On 25 Sep 2001, at 19:58, Paul Berberich wrote:
> Is a router an effective firewall or should I rely on software alone?
There are a bunch more choices than that.
A router is a device which redirects packets, typically between two
or more subnets/segments. In the process, it may do several other
things, including media conversion (for instance, between LAN
Ethernet and WAN DSL) and Address translation (NAT/PAT).
It *may* also do packet-filtering, applying rules to block some
packets and allow others, based on source and destination addresses
and TCP/UDP port numbers.
A router may be a special-purpose piece of hardware/firmware, or a
general-purpose computer with routing software installed. (Any
Windows NT or 2000 PC can become a router by checking one box on a
Network configuration dialog. Linux and UNIX machines can also serve
as routers.)
A firewall is a piece of software and/or hardware that blocks some
traffic and allows others, based on some kind of policy. It could be
packet filtering capability on a router, or it could be a separate
dedicated box. (Typically, hardware firewalls do not do media
conversion, and default to block all traffic whereas a router will
default to allow all traffic.) Some software firewalls use an NT or
UNIX/Linux OS and turn the box into a firewall instead of a router.
In the last two years, we've seen the introduction of "personal
firewall" software that implements filtering in software, typically
only for the single machine on which the software is running.
Presumably this is the kind of software your question refers to.
You should also be aware that besides packet filtering, some
firewall software does proxying instead. Not all protocols can be
proxied, but proxying (a) can offer certain kinds of protocol
conversion, such as between IPX/SPX and TCP/IP to connect a Novell
network to the Internet, and (b) proxying can block traffic based on
*content*, as well as on address/protocol/port.
As a general bottom-line answer, though:
(a) Routers, although they may *offer* security features, are not
designed to be security devices and do not enforce the use of those
features, and
(b) Multiple kinds of protection may save you from attacks that
would find the chink in any specific product.
So the short answer is that both together is better than either
alone, which in turn is better than nothing.
David Gillett
The NOSPIN Group provides a monthly newsletter with great
tips, information and ideas: NOSPIN-L, The NOSPIN Magazine
Visit our web site to signup: http://freepctech.com
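The default-allow versus default-block distinction drawn in the reply above, as an added example that is not part of the original message: a first-match packet filter on source/destination address, protocol and port, run once with a router-style default of allow and once with a firewall-style default of block. The rule set, addresses, ports and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

def decide(rules, default, pkt):
    """First matching rule wins; the default policy decides everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set: LAN is 192.168.1.0/24, outside hosts use documentation ranges.
RULES = [
    Rule("block", "0.0.0.0/0", "192.168.1.0/24", "tcp", 139),   # file sharing from outside
    Rule("allow", "0.0.0.0/0", "192.168.1.10/32", "tcp", 80),   # public web server
    Rule("allow", "192.168.1.0/24", "0.0.0.0/0", "any", None),  # outbound from the LAN
]

# Constructed packets; "inbound telnet" is a service no rule anticipated.
PACKETS = {
    "inbound web":     {"src": "203.0.113.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 80},
    "inbound netbios": {"src": "203.0.113.5", "dst": "192.168.1.20", "proto": "tcp", "dport": 139},
    "inbound telnet":  {"src": "203.0.113.5", "dst": "192.168.1.20", "proto": "tcp", "dport": 23},
    "outbound dns":    {"src": "192.168.1.20", "dst": "198.51.100.53", "proto": "udp", "dport": 53},
}

def compare():
    """Return {label: (verdict with default allow, verdict with default block)}."""
    return {label: (decide(RULES, "allow", p), decide(RULES, "block", p))
            for label, p in PACKETS.items()}

if __name__ == "__main__":
    for label, (router, firewall) in compare().items():
        print(f"{label:16} default-allow={router:6} default-block={firewall}")
```

With identical rules, only the packet no rule mentions gets a different verdict: the default-allow filter passes it and the default-block filter drops it.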