Virus?

I can tell everyone a story about this situation as follows.

NTL put cable modem into our area about 3 years ago. I immediately signed up. Cable modem was duly installed. Then my problems began.....

My W2K server randomly restarted. I'm not talking here about a graceful Windows shutdown and restart - it was just as though someone had hit the reset button or power cycled the PC - from Windows to hard reboot instantaneously. Now you see it, now you don't. I was watching the server console when this happened so I know exactly what it looked like - one minute you have a friendly Windows interface looking at you, and an instant later the BIOS is running its self tests.

I purchased two high quality software firewalls (well I thought they were high quality anyway!). Wingate and Conseal. Tried both, did not cure the problem, still got random restarts on the server - which was configured to act as a gateway for the other PCs on the network (two NIC cards). Tried both firewalls together - no dice.

I lost my C: drive as a direct result of this - one time it would not restart, I presume the disk had been scrambled. Fortunately I had done a full backup with Norton Ghost the evening before so it didn't compromise me for more than half an hour (see other thread about backups).

Raised the issue on a technical forum which I had access to. One knowledgeable chap who knows about these things asked for my IP address and we agreed a time - 10pm one evening. At that time he configured his system to attack my IP address (purely in the interests of investigation - it's his day job and he doesn't do this to suckers who aren't expecting it). Sure enough, within 30 seconds of the attack starting (I was watching the cable modem lights buzzing) my server bombed, so guilty party found - it was the cable modem connection allowing some nasties to come in.

Another expert advised that I should buy a Netgear FR314, which is a firewall router. I believe this runs Linux and one of the better known firewalls. From the day it arrived I never again saw a phantom restart, and the FR314's log files show multiple attacks taking place every single day.

For anyone on ADSL Netgear (and other companies) offer a similar device to the FR314 - the latter is for cable modem only.

The main problem with a software firewall installed on a PC (and the reason these didn't work for me) is that before the software firewall has a chance to monitor and intercept the traffic, that traffic has to come into the PC's NIC. And if the attack is designed to attack the NIC then the firewall just won't stop the attack. Cheaper NICs (which I have) aren't very robust to the attacks which take place.

Much better IMHO to have a hardware (or Linux box) firewall sitting on picket duty between the incoming connection and the PC network. That way the PC doesn't get to receive the bad guys - they are stopped at the entrance gate by the hardware firewall.

PoP

Reply to
PoP

Yes of course, but far more complexity and expense. A simple software firewall and a cheapo router gives 100 times more protection than nothing at all.

Reply to
IMM

"Free" and some protection.

Reply to
IMM
[18 lines snipped]

What he said.

There are Linux distros specifically designed for this. Smoothwall is one such.

Reply to
Huge

I find ZA Pro a pretty reasonable software firewall for 'doze boxen; as a networking geek it's a bit tedious to have to fight through a whole load of "advanced" menus to be able to specify simple things like protocol and port numbers, but the per-program control which ZA Pro gives - and in the current version, detailed "real" firewall rules too - gives me a degree of control I feel happy with. Its presets - for the less terminally geeky - seem pretty sound as a starting point.

As Andy Hall points out, running a software-only firewall on top of the leaky bucket which is Windows in its various guises only stops some forms of attack: denial-of-service crud which hits the box before any ZoneAlarm routines have a chance to run will still get through, as will other low-level tricks like overlapping packet fragments (though ZA claims to be able to at least reject fragmented packets). It's safer to have a less known-exploitable device as the first port of arrival for packets from Out There - a hardware firewall and/or a Linux/OpenBSD box running a minimal and up-to-date kernel with routing policy suitably defined, for example. But ZoneAlarm, or the similar Norton or Sygate products, or even WinXP's built-in IP filtering, is better than nothing.

HTH - Stefek

Reply to
stefek.zaba
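The "overlapping packet fragments" trick Stefek mentions is something a perimeter box can check for before the packet ever reaches a Windows stack. The following is an added example, not code from ZoneAlarm, Smoothwall or anyone in this thread: it builds a few IPv4 fragments in-line (constructed, using documentation addresses) and flags any datagram whose fragments claim to cover the same bytes twice. The header layout is standard IPv4; the `build_ipv4_fragment`, `parse_fragment` and `find_overlapping_fragments` names are this example's own.

```python
import struct
from collections import defaultdict

# Added example: flag IPv4 datagrams whose fragments overlap. All packets
# below are constructed in-line; nothing is read from the wire.

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags+offset,
                             # TTL, protocol, checksum, src, dst


def build_ipv4_fragment(src, dst, ident, offset_units, more_fragments, payload_len, proto=17):
    """Return a minimal 20-byte IPv4 header plus a zero-filled payload.
    offset_units is the fragment offset in 8-byte units, as carried on the wire."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    header = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + payload_len, ident,
                         flags_frag, 64, proto, 0, src, dst)
    return header + b"\x00" * payload_len


def parse_fragment(packet):
    """Extract the fields reassembly cares about: flow key and byte range."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_frag & 0x1FFF) * 8
    payload_len = total_len - ihl
    return {"key": (src, dst, ident, proto), "start": start,
            "end": start + payload_len, "mf": bool(flags_frag & 0x2000)}


def find_overlapping_fragments(packets):
    """Group fragments by (src, dst, id, proto) and return the IP identification
    values of datagrams whose fragment byte ranges overlap. A correct sender
    never produces overlaps; a teardrop-style sender does."""
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_fragment(pkt)
        if f["start"] == 0 and not f["mf"]:
            continue                      # not fragmented, nothing to reassemble
        groups[f["key"]].append((f["start"], f["end"]))

    suspicious = set()
    for (_src, _dst, ident, _proto), ranges in groups.items():
        ranges.sort()                     # arrival order does not matter
        covered_to = 0
        for start, end in ranges:
            if start < covered_to:        # this fragment re-covers bytes already seen
                suspicious.add(ident)
                break
            covered_to = max(covered_to, end)
    return suspicious


# Constructed sample traffic (documentation addresses, not a real capture).
SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 5])

# A 1980-byte UDP datagram split cleanly at byte 1480 (offset 185 * 8).
BENIGN = [
    build_ipv4_fragment(SRC, DST, 0x1111, 0, True, 1480),
    build_ipv4_fragment(SRC, DST, 0x1111, 185, False, 500),
]

# Second fragment claims to start at byte 24, inside the first fragment's data.
OVERLAPPING = [
    build_ipv4_fragment(SRC, DST, 0x2222, 0, True, 1480),
    build_ipv4_fragment(SRC, DST, 0x2222, 3, False, 200),
]

if __name__ == "__main__":
    print("benign:", find_overlapping_fragments(BENIGN))            # set()
    print("overlapping:", find_overlapping_fragments(OVERLAPPING))  # {8738}
```

Note that an identical retransmitted fragment also trips this check; a production reassembler distinguishes an exact duplicate from a conflicting overlap, which is the case worth dropping.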

The trouble is that any of these are only as good as the underlying system. Windows NT derived environments such as NT, 2000 and XP are not too bad, but anything that is 95/98/ME based is really a house of cards. It doesn't matter how good the firewall application is, if the underlying components can be compromised or hit in such a way as to collapse, then it doesn't matter.

Also people tend to pack too much onto a single machine. Some server capabilities, security and assorted shareware of dubious origin are typical.

Having a Windows machine with a personal firewall is better than nothing but lulls the user into a sense of false security.

It's much better to use a pensioned off machine as a separate firewall. There are predigested Linux distributions which require no general sysadmin.

.andy

To email, substitute .nospam with .gl

Reply to
Andy Hall

Up to a point yes, it does. I'm mulling over what to do when I upgrade things in this area. As things stand I'm using a number of copies of ZAPro, and I have NAT on my router, and as far as I can tell it's stopping stuff the whole time and I've seen nothing to suggest it's not fine in general.

However which way to go next time is something which still has me scratching my head a bit. I'm not all that keen on using a whole machine just to run a firewall, as it seems a bit wasteful of what are pretty modest resources already. I might if I could find the "perfect" "telecomms side" unit to do the connecting to the net with; although quite impressive, well specified at its price point, and with many happy users, the Netgear range is not without its issues (remember the "time server" debacle on one or two of their models!).

I have yet to find something which seems to have pretty much "no issues", and enough good features, but with anything like a sensible price tag for home use. I absolutely require it to present me with ethernet as its connection method, whatever make and model it may turn out to be. USB won't do for me in that respect.

Not all that easy to strike a truly comfortable balance at the moment sadly, I'm hoping it might change as time passes though.

Take Care, Gnube {too thick for linux}

Reply to
Gnube

Actually not because you can reuse an old machine and the software is free. There are firewall distribution packages that are not any more complicated than a dedicated firewall/router.

Using both is better still.

.andy

To email, substitute .nospam with .gl

Reply to
Andy Hall

If we are talking "always on", then to me it seems far simpler for Joe Average to get a router cum firewall one box solution. It could even be running some form of U**x inside (to appease the hair-shirt brigade), who knows. (I don't, nor do I care.)

Isn't this like wearing two condoms ? Your foil hat is slipping off...

Reply to
John Laird

I agree. We use an old laptop with Win2000 with a smashed tft screen. One cm in the corner still works and you can guess what's happening by the colour in it :-} (or remote access if we can be bothered/ it has crashed). Plenty of free firewalls about too.

Reply to
Suz

Not really - a perimeter firewall is great at stopping incoming attacks. AFAIK most if not all do nothing about outgoing traffic.

A software firewall on the PC should stop the majority of unauthorised outgoing traffic, but there are ways around it. firehole.exe is quite a simple program but works around the majority of firewalls by patching into a browser's access (this works with Opera as well as the patchwork quilt from hell known as IE).

In the end, user education is the only way to keep systems secure - I now use a router, I have ZoneAlarm on my system - as has every system I've built for the last few years - and I pre-install Spybot S&D and give the end-user a set of guidelines on how to update and scan their system regularly, including virus checker.

Reply to
Colin Wilson

A thought that occurred to me about 2 seconds after I hit "send"... (thinks, there must be a law that states this always happens)

My primary concern is in stopping evil coming in. If I somehow install some spyware, then I can only blame myself. But my router will permit some control of which ports can be accessed (although if I pin them down there's still no absolute guarantee and this might break even passive ftp, not too sure there).

Reply to
John Laird

Solution:

formatting link
from:

formatting link

Reply to
D.L

Why bother with extra security, when the one you're using at the moment is three updates behind?

Brad.

Reply to
Cerberus

Have any new malicious viruses come out in two weeks?

Reply to
IMM

Well, if you open attachments to bogus emails you'll soon find out ;-)

Brad.

Reply to
Cerberus

Sadly the most common entry point for "evil" is not via a direct intrusion via a TCP/IP related vulnerability (the recent Blaster outbreak being an exception!) but via lookout express.

Once you have a compromised system (and remember that with outlook/express, simply selecting an email to enable you to delete it can be enough to get yourself infected if you have the preview pane enabled!), a firewall ought to be able to stop unauthorised outbound connections as well as inbound. Alas relying on NAT by itself will not help you here.

Software firewalls can work well at detecting unauthorised outgoing connections. However be aware that some malware will attempt to disable all of the common ones, or circumvent them by posing as an application that you have authorised for outbound access.

Reply to
John Rumm
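Colin Wilson's firehole.exe remark and John Rumm's point about malware "posing as an application that you have authorised" come down to the same question: what does a per-program firewall actually check when a program asks to go out? The following is an added example, not code from ZoneAlarm or any product in the thread. It builds two throwaway files in a temporary directory (constructed, not real binaries), authorises one, then copies the other over it at the same path, and compares a path-keyed allowlist with a content-hash allowlist. The `EgressPolicy` class and the `demo` function are this example's own invention.

```python
import hashlib
import os
import shutil
import tempfile

# Added example: per-program egress control keyed by path versus by file hash.


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EgressPolicy:
    """Decides whether a program may open an outbound connection.
    path_allowlist mimics a firewall that trusts whatever sits at an approved
    path; hash_allowlist ties the permission to the executable's contents."""

    def __init__(self):
        self.path_allowlist = set()
        self.hash_allowlist = {}

    def authorise(self, path):
        full = os.path.abspath(path)
        self.path_allowlist.add(full)
        self.hash_allowlist[full] = sha256_of_file(full)

    def allowed_by_path(self, path):
        return os.path.abspath(path) in self.path_allowlist

    def allowed_by_hash(self, path):
        expected = self.hash_allowlist.get(os.path.abspath(path))
        return expected is not None and sha256_of_file(path) == expected


def demo():
    """Constructed scenario: authorise a 'browser', then replace its file with a
    different binary at the same path, as malware posing as the browser would.
    Returns (allowed_by_path, allowed_by_hash) for each stage."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        dropper = os.path.join(d, "dropper.exe")
        with open(browser, "wb") as f:
            f.write(b"MZ genuine browser build 1.0\n")   # stand-in for a real binary
        with open(dropper, "wb") as f:
            f.write(b"MZ something else entirely\n")

        policy = EgressPolicy()
        policy.authorise(browser)

        genuine = (policy.allowed_by_path(browser), policy.allowed_by_hash(browser))
        # A program never authorised is refused by both checks.
        unknown = (policy.allowed_by_path(dropper), policy.allowed_by_hash(dropper))
        # Impersonation: same path, different contents.
        shutil.copyfile(dropper, browser)
        impersonated = (policy.allowed_by_path(browser), policy.allowed_by_hash(browser))

        return {"genuine": genuine, "unknown": unknown, "impersonated": impersonated}


if __name__ == "__main__":
    for stage, (by_path, by_hash) in demo().items():
        print(f"{stage:12s} path-check={by_path!s:5s} hash-check={by_hash}")
```

The hash check catches a swapped file, which is the "posing as" case. It does not catch the case Colin describes, where code is injected into the genuine browser process and the connection really is made by an authorised executable; that needs controls on the process itself, not on the file on disk.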

Not really. Conventional security practice is to use a number of levels of security simply to make it harder for an attacker to penetrate to the internal machines.

A very typical solution for this involves using two routers and having a demilitarised zone (DMZ) between them. Filters are applied to each to allow the required traffic through and not otherwise. An intermediate firewall appliance may then be put into the DMZ as well and traffic passed through that. The logic is that having disparate solutions provides a greater level of protection.

This architecture also allows machines to which you do want to have public access to be placed outside the firewall. In some environments people even put machines known as honeypots in place. These are deliberately made to be relatively easy to attack and the idea is to distract the hacker from greater prizes. It also can provide a means to do forensic work on where the attack is coming from.

While running a firewall package on an application machine is better than having nothing at all, notwithstanding the poor security environment of Windows, it is all too easy for said firewall to be compromised as new software is added to the machine.

This is why it's much better to have a dedicated machine with a solid and conservative operating environment which is kept stable without the addition of applications.

.andy

To email, substitute .nospam with .gl

Reply to
Andy Hall
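Andy's description of a DMZ with filters "to allow the required traffic through and not otherwise" can be written down as a small stateful policy, which is what a Smoothwall box or the two routers he describes enforce. The following is an added example, not Smoothwall's or Netgear's configuration: it models the two-router layout as one three-zone policy (lan, dmz, wan), with hypothetical addresses and services, tracks accepted flows so that replies get back in, drops spoofed sources, and runs a constructed set of packets through it. The `Gateway` class, `zone_of` and `run_scenario` are this example's own names.

```python
from collections import namedtuple

# Added example: a stateful three-zone packet filter. Addresses, services and
# the policy itself are hypothetical.

Packet = namedtuple("Packet", "iface src sport dst dport proto")

LAN_PREFIX = "10.0.0."
DMZ_PREFIX = "10.0.1."


def zone_of(ip):
    if ip.startswith(LAN_PREFIX):
        return "lan"
    if ip.startswith(DMZ_PREFIX):
        return "dmz"
    return "wan"


class Gateway:
    # Services on the DMZ host that the outside world may reach.
    DMZ_SERVICES = {("10.0.1.10", "tcp", 80), ("10.0.1.10", "tcp", 443)}
    # The only traffic a DMZ host may originate towards the internet, so a
    # compromised DMZ host has little to call home with.
    DMZ_EGRESS = {("udp", 53), ("tcp", 53)}

    def __init__(self):
        self.conntrack = set()   # (src, sport, dst, dport, proto) of accepted flows

    def filter(self, pkt):
        # Anti-spoofing: a packet must arrive on the interface its source belongs to.
        if zone_of(pkt.src) != pkt.iface:
            return "drop"
        # Replies to flows accepted earlier are let through in either direction.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conntrack:
            return "accept"

        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        decision = "drop"
        if src_zone == "lan":
            decision = "accept"          # inside may initiate anywhere
        elif (src_zone == "wan" and dst_zone == "dmz"
              and (pkt.dst, pkt.proto, pkt.dport) in self.DMZ_SERVICES):
            decision = "accept"
        elif (src_zone == "dmz" and dst_zone == "wan"
              and (pkt.proto, pkt.dport) in self.DMZ_EGRESS):
            decision = "accept"
        # Everything else, including wan->lan and dmz->lan, stays dropped.

        if decision == "accept":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return decision


# Constructed traffic, one packet per case of interest.
SCENARIO = [
    Packet("lan", "10.0.0.5", 40000, "203.0.113.7", 443, "tcp"),    # LAN browsing out
    Packet("wan", "203.0.113.7", 443, "10.0.0.5", 40000, "tcp"),    # reply to it
    Packet("wan", "198.51.100.9", 51000, "10.0.1.10", 80, "tcp"),   # public web server
    Packet("wan", "198.51.100.9", 51001, "10.0.1.10", 22, "tcp"),   # SSH to DMZ host
    Packet("wan", "198.51.100.9", 51002, "10.0.0.5", 445, "tcp"),   # SMB to LAN
    Packet("dmz", "10.0.1.10", 45000, "10.0.0.5", 445, "tcp"),      # DMZ host to LAN
    Packet("dmz", "10.0.1.10", 45001, "203.0.113.7", 6667, "tcp"),  # DMZ host calling home
    Packet("dmz", "10.0.1.10", 45002, "203.0.113.53", 53, "udp"),   # DMZ DNS lookup
    Packet("wan", "10.0.0.5", 40001, "10.0.1.10", 80, "tcp"),       # spoofed LAN source
    Packet("wan", "203.0.113.7", 443, "10.0.0.6", 40000, "tcp"),    # unsolicited "reply"
]

EXPECTED = ["accept", "accept", "accept", "drop", "drop",
            "drop", "drop", "accept", "drop", "drop"]


def run_scenario(packets=SCENARIO):
    gw = Gateway()
    return [gw.filter(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SCENARIO, run_scenario()):
        print(f"{verdict:6s} {pkt.iface}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
```

The last packet is the one NAT alone does not protect against in a real implementation: a reply-shaped packet with no matching flow. Here it is dropped because nothing in `conntrack` vouches for it.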

Why not get hold of an old PC from a computer sale and stick a couple of NICs in it and run Smoothwall or similar? Total cost probably under £100 and no Linux knowledge needed.

That's a tall order. There are dedicated hardware firewalls like Firebrick, but you are talking about £400+ for one of these.

Another option is the Cisco 830 series routers (831 for ethernet to ethernet or 837 for ADSL) These are just over £300 and are very well featured with optional extra software feature sets if you want them.

formatting link

.andy

To email, substitute .nospam with .gl

Reply to
Andy Hall

That's not been true for any version of OE for a large number of years, please don't spread misinformation, people may actually be scared now to view their mails rather than taking sensible precautions. Current OE versions won't even let you execute programs direct from OE.

Jim.

Reply to
Jim Ley

HomeOwnersHub website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.