Firewall Questions
February 7, 2005 1:25 PM

Is additional firewall protection necessary or advisable if one accesses the internet via a wireless router that ostensibly contains a firewall? (More clueless noobery within...)

I have a Netgear MR814 wireless router, and was initially able to get my laptop wirelessly connected to it and access the internet with no problem. Being a nervous nellie, I immediately installed Zone Alarm, and for several months everything went along swimmingly. Then one day I was suddenly unable to get on-line, getting a message that said signal strength was excellent but the computer was unable to obtain an IP address. I did the release/renew thing, to no avail. I googled around and found a couple of people who advised, in such situations, that one disable any firewall one might have installed. I shut down Zone Alarm, and voila, instant connection. As soon as I reactivate Zone Alarm, however, I am no longer able to connect.

My question: I know that the Netgear router supposedly has a built-in firewall. Is this adequate protection, though? Is anything gained by having an additional firewall such as Zone Alarm, or is this overkill? Ancillary question: is there something simple I could do that would make the wireless connection and Zone Alarm co-exist peacefully?
posted by Kat Allison to Computers & Internet (20 answers total)
 
If you're behind a router, and you haven't manually configured any pass-throughs for an internal IP (e.g. redirecting http traffic on port 80 to an internal machine), you don't need a firewall on an internal machine as they are not accessible to the outside world.

Although maybe there's this huge heinous underworld of router hacking that I am not aware of.

But I doubt it.
posted by xmutex at 1:32 PM on February 7, 2005


Some folks swear by ZoneAlarm, but I had no luck with it. That's OK, it was worth what I paid for it. I'm using a Linksys wireless router and Norton Personal Firewall with no problem. Maybe it is overkill, but it is working fine and I don't see a problem with having an additional level of protection.
posted by fixedgear at 1:32 PM on February 7, 2005


As long as you change the default password to something non-obvious, your router with WEP enabled should offer all the protection you are likely to need in terms of intrusion prevention. In my experience, Zone Alarm is not good software and should be avoided. YMMV.
posted by McGuillicuddy at 1:33 PM on February 7, 2005


I wouldn't run a Windows box without a Kerio Personal Firewall if for no other reason than to be informed when applications which have no business accessing the Internet are trying to do so (and to have the option of blocking them.)
posted by Zed_Lopez at 1:45 PM on February 7, 2005


As long as you change the default password to something non-obvious, your router with WEP enabled should offer all the protection you are likely to need in terms of intrusion prevention.

That's debatable given that even WEP has potential security problems.

There are some well-known free software utilities that will even pick up non-broadcast SSIDs, with WEP-enabled authentication, and still implement man-in-the-middle attacks quite easily (provided the user accepts the non-standard certificate).

As to the original poster's question, there is little to no harm in running an additional firewall and I would recommend that you do. As Zed_Lopez mentioned, sometimes machine-based firewalls are good at reminding you that you should not only concern yourself with incoming threats, but what might be coming from your machine and internet connection.
posted by purephase at 2:05 PM on February 7, 2005


I've never had real problems with ZoneAlarm, and I like that it tells me when software is trying to make a connection. I've been tipped off to some spyware this way.
posted by Tubes at 3:50 PM on February 7, 2005


I use both the router's firewall and Kerio 2.x. I prefer Kerio to ZA now because I can do some very specific access blocking.

I don't worry about this machine being compromised from without: that's what the router firewall is going to prevent. However, the router provides absolutely no protection against software that wants to go *out* -- like the odd DNS requests being made to a Chinese site by Azureus. Dunno what that was about, but it was blocked.
posted by five fresh fish at 4:23 PM on February 7, 2005


i suspect (wag) you accidentally blocked a connection in zone alarm that is critical to something like dhcp. unfortunately it's easy to get a bit click-happy and block everything that comes up. is there some way to reset zone alarm so that it loses all its rules and prompts again for each new connection? if so, try that, and spend some time understanding each alert.

i haven't used zone alarm for some time, but when i did, it seemed to work as advertised. these days i use kerio. even if you're ok behind this router, are you sure you're never going to use your laptop elsewhere? having a firewall running by default is a good idea, imho.
posted by andrew cooke at 4:30 PM on February 7, 2005


Just FYI -- WEP is pretty trivial to break. It's best to consider that anything you're transmitting over a wireless connection can be eavesdropped upon. Passwords, email, personal information, credit card numbers, etc.
posted by Jairus at 4:42 PM on February 7, 2005


It's best to consider that anything you're transmitting over a wireless connection can be eavesdropped upon. Passwords, email, personal information, credit card numbers, etc.

You're probably using SSL for most of those things already, however, and that's still not trivial to break.
posted by kindall at 5:00 PM on February 7, 2005


Even if the router protects you against incoming connections, it won't (generally) prevent outgoing connections.

The software firewall will.

Since trojans like to "phone home" with your personal data, you want to be able to stop outgoing connections too.

The latest Kerio will stop both incoming and outgoing connections, and can also be set up to ask you if one program should be allowed to start another program -- useful if a trojan were to run your browser in order to phone home.
posted by orthogonality at 5:05 PM on February 7, 2005


years ago, i ran blackice firewall on my Windows98 machine. this software was well known for its many urgent messages crying out "blackice has intercepted a possible attack!" blah blah for tcp and udp pings and the like. I started blocking these "attacking" IP addresses to see if i could get the messages to slow down from several per day to several per week.

One day i lost connectivity on that machine completely. I tried everything i could think of to no avail. Since I had another computer handy, it was over a week before I got around to checking the blackice banned IP log. Turns out I had banned my router's IP by accident.

YMMMV: your moronic mistakes may vary
posted by Jonasio at 5:19 PM on February 7, 2005
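
The failure mode raised in this thread (a block rule that catches DHCP, or a ban on the router's own address) can be checked for mechanically. This is an added example, not part of the thread: the rule tuple format, the addresses and the function name are constructed for illustration, and it assumes the router is also the DHCP server and DNS resolver, as is typical on a home LAN.

```python
import ipaddress

BROADCAST = ipaddress.ip_address("255.255.255.255")  # DHCP discovery destination
# Destination ports of DHCP packets: client -> server 67, server -> client 68.
DHCP_DST_PORT = {"out": 67, "in": 68}

# Constructed sample data. Rule = (direction, protocol, remote, destination port);
# a port of None means "any port". Real firewalls store rules in their own formats.
ROUTER = "192.168.0.1"
RULES = [
    ("in",  "udp", "203.0.113.7",     None),  # a noisy outside host
    ("in",  "any", "192.168.0.1",     None),  # the router itself, banned by mistake
    ("out", "udp", "0.0.0.0/0",       67),    # "block" clicked on a DHCP prompt
    ("out", "tcp", "198.51.100.0/24", 6881),  # unrelated application rule
]

def connectivity_breakers(rules, dhcp_server, dns_server):
    """Return {rule index: [services]} for block rules that would cut the host off."""
    srv = ipaddress.ip_address(dhcp_server)
    dns = ipaddress.ip_address(dns_server)
    findings = {}
    for i, (direction, proto, remote, dst_port) in enumerate(rules):
        net = ipaddress.ip_network(remote, strict=False)
        broken = []
        # DHCP is UDP; requests go to the server or to the broadcast address.
        peer = srv in net or (direction == "out" and BROADCAST in net)
        if (proto in ("udp", "any") and peer
                and dst_port in (None, DHCP_DST_PORT[direction])):
            broken.append("DHCP")
        # DNS queries leave for port 53; replies return to an arbitrary port.
        if (proto in ("udp", "tcp", "any") and dns in net
                and (dst_port is None or (direction == "out" and dst_port == 53))):
            broken.append("DNS")
        if broken:
            findings[i] = broken
    return findings

if __name__ == "__main__":
    for idx, services in connectivity_breakers(RULES, ROUTER, ROUTER).items():
        print(f"rule {idx} {RULES[idx]} would break: {', '.join(services)}")
```
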


The not-latest-Kerio also works on both incoming and outgoing packets, and it doesn't have the gawdawful monstrosity UI that the newer versions have.

Yes, with software firewalls you do need to be half clue-ful.
posted by five fresh fish at 8:48 PM on February 7, 2005


Wow, it's like the safe-sex vs. abstinence debate.
Everyone else is right, of course. WEP is a trivial obstacle if somebody is intent on eavesdropping. But for day-to-day security on a home network, well, it beats nothing. Set it up once, and forget it.

On the other hand, with its constant alerts Zone Alarm almost tempts end users to disable it. Or break it. In my experience, both are easily done. Kerio may be better. Windows 2003 ships with a built-in firewall which is a step in the right direction on Microsoft's part and will likely be included in the next consumer edition.
posted by McGuillicuddy at 10:05 PM on February 7, 2005


Zone Alarm I use, no problems. Alerts are user-configurable to not pop up.
posted by Goofyy at 10:39 PM on February 7, 2005


Since trojans like to "phone home" with your personal data, you want to be able to stop outgoing connections too.

Only if you run trojans. If you have antivirus software, it will probably cover you pretty well in that department.
posted by kindall at 11:01 PM on February 7, 2005


You know, it's funny, I don't run anti-virus software or any sort of software firewall and in all my years of web surfing, I've only ever caught a virus off the web once.

That was like 4 years ago and I was using IE.

I think a lot of it has to do with where you go, what you look at, and what you download. Avoid "free" porn and warez sites, and those insipid joke of the day sites, and you're already clear of 90% of the problem.

Wow, it's like the safe-sex vs. abstinence debate.

Yeah, except that most people on the internet don't realize that their "condom" is actually on their left ear, rather than their interwang, where it belongs.
posted by jaded at 6:12 AM on February 8, 2005


Oh - and just to clarify - a couple of times a year, I get paranoid and install anti virus software, just to check. Then I get rid of it, because I'm virus free.
posted by jaded at 6:14 AM on February 8, 2005


I don't run AV software, nor do I ever install it. I once in a loooong while (been a year now) go do an online virus check. In the past fifteen years of PC use, I've had precisely one virus (an Excel macro virus from a government office).

I run Kerio simply because I want to be aware of what applications are attempting to access the internet. There are a few that try to "call home" with usage reports, and I don't care to share that data.

It helps that I've never used MSIE to any great extent and have never, ever used Outlook Express.
posted by five fresh fish at 10:21 AM on February 8, 2005


Kat, if you've recently upgraded to XP SP2 or otherwise turned on the windows firewall, make sure you've got the latest version of Zone Alarm or it won't connect.
posted by zanni at 12:04 PM on February 8, 2005

