[CS-FSLUG] Linksys Router Firewall, Windows Security & Backups
Frank Bax
fbax at sympatico.ca
Tue Nov 28 08:11:38 CST 2006
At 02:53 AM 11/25/06, Nathan T. wrote:
>I would like your opinions, if I'm behind this router and I keep the
>firmware up to date, do I need to have a firewall on every computer
>as well?
It depends. Isn't that the usual answer to this type of question? Know
how the systems work together, define your security needs, then implement
software and procedures to protect yourself. Security is not an on/off
switch, it's a matter of degrees.
I admin five office sites within the county all with LinkSys or D-Link routers.
Once I get a router working, I don't bother with firmware updates; the
upgrades usually address functionality I don't need/use rather than
security vulnerabilities. I've had one case where newer LinkSys firmware
actually broke my network and I had to downgrade firmware. At most sites,
I need the functionality of assigning static ip addresses through the
router which LinkSys doesn't do, so I've been moving away from that brand
over time.
Current machine population is about 3 WinXP, 6 SUSE, 50+ Win98. There is
no firewall software on the Win98 systems.
Think about what your external firewall/net device does. The most "normal"
interaction between a machine on your network and the internet is that the
local machine initiates some communication with a remote machine on the
internet and the remote machine provides some response - email, browser,
etc all work this way. What is considered "abnormal" is a random machine
on the internet trying to connect to your machine (unless you are running a
service like website hosting). At first glance an instant messaging system
looks like this type of random request; but in fact when you start your IM
software, it connects to a central server and the software maintains an
open connection to that server. A request from a random machine to chat
with you goes through the IM server so it is not seen as a random request
by your machine; it is seen as a response to your initial connection to the
IM server.
What your firewall/nat device does is remember which pc/apps make a
connection to the internet and when a response comes back from a remote
host, that response is forwarded to the correct local system/app. When the
router/firewall sees a packet of data from a machine that is not in the
volatile list of "open" connections, the packet is "blocked". Therefore,
another firewall on your WinXP is redundant; although I do leave the
software enabled on those systems.
The usual argument for continuing to run firewall software behind a
firewall router is that this config protects you from internal
attack. Given the remote possibility that an attack penetrates your
router/firewall, the damage would be limited to one system if all of them
had firewalls. I think this argument is garbage. If the attacker got into
one system, the odds are good it could also penetrate other systems with the
same OS and firewall configurations.
My son has occasionally connected his WinXP system directly to the
internet, bypassing our router. Random attacks that exploit holes in the
MS firewall software have been known to cripple his system within hours.
Hope this helps.
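Added example (not part of Frank's post or any router vendor's code): a toy Python model of the stateful NAT/firewall behaviour described above. Outbound connections from the LAN are remembered in a volatile table; an inbound packet is forwarded only when it matches a remembered connection or a port the admin deliberately published (the "website hosting" case), and everything else is dropped. The IM scenario from the post is walked through: the client's connection to the IM server is recorded, the server's later "chat request" arrives as traffic on that connection and is forwarded, while a random internet host probing the router's public address has no entry and is dropped. All addresses, ports and the `PUBLIC_IP`/`LAN_PREFIX` values are constructed for the example.

```python
"""Toy model of a stateful NAT/firewall connection table (constructed example).
Outbound LAN->Internet packets create entries; inbound packets are forwarded
only if they match an entry or a deliberately published port; otherwise dropped."""
from dataclasses import dataclass, replace
from itertools import count

PUBLIC_IP = "203.0.113.7"   # assumed WAN address of the router (documentation range)
LAN_PREFIX = "192.168.1."   # assumed LAN range behind the router


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNatFirewall:
    def __init__(self, published_ports=()):
        self.published = set(published_ports)   # (proto, port) pairs allowed inbound (hosted service)
        self.table = {}    # (proto, nat_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.reverse = {}  # (proto, lan_ip, lan_port, remote_ip, remote_port) -> nat_port
        self._ports = count(40000)              # simple NAT port allocator

    @staticmethod
    def _is_lan(ip):
        return ip.startswith(LAN_PREFIX)

    def handle(self, pkt):
        """Return ('forward', translated_packet) or ('drop', None)."""
        if self._is_lan(pkt.src_ip) and not self._is_lan(pkt.dst_ip):
            # Outbound: remember the connection so the reply can be mapped back.
            rkey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            nat_port = self.reverse.get(rkey)
            if nat_port is None:
                nat_port = next(self._ports)
                self.reverse[rkey] = nat_port
                self.table[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            return "forward", replace(pkt, src_ip=PUBLIC_IP, src_port=nat_port)
        if not self._is_lan(pkt.src_ip) and pkt.dst_ip == PUBLIC_IP:
            # Inbound: only traffic on a remembered connection gets back to the LAN host.
            hit = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
            if hit is not None:
                lan_ip, lan_port = hit
                return "forward", replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
            if (pkt.proto, pkt.dst_port) in self.published:
                return "forward", pkt   # published service; a real router would port-forward it
            return "drop", None         # unsolicited packet from a random internet host
        return "drop", None


def demo():
    """Walk through the IM scenario from the post; returns the verdicts for checking."""
    fw = StatefulNatFirewall()
    # 1. LAN client opens a connection to an IM server (constructed addresses).
    out = Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 5222)
    verdict_out, translated = fw.handle(out)
    # 2. The IM server later relays a chat request on that same connection: forwarded.
    reply = Packet("tcp", "198.51.100.5", 5222, PUBLIC_IP, translated.src_port)
    verdict_reply, delivered = fw.handle(reply)
    # 3. A random internet host probes the router directly: no entry, dropped.
    stray = Packet("tcp", "192.0.2.44", 3333, PUBLIC_IP, 445)
    verdict_stray, _ = fw.handle(stray)
    return verdict_out, verdict_reply, delivered, verdict_stray


if __name__ == "__main__":
    print(demo())
```

The `published_ports` argument is the one place inbound traffic gets through without a prior outbound connection, which is exactly the exposure the post's "unless you are running a service like website hosting" caveat refers to; keep that set empty unless a host behind the router really needs to be reachable.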
More information about the Christiansource
mailing list