[CS-FSLUG] Linksys Router Firewall, Windows Security & Backups

Frank Bax fbax at sympatico.ca
Tue Nov 28 08:11:38 CST 2006

At 02:53 AM 11/25/06, Nathan T. wrote:
>I would like your opinions, if I'm behind this router and I keep the
>firmware up to date, do I need to have a firewall on every computer
>as well?

It depends.  Isn't that the usual answer to this type of question?  Know 
how the systems work together, define your security needs, then implement 
software and procedures to protect yourself.  Security is not an on/off 
switch, it's a matter of degrees.

I admin five office site within the county all with LinkSys or D-Link routers.

Once I get a router working, I don't bother with firmware updates; the 
upgrades usually address functionality I don't need/use rather than 
security vulnerabilities.  I've had one case were newer LinkSys firmware 
actually broke my network and I had to downgrade firmware.  At most sites, 
I need the functionality of assigning static ip addresses through the 
router which LinkSys doesn't do, so I've been moving away from that brand 
over time.

Current machine population is about 3 WinXP, 6 SUSE, 50+ Win98.  There is 
no firewall software on the Win98 systems.

Think about what your external firewall/net device does.  The most "normal" 
interaction between a machine on your network and the internet is that the 
local machine initiates some communication with a remote machine on the 
internet and the remote machine provides some response - email, browser, 
etc all work this way.  What is considered "abnormal" is a random machine 
on the internet trying to connect to your machine (unless you are running a 
service like website hosting).  At first glance an instant messaging system 
looks like this type of random request; but in fact when you start your IM 
software, it connects to a central server and the software maintains an 
open connection to that server.  A request from a random machine to chat 
with you goes through the IM server so it is not seen as a random request 
by your machine; it is seen as a response to your initial connection to the 
IM server.

What your firewall/nat device does is remember which pc/apps make a 
connection to the internet and when a response comes back from a remote 
host, that response is forwarded to the correct local system/app.  When the 
router/firewall sees a packet of data from a machine that is not in the 
volatile list of "open" connections, the packet is "blocked".  Therefore, 
another firewall on your WinXP is redundant; although I do leave the 
software enabled on those systems.

The usual argument for continuing to run firewall software behind a 
firewall router is that this config protects you from internal 
attack.  Given the remote possibility that an attack penetrates your 
router/firewall; the damage would be limited to one system if all of them 
had firewalls.  I think this argument is garbage.  If the attacker got into 
one system; the odds are good it could also penetrate other systems with 
same OS and firewall configurations.

My son has occasionally connected his WinXP system directly to the 
internet, bypassing our router.  Random attacks that exploit holes in the 
MS firewall software have been known to cripple his system within hours.

Hope this helps. 

More information about the Christiansource mailing list