, I have seen some people that use BOTH
    > >>H/W and S/W firewall. I scanned my system with ShieldsUp! and found
    > >>everything is stealth. My question is:
    > >>
    > >>Do I still need a software firewall with this hardware one installed?
    > >
    > >
    > > It's still a good idea. In particular, most software firewalls also
    > > monitor outgoing data on a PER PROGRAM basis. You can control exactly
    > > which programs have access and prevent anything being sent, even if it's a
    > > common port like 80.
    > >
    > > Basically, unless you have a VERY fast connection, and a VERY slow
    > > computer, the speed loss shouldn't be a big deal, if it's even detectable.
    > > You could always help things a bit by setting the software firewall to
    > > allow all incoming, if you believe the hardware firewall will fully
    > > protect you.
    > >
    > > Just remember that just blocking data ports alone doesn't cut it these
    > > days. With spyware, adware, trojans, etc. you need help on actual program
    > > control.
    > >
    > You're correct, assuming he can't control himself or his computing
    > environment. Let's hope that's not the case.


    I can control, but my wife also uses the system...
  6.

    > Ask yourself the following questions:
    >
    > 1. Are you the exclusive user of your computing system(s)?

    No... :(

    > 2. Do you apply and enforce safe computing practices on your equipment?

    Yes!

    > 3. Do you engage in p2p file sharing across the Internet?

    No.

    > 4. Do you rigorously patch new found Windows exploits (I know-that's a
    > full-time job)?

    Yes.

    > 5. Do you use IE and Outlook/OE mail clients as your primary browser and
    > e-mail client?

    Yes. (Wife uses OE and I use Outlook 2k3)

    > I wouldn't bother adding a client PFW, unless you can't control your
    > computing environment or your behavior.

    I am extremely careful, but can't always vouch for my wife - if she
    has a friend send her something, she might click before she looks...
    :(
  7.

    In article <CdyOc.182482$tH1.8031261@twister.southeast.rr.com>,
    rsmith.remove@triad.rr.remove.com says...
    > I finally purchased a hardware firewall (Netgear FVS318). A lot of
    > helpful people in the group suggested I go hardware to free some
    > resources and cycles. However, I have seen some people that use BOTH
    > H/W and S/W firewall. I scanned my system with ShieldsUp! and found
    > everything is stealth. My question is:
    >
    > Do I still need a software firewall with this hardware one installed?

    In general I would say that you don't need the PC based personal
    firewall application, but since most users are unable to manage their
    machines you may want to keep using it.

    If your router, and that's what it is, not a real firewall, has logging
    ability, and you can run a real-time capture program that will let you
    watch the in/out bound traffic by IP/Port, and if you check it
    frequently, then you really don't need to bother with the local copy on
    your PC.

    In the early days, when I was using a NAT device, I never had any
    problems, but I used WallWatcher as a means to monitor what was entering
    and leaving my network, it was an invaluable tool in the overall scheme
    of network protection.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
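
The log review suggested in the reply above (watching in/out traffic by IP and port), as an added example that is not part of the original thread: outbound entries are compared against a baseline of expected services and dropped inbound probes are listed. The log line format, the baseline and all addresses are constructed; this is not the FVS318's or WallWatcher's actual output.

```python
import re
from collections import Counter

# Constructed sample log; one malformed line is included on purpose.
LOG = """\
2004-07-30 17:01:12 OUT TCP 192.168.0.2:1034 -> 198.51.100.10:80
2004-07-30 17:01:15 OUT UDP 192.168.0.2:1035 -> 192.0.2.53:53
2004-07-30 17:02:03 OUT TCP 192.168.0.3:1101 -> 198.51.100.25:25
2004-07-30 17:03:44 OUT TCP 192.168.0.3:1102 -> 203.0.113.66:6667
2004-07-30 17:03:50 OUT TCP 192.168.0.3:1103 -> 203.0.113.66:6667
2004-07-30 17:05:40 IN TCP 203.0.113.7:4312 -> 192.168.0.2:135 DROP
garbled line
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)(?P<drop> DROP)?$"
)

# Assumed baseline of outbound services this network expects to use.
EXPECTED_OUT = {("TCP", 80), ("TCP", 443), ("TCP", 25), ("TCP", 110), ("UDP", 53)}

def parse(log):
    """Turn log text into event dicts, skipping lines that do not match the format."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["drop"] = e["drop"] is not None
        events.append(e)
    return events

def unexpected_outbound(events, expected=EXPECTED_OUT):
    """Count outbound flows per (internal host, destination, port) outside the baseline."""
    hits = Counter()
    for e in events:
        if e["dir"] == "OUT" and (e["proto"], e["dport"]) not in expected:
            hits[(e["src"], e["dst"], e["dport"])] += 1
    return hits

def dropped_inbound(events):
    """List (source, destination port) of inbound attempts the device dropped."""
    return [(e["src"], e["dport"]) for e in events if e["dir"] == "IN" and e["drop"]]

if __name__ == "__main__":
    ev = parse(LOG)
    print(unexpected_outbound(ev))
    print(dropped_inbound(ev))
```

This view is keyed on IP and port only, so it shows which internal host talked to an unexpected port but not which program on that host sent the traffic.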
  8.

    In article <IizOc.60438$eM2.11183@attbi_s51>, optikl@invalid.net says...
    > Andrew Rossmann wrote:
    >
    > > Just remember that just blocking data ports alone doesn't cut it these
    > > days. With spyware, adware, trojans, etc. you need help on actual program
    > > control.
    > >
    > You're correct, assuming he can't control himself or his computing
    > environment. Let's hope that's not the case.

    The problem is, with viruses now being backdoors in disguise, and holes
    in Windows and IE being found every day, you need all the help you can
    get. Even if you practice safe computing, you never know if even a valid
    web site hasn't been hacked and tries to download something.

    --
    If there is a no_junk in my address, please REMOVE it before replying!
    All junk mail senders will be prosecuted to the fullest extent of the
    law!!
    http://home.att.net/~andyross
  9.

    Andrew Rossmann wrote:
    > In article <IizOc.60438$eM2.11183@attbi_s51>, optikl@invalid.net says...
    >
    >>Andrew Rossmann wrote:
    >>
    >>
    >>> Just remember that just blocking data ports alone doesn't cut it these
    >>>days. With spyware, adware, trojans, etc. you need help on actual program
    >>>control.
    >>>
    >>
    >>You're correct, assuming he can't control himself or his computing
    >>environment. Let's hope that's not the case.
    >
    >
    > The problem is, with viruses now being backdoors in disguise, and holes
    > in Windows and IE being found every day, you need all the help you can
    > get. Even if you practice safe computing, you never know if even a valid
    > web site hasn't been hacked and tries to download something.
    >

    Yes, web-sites can contain malicious content. But, safe computing is a
    regimen. It's not a state one attains by loading up on AV, AT and ASW
    utilities and PFW/IDS programs. It's about making good decisions, which
    means relying on grey matter rather than code.
  10.

    On Fri, 30 Jul 2004 20:30:26 GMT, the right honourable "Robert Smith"
    <rsmith.remove@triad.rr.remove.com> wrote:

    >I finally purchased a hardware firewall (Netgear FVS318). A lot of
    >helpful people in the group suggested I go hardware to free some
    >resources and cycles. However, I have seen some people that use BOTH
    >H/W and S/W firewall. I scanned my system with ShieldsUp! and found
    >everything is stealth. My question is:
    >
    >Do I still need a software firewall with this hardware one installed?
    >
    >Thanks in advance!!!
    >
    >- Robert Smith


    A HW firewall will generally not look at the data content of packets.
    Only at port numbers, protocol types, packet states, interfaces, MAC
    addresses, traffic direction and such low-level things.

    It can't, because by design, they have to be OS independent.
    (at OSI-Transport or Network layer ?)
    Behind the HW firewall there can be linux systems, or IBM AS400
    computers, for which a PC backdoor program with extension can be
    totally harmless.
    What is harmful on one OS, is harmless on another.


    Only an OS aware FW **PROGRAM** can then determine the danger, ON the
    machine with **THAT** OS.

    Maybe there are HW Windows FW's but I dunno... You'd have to buy a new
    FW when upgrading Windows... yuk !!

    So behind the HW FW, you need a SW FW, a virusscanner, and spyware
    removal. All up to date.

    frgr
    Erik
  11.

    In article <uv6ng0t6drso30c5bs6hbs2lcb62vviiql@4ax.com>, Erik <et57 at
    correos calor dot com> says...
    > A HW firewall will generally not look at the data content of packets.
    > Only at port numbers, protocol types, packet states, interfaces, MAC
    > addresses, traffic direction and such low-level things.

    There are quite a number of real firewalls that inspect the contents,
    remove attachments by type, remove scripting, remove cookies, create
    alias names, etc....


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  12.

    In article <ElNOc.189572$%_6.157792@attbi_s01>, optikl@invalid.net says...
    > Andrew Rossmann wrote:
    > > In article <IizOc.60438$eM2.11183@attbi_s51>, optikl@invalid.net says...
    > >
    > >>Andrew Rossmann wrote:
    > >>
    > >>
    > >>> Just remember that just blocking data ports alone doesn't cut it these
    > >>>days. With spyware, adware, trojans, etc. you need help on actual program
    > >>>control.
    > >>>
    > >>
    > >>You're correct, assuming he can't control himself or his computing
    > >>environment. Let's hope that's not the case.
    > >
    > >
    > > The problem is, with viruses now being backdoors in disguise, and holes
    > > in Windows and IE being found every day, you need all the help you can
    > > get. Even if you practice safe computing, you never know if even a valid
    > > web site hasn't been hacked and tries to download something.
    > >
    >
    > Yes, web-sites can contain malicious content. But, safe computing is a
    > regimen. It's not a state one attains by loading up on AV, AT and ASW
    > utilities and PFW/IDS programs. It's about making good decisions, which
    > means relying on grey matter rather than code.

    But can you fully trust even a big-name site? How can you guarantee they
    are being smart and have their security up-to-date?

    --
    If there is a no_junk in my address, please REMOVE it before replying!
    All junk mail senders will be prosecuted to the fullest extent of the
    law!!
    http://home.att.net/~andyross