Originally posted by Dano:
Re-evaluate your thinking or not, it's up to you, but be warned you can be infected behind a NAT and firewall without ever opening a single email and not know about it.
I fail to see how this is possible.
The only ways to get something onto a machine are:
- An action by the user (open an attachment, load some dodgy ActiveX extension, use an infected floppy),
- Run a listening network service (e.g. Sendmail, Apache, all those things Windows has on by default), and allow other users to connect to the service and use it to carry out their wishes.
The first can never be fully prevented, and in that case no software firewall is going to help you either.
In the second instance, threats can be blocked in three ways:
- Turn off unnecessary services: The machine cannot receive connections if nothing is listening for requests.
- NAT Routers: These are pretty effective at shielding the machines behind them from detection and communication attempts. The only way around them that I'm aware of is some funky source-based routing stuff which most routers don't support IIRC.
- Firewall: Block the ports of services you don't wish to advertise to the internet and it will be extremely hard for someone to access them.
A software firewall is superfluous. If there is some super-intelligent trojan that can evade the above measures it will almost certainly be able to obtain Ring 0 privileges and disable whatever software protection you are using.
I used to run a third-party software firewall, mainly for the purposes of limiting what connections had net access. After a few years of it doing nothing more than irritating me I switched it off and just use the Windows firewall, but only because I'm paranoid and can't go cold turkey. No problems here.
Cheers,
Mr B
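A practical check for the "turn off unnecessary services" point in the post above: audit which sockets are actually listening on something other than loopback. This is an added example, not code from the thread; it parses `ss -ltn`-style output (the sample below is constructed, not captured from a real host) and reports the listeners that a remote peer could reach.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of `ss -ltn` (not output from a real machine).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096         127.0.0.1:631         0.0.0.0:*
LISTEN  0       511                  *:80                 *:*
LISTEN  0       128               [::]:22              [::]:*
LISTEN  0       50       192.168.1.10:445          0.0.0.0:*
LISTEN  0       128              [::1]:25              [::]:*
"""


def split_local(addr_port):
    """Split 'host:port' as ss prints it; IPv6 hosts are bracketed."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; '*' and wildcard binds are not loopback."""
    if host in ("*", ""):
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(ss_output):
    """Return sorted (host, port) pairs that listen on a non-loopback address.

    Wildcard binds (0.0.0.0, ::, *) and specific interface addresses both count
    as exposed; only loopback-bound sockets are filtered out.
    """
    exposed = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if not is_loopback(host):
            exposed.add((host, port))
    return sorted(exposed)


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{host}:{port} is reachable from the network; is it needed?")
```

On a live host, feed it the real output (`ss -ltn`) and compare the result against the services you intentionally advertise; anything else is a candidate for shutting down or firewalling.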