New Hardware Firewall Suggestions?

[Larry_OHF]

I find myself in need of replacing my hardware firewall.
I wanted to see what the popular opinion wants to lead me toward.
Keep in mind I only surf the net at this time, but someday (soon I hope) I'll be getting back into online gaming.

[dplax]

If you only surf online then, in my opinion, you don't really need a hardware firewall, a software one being more than enough with a proper antivirus next to it.

As for hardware firewalls, the only one I've had more than just simple experience with was one of Arkoon's (french company, but they are supposed to sell for international customers too). It was configurable in-depth, but you needed to know what you were doing.

[Froberg]

I haven't seen any home users requiring more than the firewall included in XP and Vista.

[Larry_OHF]

I am surprised by these responses. For years, I've used both hardware and software firewalls after a techie friend of mine suggested it to me (college graduate in computers, not just another enthusiast like me). I've read more than one tech-related website that suggests that anybody with broadband connection should have both for the best protection. Since I do ALL of my finances online, it is vital that I keep the highest level of safety.

[Bungleau]

What's your internet connection? Dial-up, broadband, or something else?

My suggestion... a simple Linksys gateway/router will do the trick. Set it up between your computer and your modem, activate NAT, and you cover almost everything coming in from outside. And if you're gaming on-line, you can open up a hole for your gaming connection.

You still need a software firewall to cover things from the inside trying to get out. Hardware firewalls won't do that... they just stop it from getting in. I also wouldn't go with just a software firewall, either. Having a hardware firewall adds one more layer, making it harder for the average person to get in to your system.

My Linksys wireless router (WRT54G) serves as wireless access point, DHCP server, firewall, and probably a couple more things. I haven't had to touch it in a while, so I don't pay as much attention to it. Lots of protection without realizing that it's there, and inexpensive as well... looks like $45 on-line.

[dplax]

Nowadays a software firewall can do most of what a hardware one does. (NAT being one notable exception) Obviously the hardware firewall is a dedicated box, so it doesn't put any strain on the PC's resources. But then again, it does cost a lot more.

Even free software firewalls nowaday do packet filtering, can be configured to act differently for certain IP addresses/zones for certain ports, for certain applications. They have attack detection algorithms, etc...along with a decent antivirus and antispyware program you don't need anything more.

Apart from 0-day vulnerabilities nothing can get through a properly updated firewall + antivirus (barring user interaction...a user can always mess up their own PC) and 0-day vulnerabilities usually get through a hardware firewall too. So if you are careful and don't go to dubious websites, surf safe, etc... you will be safe with a simple software firewall + anti-stuff.

I'm not saying that hardware firewalls are bad. On the contrary they are better than a software firewall in that they don't hog system resources. But in the case of a home network with maybe 2-3 PCs on it a HW firewall isn't worth the investment.


And on the subject of using HW firewall and SW firewall: the SW firewall is mostly overkill. Supposing that the HW firewall does its job properly, the only stuff the SW firewall would protect you against would be other PCs in your local network. Supposing those are also protected by the HW firewall you don't
really need the SW firewall. Of course it helps in containing a virus, should one get onto one of the local machines, but in the case of the right setup that shouldn't happen.

[dplax]

Quote:

Originally Posted by Bungleau You still need a software firewall to cover things from the inside trying to get out. Hardware firewalls won't do that... they just stop it from getting in.

Are you sure of that? I've seen HW firewalls that could do outbound filtering. (stuff like blocking Adobe Reader from "phoning home" for updates)

Quote:

I also wouldn't go with just a software firewall, either. Having a hardware firewall adds one more layer, making it harder for the average person to get in to your system.

That's true, but usually a system doesn't get compromised because of the firewall, but because of an unpatched flaw in some program. For example when the JPG header exploit came out (already patched in Windows) it didn't matter how many firewalls you had, the attack would get through.

Of course if someone is trying to force their way into your system and you add a Unix-based HW firewall which they have to also hack through before getting in they'll have a harder job. But if someone really wants to get in they will, no matter the number of firewalls. Except hacking a home computer this way simply isn't worth their while. It would take longer than sending out a couple thousand booby trapped emails where you know that at least someone will click on the link...

[Bungleau]

You got me thinking, dplax.... so I just checked the settings on my Linksys. And while other hardware firewalls may have protection for keeping things on the inside, I couldn't find a way in mine to be able to limit individual applications. I mean, I *could* limit them by port number, but there was no easy way I saw to be able to say that Firefox is allowed out while Safari is not. That's not a knock on Safari, BTW... I just don't run it, so if it wants out, something's wrong...

And yes, blind assumptions that a firewall (any firewall, HW or SW) will protect you against everything are foolish. As I'm fond of saying, locks are there to keep honest people honest. The more you have, the quicker someone is going to try to break into another computer since this one's too much work.

That being said, some people have nothing better to do than to try to break into a computer that seems to be well-hidden...

[dplax]

Filtering by ports and addresses is what I meant for outbound filtering on a hardware firewall. There's no easily available way for a hardware firewall to know whether a request to get a web page comes from one web browser or another. However you can leave just a select few ports open on a HW firewall and even then control what type of requests go through there through protocol analysis. There is no need to let FTP-type traffic through on port 80...

[Bungleau]

True enough... and in my house, I'm the only one who could understand why FTP traffic on port 80 would be bad... but everyone can understand that Firefox and Thunderbird are allowed out, and everything else shouldn't be, unless they clear it with me