Using a software firewall and hardware firewall in tandem

Dennis Faas's picture

Almost a month ago we were knee-deep in discussion with respect to tracking down a hacker.

In short, our ongoing discussion probed possibilities and known methods which might be used to track down a hacker, if one ever attempted to hack into *your* computer system. RE: Can I track down a Hacker?, Part 1, and Can I track down a Hacker?, Part 2.

Shortly after Part 2 was released, I received an email from Dan Daily (editor / webmaster) of Danny's Daily. Dan's comments focused on a proposed supposition, which was sent in from John B. in Part 2 of our Discussion. To recap: John suggested to get rid of Norton (software) Firewall and go with a hardware Firewall in order to block hack attempts:

" My advice would be to ditch the Norton firewall (software) and go with a hardware firewall.

If properly configured with a private IP (ie. 192.168.X.X), your computer can be invisible to the outside world. The easiest way to obtain this is with a cheap DSL router w/ built in firewall. I suggest the LinkSYS NR041 (about $35). It has tons of features (DHCP, portmapping, DMZ configuration, remote administration, just to name a few). "

Dan's Crucial Comments: Use BOTH a software firewall and hardware Firewall in tandem.

" I received a forwarded comment from one of your articles or something concerning the subject of firewalls. Being a Web Master myself and having about 20 years experience with computers, I've amassed some knowledge on these issues.

With regards to John B.'s comment, I'm afraid I find his solution to be very wrong and dangerous at best However, I do agree to dump Norton though. Norton, it seems, has problems with all of it's stuff -- especially it's anti virus program.

Zone Alarm software firewall is the only firewall that passes every test thrown at it. In fact, Zone Alarm still functions even if a virus tries to shut it off. By the way, I have NO affiliation with Zone Alarm. This is my opinion and I'm in very good company.

As far as using a router as your only protection, I wouldn't do it. I have a Linksys router and would never trust it as my only protection. In fact, If I were to use file sharing on my two systems here at home, I wouldn't use one router to handle both the LAN and the Internet at all*!

Side note: the proper solution in this case would be to install another router, two more Ethernet cards and NOT use the TCP/IP protocol for the file sharing through the second router. This, though more expensive, completely separates the Internet from file sharing. This is the only TRUE way to achieve 100% security (if there is such a thing) for your LAN. A miniature corporate solution, if you will.

Warning: DHCP is not an option, it's the DEFAULT!

John B. knows enough to use a private IP address for his routers connected PC's but cites DHCP as an "option" or "feature." DHCP is not an option, it's the DEFAULT! It makes installing the router as simple as 1, 2, 3 for non-techies. Worse, it's a server protocol that uses dynamic IP addresses which is the direct opposite of a "private / static" IP address. I have that function disabled on my router but it's default is on.

Most people (98.6%) will use all the system defaults and this is quite proven. Using static IP addresses for the router takes quite a bit of reading and requires setup on all connected computers. For the new user who's never done it before, it can be quite taxing. They will experience MANY hits and misses. Inevitably, if they even bother to try it, (and they won't) they will become frustrated, intimidated and use DHCP. Using DHCP as the default will allow anyone access to your system and your LAN (if your LAN shares the router) if they crack the router.

I don't trust my routers firewall for Internet security let alone LAN security.

I have done stand alone tests and my router does indeed make my ports invisible, but, tests from Extreme Tech show that the Linksys router will respond to scans specifically for the router itself / versus / scans specifically for your computers ports, and now PCWorld has confirmed this (Nov 04, 2002). If you leave the password at the Linksys default, (which most people do, like I said before, system defaults) hacking the router is very easy. Once the router is hacked, your system can easily be infiltrated. REALLY!

A wireless router compounds these problems immeasurably!

Even your next door neighbor can hack you with a wireless without even being online or knowing it! In fact, if you're both using the system defaults, you'll be walking all over each other and using each others routers without either of you even realizing it. Much the same way the old cordless telephones did.

Now, let's assume you got a new wireless router and loved it, you told your neighbor about it and he got one. If you're both using the system defaults, and 98.6% of you will be, you WILL get into his system, even accidentally. Can you honestly tell me you wouldn't surf his computer just to see what he has in there?

And that's how easy it is!

This is why the Government is putting a stop to wireless anything for Government confidential traffic. Almost EVERYONE uses the system defaults unless they have a full time IT Administrator who understands these issues!

Here are my Internet Security settings at a glance: Each Layer uses TCP/IP protocol Linksys router: Cloaks all Ports Static IP addresses: In case the router gets cracked, without a specific IP address, you can't get into my system. Unique Password: Helps protect the router from being cracked. Zone Alarm, installed on all connected computers: When all else fails, the last line of defense.

My setup is not perfect, but...

If the router was cracked by a password cracking program, the static IP addresses would probably be laid bare: So much for that "protection." This is the reason for Zone Alarm software firewall. As you can see, it would take a very experienced and persistent person (hacker) to crack my system but it *could* be done! If you use system defaults it won't take experience or persistence; it's child's play!

In conclusion

It is essential to have a software based firewall! Even with all the "protection" I have, I would NEVER put my LAN in the middle of that. "

Content has been edited by Dennis Faas, infopackets editor of the Gazette.

Rate this article: 
No votes yet