Sunday, April 22, 2012

When is an NAT router inadequate protection?

This article mirrors the article at http://www.dslreports.com/faq/9787 . The dslreports.com website seems to be down, with no expected time for it to be back online.

24 Apr 2012 - The original site seems to be working again. So go to http://www.dslreports.com/faq/9787

The main points of the article are extracted here:

----------------------------------------------------------------------
1. Depending on your network configuration, an NAT router can be a cost-effective and reliable addition to your computer's security. At US$40 to $70, they can be worth getting even if you only have one computer.

1.1 You should definitely run a software firewall on any computer that connects to AOL using a different Internet Service Provider (AOL's Bring-Your-Own-Access plan or AOL MAX using an ISP), no matter what kind of hardware firewall or NAT router you have.


1.2 If you have to turn on port forwarding or the DMZ to run servers or other applications you should consider either a software firewall or a more expensive SPI firewall.


1.3 Generally software firewalls provide valuable additional protection that supplements the protection provided by NAT routers and SPI firewalls.

Ideally a software firewall should be an additional layer of protection behind an NAT router or external firewall. For homes a free version of a software firewall is normally adequate for this additional layer of protection.

- ZoneAlarm Free
»www.zonelabs.com/store/content/home.jsp
Look for the free version / free download, and keep choosing it rather than the Pro version.

- Sygate Personal Firewall
»download.com.com/3000-2092-10049···g=button

- Kerio Personal Firewall Limited Free Version (Sunbelt Kerio Personal Firewall)
»www.kerio.com/kpf_download.html
Look for the "limited free" version.

For businesses, computers running public servers, and computers on wireless networks, a paid-for version of a software firewall provides more protection by allowing more customization and more precise control.

2. In selecting an NAT router, software firewall, or hardware firewall, consider its logging and alerts capabilities.

3. If the router or firewall is wireless, secure the wireless interface.

4. Firewalls are not a replacement for adequate backups of data. (Firewalls don't protect against real fires, or burglars.) /faq/10194

5. Other security precautions still need to be taken. For example, operating systems and anti-virus software need to be properly installed, configured and updated.

6. There is no hardware or software you can install that will protect against massive amounts of traffic jamming your communications lines. "SPI firewalls" only protect against certain types of denial of service (DoS) attacks, namely those involving malformed packets, protocol sequence violations, or vulnerable software.

7. Historically, the original network firewalls did not do packet inspection. They were rule based, using tables of permitted IP addresses and ports. Packet inspection is not historically in the definition of firewalls.

8. The NAT firewall was a major advance. It limited inbound traffic based on the basic state of communications with the external IP address. Outbound traffic triggered permission for inbound traffic.

9. This is basically how a pure many:1 NAT router works. M:1 is the kind of router commonly used for home and SOHO users to provide a connection for many local computers using one public IP address.


10. Port forwarding bypasses the state table and, with it, that source of protection provided by the NAT router. Port forwarding (on a pure NAT router) causes almost all traffic that arrives at a particular port to go to a particular local IP address. (Basic packet filtering is the only protection for the port.)



11. The DMZ should be totally avoided on most NAT routers.

A DMZ is not normally required, provided you know your software. Check the software vendor's website, or email their support area, or search here in BBR, to find out what ports you need to set as trigger ports for which ports, or which ports to forward.

If you really do need a DMZ, use a device that treats the computer in the DMZ as though it was an untrusted computer outside your local network. Ordinary NAT routers do not normally provide this type of DMZ; they normally just forward all unsolicited traffic to the machine in the DMZ, leaving it with no NAT protection.
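The following is an added example, not part of the original FAQ or of any router's firmware: a small Python model of the many:1 NAT behaviour described in points 8 through 11. It keeps a state table that is populated only by outbound traffic, so an unsolicited inbound packet is dropped unless it matches an existing flow, a port-forward rule (which skips the state table entirely), or a naive DMZ (which hands every unsolicited packet to one host). The class and function names, the address ranges (documentation and private ranges), and the "remote IP + remote port + public port" matching rule are all simplifying assumptions made for the demo.

```python
"""Toy model of a many:1 NAT router's connection state table.

Constructed example for illustration only; it does not reproduce any real
router's firmware. Addresses 203.0.113.x / 198.51.100.x (documentation
ranges) and 192.168.1.x (private range) are chosen for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN


class NatRouter:
    """Pure many:1 NAT with optional port forwarding and a naive DMZ (assumed model)."""

    def __init__(self, public_ip, port_forwards=None, dmz_host=None):
        self.public_ip = public_ip
        # public port -> (lan_ip, lan_port); consulted without looking at state
        self.port_forwards = dict(port_forwards or {})
        # naive DMZ: every unsolicited packet is handed to this host, no NAT protection
        self.dmz_host = dmz_host
        # outbound flows keyed by (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.out_flows = {}
        # inbound lookup keyed by (remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self.in_flows = {}
        self.next_port = 40000

    def handle(self, pkt):
        """Return (verdict, lan_ip, lan_port) for one packet crossing the router."""
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            public_port = self.out_flows.get(key)
            if public_port is None:
                public_port = self.next_port
                self.next_port += 1
                self.out_flows[key] = public_port
                # This entry is what later authorises the reply to come back in:
                # outbound traffic triggers permission for inbound traffic.
                self.in_flows[(pkt.dst_ip, pkt.dst_port, public_port)] = (pkt.src_ip, pkt.src_port)
            return ("TRANSLATE", self.public_ip, public_port)

        # Inbound order: 1) state table, 2) port forward, 3) DMZ, otherwise drop.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.in_flows:
            lan_ip, lan_port = self.in_flows[key]
            return ("DELIVER:STATE", lan_ip, lan_port)
        if pkt.dst_port in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
            return ("DELIVER:FORWARD", lan_ip, lan_port)
        if self.dmz_host is not None:
            return ("DELIVER:DMZ", self.dmz_host, pkt.dst_port)
        return ("DROP", None, None)


def run_demo():
    """Walk a few constructed packets through three router configurations."""
    results = {}
    pure = NatRouter("203.0.113.5")
    results["outbound"] = pure.handle(Packet("192.168.1.10", 51000, "198.51.100.7", 80, "out"))
    public_port = results["outbound"][2]
    # The web server's reply matches the state entry created by the outbound packet.
    results["reply"] = pure.handle(Packet("198.51.100.7", 80, "203.0.113.5", public_port, "in"))
    # A different remote host hitting the same public port has no state entry.
    results["unsolicited"] = pure.handle(Packet("198.51.100.9", 12345, "203.0.113.5", public_port, "in"))
    results["unsolicited_other_port"] = pure.handle(Packet("198.51.100.9", 12345, "203.0.113.5", 80, "in"))

    forwarding = NatRouter("203.0.113.5", port_forwards={8080: ("192.168.1.20", 80)})
    results["forwarded"] = forwarding.handle(Packet("198.51.100.9", 12345, "203.0.113.5", 8080, "in"))
    results["forward_other_port"] = forwarding.handle(Packet("198.51.100.9", 12345, "203.0.113.5", 22, "in"))

    dmz = NatRouter("203.0.113.5", dmz_host="192.168.1.30")
    results["dmz_any_port"] = dmz.handle(Packet("198.51.100.9", 12345, "203.0.113.5", 3389, "in"))
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:>22}: {verdict}")
```

Running the demo shows the three regimes side by side: on the pure NAT router only the reply to the outbound flow is delivered and everything else is dropped; with a port forward, the forwarded port reaches the LAN host regardless of state while other ports are still dropped; with the naive DMZ, every unsolicited packet on every port reaches the DMZ host, which is exactly why the FAQ says such a DMZ leaves the machine with no NAT protection.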


Here are some security testing sites: /faq/5503

Here is more on securing your home computer: /faq/8463

Here is more on securing a wireless router: /faq/8698

For discussion about your individual circumstances you can post a message in the BBR Security Forum here: /forum/security
