Aren't personal firewalls enough?
Personal firewalls are useful because they block unsolicited traffic arriving from the internet. This means that even if you haven't installed all of Microsoft's security updates, you're protected against network worms that spread by connecting to a listening service on your PC. You'll still need to update your web browser and email software, because traffic you initiate, such as visiting a website or opening a message, passes straight through the firewall. Installing anti-virus software and a personal firewall on every PC is sensible, but you can reduce some of that workload by putting a standalone firewall between the network and the internet.
Many current Windows viruses target personal firewall software and try to stop it running. Netsky is a recent example, and it's by no means the only virus that tries to knock ZoneAlarm down. The trick works because the virus runs on the same machine, and with the same privileges, as the firewall it's attacking. It wouldn't work against a standalone firewall, which has no users running programs on it: nothing on the PCs it protects can reach its processes.
The Sasser worm, which targeted Windows' Local Security Authority Subsystem Service (LSASS), was devastating but, as Microsoft itself said, 'If you have a hardware firewall in place for your home or workplace connection, or if you use the firewall included with Windows XP, the Sasser worm is most likely blocked.'
Sometimes personal firewalls stop internal networks from working properly, and this was certainly the case with Windows XP's built-in firewall before SP2 was released. Anyone behind a hardware firewall would have barely noticed Sasser, because the worm spreads by opening an inbound connection to TCP port 445 and the firewall drops such connections. With personal firewalls installed as well they'd most likely have been safe, even without patching their systems or using anti-virus software. That's no reason to skip either, though: a laptop infected elsewhere and then plugged into the LAN carries the worm past the perimeter, and from there only patches and host firewalls stand in its way.
Some Denial-of-Service (DoS) attacks are aimed specifically at the Windows TCP/IP stack, and it's rare to find a personal firewall that deals with them effectively. A hardware firewall, particularly one that doesn't run Windows, takes care of this, because the attack packets never reach the Windows machines. Both SmoothWall and IPCop are based on Linux, so an attack that exploits a bug in Windows' network stack has no effect on them. That isn't the same as being immune to every DoS attack: Linux has had stack bugs of its own, and a flood that saturates your ADSL line hurts whatever sits behind it, so keep the firewall itself up to date too.
Example network
Our example network has a SmoothWall firewall connected to an ADSL router, which runs a DNS proxy and acts as the gateway between the internet and the entire group of systems. The firewall is set up to use the router as its DNS server. The router is set up to use the ISP's DNS servers. The router is assigned an IP address by the ISP, and has a static local address of 192.168.1.1. The firewall's (external) interface that's connected to the router has the IP address 192.168.1.15.
The LAN computers use the firewall as their default gateway and DNS server. The router actually gets the DNS information from the ISP and passes it back to the firewall, which passes it back to the clients on the LAN. These computers use the IP address range 192.168.0.2 and above. The firewall's (internal) IP address is 192.168.0.1. Once the firewall is installed, you configure it from a system on the LAN by visiting https://192.168.0.1:441/ (the SmoothWall administration interface).
The systems on the DMZ need to use SmoothWall as their gateway, but should refer to the ADSL router or the ISP's DNS servers directly. They're not allowed to talk to the firewall and ask for DNS details, so a DMZ machine, which is the one most likely to be compromised, has as little as possible to talk to on the firewall. These systems use the IP range 172.16.0.2 and above. The firewall's DMZ IP address is 172.16.0.1.
You can alter the IP addresses as you wish, but the range used on the LAN must not overlap the one used for the DMZ (or the 192.168.1.x segment between the firewall and the router), and you should always use private address ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) for internal networks, including the DMZ.
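As an added example (it's not part of the original article, and it isn't SmoothWall's own code), here is a small Python check of the addressing plan above. It assumes /24 masks on each segment, which the article doesn't specify, and the zone names red, green and orange are SmoothWall's names for the external, LAN and DMZ interfaces. It confirms that every segment is a private range, that no two segments overlap, that each firewall interface and default gateway actually sits inside its segment, and that the DMZ hosts don't point at a firewall interface for DNS.

```python
import ipaddress

# Constructed model of the article's example network. The /24 masks are an
# assumption; the article only gives the start of each address range.
PLAN = {
    "red": {                          # interface facing the ADSL router
        "network": "192.168.1.0/24",
        "firewall": "192.168.1.15",
        "gateway": "192.168.1.1",     # the ADSL router
        "dns": ["192.168.1.1"],       # firewall asks the router's DNS proxy
    },
    "green": {                        # the LAN
        "network": "192.168.0.0/24",
        "firewall": "192.168.0.1",
        "gateway": "192.168.0.1",
        "dns": ["192.168.0.1"],       # LAN clients resolve via the firewall
    },
    "orange": {                       # the DMZ
        "network": "172.16.0.0/24",
        "firewall": "172.16.0.1",
        "gateway": "172.16.0.1",
        "dns": ["192.168.1.1"],       # DMZ hosts go to the router, not the firewall
    },
}


def check_plan(plan):
    """Return a list of problems found in an addressing plan (empty list = OK)."""
    problems = []
    nets = {name: ipaddress.ip_network(zone["network"]) for name, zone in plan.items()}

    # 1. Everything behind the router must live in RFC 1918 space.
    for name, net in nets.items():
        if not net.is_private:
            problems.append(f"{name}: {net} is not a private range")

    # 2. Segments must not overlap, or the firewall can't route between them.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")

    # 3. The firewall's interface and the default gateway must be inside the segment.
    for name, zone in plan.items():
        for role in ("firewall", "gateway"):
            if ipaddress.ip_address(zone[role]) not in nets[name]:
                problems.append(f"{name}: {role} {zone[role]} is outside {zone['network']}")

    # 4. DMZ policy: orange hosts must not use any firewall interface as a resolver.
    orange = plan.get("orange")
    if orange:
        firewall_addrs = {zone["firewall"] for zone in plan.values()}
        for server in orange["dns"]:
            if server in firewall_addrs:
                problems.append(f"orange: DNS server {server} is a firewall interface")

    return problems


def usable_hosts(plan, zone_name):
    """Addresses left for hosts in a zone once the firewall's own address is taken."""
    zone = plan[zone_name]
    net = ipaddress.ip_network(zone["network"])
    return [str(h) for h in net.hosts() if str(h) != zone["firewall"]]


if __name__ == "__main__":
    for problem in check_plan(PLAN) or ["addressing plan is consistent"]:
        print(problem)
    print("first DMZ host address:", usable_hosts(PLAN, "orange")[0])
```

Run it as is and it reports the plan as consistent; change the DMZ range to 192.168.0.0/24, or point the DMZ's DNS at 172.16.0.1, and it tells you which rule you've broken.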