Firewalls and routers

  • Thread starter: Dave Turner
I have installed a D-Link router for my home net, and I have a question
about firewalls that is not in the book from D-Link;

When I configure the firewall that is internal in the router, should I
then disable windows firewall? It's confusing, because if I stayed with
windows firewall (or any 3rd party firewall) it would have to be enabled
on each machine on the net. Having it in the router would then cover
everything on the net, right (or wrong)?

Thanks in advance for any advice...

Dave
 
The D-Link firewall will protect your network from attacks outside your
network. But if one of the computers in your network gets infected anyway,
the D-Link firewall is powerless to stop it from spreading to the other
computers in your network.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Dave Turner" <dlturner@MyPlace.net> wrote in message
news:0H4yi.4272$i75.1498@newssvr19.news.prodigy.net...
>I have installed a D-Link router for my home net, and I have a question
>about firewalls that is not in the book from D-Link;
>
> When I configure the firewall that is internal in the router, should I
> then disable windows firewall? It's confusing, because if I stayed with
> windows firewall (or any 3rd party firewall) it would have to be enabled
> on each machine on the net. Having it in the router would then cover
> everything on the net, right (or wrong)?
>
> Thanks in advance for any advice...
>
> Dave
 
Steve Riley [MSFT] wrote:
> The D-Link firewall will protect your network from attacks outside your
> network. But if one of the computers in your network gets infected
> anyway, the D-Link firewall is powerless to stop it from spreading to
> the other computers in your network.
>

Steve,
thanks for the reply.
From your answer, can I assume that each machine should continue to
have its own firewall to protect it from the other computers on the LAN?
 
That's my preferred configuration, yes. Especially if any of them are
laptops. Mobility adds a new twist to traditional approaches to network
defense. When your laptop isn't connected to your LAN, then the host
firewall is your _only_ choice for protecting the machine from everyone else
using the same hotel/airport lounge/whatever network you're on. Say you
inadvertently open an email with attached malware while you're bored at the
hotel and you get infected with something. Then after you fly home tomorrow,
having the host firewall on your other computers will protect them from your
(now malicious) laptop.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Dave Turner" <dlturner@MyPlace.net> wrote in message
news:vw5yi.18555$eY.13704@newssvr13.news.prodigy.net...
> Steve Riley [MSFT] wrote:
>> The D-Link firewall will protect your network from attacks outside your
>> network. But if one of the computers in your network gets infected
>> anyway, the D-Link firewall is powerless to stop it from spreading to the
>> other computers in your network.
>>

> Steve,
> thanks for the reply.
> From your answer, can I assume that each machine should continue to have
> its own firewall to protect it from the other computers on the LAN?
 
Steve Riley [MSFT] wrote:
> That's my preferred configuration, yes. Especially if any of them are
> laptops. Mobility adds a new twist to traditional approaches to network
> defense. When your laptop isn't connected to your LAN, then the host
> firewall is your _only_ choice for protecting the machine from everyone
> else using the same hotel/airport lounge/whatever network you're on. Say
> you inadvertently open an email with attached malware while you're bored
> at the hotel and you get infected with something. Then after you fly
> home tomorrow, having the host firewall on your other computers will
> protect them from your (now malicious) laptop.
>

Steve,
thanks again...
sometimes it's hard to know what to do. The rule of thumb is to only
have one firewall running, but I guess that means one firewall per.

Dave
 
> sometimes it's hard to know what to do. The rule of thumb is to only have
> one firewall running, but I guess that means one firewall per.
>


For the record, the rule regarding one firewall refers to personal software
firewalls running on the computer. Additional firewalls on the network,
such as the one in your router, don't count in the "one firewall rule" <g>.
 
"Victek" <Victek@xyz.com> wrote in message
news:eTggGSu4HHA.3940@TK2MSFTNGP05.phx.gbl...
>> sometimes it's hard to know what to do. The rule of thumb is to only have
>> one firewall running, but I guess that means one firewall per.
>>

>
> For the record, the rule regarding one firewall refers to personal
> software firewalls running on the computer. Additional firewalls on the
> network, such as the one in your router, don't count in the "one firewall
> rule" <g>.


I agree about the differences between a firewall running in a hardware
solution protecting a network, as opposed to a host based FW running on the
computer protecting the computer. There is no conflict there, because the
solutions are running on two different devices.
 
I just got my first laptop and router. I am on the internet at home via the
router which is connected to my cable modem. When taking my laptop
elsewhere, I have a Verizon network card.

I've heard, for years, that if you have a router, you don't need a firewall.
I never understood why. I suspected that the hardware of a router must be
such that people couldn't access my machine through it. Now you folks
mention a firewall (software, I guess) in the router. How do I know if I
have one in mine? It is a Buffalo Air Station Wireless G High Power model
WHR-HP-054. I don't remember turning it on or setting it up when I installed
the thing. Does my router have a firewall? Right now the laptop has
Norton Internet Security using that firewall (not the MS one) and that
antivirus. I'm planning on installing Zone Alarm free version and a free
anti-virus onto the laptop in a week or two when the Norton subscription
runs out. Does that sound reasonable? I run Vista Home Premium.

Thanks.

Chet

"Mr. Arnold" <MR. Arnold@Arnold.com> wrote in message
news:uGptEqv4HHA.5424@TK2MSFTNGP02.phx.gbl...
>
> "Victek" <Victek@xyz.com> wrote in message
> news:eTggGSu4HHA.3940@TK2MSFTNGP05.phx.gbl...
>>> sometimes it's hard to know what to do. The rule of thumb is to only
>>> have one firewall running, but I guess that means one firewall per.
>>>

>>
>> For the record, the rule regarding one firewall refers to personal
>> software firewalls running on the computer. Additional firewalls on the
>> network, such as the one in your router, don't count in the "one firewall
>> rule" <g>.

>
> I agree about the differences between a firewall running in a hardware
> solution protecting a network, as opposed to a host based FW running on
> the computer protecting the computer. There is no conflict there, because
> the solutions are running on two different devices.
>
 
"Chet" <nospam@nospam.net> wrote in message
news:u35IgI44HHA.1164@TK2MSFTNGP02.phx.gbl...
>I just got my first laptop and router. I am on the internet at home via
>the router which is connected to my cable modem. When taking my laptop
>elsewhere, I have a Verizon network card.
>
> I've heard, for years, that if you have a router, you don't need a
> firewall.


A host based software solution like ZA is not a FW. A FW separates two
networks and sits at the junction point between the two networks, which are
usually the WAN (Wide Area Network)/Internet it's protecting from and the
network it's protecting, the LAN (Local Area Network). A FW must have two
interfaces. One or more interfaces that face the WAN and one or more
interfaces that face the LAN.

In the case of a network FW that is a software solution running on a gateway
computer, the gateway computer will have one or more Network Interface Cards
(NICs) that face the WAN and one or more NICs that face the LAN.

A solution like ZA and others that fall into that category are machine level
packet filters that protect at the machine level. They do not separate two
networks.

A FW device using FW software in the solution will fall into the definition
of (What does a FW do?) that is being explained in the link below. Yes, a
FW router, a FW appliance and FW that is a host based software solution
running on a gateway computer will fall into that definition.

http://www.vicomsoft.com/knowledge/reference/firewalls1.html

A FW of the type above will be able to stop inbound and outbound traffic
with the WAN, but it can also stop inbound and outbound traffic on the LAN
between machines.

> I never understood why. I suspected that the hardware of a router must be
> such that people couldn't access my machine through it. Now you folks
> mention a firewall (software, I guess) in the router. How do I know if I
> have one in mine? It is a Buffalo Air Station Wireless G High Power
> model WHR-HP-054. I don't remember turning it on or setting it up when I
> installed the thing. Does my router have a firewall? Right now the
> laptop has Norton Internet Security using that firewall (not the MS one)
> and that antivirus. I'm planning on installing Zone Alarm free version
> and a free anti-virus onto the laptop in a week or two when the Norton
> subscription runs out. Does that sound reasonable? I run Vista Home
> Premium.


Your router comes closer to the definition of being a FW, because of the two
interfaces it has of WAN and LAN ports. It may even be running SPI. But is
it running FW software? You'll have to make that determination.

Here is another link that may help you in the determination.

http://www.more.net/technical/netserv/tcpip/firewalls/

For a router that cannot stop outbound traffic, some use something like ZA
or even Vista's FW/packet filter to stop outbound traffic, and I am not
talking about Application Control in some of these solutions. I am talking
about setting a FW rule to stop outbound traffic from leaving the computer
to a LAN or WAN IP.

If I have a computer such as a laptop that's connected to a foreign LAN like
a wireless cafe or the computer has a direct connection to a modem, like a
dial-up, BB or DSL modem, which is a direct connection to the Internet - no
router or other such device between the computer and the modem, then the
laptop is running Vista's FW/packet filter or some 3rd party packet filter
like ZA to protect the machine.

When the laptop is on my LAN protected by a FW appliance, its packet
filter/FW is disabled, along with the rest of the machines having their
packet filter/FW(s) disabled, both MS and Linux machines. They are not needed
in my case in this situation.

You'll have to make the determination of not running the packet filters on
machines behind your router.
 
>I just got my first laptop and router. I am on the internet at home via
>the router which is connected to my cable modem. When taking my laptop
>elsewhere, I have a Verizon network card.
>
> I've heard, for years, that if you have a router, you don't need a
> firewall. I never understood why. I suspected that the hardware of a
> router must be such that people couldn't access my machine through it.
> Now you folks mention a firewall (software, I guess) in the router. How
> do I know if I have one in mine? It is a Buffalo Air Station Wireless G
> High Power model WHR-HP-054. I don't remember turning it on or setting it
> up when I installed the thing. Does my router have a firewall? Right
> now the laptop has Norton Internet Security using that firewall (not the
> MS one) and that antivirus. I'm planning on installing Zone Alarm free
> version and a free anti-virus onto the laptop in a week or two when the
> Norton subscription runs out. Does that sound reasonable? I run Vista
> Home Premium.
>


Push the Vista orb (what used to be the Start button) select RUN. Then type
CMD and push <enter>. You should then have a black command window (that
looks a lot like an old DOS window). At the prompt type ipconfig. This
will reveal your computer's IP address, and also the Gateway IP which will
likely be something like "192.168.1.1". Then open Internet Explorer and type
that gateway IP address into the address bar like this:

http://xxx.xxx.xxx.xxx (put your real numbers in place of the xxx's)

This will open the router interface where you will see many interesting
settings including firewall settings (if your router has one built-in). By
the way, a router provides some protection by hiding your private IP address
from the internet. That's why some people say "if you have a router you
don't need a firewall". I wouldn't rely exclusively on a router though. If
the router has firewall features then turn them on and use ZoneAlarm on the
computer too. Hope this is clear enough.
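
The check described in this thread, as an added example that is not part of any poster's message: it finds the default gateway (the address the ipconfig step reveals) and reports whether the host firewall is on and blocking inbound traffic for each network the machine is currently attached to, which is what matters for a laptop on a hotel or airport network. It assumes Windows 8 / Server 2012 or later, where these cmdlets ship with the OS; on Vista, `ipconfig` and `netsh advfirewall show allprofiles` give the same information.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later,
# where the NetTCPIP, NetConnection and NetSecurity modules ship with the OS.

# Default gateway(s): the same address the ipconfig step reveals, i.e. the
# router whose web interface holds the network firewall settings.
$gateways = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric |
    Select-Object -ExpandProperty NextHop -Unique

# Effective (ActiveStore) host firewall settings for the three profiles.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore

# Map each connected network to the firewall profile that governs it.
$report = foreach ($conn in Get-NetConnectionProfile) {
    $category = $conn.NetworkCategory.ToString()
    # The network category "DomainAuthenticated" uses the "Domain" profile.
    $profileName = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { $category }
    $fw = $profiles | Where-Object { $_.Name -eq $profileName }

    $enabled       = "$($fw.Enabled)" -eq 'True'
    $blocksInbound = "$($fw.DefaultInboundAction)" -eq 'Block'
    $verdict       = if ($enabled -and $blocksInbound) { 'host firewall active' } else { 'NOT protected from other machines on this network' }

    [pscustomobject]@{
        Interface     = $conn.InterfaceAlias
        Network       = $conn.Name
        Category      = $category
        FirewallOn    = $enabled
        BlocksInbound = $blocksInbound
        Verdict       = $verdict
    }
}

"Default gateway(s): $($gateways -join ', ')"
$report | Format-Table -AutoSize
```

A network listed with Category `Public` is the hotel/airport case from the thread: no router of yours sits in front of the machine there, so the Verdict column is the only protection being reported.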
 
Thanks, Victek and Mr. Arnold. I learned a lot from your replies.

Chet
 
He'll also have to know the password for his router. There are websites
with router default passwords for most routers.
 
Chet wrote:
> Thanks, Victek and Mr. Arnold. I learned a lot from your replies.
>
> Chet
>

I have learned a lot too. Thanks guys!
Dave
 