How secure are software firewalls?

I upgraded my DSL service and received a new DSL modem/wireless router with the deal. I'm having some issues with my DSL router provided to me by my ISP. For some reason port forwarding does not seem to work. The only way I can set up a server of any kind and have someone connect to it from the net is if I enable IP Passthrough on my DSL router, which basically opens up my PC directly to the internet.

I've always relied on my router's firewall to protect me, and have used a software firewall as a second layer of security. With IP Passthrough enabled, I'll have to rely solely on my software firewall. I'm currently using ZoneAlarm 7 on the Windows side and just iptables on the Linux side (I have a dual-boot setup). How protected am I with this configuration?

I ran some tests on grc.com and passed, all ports stealthed, but I'm still not convinced it's enough. What are your opinions on relying solely on a software firewall?
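As an added example (not code from the thread or from any of its posters), this is the kind of host-level iptables ruleset a Linux box needs once IP Passthrough puts it directly on the internet: default deny inbound, allow only replies to the host's own traffic plus the one published service, and log what is dropped. The published port (8080), the admin network (192.0.2.0/24) and the `host-fw` log prefix are constructed placeholders; the script assumes iptables with the conntrack, hashlimit and limit match extensions, and it only prints the ruleset unless run as root with `--apply`.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a host with no router
# firewall in front of it. Emitted in iptables-restore format so it can be
# reviewed before it is loaded. Port and admin network are placeholders.

SERVER_PORT="${SERVER_PORT:-8080}"        # constructed: the one service we publish
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # constructed: documentation range, SSH source

# Print the ruleset for the given service port and admin network.
gen_host_ruleset() {
    port="$1"
    admin="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Malformed or out-of-state packets are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The published service, with a per-source rate cap so one client cannot flood it.
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name svc --hashlimit-above 30/sec --hashlimit-mode srcip -j LOGDROP
-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the admin network.
-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -j ACCEPT
# Ping is useful for troubleshooting; rate-limit it.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
# Everything else: log (rate-limited so the log itself cannot be flooded), then drop.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "host-fw drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Return 0 if the ruleset's INPUT chain policy is DROP (default deny).
ruleset_is_default_deny() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP'
}

# Number of explicit ACCEPT rules in the ruleset (each one is an exposure to review).
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Load the ruleset atomically; parse it first so a typo never leaves the host open.
apply_host_ruleset() {
    rules=$(gen_host_ruleset "$SERVER_PORT" "$ADMIN_NET")
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

case "${1:-}" in
    --apply) apply_host_ruleset ;;
    *)       gen_host_ruleset "$SERVER_PORT" "$ADMIN_NET" ;;
esac
```

Run it with no arguments to review the ruleset; `--apply` as root loads it through `iptables-restore`, which replaces the whole table in one step rather than leaving a half-built chain open while rules are added one by one. The dropped-packet log lives on the same host it protects, which is the weakness of any personal firewall that later posts in this thread point out; if those logs matter, ship them to another machine.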

Why not grab a low-budget PC, throw 2/3 NIC cards in it and install Smoothwall/Astaro? (Even a P1 with a little bit of RAM would work well. I have a bunch set up at the businesses I work at and they work like a charm. Set up the 3rd NIC for VPN access if needed.)

IMHO, ZA is a joke. But then again, a lot of it depends on the person behind it. So, I will stick to my comment above, especially if you are proficient in UNIX/Linux already... why would you mess around with ZA?

Set everything to go through the Smoothwall PC and ditch the cheap broadband "router".

Smoothwall, pfSense, or m0n0wall are the ones you should be looking at. Software firewalls blow ass, nuff said. Or, shit, if you wanna spend the money, you could get a 501 or a 5505.

Pix FTW!

Looks like the scope is just to protect a non-critical server at home. Otherwise, he'd be (hopefully) running it at a hosting site or something.

In that case, s/w firewall is probably good enough. You can always do better with a lot more money or time or both. But I don't think it's worth it in this case. Others on this thread have said nice things about Kerio, and the built-in Windows firewall is not too bad.

Actually, you probably mean a personal firewall vs. gateway? For your own use, personal security (on your own machine) is fine. You use gateway security products more for larger networks to control the policy.

For personal firewalls, it's always nice to know what application is trying to make a connection to the Internet, as it can be a reverse-connecting RAT, spyware, malware, etc. A lot of the Trojans have FWB (Firewall Bypass), which disables your personal firewall.

In terms of gateway products, the trend is towards UTM (Unified Threat Management), Fortinet, Astaro, Watchguard, Netscreen SSGs, Cisco ASA, etc.

I personally believe point products (separate firewall, proxies, IPS, content filtering, AV mail, etc.) make it difficult to manage a security policy. Instead of managing a unified interface and logging, you're looking at configuring, managing, and monitoring each separate device. With UTMs, you get an overview of the security problems and how to fix them immediately. Then it boils down to comparing product versus product in terms of its security tools, definitions, management, etc.

Good point on the point products vs. UTM.

Warez comes through again with explanations that just drive it home.

Always good to hear from you Warez.

Warez, have you ever thought of opening your own security company? I don't know, you seem to know a little. ;)

Disclaimer for all who do not know.....he does.

Warez, wouldn't you agree that the ease of setting up a gateway is worth it even on a personal machine? If anything, you maybe learn a lot during the setup?

Edited because anyone who knows me here knows I am retarded when it comes to the English language and the writing of it.

Hello Hunting... I've been doing IT security for some time now, and thanks for the kind words.

The weakness in personal firewalls is that they sit on the machine that can get compromised. With the addition of a gateway product, you are still able to manage a compromised workstation (block its ports, have the IPS drop traffic, etc.), and the hacker also isn't able to clean up his tracks by deleting logs, etc. on the gateway.

If you are a home user and want the additional packet filtering on your router, it doesn't hurt to turn it on.

To really control an enterprise security policy, you need to have both gateway security for general network policy, and good desktop management to control the end points.

If you're learning to be an admin and you have a spare PC, then go ahead and install a gateway product so you can at least understand what managing a network policy feels like, what tools you have to work with, what tools are missing, etc.

Cool, thanks for the advice warez. I'll check some of those out.

Going off of what Warez said, you can use products such as Smoothwall, m0n0wall or pfSense, which are basically Linux distros that you can install on a spare PC. Essentially you need 2 network cards minimum.


Strike what I said above, I already mentioned that before.

Anyway, yeah, the UTM products are very good for maybe a SOHO, but for a larger enterprise they aren't so good... I've learned that the hard way...


"I've been doing IT security for some time now"

lol@some time.....

I think you have been doing it more than anyone here. Although there are some other real smart mf's here.

Thanks for the confirmation Warez. ;)

"Anyway, yeah, the UTM products are very good for maybe a SOHO, but for a larger enterprise they aren't so good... I've learned that the hard way..."

The UTMs are the future trend, even for large enterprises, and the trend after that will be virtualization. This comes with increases in CPU performance.

A lot of the problems you see with UTMs now is that most organizations are buying them undersized, thinking they will save money instead of sizing the company and building the infrastructure correctly from the beginning.

So you can cluster for large enterprises, and virtualize for individual clients if you're an ISP, while providing a manageable security policy.

Managing point products with a complicated policy is a nightmare in management - VPN user A from HQ is allowed to VPN to branch office B and access only specific subnets, branch user B is allowed to use IM to talk with all internal employees but not allowed file transfer and has certain restrictions on web access, wireless access is allowed for everyone with restricted web access unless they authenticate, who can then have SSL VPN access to the back office, etc. - these are all typical enterprise policies that you might be requested to help enforce.

Trying to create that kind of policy and make sure the point products are interoperable is much harder than deploying a single or clustered UTM to handle the job, and that's why Cisco, Checkpoint, Netscreen, are all jumping on the UTM bandwagon. According to IDC (who coined the phrase UTM), UTMs will surpass point products by 2010.

hunting,

I'm in IT security because of bad karma ;)

The biggest problem with UTMs, though, is "break one to break them all".

There are definitely management problems with having several devices, but it also gives you some amount of defense in depth.

Practically, though, the reduced management hassle may be worth the risk.

Touché, Warez

Lol

Damn I can't say the word I meant because I am a mudnamer.

You guys know what I meant damn it.

No flaming ya bastards

"The biggest problem with UTMs, though, is "break one to break them all"."

That applies to point products equally as much, and perhaps statistically more so since only 1 of the devices has to fail. If your HTTP proxy goes down, are you just going to open up port 80 on the packet filter?

The remedy for single points of failure is High Availability or clustering and you can do that with point products as well as UTMs. Any enterprise that can't have zero downtime has to have redundancy.

"That applies to point products equally as much, and perhaps statistically more so since only 1 of the devices has to fail."

Right, but you have to root multiple devices to finish degrading the security.

I'm talking about security and not reliability here.

I agree that UTMs are probably better from a management perspective. And if you are more aggressive from a security policy enforcement standpoint because you are more confident in the management, that might beat more theoretical advantages.

"I'm talking about security and not reliability here."

How is a UTM less 'secure' if we are talking about single points of failure? I'm not sure I get the point you're trying to make.