Software firewall - a necessity?


Arakel
03-10-2005, 04:30 PM
I have a D-Link router with a hardware firewall, and having just run a test at the Shields Up!! site, my comp passed with flying colours.

I'm interested in what you all think in regards to a software firewall - do you think it is worth my while getting one too, or is my hardware firewall pretty much all I need?

psych-major
03-10-2005, 04:55 PM
I also have a D-Link router and I love the built-in hardware firewall. In addition to the D-Link, I also run Zone Alarm. The main reason being that it can detect any app trying to get out to the internet or act as a server without my permission.

Zone Alarm personal edition is free, as is Sygate, which has similar functionality.

ph34r
03-10-2005, 05:12 PM
Do you completely trust any machine that may end up on the inside of your hw firewall?

IsaacKuo
03-10-2005, 05:20 PM
That depends on what else you've got behind that firewall. If it's just a few other computers which you also personally administer, then I'd say a software firewall is not needed.

My personal setup is a few Linux computers which are very tightly integrated. For convenience and performance, the computers share data files via NFS. For me, any additional software firewall would almost be pointless anyway.

psych-major
03-10-2005, 05:26 PM
I'm with you, IsaacKuo, for my 'nix boxes. But I do run ZA on the Windows box, specifically because I don't trust Windows OR some of the software I need to run.

Anyone remember Turbo Tax from a couple of years ago...

ZenelithCalling
03-10-2005, 09:05 PM
Pretty much the same for me too. I'm using a Linksys router and ZA for my Windows boxes. According to Ubuntu's website, it doesn't listen to the outside world (or something like that, I don't remember clearly) so they don't include a firewall with the distro. Wouldn't dare dream of not using one on my Windows boxes. Now, if I had a Slackware for dummies install guide....

infiniphunk
03-10-2005, 10:23 PM
Zone Alarm kinda sucks, actually. I've seen programs punch a hole right through it, NO QUESTIONS ASKED.

davisfactor
03-11-2005, 01:38 PM
I run iptables on my personal linux box.

My hardware router is also a Wireless Access Point and while I do run WEP I don't completely trust that someone wouldn't be able to crack it.

Also, I like the ability of me being able to SSH into my box at home and change the access list to limit certain ports.

For example, on my hardware router, I open port 22 inbound to all, but I limit port 22 to certain source IPs using iptables. When I go out of town I can easily change iptables to allow all source addresses and not have to mess with the hardware router.

I also have my personal website at home so I can configure Snort to block any malicious traffic that it detects.

As an added benefit, I have a port knocking daemon running that will listen for a series of SYN requests and will open my SSH port. I rarely use this but I do have it installed and configured. :)

So yes, I definitely recommend running iptables on your personal box in addition to a hardware router.
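The setup davisfactor describes (router forwards 22/tcp to the box, iptables on the box restricts it to known source addresses, and a quick switch to "allow all sources" when travelling) as an added example; this is not davisfactor's script, the trusted addresses are constructed placeholders, and IPT defaults to echo so the block is a dry run that only prints the rules it would apply.

```shell
#!/bin/sh
# Added example: host-side SSH allowlist in iptables, with a "travel mode".
# IPT defaults to "echo iptables" (dry run); set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

# Trusted management sources (constructed placeholders from RFC 5737 ranges).
TRUSTED="203.0.113.10 198.51.100.0/24"

base_rules() {
    # Replies to established flows are accepted; new SSH connections are
    # handed to a dedicated chain so it can be flushed and rebuilt remotely.
    $IPT -N SSH_IN 2>/dev/null
    $IPT -F SSH_IN
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 --syn -j SSH_IN
}

ssh_allow_from() {
    # One ACCEPT per trusted source address, then drop every other source.
    for src in "$@"; do
        $IPT -A SSH_IN -s "$src" -j ACCEPT
    done
    $IPT -A SSH_IN -j DROP
}

home_mode() {
    # Normal state: only the listed sources may open SSH connections.
    $IPT -F SSH_IN
    ssh_allow_from $TRUSTED
}

travel_mode() {
    # Away from home: open port 22 to any source, but rate-limit new
    # connections per source (6 per minute) so brute forcing is slowed down.
    $IPT -F SSH_IN
    $IPT -A SSH_IN -m recent --name ssh --set
    $IPT -A SSH_IN -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
    $IPT -A SSH_IN -j ACCEPT
}

# Dry-run demonstration: print the rules for the normal (home) state.
base_rules
home_mode
```

Switching back after a trip is just `home_mode`; the base INPUT rules stay in place and only the SSH_IN chain is rebuilt.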

psych-major
03-11-2005, 03:14 PM
ZenelithCalling,
Firestarter (ZenelithCalling) is a pretty decent Linux software firewall with a GUI, I personally don't bother on my Slack boxes, but it's there if I need it. (i.e. like when I had to take my router out of the loop for troubleshooting and ran a straight connection from the PC to the DSL modem)

infiniphunk,
I agree on the freeware version, but my employer bought me ZA Pro for my XP laptop and I'm fairly impressed with it. If anything, it's a little over-restrictive!
The trick is to do a little research when those little pop-ups ask for permission to go outside. I mean does notepad really need to act as a server...?

I will admit, however, that ZA does have some unholy alliances with other software vendors, much like certain antivirus programs that come in yellow boxes...

The Others
03-11-2005, 07:31 PM
Originally posted by psych-major
ZenelithCalling,
Firestarter (ZenelithCalling) is a pretty decent Linux software firewall with a GUI, I personally don't bother on my Slack boxes, but it's there if I need it. (i.e. like when I had to take my router out of the loop for troubleshooting and ran a straight connection from the PC to the DSL modem)


http://www.fs-security.com/

The original URL ain't quite right; interestingly, it takes you back to a JL page if you click it in Firefox. Must be the use of Google's "I'm Feeling Lucky" feature.

bwkaz
03-11-2005, 07:34 PM
Originally posted by davisfactor
and while I do run WEP I don't completely trust that someone wouldn't be able to crack it.

Good that you don't trust WEP's unbreakability, because it takes no more than maybe 6-7 hours of sniffing packets before a "128-bit" WEP key (of which the REAL key is only 104 bits long; the other 24 bits are the initialization vector, which are sent in the clear in every packet, but 128 sounds bigger than 104, so retarded marketing morons use it instead) can be broken.

Sometimes it takes a lot less, it depends on which packets you happen to sniff at what times.

WPA is supposed to be better (the WEP key automatically changes every so often), but it's still WEP under the hood. I think the WEP key is supposed to change more frequently than the WEP minimum sniff time, but I don't know that for sure.

I use AES here (A.K.A. WPA2, 802.11i, or WPA-AES, depending on who you talk to), which is a completely different algorithm. Works pretty well when the keys are handed out by the RADIUS server (FreeRADIUS, if anybody cares ;)).

The Others
03-11-2005, 07:47 PM
WPA is much more secure than WEP, but, can be broken. The CowPatty program, for example, takes advantage of some exploit in WPA to bust it open fairly quickly. And it's still also vulnerable to dictionary based attacks, of course.

Both WEP and WPA are more secure than many people give them credit for. Although new attacks that don't require weak IVs are making them weaker. In this instance, you only need packets. Packet injection via ARP relay attacks is just one way of producing network traffic from outside the network. Still, you'll need a lot of packets to break either WEP or WPA; expect any attacker to have more than average levels of patience and free disk space.

Of course, RADIUS is the way to go. I run TinyPeap on my linksys WRT54G.

http://www.tinypeap.com/index.html

bwkaz
03-11-2005, 08:10 PM
Originally posted by The Others
I run TinyPeap on my linksys WRT54G.

I actually run OpenWRT on my 54G, with the "nas" binary from the Linksys firmware talking to my FreeRADIUS server. (I use EAP-TLS, not PEAP. I find that client certificates are MUCH more secure for authentication than passwords, because even if the passwords used on your MS-CHAPv2 or PAP connection are tunneled through a TLS connection (which is what I believe PEAP does), they're still vulnerable to social engineering and/or random guessing. Certificates are not. No EAP type that I've ever seen uses client certificates other than EAP-TLS -- EAP-TTLS and PEAP tunnel another type inside a TLS connection, and the only other types are username/password based.)

www.openwrt.org

Of course, it worked just as well with the original Linksys firmware. But where's the fun in that, when I can put a (more or less) full fledged Linux system on it with OpenWRT? I mean come on, ssh on an AP? Duh! ;)

The Others
03-11-2005, 08:30 PM
You mean you don't run the OpenRADIUS server on the access point itself? ;)

I've played with OpenWRT, but my router is pretty mission critical and fiddling can only happen when my housemate goes out. He would get very upset if he lost wireless access for too long; after all, those eBay auctions don't click themselves.

There are so many packages that I would never use, but I want to load up OpenWRT just to try them. There are, for instance, some games listed in the package repository. Games on an access point!? The big question "why?" means I have to try it. :D

bwkaz
03-12-2005, 10:30 AM
Nah, I had FreeRADIUS set up on my router before I put OpenWRT on the AP. (I also had a certificate authority set of web pages that works pretty nicely.) I was using FreeRADIUS with the Linksys firmware for a few weeks at least before I found OpenWRT.

I was trying to get all my wireless traffic on a separate VLAN, because that's one of the nicer features on the Orinoco access points we use at work. Not that we use separate VLANs yet, but we're trying to get into it. I was trying to see if we could use $60 APs whenever we need more of them, instead of $600 ones. Alas, I can't figure it out, although by all rights the hardware in the WRT box should handle it just fine. I think I probably just don't understand the software interface to VLANs well enough.

And I see I've been referring to the box as an AP -- but it's not, it's a router. I refer to it as an AP because I use it as one; I don't use the router functions (it was cheaper than the equivalent Linksys AP, go figure). Its WAN port is not plugged into anything, and one of the LAN ports is plugged into my "backbone" (heh -- it's only "backbone" because it's the only one I have... ;)) switch. My Linux box is the router/firewall.

X_console
03-19-2005, 09:15 AM
If you have a wireless laptop that you use at home and bring outside to other wireless networks, then yes, I would recommend using a software firewall. At home I'm protected by my router, but when I bring my laptop to Starbucks, I can't trust anyone else in that WLAN, so the software firewall will act as a hindrance to most attackers.