Are both PC and router firewalls necessary?

Topic

New Reply

	LANGALIST PLUS Are both PC and router firewalls necessary?
	By Fred Langa Running two firewalls — in Windows and in a router — might seem redundant, but there are good reasons to do so. Plus: Security concerns about Windows Error Reporting, advice on differential copying/synching software, and getting a balky browser add-in to work.

---

The full text of this column is posted at windowssecrets.com/langalist-plus/are-both-pc-and-router-firewalls-necessary/ (paid content, opens in a new window/tab).

Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

[/tr][/tbl]

Reply | Quote

Replies

Hi Fred,

Another good, simple, free backup tool that will do what Keith Pauli is looking for is Genie Timeline. My family uses the free version and it works great. It backs up our files to a shared NAS drive. The files are there to access easily if you like and on the host PC it allows you to right click a file and pick from multiple prior versions if you want to restore. It runs in the background and backs up the files when you change them keeping you constantly backed up. Very easy to use, pretty much set it up and forget it.

Kevin

Reply | Quote

Hi Fred,

When you state “If malware is trying to phone home, you’ve already lost the battle! Your PC is infected and might already be thoroughly compromised.”, you overlook the fact that if the PC is infected the user is probably unaware of it and a firewall requesting permission for an outgoing attempt will, if nothing else, act as a notification of this infection. I think this makes the addition of outbound blocking a very useful addition to any security set up.

Ken

Reply | Quote

Fred,
Two excellent freewares are:
For sync- Freefilesync
For backup- Cobian Backup

Reply | Quote

Lastpass is also a great password manager. I switched from Roboform to it and have never looked back.

Reply | Quote

Hello Thread:

Out of interest my ISP provided me with a “new” modem/router combo. It is a Hitron Technologies CGN2-ROG.

It has a H/W firewall with many choices to be made. My problem is it uses different terminology than my software firewall.

Has anybody here got any links for this product or advice.

Reply | Quote

Another excellent sync tool is syncback from 2brightsparks.com They have a freeware version, but I prefer the SyncbackSE version which is around $30 as it will sync to a named backup. For instance I have two external USB harddrives that I have names Black750. Syncback syncronizes my data to the drive overnight but it can do it more frequently. It will even use named folders like day of week. For my libraries I just keep one copy, but for my active data I have a Sunday, Monday, Tuesday, etc copies. I swap the drives every Sunday with one going offsite. Because the drives are named the same the program just keeps working everynight as configured. I now have 14 days of backups of my active data at all times and two copies of my libraries (like music, photos, and software downloads). The only thing I have to do is remember to swap the drives on Sunday which is how I configured it. Syncback has many other capabilities as well such as copying file security info, compression, etc. All for a very reasonable price.
Jim Nealand
Kennesaw, GA

Reply | Quote

The router is a hardware firewall protecting against flawed incoming packets. Some can be programmed to filter packets as well.
They cannot be curupted by malware like a software firewall.They also protect all pc’s on the LAN some of those users have no firewall.

However, a software firewall can be used to control outbound packets and incoming and give the u.ser control over which applications can access the www. As well you can block certain protocols that you don’t need that would only be used if say you were a server.

On my software FW I have an extensive ip block list. If I take the notebook to another location the protection of the home router is lost but the software FW is still working.

So we need both.

Reply | Quote

The router is a hardware firewall protecting against flawed incoming packets. Some can be programmed to filter packets as well.
They cannot be curupted by malware like a software firewall.They also protect all pc’s on the LAN some of those users have no firewall.

However, a software firewall can be used to control outbound packets and incoming and give the u.ser control over which applications can access the www. As well you can block certain protocols that you don’t need that would only be used if say you were a server.

On my software FW I have an extensive ip block list. If I take the notebook to another location the protection of the home router is lost but the software FW is still working.

So we need both.

Need is subjective. I’ve been running happily for a long time without a software firewall. Personally, I think they cause more problems than they fix. The first thing I do when I get a PC to repair is to disable any software firewalls. I’ve never run across a case where a software firewall caught a problem that wasn’t evident from other symptoms.

Jerry

Reply | Quote

Need is subjective. I’ve been running happily for a long time without a software firewall. Personally, I think they cause more problems than they fix. The first thing I do when I get a PC to repair is to disable any software firewalls. I’ve never run across a case where a software firewall caught a problem that wasn’t evident from other symptoms.

Jerry

Hi Jerry:

My on line banking service REQUIRES me to have among other security tools a Firewall.

Reply | Quote

I’ve never heard of that. In addition to the Windows Firewall and a router firewall? How can they check?
Can you give me a web site reference to this requirement.
Jerry

Reply | Quote

I’ve never heard of that. In addition to the Windows Firewall and a router firewall? How can they check?
Can you give me a web site reference to this requirement.
Jerry

Firewalls prevent hackers want your identity. In my view it is “reckless” not to have one and both are better. The fact that you have not been caught yet does not prove you don’t need one. I’m glad you are safe so far.

Well I’m not going to id my bank on a public forum. But here copy/pasted is the relevant section. It doesn’t say both h/w and s/w but FW is available user must activate it for on line security agreement to hold.

15.Security. (a) You must always keep your Passwords and Personal Verification Questions strictly confidential. You must not disclose your Passwords or Personal Verification Questions to anyone. If you know or think that someone may know your Passwords or Personal Verification Questions, you must tell us immediately and you must change your Passwords or Personal Verification Questions, as applicable, immediately. Your obligations under this Section 15(a) are subject to the sole exception set out in Section 15(b) below. You must select an e-Transfer Question and Answer known only to the person intended to receive your e-Transfer. You must not disclose an e-Transfer Question and Answer to anyone other than the person intended to receive your e-Transfer and as set out in Part E, Section 7 and as we may further instruct you.

(b) You may choose to share your Password with an Aggregator. If you share your Password with an Aggregator, you understand that (i) we will not help the Aggregator in any way and will not be responsible for the information retrieved by the Aggregator; (ii) we will not be responsible to you for any losses that may result from you sharing your Password, using the Aggregation Service or using a Third Party Account Aggregation Service; (iii) you are responsible to review the security and privacy standards of the Aggregator and to determine what your liability will be in connection with the Third Party Account Aggregation Service; (iv) you will change your Password immediately when you end the Third Party Account Aggregation Service; and (v) we have the right to prevent Aggregators from accessing your Accounts.

(c) Your Passwords, Personal Verification Questions and e-Transfer Question and Answer must be unique and not easily guessed or obtained by others, including not using the birth date or name of you or a family member, your telephone number, social insurance number, or sequential numbers such as “1234”. You must not select a Password that is the same as any personal identification number (PIN) you use with a client card or credit card issued to you.

(d) For the Services, the security of your information depends on you using safe practices. You agree that when using the Services, you will take all steps necessary to make sure that you do not reveal any confidential information to anyone, other than through the Services for the purpose of the transaction. This includes making sure that other people cannot see the screen or key pad on your Electronic Access Device or cannot hear your call, as applicable. In addition:
i) There are sections on our websites about how you can make Online Banking more secure and about how we make Online Banking more secure. You must read these sections regularly;
ii) You must sign out after each Online Banking session to prevent anyone else from accessing your Online Banking;
iii) You must not leave your Electronic Access Device unattended while logged into Online Banking or while making Mobile Payments and you must use reasonable steps and precautions to protect your Electronic Access Device against loss or theft; and
iv) You agree to implement and maintain reasonable security measures which include up-to-date virus scanning software and a firewall system, if such security measures are available for your Electronic Access Device.

(e) You will notify us immediately if you become aware of any unusual, suspicious or fraudulent activity in an Account.

(f) You agree to comply with any additional security requirements that we may require in connection with the Services.

Reply | Quote

Nothing in there says the Windows Firewall along with a router hardware firewall isn’t sufficient.

Firewalls prevent hackers want your identity. In my view it is “reckless” not to have one and both are better. The fact that you have not been caught yet does not prove you don’t need one. I’m glad you are safe so far.

I don’t believe an additional software firewall adds anything to protecting against identity theft but that’s just my opinion. As I stated before, I haven’t run acroos a case in a client computer that had a software firewall that detected any malware without other symptoms. I have run into several cases where the firewall prevented normal operation which is why my personal belief is they are more trouble than they are worth.

If you feel more comfortable with a software firewall, its not my place to recommend otherwise.

Jerry

Reply | Quote

Nothing in there says the Windows Firewall along with a router hardware firewall isn’t sufficient.

I don’t believe an additional software firewall adds anything to protecting against identity theft but that’s just my opinion. As I stated before, I haven’t run acroos a case in a client computer that had a software firewall that detected any malware without other symptoms. I have run into several cases where the firewall prevented normal operation which is why my personal belief is they are more trouble than they are worth.

If you feel more comfortable with a software firewall, its not my place to recommend otherwise.

Jerry

Like you I have hit clients who have poorly implemented security. I’ve seen cases where they have 2 suites installed one that came with the box the pc came with and the second one by a well meaning helper. So they had 2 AV’s 2 FW’s 2 HIPS etc.

If user doesn’t know how to setup and manage a firewall and it’s rules then yes issues are certain. Sort of like a plummer doing brain surgery.

HIPS is not a FW
Backup is not a FW
AV is not a FW

All those have value but should NOT be confused with a FW.

A FW blocks problems from the web the others deal with them AFTER they have arrived on your setup.

Reply | Quote

Need is subjective. I’ve been running happily for a long time without a software firewall. Personally, I think they cause more problems than they fix. The first thing I do when I get a PC to repair is to disable any software firewalls. I’ve never run across a case where a software firewall caught a problem that wasn’t evident from other symptoms.

Jerry

Indeed it is. Some people don’t use AVs and don’t get infected (which shows nothing, really). Some people do not use seat belts. It’s all a matter of finding the balance between security and what you are willing to give away to achieve it.

Reply | Quote

Need is subjective.

Indeed.

If we are including Windows Firewall I utilise this to completely block 1 PC on my LAN from my own PC as I know the user to be reckless whilst on the internet.

Reply | Quote

Nothing in there says the Windows Firewall along with a router hardware firewall isn’t sufficient.

Firewalls prevent hackers want your identity. In my view it is “reckless” not to have one and both are better. The fact that you have not been caught yet does not prove you don’t need one. I’m glad you are safe so far.

I don’t believe an additional software firewall adds anything to protecting against identity theft but that’s just my opinion. As I stated before, I haven’t run across a case in a client computer that had a software firewall that detected any malware without other symptoms. I have run into several cases where the firewall prevented normal operation which is why my personal belief is they are more trouble than they are worth.

If you feel more comfortable with a software firewall, its not my place to recommend otherwise.

Jerry

Reply | Quote

I have run into several cases where the firewall prevented normal operation which is why my personal belief is they are more trouble than they are worth.

If you feel more comfortable with a software firewall, its not my place to recommend otherwise.

Jerry

So what about AVs that cause problems? Or other apps?

Sorry Jerry, blanket statements aren’t adequate in any case, and that includes software firewalls. What’s more, with software firewalls that offer HIPS features, you get protection that could easily fall in the same category as protection offered by anti-malware software. Many 3rd party firewalls offer that and do it in quite an effective way, which, IMHO, puts even more clearly your blanket statement on the spot.

Reply | Quote

But in my opinion, software firewalls don’t enough to justify the possibility of additional problems. Apps and AV programs do. As you say, many AV programs already provide HIPS. The most common source of identity theft is stolen online databases, skimmers and breaking into business wireless networks like the TJMAX case. Stealing from individual PCs is a drop in the bucket compared to these cases. But as I said, its only my personal opinion. We all do what we are most comfortable with.

Jerry

Reply | Quote

I think HIPS (thus not only providing software firewall features) are a great complement to AV apps, since they provide similar types of protection through different mechanisms. Given the fact that no single AV gets all the malware, they are an additional layer that can enhance the overall protection.
As any other apps, there can be issues, but some are quite unobtrusive. My own HIPS goes mostly unnoticed. I have never had an infection, but I am quite happy to have two different direct defense mechanisms against malware.

Reply | Quote

I guess we’ll have to agree to disagree on this issue. I absolutely agree no single program will catch all malware and which one is best changes yearly. I assume we still can be friends.

Jerry

Reply | Quote

I guess we’ll have to agree to disagree on this issue. I absolutely agree no single program will catch all malware and which one is best changes yearly. I assume we still can be friends.

Jerry

LOL, I will think about that…
Ok, maybe, as long as you don’t bring any malware :).

Reply | Quote

Maybe we should defer to a scholarly article in an IT journal? 0:-)

Reply | Quote

Here for the thread/forum is a short list of security hazzards

-Hackers uses many delivery attack vehicles to own your PC
–a)Hacked (evil) websites: uses the following means to infect you
—a.1)old adobe flash
—a.2)old java versions
—a.3)Scripting
—a.4)old unpatched browsers
—a.5)in general: any old, outdated and unpatched browser plugin.
–b)rootkits, are means hackers use to hide his programs; which may include:
—b.1)keyloggers, which uses
—-b.1.1)hooking
—b.2)screen scrapers
—b.3)clipboard loggers
–c)malware, which includes
—c.1)virus are spread by
—-c.1.1)masquerading as a useful program ( trojan ), they can take the form of:
—–c.1.1.1)video codecs
—–c.1.1.2)other useful sounding / commercial programs obtained thru P2P
—-c.1.2)Autorun enabled for USB memory sticks
—-c.2)uses these means to foil on board security software
—–c.2.1)process termination
—–c.2.2)registry access
—c.2)spyware include:
—-c.2.1)username and password logging programs ( specialized keyloggers )
—-c.2.2)web surf address logging, which means
—–c.2.2.1)loss of private data
—–c.2.3)spyware uses memory injection to piggy back on legitimate programs to send out data
—–c.2.4)Launch network enabled process
——c.2.4.1)Human Error in Security Decision(s), where you select ALLOW to the firewall warning
—c.3)adware, that presents pop ups depending where you surf to
—c.4)fake security programs telling you that you need to buy them
—c.5)botnet client, which can be delivered as a trojan, or via a drive by download
—-c.5.1)Human Error in Security Decision(s), where you select ALLOW to the firewall warning
—-c.5.2)Launch network enabled process
—-c.5.3)uses these means to foil on board security software
—–c.5.3.1)process termination
—–c.5.3.2)registry access
–d)phishing emails
—d.1)lures you to bogus websites asking for banking credentials
—d.2)sends you attachments which turns out to be virus, spyware, botnet clients
—d.3)attachments can make use of vulnerable programs like
—-d.3.1)old versions of Adobe Reader
—-d.3.2)old versions of media players
—-d.3.3)unpatched MS Word, Powerpoint etc
–e)direct attacks from the network, which targets
—e.1)windows services
—e.2)network protocols
—e.3)browsers
—e.4)server programs, like IIS, FTP

Reply | Quote

Google can be useful: http://www.hitron-americas.com/products/cgn-2/

Reply | Quote

Google can be useful: http://www.hitron-americas.com/products/cgn-2/

Thanks, got the user manual printed it out and put it in a binder. Well written as well.

BUT the Hitron Technologies CGN2-ROG failed a week after this work was all done.

The ISP replaced it (rented at $8.00 per month) with a CISCO which has a poor manual BUT the router/modem works and hasn’t failed (yet)

CISCO modem DPC3825

Reply | Quote

Good luck with the new router.

Reply | Quote