Originally posted by: davehries
Thanks for the info.
I also use ZoneAlarmPro and according to one of the ZA gurus, ZAPro has SPI as a security feature. So, if true, as long as I use ZAPro I don't have to be concerned about finding or using a router that has SPI.
This is true to some extent. SPI on a network-level device certainly has its benefits (and drawbacks) compared to having SPI-based firewalling software on the host system itself.
With the software on your system, your machine is still getting hit with that traffic that might otherwise be blocked. This will always increase resource usage on your system as the firewall software processes that traffic against its ruleset. The resource hit might be very little or it might be a lot, but it will be there. Also, as long as you have those packets hitting your NIC, you're opening yourself up to the possibility that one of those packets could exploit a vulnerability in your firewall software, thus potentially making it useless.
Generally, when packets are processed at a network-level firewall, there is less risk of it exploiting something in the firewall software and getting around it, provided that the firewall is properly configured. That has been my experience, anyway. General thinking is that you want to limit exposure to your PC as much as possible. By putting the firewall on your PC you aren't doing anything to limit its exposure; you're just relying on that software to block out the bad stuff.
The major downside to using something at the network level is that you don't usually get the granularity in rules that you'd get from something residing on the end system. Unless your firewall is extremely intelligent, you are usually limited to just opening and closing ports to permit applications. At that point, most firewalls don't care what application uses that port, just that something is allowed to use it.
Because I know what's on my PC and what is running at all times, I don't really care too much about having personal firewall software on my PC. A good SPI-based hardware firewall filtering out stuff at the gateway works better for me. I do run firewall software on my laptop in addition to the hardware firewall I have at home, though. But that is because my laptop is a critical business resource and it sees a lot of different public-access networks as well. I never trust other people's networks.
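As an added illustration of the trade-off described in the post above (constructed example, not code from this thread or from any firewall product), the following Python model keeps a state table of outbound flows the way SPI does, then counts how many packets the host firewall must still inspect with and without a gateway SPI device in front of it, and shows the port-only granularity of the gateway versus the per-application rule on the host. Addresses, ports and process names are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" (host -> internet) or "in" (internet -> host)
    app: str = ""       # owning process; visible only to a host firewall

class SpiFirewall:
    """Minimal stateful inspection: permitted outbound connections are recorded;
    an inbound packet passes only if it is the reply to a recorded flow."""
    def __init__(self, allowed_ports, allowed_apps=None):
        self.allowed_ports = set(allowed_ports)
        self.allowed_apps = None if allowed_apps is None else set(allowed_apps)
        self.state = set()     # (src, sport, dst, dport) of established flows
        self.processed = 0     # packets this firewall had to inspect

    def permit(self, p):
        self.processed += 1
        if p.direction == "out":
            if p.dport not in self.allowed_ports:
                return False
            if self.allowed_apps is not None and p.app not in self.allowed_apps:
                return False    # only a host firewall can make this decision
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.state

def run(packets, gateway, host):
    """Gateway (if any) filters first; what it drops never reaches the host NIC."""
    return [p for p in packets
            if (gateway is None or gateway.permit(p)) and host.permit(p)]

TRAFFIC = [  # constructed sample traffic, in arrival order
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "out", app="browser"),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "in"),      # legitimate reply
    Packet("198.51.100.7", 40000, "10.0.0.5", 445, "in"),       # unsolicited probe
    Packet("10.0.0.5", 50001, "203.0.113.99", 443, "out", app="unknown.exe"),
]

def compare():
    gateway = SpiFirewall(allowed_ports={443})                  # port-only rules
    host_behind_gw = SpiFirewall({443}, allowed_apps={"browser"})
    host_alone = SpiFirewall({443}, allowed_apps={"browser"})
    with_gw = run(TRAFFIC, gateway, host_behind_gw)
    without_gw = run(TRAFFIC, None, host_alone)
    return {"host_inspected_with_gateway": host_behind_gw.processed,
            "host_inspected_without_gateway": host_alone.processed,
            "delivered_with_gateway": len(with_gw),
            "delivered_without_gateway": len(without_gw)}
```

The gateway stops the probe before the host sees it, but it forwards the unknown process's outbound connection because it only knows the port; the host rule is what blocks that one.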