I imagine there has to be. Otherwise, why would someone want to run a computer 24/7 when they can spend $30 on a router and save some electricity?
A router almost always is a hardware firewall.
Do you mean software firewalls?
I believe that a machine with iptables or such software can provide greater security and finer restrictions. However, for home use I think a router's firewall is just fine.
Typically, a separate hardware firewall will be in front of the router i.e. it will be directly connected to the internet. I'm not sure exactly what kind of device you're talking about though, as you refer to running a computer 24/7. I run IPCop on a dedicated computer, but that doesn't make it a hardware firewall IMO. A hardware firewall is something like this.
I suppose if you wanted to play the "technically" game, a hardware firewall is just a dedicated computer running a (hardcore) software firewall. If you want to see a real hardware firewall, look at the backside of your car's engine.
Jokes aside, I think it'd be a good idea though to at least employ *some* form of local protection just in case your router's firewall gets bypassed.
Last edited by dr/owned (2009-03-27 05:51:31)
In a general sense, not really, EXCEPT where the 'hardware' (let's call it a 'dedicated' firewall) does other things like proxy, anti-spam, anti-virus etc.
The biggest thing a dedicated firewall can do that does increase security is egress filtering (ie, blocking OUTBOUND connections). I learnt the hard way back in my Windows days (shudder) when I stupidly ran a random program from one of my IT friends who I trusted and suddenly he was remote controlling my computer because the EXE he gave me had a trojan that initiated the connection back to his computer. All the firewalls in the world blocking incoming connections won't make a lick of difference against my computer initiating the request outbound.
Ever since that day I've run a dedicated firewall blocking outbound connections. I only open up what I need, and everything else gets proxied.
(Thought point: if you open port 80 for http traffic, then any malware inside your network can just use port 80 to get out and 'phone home'. Using a proxy means that only programs using HTTP protocol can get out)
Last edited by fukawi2 (2009-03-27 06:14:04)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
I guess it's kind of redundant, depending on your router.
I run DD-WRT on my Buffalo router, and it does in- and outbound filtering, so it would be kind of pointless to have a local one, too.
I'm not exactly sure if I'm remembering this correctly, but from my recollection, a Cert article I read said it's fine to have a dedicated firewall that does in- and outbound filtering, and skip the personal firewall. Having a personal firewall on top of a dedicated one wouldn't really increase security by much.
...a Cert article I read said it's fine to have a dedicated firewall that does in- and outbound filtering, and skip the personal firewall. Having a personal firewall on top of a dedicated one wouldn't really increase security by much.
Depends how much you trust the other hosts on the local network
Also depends on whether you are using a laptop or a workstation. I would consider it common sense to have a software firewall on your laptop. In my home network I just use a DSL modem in NAT mode; it filters out most of the noise. Bigger threats are malicious www sites, emails and port knocks on my ssh port.
(Thought point: if you open port 80 for http traffic, then any malware inside your network can just use port 80 to get out and 'phone home'. Using a proxy means that only programs using HTTP protocol can get out)
care to elaborate?
Well, if you just open port 80, then anyone inside the network can connect to any server listening on port 80 regardless of the service it provides (e.g., I could set up SSH to listen on port 80). Then, from within your network, I could establish an SSH session back to my server and tunnel anything I want over the connection. The same theory applies to someone or something malicious. Using a proxy, it won't understand the SSH protocol, so it won't be able to proxy it on my behalf.
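The two posts above (the egress-filtering post and the "SSH on port 80" explanation) describe the same gap: a port-based egress rule sees only the destination port, while an HTTP proxy refuses anything that does not parse as an HTTP request. The following is an added example written for this thread, not code from any poster or from IPCop or DD-WRT. It models both decisions on constructed byte strings standing in for the first bytes a client sends on an outbound connection; the function names, the allowed-port sets and the sample requests are all assumptions chosen for illustration.

```python
"""Egress control: a port-only rule versus a protocol-aware HTTP proxy check.

Added example for this thread; not code from any poster or firewall product.
Inputs are constructed byte strings, not captured traffic.
"""
import re

# Constructed sample first-bytes of three outbound connections (not captured).
HTTP_REQUEST = (b"GET http://example.com/ HTTP/1.1\r\n"
                b"Host: example.com\r\n\r\n")
SSH_ON_PORT_80 = b"SSH-2.0-OpenSSH_9.6\r\n"        # sshd told to listen on 80
CONNECT_TUNNEL = (b"CONNECT evil.example:22 HTTP/1.1\r\n"
                  b"Host: evil.example:22\r\n\r\n")   # tunnel request, port 22

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def port_rule_allows(dst_port, allowed_ports=frozenset({80, 443})):
    """A plain layer-4 egress rule: it decides on the destination port only,
    so an SSH session to a server listening on port 80 looks like web traffic."""
    return dst_port in allowed_ports


def parse_http_request(first_bytes):
    """Return (method, target, headers) if first_bytes is a well-formed
    HTTP/1.x request head terminated by a blank line, else None."""
    head, sep, _ = first_bytes.partition(b"\r\n\r\n")
    if not sep:
        return None                       # no blank line: not an HTTP head
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0] + b"\r\n")
    if not m:
        return None                       # e.g. an SSH banner or TLS bytes
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return None                   # malformed header line
        headers[h.group(1).lower()] = h.group(2)
    return (m.group(1).decode("ascii"),
            m.group(2).decode("ascii", "replace"),
            headers)


def proxy_allows(first_bytes, connect_ports=frozenset({443})):
    """Decision an HTTP forward proxy makes before relaying a single byte.

    - the client must speak HTTP: a request line plus a Host header
    - plain requests must name an absolute http:// URI (forward-proxy form)
    - CONNECT opens an opaque tunnel, so it is limited to connect_ports
      (assumed policy: only 443, otherwise CONNECT to port 22 would be the
      same SSH tunnel the thread warns about)
    """
    req = parse_http_request(first_bytes)
    if req is None:
        return False
    method, target, headers = req
    if b"host" not in headers:
        return False
    if method == "CONNECT":
        _, _, port = target.rpartition(":")
        return port.isdigit() and int(port) in connect_ports
    return target.startswith("http://")


def egress_decisions(first_bytes, dst_port):
    """Compare both controls for one connection: (port rule, proxy)."""
    return port_rule_allows(dst_port), proxy_allows(first_bytes)


if __name__ == "__main__":
    for name, data in (("HTTP GET", HTTP_REQUEST),
                       ("SSH banner on :80", SSH_ON_PORT_80),
                       ("CONNECT to :22", CONNECT_TUNNEL)):
        port_ok, proxy_ok = egress_decisions(data, 80)
        print(f"{name:20s} port-rule={port_ok!s:5s} proxy={proxy_ok}")
```

The port rule passes all three connections because every one of them targets port 80; the proxy check passes only the real HTTP request. The CONNECT case is the caveat a practitioner should keep in mind when relying on a proxy for egress control: CONNECT is legitimate HTTP, yet it hands the client a raw tunnel, so a proxy that allows CONNECT to arbitrary ports reintroduces the "SSH on port 80" problem through the proxy itself.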