Who firewalls?

[h4x5h17]

So in some basic home network configurations you have a wifi/wired router that is also a dsl or cable modem. Most, if not all, of these devices have a built in firewall that can be enabled. Most of the time is enabled by default. This firewall is a standard security feature between your home network and the internet outside of your home network and the network between you and your Internet Service Provider.

Your Internet service provider also takes in to account that its clients may not have the best security practices, or may use insecure applications and operating systems. With that in mind they protect their network from possible intrusion from security holes that their clients may unintentionally provide for attackers via internet connectivity.

So this is all pretty standard. Many years ago I heard of an case where Hughes Communications disonnected a client until the client agreed to removed a trojan from their computer. However you can't disconnect, from the internet providing network, for the insecure practices of your Internet Service Provider. Not without cuting off internet access. But you can use an additional firewall between your home network and your I.S.P. (cable/dsl modem). Your cable/dsl modem will need to support providing DMZ host to your new firewall device. Even with that, this network configuration can be a hassel. Many feel this in not needed because your Operating System probably comes with its own firewall. In addition to the modem firewall this should be good enough, right.... or maybe?

I was just wondering what you guys thought. Do you think it is important to firewall your ISP? Do you think the Built in operating system Firewall is enough?

I have been helping friends, family, and many others with their computer ills for years. Sometimes the problem pointed to access via the ISP network. Often the problems were trivial. It seems to happen more often in rural areas. Sometimes it has seemed like bad security practices on the part of the ISP. Other times (when the ISP doubles as a PC repair/sales shop), I have seen the problems look a little more like something an average college student might think up (like tasks scheduled to delete system dlls). I'm not saying that some hack over the internet couldn't be a college student, but that sometimes it seems like the attacks that have cause problems seem to be of differing artistic level. And that the simpler attacks seem to go away when you protect yourself from your ISP.

[ale5000]

I think it isn't good to just trust the ISP, you can never be sure they protect you.

I leave the firewall of the router enabled and I only forward needed ports in the router manually so all not needed ports are hidden from internet point of view.

I also have the firewall that come with the antivirus; the firewall of Windows also cannot really be trusted (it is enabled on all pc so it is so common that it is the first to be breached).

[Lord of the Rings]

I'm not an expert at anything so simply speaking from my own opinion.

I'm guessing there are standard port blocks ISP's use to block out known channels of exploit. With my ISP I do have the option to disable this but I have no reason to.

Don't get confused with DNS contact with the ISP, of which I was once upon a time paranoid about until I spoke to support.

I have no issues about my ISP, after all they prioritize customer privacy and even won a court case against the anti-p2p campaigners.

Router NAT I think is standard & should be allowedj for basic security. However there does exist some routers on the market which don't possess UPnP or even port forwarding which does not give you much choice.

Apparently some routers these days have either or both SPI and Content Filtering. Content filtering would be best done on a specific computer, not the entire home network so I dislike that option. SPI I know very little about. But SPI can be exploited by hackers in any case so it's not an ideal system. I would have doubts about using SPI because it could quite easily clash with p2p file-sharing.

Being predominantly a Mac user, my thoughts on security are probably lesser than the average person. However I do utilize a 3rd party tool. I also keep the system firewall on.

Some 3rd party Windows firewalls are not designed to cater for p2p file-sharing. I recall giving BearShare the maximum permissions on one of these and BearShare still detected it was being firewalled by this particular firewall.

DMZ is potentially dangerous IMHO.

[h4x5h17]

OPNsense and PFsense are pretty good firewall systems, if you have an spare PC around. Real easy if you just want to serve Wifi and you don't need a switch. An old laptop with ethernet and a access-point mode compatible wireless device would do the trick.

There is IPfire also. All three are good.