Thread: Router/firewall vs software

  1. #1

    Router/firewall vs software

    If a series of computers are connected to the internet via a router with a built-in firewall, is the presence of a software firewall on each machine necessary, or just a needless redundancy?

    Here's the scenario: A network of 7 computers is connected to the internet via a D-Link DI-704P router with a built-in firewall. One Linux machine acts as a web server and FTP server, another Linux machine serves a battle.net gateway, and the other machines are more or less just mixed-OS, local-user desktop systems. There are no computers set up in the DMZ; all are behind the firewall. Is this D-Link router doing the job of preventing access to the network via its firewall, or is it necessary that a software firewall be configured on each machine, or is this essentially useless?

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915

    Re: Router/firewall vs software

    Originally posted here by Big Jim Slade
    If a series of computers are connected to the internet via a router with a built-in firewall, is the presence of a software firewall on each machine necessary, or just a needless redundancy?

    Here's the scenario: A network of 7 computers is connected to the internet via a D-Link DI-704P router with a built-in firewall. One Linux machine acts as a web server and FTP server, another Linux machine serves a battle.net gateway, and the other machines are more or less just mixed-OS, local-user desktop systems. There are no computers set up in the DMZ; all are behind the firewall. Is this D-Link router doing the job of preventing access to the network via its firewall, or is it necessary that a software firewall be configured on each machine, or is this essentially useless?
    Hey Hey,

    I guess that's entirely up to you but here's my take on it...

    You've got a Web Server and an FTP server which means you must have ports forwarded (or are they internal only?). Are you comfortable enough with your PC setup that if someone gains access to your WWW/FTP Server... that the other machines have nothing open that would require protection? The last thing you'd want is to have one computer exploited and remotely controlled and then to have that pass to the rest of the PCs on your network.

    Also, the D-Link is fine for blocking unwanted inbound attempts, but what about connection attempts that originate on your machine and are destined for the internet? If someone infects one of the computers (accidentally or intentionally) with an IRC bot that joins a server and waits for commands in the channel, you'll never know that it has happened; however, a software application-based firewall would prevent this problem.

    What about the possibility of a virus spreading internally? Say a machine hasn't been fully patched and you download a virus (similar to, say, MSBlast and its shutdown of the RPC service). This virus could spread internally because it is already past your firewall and there's nothing stopping its spreading.

    If you asked if I run firewalls on my PCs behind the router/firewall... I'd give you various responses... I have some that do and some that don't... It all depends on the purpose of the PC and how comfortable I feel with its setup and its security... the choice is yours, but I definitely wouldn't call it a needless redundancy.

    Peace,
    HT

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    A key feature most likely missing from your edge router/firewall is something in place to protect the rest of your LAN and the world from a rogue host inside your network.
    A decent software firewall on workstations can, if properly configured, help when (not if but when) a dork inside your network opens the wrong attachment from the wrong person. Without a proper IDS config, properly communicated and enforced usage policies, user training, and locked-down systems, you are avoiding many aspects just as important as hiding your users behind a DLINK.

    Egress safeguards are too often overlooked, and that is a huge problem on the net today.

    So use your software firewalls if you can. I would be just as concerned about saving the world from your LAN than saving your LAN from the world...

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Using the approach of defense in depth, then yes, you should certainly have your software firewalls running on your systems behind your router/firewall. In a corporate setting it's probably best to keep it to the servers you deem critical; for a home environment using a Linksys router or something, then absolutely.

    One thing you may want to read up on is deperimeterization, which is all about protecting the data more than worrying about borders, so in that model your personal firewalls become even more important than the border firewall. In fact the model (which continues to develop) assumes that evil stuff will get through your border and therefore that perhaps the border doesn't really serve that much use... an interesting idea, but we are a little way from having the technology to ultimately support it.
    Quis custodiet ipsos custodes

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I think one thing that is very important that I've seen several companies not have is virus protection. I've seen many companies with $5000 firewalls, but no anti-virus.

    A good firewall (we use Cisco PIX) and a good centrally managed anti-virus on the inside. I prefer Trend Micro Client/Server Security, which I believe is vital to any company. It provides a central management point and updates clients automatically. The college I attend has a $2500 SonicWall firewall, but no AV on the machines. It's like having a fence to keep animals out but leaving a gate open.

    If you're running Exchange servers, make sure you have configured them properly and that you have configured your firewall to not only block connections to the inside that are not legitimate, but also connections from the inside to the outside.

    Just remember to turn off what you don't need and keep your computers/servers patched.

  6. #6
    Alright... got some very good responses here. More or less answered any doubts I had about the internal firewalls.

    Now, I've got another question. I'm considering replacing the D-Link router with an old box running perhaps Coyote Linux or such as a dedicated firewall/router. In all y'all's opinion, would such a setup be a better alternative than the current setup--would this be more secure? Also, would I generally have more and better control over port forwarding and blocking--general configuration--or do I just think I would?

    Oh yeah... responding to HTRegz's post, the FTP and Webserver are public.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Just for safety's sake, when you have publicly available services you should DMZ them, though I don't recommend the D-Link's DMZ "solution". You could put a second D-Link and place it between the LAN and the public machines, or use the box you mentioned to create a DMZ. Either way would work just fine....

    Cheyenne: I can't afford AV for all my boxes and I can "enforce" it since I have other companies inside my network..... But my firewall does a great job of stripping all executables from SMTP incoming streams and stopping the (l)users from getting to their personal email.... Even on those machines that we have set up for the public to use....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
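The replies above argue for three things the D-Link alone does not give you: a real DMZ for the public web/FTP box (#7), egress filtering so a bot or worm on a LAN host cannot phone home unnoticed (#2, #3, #5), and a Linux box as the dedicated firewall/router (#6). The following iptables script is an added example, not anything posted in the thread or shipped with Coyote Linux; it assumes a three-interface box (eth0 Internet, eth1 LAN, eth2 DMZ), constructed private addressing, and that the kernel's nf_conntrack_ftp and nf_nat_ftp helpers are loaded so FTP data channels follow the control channel.

```shell
#!/bin/sh
# Three-legged firewall/router: eth0 = Internet, eth1 = LAN, eth2 = DMZ (assumed layout).
# IPT defaults to "echo iptables" so the script prints the ruleset for review;
# run as root with IPT=iptables on the firewall box to actually apply it.
IPT="${IPT:-echo iptables}"
WAN=eth0; LAN=eth1; DMZ=eth2
DMZ_SRV=192.168.2.10            # constructed address of the public web/FTP server
EGRESS_TCP="80 443 25 21 6112"  # assumed allow-list: web, mail, ftp control, battle.net

emit_rules() {
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -F; $IPT -t nat -F
    # Stateful core: replies to anything already allowed, plus FTP data
    # channels tracked as RELATED by nf_conntrack_ftp / nf_nat_ftp.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Inbound from the Internet: only HTTP and FTP, and only to the DMZ host.
    for p in 80 21; do
        $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport $p -j DNAT --to-destination $DMZ_SRV
        $IPT -A FORWARD -i $WAN -o $DMZ -d $DMZ_SRV -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
    done
    # LAN may open connections into the DMZ; the DMZ may never open connections
    # into the LAN, so a compromised web server gets no free ride to the desktops.
    $IPT -A FORWARD -i $LAN -o $DMZ -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ-to-LAN: "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    # Egress from the LAN is an allow-list; anything else is logged and dropped
    # by policy, which is where an IRC bot phoning home on 6667 shows up.
    $IPT -A FORWARD -i $LAN -o $WAN -p udp --dport 53 -j ACCEPT
    for p in $EGRESS_TCP; do
        $IPT -A FORWARD -i $LAN -o $WAN -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -i $LAN -o $WAN -j LOG --log-prefix "LAN-egress-denied: "
    # The DMZ server itself only needs DNS and outbound HTTP (package updates).
    $IPT -A FORWARD -i $DMZ -o $WAN -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Masquerade everything that leaves towards the Internet.
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

emit_rules
```

The dropped LAN-egress and DMZ-to-LAN attempts land in the kernel log with the given prefixes, which is the visibility the thread says the D-Link never gives you.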
