
Questions About Routers

What is the application? How many machines? What kind of internet connection?
 
You can get combo firewall-routers from a number of reputable suppliers. Depending how they are configurable, they will stop most of the low-level rot getting into your home network - DoS, bad packets, unwanted sources, specific types of packets, etc. However they usually won't stop stuff like spam and email viruses, which are fine at a network level.

There are now "appliance" boxes available that address all the issues - a complete firewall-in-a-box, if you will. Saves you having to configure and dedicate a computer of your own to the task.
 
I use a Linksys BEFSR41 wired router. I've only got the one computer hooked up to it, but it's got 4 ports and one uplink port, should I ever need them in the future. It's cheap, reliable, and according to 'Shields Up' website, I'm operating in full stealth mode without a software firewall. Still, if you should be unfortunate enough to get a 'nasty', it helps to run a software firewall such as Zone Alarm. The free version works just fine, and if you have a trojan that tries to go on-line, it won't be able to do so without your knowledge.
 
1. Does a (hardware) router make a software firewall superfluous?

2. Any recommendations on buying a router?

1. Yes and no (of course). A hardware router will protect a local network from internet attacks. It won't protect from attacks from other computers on the local network. A hardware router can also protect against a broader range of attacks (the NAT feature of hardware routers is by itself great protection).

For one computer on a network then the hardware router is probably sufficient. For more computers you have to weigh the risks/costs but if they are all desktop machines, and you don't let others connect to your network behind the firewall, then it is probably sufficient also.

If you have a laptop that is used on other networks, or allow other computers on your network, then a software firewall is recommended.

2. I generally avoid the cheapest manufacturer's routers and go one up from there. I really like D-Link's stuff, never had any problems. Got bit a couple of times by LinkSys, but they have a pretty good reputation. Belkin and US Robotics are also good.

As for features, if you're allowed to VPN to your work from home then you want a feature called VPN Pass Through (this is different from VPN end point or just VPN router. It's cheaper for one thing).

NAT is a must, but I don't know of any home use router that doesn't have it. MAC cloning might be necessary. If your ISP locks which computer you can connect with then the MAC clone feature is used to make your ISP think the router is your computer. Again, I don't know a home router that doesn't have this feature.

If you have a DSL or Cable Modem provided by your ISP, you do NOT need to get a router that integrates a DSL or Cable Modem. You'll plug your existing broadband modem into your router.

If you want wireless then a router that has both wireless and wired ports is nice. Costs a bit more though.
 
Be wary of Belkin wireless routers; I'm on my third, and my suppliers have stopped selling them due to the high number of returns.
 
1. Does a (hardware) router make a software firewall superfluous?

I'd like to add one point that (as far as I can see) no one has mentioned:

If you (like me) prefer having some control of which programs on your computer should have outgoing internet access, you need a software firewall. There are heaps of programs out there that connect to the internet and "phone home" behind your back. If you have a software firewall (like ZoneAlarm), you will get a popup message that tells you which program tries to access the internet, and whether you want to allow it or not.

Of course it is also possible to create programs that can fool the software firewall, but at least you get some additional control.
 
If you (like me) prefer having some control of which programs on your computer should have outgoing internet access, you need a software firewall.

True. Also one thing I forgot to mention -- turn off UPnP on the router. Most routers support this "feature" these days. Basically UPnP allows any program on your computer to open ports on the firewall without your knowledge. Bad idea. Why they think this is a feature I'll never know.
 
Just to agree with others, a hardware firewall of any type does not remove the need for a software firewall. The programs have two different (if similar) goals.

And, depending on the hardware firewall, its protection may be slim to none. Most of the home use router/firewall combinations are simple port-filtering firewalls. Which means they generally won't stop attacks coming in on recognized ports (such as port 80 for HTTP, or 21 for FTP, etc.) Also, a port filtering firewall offers no protection against trojans you download. These programs are allowed outbound access through your firewall, so you can still be made vulnerable through a program you have obtained and run.

A full state-inspection firewall can provide a higher degree of protection, because it actually examines the contents of the packets as they enter the network. Even then, the software firewall does allow you a degree of control, and immediate notification of issues (you open that neat picture file, for example, and get an immediate firewall alert of a program trying to access the Internet).

In any case, not all firewalls are created equally. Even with the best firewall out there, there are things it won't catch. Layered-defense is not a suggestion, it's a requirement for computer security. Think about your house. You wouldn't remove the locks on your door because you put in a security alarm. You wouldn't remove a security alarm because you added motion-controlled lighting. Treat your computer the same way :)
 
And, depending on the hardware firewall, its protection may be slim to none. Most of the home use router/firewall combinations are simple port-filtering firewalls. Which means they generally won't stop attacks coming in on recognized ports (such as port 80 for HTTP, or 21 for FTP, etc.)

Actually most home routers these days do state-based packet filtering and connection tracking. Add in NAT and they WILL NOT allow attacks through port 80 or FTP. Any attack will be directed at the router itself, not the machine behind the router.

Hardware firewalls will not prevent you from downloading malware and running it. Neither does a software firewall. Most software firewalls will prevent malware from talking to the internet but don't prevent it from running on the machine (and slowing it down or crashing it).
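To make the distinction the last two posts argue over concrete, here is an added toy model (not code from the thread or from any router vendor) of a stateless port filter beside a connection-tracking filter, run over a constructed packet trace: a LAN host fetching a web page, then an outside host probing port 80 and an ephemeral port on that LAN host. Addresses, ports and the `Packet` type are assumptions made up for the example.

```python
# Added example: stateless port filtering vs stateful connection tracking.
# The stateless rules mirror the classic "allow well-known service ports plus
# replies to high ports" approach; the stateful filter admits inbound packets
# only if they belong to a flow the LAN side opened first.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (LAN -> internet) or "in" (internet -> LAN)
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)
    syn: bool = False  # True for a TCP connection-opening packet

def stateless_filter(pkt, open_ports=frozenset({80, 21})):
    """No memory: inbound traffic is judged on the header alone, so anything
    aimed at a 'recognized' port or an ephemeral (>1023) port gets through."""
    if pkt.direction == "out":
        return "ACCEPT"
    return "ACCEPT" if pkt.dst[1] in open_ports or pkt.dst[1] > 1023 else "DROP"

class StatefulFilter:
    """Outbound packets create a flow entry; an inbound packet is accepted only
    if it is a non-SYN packet matching the reverse of a tracked flow."""
    def __init__(self):
        self.flows = set()   # entries: (lan_endpoint, remote_endpoint)

    def check(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.src, pkt.dst))
            return "ACCEPT"
        if (pkt.dst, pkt.src) in self.flows and not pkt.syn:
            return "ACCEPT"
        return "DROP"   # unsolicited inbound, even to port 80 or 21

def run_trace(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet list."""
    sf = StatefulFilter()
    return ([stateless_filter(p) for p in packets], [sf.check(p) for p in packets])

# Constructed trace (documentation/private address ranges, made up for this example).
LAN, WEB, PROBE = ("192.168.1.10", 51000), ("203.0.113.5", 80), ("198.51.100.9", 40000)
TRACE = [
    Packet("out", LAN, WEB, syn=True),                       # LAN host opens HTTP
    Packet("in", WEB, LAN),                                  # web server's reply
    Packet("in", PROBE, ("192.168.1.10", 80), syn=True),     # unsolicited SYN to port 80
    Packet("in", PROBE, LAN, syn=True),                      # unsolicited SYN to high port
]

if __name__ == "__main__":
    for p, a, b in zip(TRACE, *run_trace(TRACE)):
        print(f"{p.direction:>3} {p.src}->{p.dst}: stateless={a} stateful={b}")
```

The first two packets pass both filters; the two probes pass the stateless filter but are dropped by the stateful one, which is the behaviour kevin describes for routers that do connection tracking.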
 
kevin:

I've yet to see a home-based firewall that does state inspection. Do you have links to information on that? I've never seen one that allowed a ruleset to be initiated or set up, for example, which would seem to be a requirement for a stateful firewall with packet inspection. Either that or they use a simple, default ruleset that would have to be less than optimal. Most of the ones I've seen offer simple rules based on IP address and port numbers, IOW simple port filtering.

NAT does provide a high level of security, yes, simply from its nature. But it is not impregnable, and believing it is is the first step towards disaster. Attacks at the router itself are often the first stage of accessing a network, and from there access to other portions of a network are easy, even with NAT in-place. Another reason for software firewalls; they can protect against compromise of border routers.

In addition, proxy-enabled hardware firewalls can prevent you from downloading malware, but we're probably getting beyond the home-user level here :)

And yes, it won't prevent it from running, but it can prevent you from spreading it and provide immediate notice. In addition, it can protect you (as others stated) against malware that affects your router itself or other computers on your network.

Of course, it all depends on what you have to protect, as well. A home user generally doesn't need to have Ft. Knox :) But, if you already have a software based firewall, I would not remove it just because I placed in a hardware firewall or router. Even just the Windows built-in firewall, if nothing else. Keep it running.
 
Be wary of Belkin wireless routers; I'm on my third, and my suppliers have stopped selling them due to the high number of returns.

Most Belkin stuff is junk anyway, unless it's something incredibly basic like a power strip or something. Even then, I would recommend caution.
 
kevin:

I've yet to see a home-based firewall that does state inspection. Do you have links to information on that?

My router, D-Link DI-804HV, street price around $60 does it and specifically calls it out in the tech specs.
http://www.dlink.com/products/resource.asp?pid=59&rid=283&sec=0

I've never seen one that allowed a ruleset to be initiated or set up, for example, which would seem to be a requirement for a stateful firewall with packet insepction.

I don't know what you mean by rulesets requiring stateful firewall. IPChains on Linux was not a stateful firewall but was capable of some complicated rulesets.

The D-Link I mention above does not allow you to build rulesets that specifically call out a packet state, but does allow complicated rulesets based on many factors including IP, MAC address, time of day, ports etc. You can also create rulesets where opening one port outbound will open an inbound port of a different number (frequently required by games).

Even the $30 D-Link DI-604 allows for some complex rulesets to be built on those same things.

http://www.dlink.com/products/?sec=3&pid=62

On both those product pages you'll find a link to an emulator that allows you to play with the capabilities. If you get a window asking for a password just click the picture, it's fake.

NAT does provide a high level of security, yes, simply from its nature. But it is not impregnable, and believing it is is the first step towards disaster.

And of course you can provide a link to where I said this.

Attacks at the router itself are often the first stage of accessing a network, and from there access to other portions of a network are easy, even with NAT in-place. Another reason for software firewalls; they can protect against compromise of border routers.

Yes, I've never disagreed with this. Nor did I disagree with the comments earlier about security in depth. Throwing out the edge router throws out one of the security steps in depth. Presenting incorrect information may lead people to throw out one of their protections thinking it does nothing.

What I did was point out that home hardware routers DO NOT allow inbound packets on well-known ports from sources that were not initially requested from the inside as was claimed.

And yes, it won't prevent it from running, but it can prevent you from spreading it and provide immediate notice. In addition, it can protect you (as others stated) against malware that affects your router itself or other computers on your network.

Unless of course there is malware that knows how to deactivate your software firewall. And there is. Some are capable of disabling Zone Alarm, others the Windows Firewall.
 
kevin:
I've yet to see a home-based firewall that does state inspection. Do you have links to information on that? I've never seen one that allowed a ruleset to be initiated or set up, for example, which would seem to be a requirement for a stateful firewall with packet inspection. Either that or they use a simple, default ruleset that would have to be less than optimal. Most of the ones I've seen offer simple rules based on IP address and port numbers, IOW simple port filtering.

Well, my Asus WL500G does it (more or less), but to get advanced you have to configure it manually. This router runs Linux, and you have access to the console via telnet. From there you can configure IPChains, and store your settings in a post-firewall script, causing it to run after the router's own rules have been established. Come to think of it, I am running a custom firmware on mine, I'm not sure if that is a prerequisite to be able to do this.

Anyway, it does what I need it to do.
 
My router, D-Link DI-804HV, street price around $60 does it and specifically calls it out in the tech specs.
http://www.dlink.com/products/resource.asp?pid=59&rid=283&sec=0

Interesting. Thanks.

I don't know what you mean by rulesets requiring stateful firewall. IPChains on Linux was not a stateful firewall but was capable of some complicated rulesets.
I meant I've never seen a packet inspection firewall that didn't allow setting for the specific protocols that would be allowed on which ports. In other words, I haven't seen packet-inspection without the ability to create rulesets. I did not state nor imply that rulesets equal packet inspection.

And of course you can provide a link to where I said this.
I did not mean to imply that you were saying this, I'm simply making sure those unfamiliar with internet security don't read too much into statements made about NAT security and other issues.

What I did was point out that home hardware routers DO NOT allow inbound packets on well-known ports from sources that were not initially requested from the inside as was claimed.

May was the word I used, and some have. Not all home routers use NAT (some home networks have public IPs), and in some of these cases inbound attacks are possible. Perhaps it's better now, I haven't looked at home systems in a few years, but there are always new exploits.

Unless of course there is malware that knows how to deactivate your software firewall. And there is. Some are capable of disabling Zone Alarm, others the Windows Firewall.

Yes. Just as there are things that can disable aspects of your router, or your anti-virus, or other systems in-place for defense. Which was my point initially.

I think we're agreeing with each other, just using different wordings, so I'll leave it at that. NO offense intended, but too often technical discussions fall into a "I know more than you" mode, and I would like to think we won't get into that.

In short, I agree with most of your points, I did not know the home routers had advanced as far as they have in recent years, and most of my comments were as much for the audience (and the original poster) as anything else. Trying to keep comments more-or-less simple, and get across the idea that no security is attack-proof.
 
Just as a small question, I need to know something about routers.

Do most routers for home use have issues with needing to be "reset" all the time? I swear I've gone through about 4 routers now and all of them seem to "die" over time, and in the meantime, I can't actually get an "always on" connection. Every now and then, meaning every few weeks, the thing just up and disconnects and needs resetting. Sometimes it actually happens repeatedly over a few days. Oddly enough, I've actually tested and retested certain sites that actually seem, from the testing I've done, to ALWAYS instantly cause my router to crash the second I attempt to visit them.

Is router instability a well recognized problem or am I "doing it wrong"?
 