hi steve
i know that you posted your question to graystone, but i think i can address it to a degree, so permit me....
re, "If I have a hardware router, I am guessing that it is impervious to sabotage from the internet... what do I gain from a firewall except additional complexity."
here is an excerpt from a recently posted #reply-15891674 fred langa article titled How Much Protection Is Enough?. the article in its entirety can be found here informationweek.com
*******************************
"Protecting The Back Channel
But there's more to a multilayered defense than simply providing backstop protection. For example, most hardware/firmware firewalls don't do much, if anything, about protecting the outbound side of a connection. They have no way of knowing if a port request from a desktop machine is legitimate or spoofed by a Trojan, a virus, or a worm. (In fact, Blaine's attack could have been the result of just such an attack, where malicious code on his system fooled his firewall into opening a port.)
So, many users employ a multilayer defense that also guards the outbound channel:
I'm an MIS/network-support engineer at a major distribution company. I have a Linksys router, and I run ZoneAlarm on all of my PCs as well. The reason for this is that even though Linksys acts as a firewall, it doesn't block any information from being sent out of your computers. If you happen to download a program that contains spyware, the Linksys router won't do anything to stop those packets from being sent out. ZoneAlarm does. It will allow virtually nothing to enter or leave your computer without your permission and works perfectly well with Linksys systems. Of course, you should still run antivirus software as well.
--O'Leary"
*********************************
i know that there are quite a few other articles that say essentially the same thing... the hardware or firmware firewall concept is great, but not perfect, and will always benefit from software solutions.
hope this helps
:)
mark |
