Hardware Firewall - Advice Needed
RiverLights
October 5th, 2006, 10:03 PM
Hi Folks
I know nothing of routers or hardware firewalls. But am interested in adding some variation of one to my very simple security setup. (Kaspersky 6 suite and Spysweeper, regular XP updates of course).
My broadband connection is 20M downloads, 2.1M up. Only one computer on the line.
Just want something that will not slow down the connection (though actually I don't do a whole lot of downloading, but the speed helps make for very quick and wide ranging surfing).
Any comments and/or suggestions would be greatly appreciated.
Thanks in advance.
mfenech
October 5th, 2006, 10:10 PM
-{ Quote: " My broadband connection is 20M downloads, 2.1M up. " }-
Ok...I'm jealous. :'(
Devinco
October 5th, 2006, 10:16 PM
Hi RiverLights,
The first thing would be to find out if your broadband modem includes a NAT router or hardware firewall.
Many of the newer models include a NAT router.
What is the brand and model number of the modem?
BlueZannetti
October 5th, 2006, 10:24 PM
-{ Quote: "Any comments and/or suggestions would be greatly appreciated." }-
RiverLights,
You're going to want routing throughput which exceeds your current download speeds by a reasonable margin to allow potential growth over the next few years. You can get a snapshot of performance here (http://www.tomsnetworking.com/lans_routers/charts/index.html?chart=119). My personal favorites are ZyXel ZyWalls, with a ZyWall 2 Plus being a rather good deal for the price (~ $160-170), although a fairly common Linksys WRT54G would actually be fine as well for about half that. I've also used Buffalo Tech WR-HP-G54 (or WHR-G54S) routers, they're fine as well.
Figure out what type of capabilities you want, verify that routing performance exceeds the likely limits of your connection for a reasonable timeframe (look at the speeds for higher tier options on your broadband service, that's where you'll likely migrate to eventually), and make the call based on those points. ZyXel, Linksys, Netgear, Buffalo Tech, D-Link, etc., are all reasonable choices - those are just on the top of my head and I've used all successfully (except for D-Link which I haven't owned as yet, but forum reports are generally favorable).
Blue
screamer
October 6th, 2006, 08:37 AM
Riverlights,
My ISP advertised speeds are 30Mbps / 2Mbps using a Motorola SBV5120 modem.
I've been through two NetGear routers w/ NAT & SPI. Neither one worked exceptionally well on my wireless laptop. I bought a Belkin Pre-N router w/ NAT & SPI. With all hardware and software security running, my D/L is 23606kbps, U/L 2588kbps. This is my wired connection. Haven't checked wireless in a while. But, in any case, try a router that has a 30-day return policy. In fact, buy a few at one time, try 'em and keep the one that works best for you. You'll save yourself some time and aggravation in the long run.
...screamer
btw: don't forget to tweak your tcp/ip settings. TCP Optimizer @ SpeedGuide.net
RiverLights
October 6th, 2006, 12:10 PM
-{ Quote: "Ok...I'm jealous. " }-
LOL..don't be, mfenech.
I have learned my practical speed is still at the mercy of the weakest link between me and whatever I am trying to reach. For instance, I live on the east coast of the US and if I am trying to connect with just the west coast, I am lucky to get 3 or 4M much of the time. But when it is cooking, it's nice.
Also have learned...through a whole bunch of trial and error... that the very solid Kaspersky suite truncates the upload speed by about 70%. (Oddly enough it doesn't do much at all to the download speed.) By changing settings and then testing, I have discovered (I am pretty sure anyway - their tech is presently studying the phenomenon for me) that it is primarily K's excellent on-the-fly web buffering scan that chops the upload. I could switch to their streaming scan instead and get some of the upload speed back; but they themselves say that the change would significantly reduce the scans' security impact. I do not upload often, so am more than willing to live with the slower upload speed if the return is a more secure computer (and it is).
RiverLights
October 6th, 2006, 12:24 PM
-{ Quote: "The first thing would be to find out if your broadband modem includes a NAT router or hardware firewall.
Many of the newer models include a NAT router.
What is the brand and model number of the modem?" }-
I have a fairly old Motorola SB5100, Devinco. It does not have a NAT firewall (and I am so damn ignorant about this particular stuff that I am gonna have to google to find out what the NAT acronym stands for <g>).
In a quick, not comprehensive, check last night I saw that one of the wireless Motorola modems does have an integrated firewall.
Even though I only have one computer, is a wireless firewalled modem or router something I might consider? (again - completely ignorant)
Thanks for your reply, and again for any and all replies from all posters. Your time, knowledge, and patience are appreciated.
RiverLights
October 6th, 2006, 12:43 PM
-{ Quote: "You're going to want routing throughput which exceeds your current download speeds by a reasonable margin to allow potential growth over the next few years. You can get a snapshot of performance here. My personal favorites are ZyXel ZyWalls, with a ZyWall 2 Plus being a rather good deal for the price (~ $160-170), although a fairly common Linksys WRT54G would actually be fine as well for about half that. I've also used Buffalo Tech WR-HP-G54 (or WHR-G54S) routers, they're fine as well.
Figure out what type of capabilities you want, verify that routing performance exceeds the likely limits of your connection for a reasonable timeframe (look at the speeds for higher tier options on your broadband service, that's where you'll likely migrate to eventually), and make the call based on those points. ZyXel, Linksys, Netgear, Buffalo Tech, D-Link, etc., are all reasonable choices - those are just on the top of my head and I've used all successfully (except for D-Link which I haven't owned as yet, but forum reports are generally favorable)." }-
Blue, Thanks. Comprehensive advice. Makes sense.
Great site. Very informative. So I want to look at WAN to LAN. And/Or LAN to WAN. (can't help but think of a 1950s rocknroll song LammaLammadingdong)
;)
RiverLights
October 6th, 2006, 12:48 PM
-{ Quote: "My ISP advertised speeds are 30Mbps / 2Mbps using a Motorola SBV5120 modem.
I've been through two NetGear routers w/ NAT & SPI. Neither one worked exceptionally well on my wireless laptop. I bought a Belkin Pre-N router w/ NAT & SPI. With all hardware and software security running, my D/L is 23606kbps, U/L 2588kbps. This is my wired connection. Haven't checked wireless in a while. But, in any case, try a router that has a 30-day return policy. In fact, buy a few at one time, try 'em and keep the one that works best for you. You'll save yourself some time and aggravation in the long run.
...screamer
btw: don't forget to tweak your tcp/ip settings. TCP Optimizer @ SpeedGuide.net" }-
Thanks Screamer.
(I have tweaked the settings, but an excellent reminder)
BlueZannetti
October 6th, 2006, 04:55 PM
-{ Quote: "Great site. Very informative. So I want to look at WAN to LAN. And/Or LAN to WAN. (can't help but think of a 1950s rocknroll song LammaLammadingdong)
;)" }-
Both - total simultaneous throughput. Also look at max simultaneous connections, especially if you game, etc.
Blue
RiverLights
October 6th, 2006, 05:33 PM
-{ Quote: "total simultaneous throughput. Also look at max simultaneous connections, especially if you game, etc." }-
Thank you, Blue. Extremely helpful.
Devinco
October 7th, 2006, 02:29 AM
-{ Quote: "But am interested in adding some variation of one to my very simple security setup. (Kaspersky 6 suite and Spysweeper, regular XP updates of course)." }-
They now call it KIS 6, Kaspersky Internet Security 6.0 (http://usa.kaspersky.com/products/internet-security.php). It integrates the KAH (Kaspersky Anti-Hacker) software firewall.
While you don't absolutely need a hardware firewall (or a NAT router), you do need some type of firewall to keep the angry horde at bay. The integrated KAH in KIS 6, if activated, is what is currently protecting your computer from inbound and outbound attacks.
Having said that, a hardware firewall (at least a basic NAT Router) is highly recommended by a lot of people.
It is a different type of firewall, so it will not conflict with KAH.
It will take the burden of blocking the inbound attacks from the internet off KAH and your computer.
It will not slow down your connection. By freeing up your computer (especially processing all the logs that a directly connected inbound software firewall might generate), it can only help.
Should your software firewall crash for any reason, or while you are first installing windows, your NAT router will still protect you.
A NAT router offers many other benefits like isolating your computer's IP address from the internet. You will still have a public IP address, but it will be the router that is directly connected to the internet, not your computer. A NAT router can also allow you to share one internet connection with many computers.
A NAT router is definitely a good investment even for one computer on a broadband connection.
-{ Quote: "I have a fairly old Motorola SB5100, Devinco. It does not have a NAT firewall (and I am so damn ignorant about this particular stuff that I am gonna have to google to find out what the NAT acronym stands for <g>)." }-
You are correct, the Motorola SB5100 does not use NAT, it does not contain a router, and it does not have a firewall. It is just a cable modem. It acts as a "bridge" for all the internet traffic and passes it unfiltered directly to your computer where KAH deals with it right now.
Your current security setup will benefit with the addition of a router.
NAT stands for Network Address Translation (http://en.wikipedia.org/wiki/Network_address_translation).
If you don't find what you need to learn on google, you will find Wikipedia (http://www.wikipedia.org/) to be a gold mine, especially for technical terms and acronyms.
-{ Quote: "In a quick , not comprehensive, check last night I saw that one of the wireless Motorola modems does have an integrated firewall." }-
You are referring to the SBG900 Wireless Cable Modem Gateway (http://broadband.motorola.com/consumers/products/sbg900/). I like the basic firewall features of that model, however, I have usually found the feature set to be better in stand alone routers rather than an all in one cable modem gateway. The combined modem/router models are improving lately, but I still think you can have a more flexible setup with the modem separate from the router. A good way to research a model you are interested in is to visit forums that discuss routers all the time (dslreports, or the manufacturer's forum for example). You will then see the type of problems you are likely to have with a particular product.
-{ Quote: "Even though I only have one computer, is a wireless firewalled modem or router something I might consider? ( again - completely ignorant)" }-
The main question here is wireless or wired? You will need to answer for yourself the following...
Does the idea of using your laptop poolside or on a LazyBoy recliner sound good?
Are running cables from where the cable comes in to where your computer is placed not possible?
If the answers are yes, then you should consider wireless.
If you think there is no need to keep moving the computer around and it would be more comfortable in one place set up just for the computer, then go wired.
If you decide to go wireless, then I would avoid the SBG900 because it only supports the weak WEP wireless security. Better to go for one that supports the IEEE 802.11i standard, which is also called WPA2 (WiFi Protected Access). This is currently the most secure wireless standard.
RiverLights
October 7th, 2006, 07:20 PM
Thanks very much, Devinco. And to all for your thoughts, shared experiences, and overviews.
Especially appreciate that you and Blue pointed out some very educational sites. Can't ask for more than that.
I know my way around software security fairly well; but as I said, I knew nothing about hardware firewalls and routers. Still a ton to learn, but, thanks to responses here, headed in the right direction.
Wired is definitely the way to go for me, Devinco. I was curious as to whether a wireless modem or router with attractive features might have a "wired usage" option....but now that question is academic only.
Made a choice.
The D Link DGL-4100. (identical in all other ways to its wireless sibling, the 4300). It is fast.
Of 43 combined user reviews that I read about the 4100 and 4300, 40 folks liked it. A couple experienced freezes that required hard resets...but that of course sometimes happens to software too. Many said D Link support was not very good, so I hope I can muddle along without it.
Once again, many thanks to all. (good forum) ;D
ahinterl
October 9th, 2006, 10:40 AM
ZyWall 2 Plus has a big advantage: it can be run as a bridge, i.e. it has no real IP address which could be attacked and thus it needs no stealthing or such 'cause it's invisible by default.
Relatively cheap and powerful, just don't know whether the frequent reboots I had with my older Zywall 2 (w/o the "Plus") are eliminated in the new piece...
Andreas
RiverLights
October 9th, 2006, 11:23 AM
Thanks Andreas. I believe that was Blue's current favorite too. Interesting point on running it as a "bridge" (more googling for me to do) <g>.
Gotta admit I have some doubts about how much extra security (over and above a good software firewall) a hardware firewall normally really adds. The bridge mode you speak of would answer those questions. (With the proviso that I know so little about hardware firewalls, my questions may well make little real sense :wacko: )
I appreciate the information, but for now it is a little too late. I ordered the D Link DGL-4100. For $115 (free shipping). Should arrive tomorrow. I'll take it for a spin and try not to screw up the setup.
If I return it, I'll seriously consider the Zywall 2 Plus.
RiverLights
October 9th, 2006, 02:57 PM
Whoa!...lol....after a moment's googling I am REALLY confused by your post, Andreas. You wrote
-{ Quote: "ZyWall 2 Plus has a big advantage: it can be run as a bridge, i.e. it has no real IP address which could be attacked and thus it needs no stealthing or such 'cause it's invisible by default." }-
I googled and
-{ Quote: "When configured in Bridge Mode, the Cayman will act as a pass-through device and allow the workstations on your LAN to have public addresses directly on the internet. NOTE: In this mode the Cayman is providing NO firewall protection as is afforded by NAT. Also, only the workstations that have a public address can access the internet. This can be useful when you need to use all five of your static public IP's on the LAN." }-
So bridge mode is just a unrestrained pass through? As I only have one computer, and the only conceivable reason I would add a router is to utilize an extra layer of protection from the hardware firewall. And if the definition is accurate in that the firewall is also bypassed by bridge mode ....why in the world would I want bridge mode?
ahinterl
October 10th, 2006, 02:42 AM
That's true, I was a little unspecific.
To make full use of a bridged firewall, you would need some NAT device sitting in front of it (i.e. on the side towards the public LAN (=Internet)). Don't know that exactly; I suggest you download the Zywall 2 Plus manual and see for yourself.
NAT alone is a neat protection, but with a bridged firewall behind it the firewall itself is like a pass-through device and completely invisible to hosts (like a repeater would be, that's simply the nature of a bridge).
This adds a tremendous amount of additional security: though in bridged mode some filtering may not be accessible (because of the logical layer the bridge is located in the OSI model; you can read about this in detail in the FreeBSD manpages for instance), the "attack-proof" and "invisible" attributes are second to none.
For not so complex environments, I consider a bridged firewall the non-plus-ultra, provided the private LAN is additionally secured from the outside by NAT.
I was quite happy with my older Zywall 2 models (I'm using a Fortigate-60 now, a no-cost leftover from the company I work for), so I can only recommend the Zywall 2 Plus; there's simply nothing comparable in this price segment.
If you're not planning to invest a lot more money, you can't go wrong with a Zywall 2 Plus.
Andreas
Devinco
October 10th, 2006, 05:05 AM
-{ Quote: "To make full use of a bridged firewall, you would need some NAT device sitting in front of it (i.e. on the side towards the public LAN (=Internet)). Don't know that exactly; I suggest you download the Zywall 2 Plus manual and see for yourself.
NAT alone is a neat protection, but with a bridged firewall behind it the firewall itself is like a pass-through device and completely invisible to hosts (like a repeater would be, that's simply the nature of a bridge).
This adds a tremendous amount of additional security: though in bridged mode some filtering may not be accessible (because of the logical layer the bridge is located in the OSI model; you can read about this in detail in the FreeBSD manpages for instance), the "attack-proof" and "invisible" attributes are second to none.
For not so complex environments, I consider a bridged firewall the non-plus-ultra, provided the private LAN is additionally secured from the outside by NAT.
I was quite happy with my older Zywall 2 models (I'm using a Fortigate-60 now, a no-cost leftover from the company I work for), so I can only recommend the Zywall 2 Plus; there's simply nothing comparable in this price segment.
If you're not planning to invest a lot more money, you can't go wrong with a Zywall 2 Plus.
Andreas" }-
Hi Andreas,
The Zywall 2 Plus looks like a nice Hardware Firewall/Router.
The idea of a bridged firewall sounds good, but I don't see the practical application other than saving some LAN reconfiguration if you already have a NAT router.
Let's say you have a NAT Router and behind it the Zywall in Bridged Mode.
The firewall may be invisible, but the NAT router is not, and it is then the NAT Router that is doing all the heavy lifting protecting the LAN from inbound attacks at the front door.
The firewall should be first in the line of fire, not second.
Maybe I'm missing something, but I don't see the benefit of bridged mode.
I read relevant parts of the manual, but it did not mention specifically whether the "bridged" firewall would go in front of an additional NAT router or behind it.
Even if the ZyWall in bridge mode is put in front of the additional NAT router, the ZyWall will pass the IP of the NAT router through.
Could someone explain why a bridged firewall with an additional NAT router (either in front of or behind the firewall) is better than just a hardware firewall (with built in NAT router)?
In RiverLights case, with one computer, and a cable modem, I would set it up in NAT router mode (and enable the firewall).
The D-Link DGL-4100 also looks like a good choice.
RiverLights
October 10th, 2006, 05:18 PM
Thanks Andreas and Devinco for the additional elucidation.
I'll post my router novice's adventures and any misadventures with the D-Link as soon as I get the time to set it up.
(PS I am really liking the Kaspersky Internet Security Suite...getting used to it)
ahinterl
October 11th, 2006, 09:22 AM
-{ Quote: "Hi Andreas,
The Zywall 2 Plus looks like a nice Hardware Firewall/Router.
The idea of a bridged firewall sounds good, but I don't see the practical application other than saving some LAN reconfiguration if you already have a NAT router.
Let's say you have a NAT Router and behind it the Zywall in Bridged Mode.
The firewall may be invisible, but the NAT router is not, and it is then the NAT Router that is doing all the heavy lifting protecting the LAN from inbound attacks at the front door.
The firewall should be first in the line of fire, not second.
Maybe I'm missing something, but I don't see the benefit of bridged mode.
I read relevant parts of the manual, but it did not mention specifically whether the "bridged" firewall would go in front of an additional NAT router or behind it.
Even if the ZyWall in bridge mode is put in front of the additional NAT router, the ZyWall will pass the IP of the NAT router through.
Could someone explain why a bridged firewall with an additional NAT router (either in front of or behind the firewall) is better than just a hardware firewall (with built in NAT router)?
In RiverLights case, with one computer, and a cable modem, I would set it up in NAT router mode (and enable the firewall).
The D-Link DGL-4100 also looks like a good choice." }-
A firewall does not necessarily need to be the 1st line of security IMHO.
NAT is good, but has its weaknesses as well.
To have a NAT device and a firewall behind it is better than only either of them alone ;-)
And bridged is better than visible 'cause you can't put an attack onto something that "isn't there" ;-)
The role of a hardware firewall usually is to protect you from attacks from the outside and possibly to let only specified protocols from the inside pass through to the Internet.
This is what a piece like the Zywall 2 Plus does perfectly, no matter whether it plays the role of NAT and firewall itself or only does firewalling and leaves NAT to another router.
So, it's pretty unimportant how many other devices are in front of the Zywall; multiple lines of defence make a cracker's life harder -- that's why I have Comodo with a fully detailed configuration as well on my PCs. It simply puts another level of protection in a line of protective measures against outside attacks or malware "calling home".
Andreas
RiverLights
October 11th, 2006, 09:42 AM
well any arrangement is bound to be better than my previous one.....I had just been stretching a jumbo condom over my computer tower and hoping that would work
;)
Stem
October 11th, 2006, 11:10 AM
-{ Quote: "NAT alone is a neat protection, but with a bridged firewall behind it the firewall itself is like a pass-through device and completely invisible to hosts (like a repeater would be, that's simply the nature of a bridge).
This adds a tremendous amount of additional security: though in bridged mode some filtering may not be accessible (because of the logical layer the bridge is located in the OSI model; you can read about this in detail in the FreeBSD manpages for instance), the "attack-proof" and "invisible" attributes are second to none." }-
I cannot understand how a Bridge can give extra security, as to me, a bridge is a switch, but uses broadcasts to set up a "tree" (network)
Bridge:- A device that connects two LAN segments together, which may be of similar or dissimilar types, such as Ethernet and Token Ring. A bridge is inserted into a network to segment it and keep traffic contained within the segments to improve performance.
Bridges with more than two ports (multiport bridges) perform a switching function. Today's LAN switches are really multiport bridges that can switch at full wire speed.
If the bridge acts as a firewall, then the firewall would intercept IP packets; all others would pass through.
I am also unclear as to you ref:- "like a repeater would be":-
repeater:-A communications device that amplifies (analog) or regenerates (digital) the data signal in order to extend the transmission distance. Available for both electronic and optical signals, repeaters are used extensively in long distance transmission. They are also used to tie two LANs of the same type together. Repeaters work at layer 1 of the OSI model
Devinco
October 11th, 2006, 02:05 PM
-{ Quote: "To have a NAT device and a firewall behind it is better than only either of them alone ;-)
And bridged is better than visible 'cause you can't put an attack onto something that "isn't there" ;-)" }-
Thanks for the answers Andreas.
But is a NAT device and a firewall behind it better than a firewall WITH a NAT device included? Why?
With the former, the firewall may be "invisible" but the NAT device is left somewhat less protected without the firewall.
While the latter may not be "invisible" it guards the entire LAN including the NAT router, so no foothold can be gained in the network.
A lot of mischief can happen with a compromised router.
So I guess I still don't understand the benefit over a combined NAT router/firewall.
RiverLights
October 12th, 2006, 01:00 AM
Finally setting up the router. Acronyms flying at me from all directions.....
Anyone know what I should set for the MTU? I think the default is 1500.....wait I googled and see that windows xp has a default setting of 1480. To change it I'd have to change the registry. Guess I should set my router for 1480 then? :wacko:
Also encountered an odd little problem unrelated to the setup. When I try and run
ipconfig
the window only stays open for a fraction of an instant then vanishes. Fairly weird.
But all seems to be running fairly smoothly so far. Checked my Kaspersky firewall log, and all of a sudden nothing is happening. So though I remain uncertain about just how much extra difficulty the hardware firewall addition to the security mix really poses for intrusion attempts, it does take the load off of the software firewall. And the two do not, so far, seem to clash in any way. Guess an extra levee can't hurt.
Devinco
October 12th, 2006, 01:10 AM
-{ Quote: "Finally setting up the router. Acronyms flying at me from all directions.....
Anyone know what I should set for the MTU? I think the default is 1500.....wait I googled and see that windows xp has a default setting of 1480. To change it I'd have to change the registry. Guess I should set my router for 1480 then? :wacko:" }-
I would leave it at 1500, the maximum allowable on ethernet networks.
Also, as you would with a software firewall, set a strong password on the configuration.
And, if you don't need remote administration or VPN, turn those features off.
RiverLights
October 12th, 2006, 01:21 AM
Thanks, Devinco.
ahinterl
October 12th, 2006, 02:16 AM
Folks, I guess there are some misconceptions and misunderstandings here, so let me explain:
Firstly: a NAT device with a built-in firewall is by no means more secure than one without a firewall. NAT has per se nothing to do with firewalling but rather is a method of translating IP addresses from one address space to those of another and to provide routing in both directions.
That said: don't worry whether you have a NAT device in front of your firewall, it simply doesn't matter. And, there's no benefit in putting a firewall into the same device that does NAT. Fact is that there's simply no "NAT alone" device, but you'll find a NAT thing always with some kind of firewall built in - so if you have a NAT device, that piece of hardware in almost all cases already HAS a firewall built in - but I suggest disabling it anyway to make administration easier (it's easier to administer one firewall than two, but if you're concerned you can leave it on of course, it has no impact on the firewalls behind the NAT device).
Secondly, a bridged firewall has two big advantages:
You don't need to give it IP addresses (except one for remote administration), so you can plug it into any network configuration without the hassle of re-configuring something; it's "plug and play". And, because it has no IP addresses (just as a hub doesn't), how could someone attack that thing?
And to make your concerns about that "bridge only" argument go away: even in bridged mode, the Zywall is a full blown firewall which wouldn't let pass anything you deny through.
You see, bridged mode has some advantages over the conventional setups. But there are some drawbacks as well: in bridged mode, some filter methods cannot be applied because of the pure nature of a bridge. It logically sits at a certain layer of the OSI model and therefore simply hasn't access to anything outside that layer (i.e. things at higher levels). But I bet you wouldn't see any difference. Usually, these disadvantages only come into play in complex network environments, which at home aren't present.
Again, I recommend a bridge setup and the Zywall 2 Plus; it's so much cheaper than other firewalls (and, all others cook with water too; the expensive firewalls usually don't do anything better in firewalling than cheaper ones do, they have additional features a home user normally doesn't need anyway) and its ZyNOS operating system is very powerful.
Andreas
Devinco
October 12th, 2006, 04:14 AM
-{ Quote: "Folks, I guess there are some misconceptions and misunderstandings here, so let me explain:
Firstly: a NAT device with a built-in firewall is by no means more secure than one without a firewall. NAT has per se nothing to do with firewalling but rather is a method of translating IP addresses from one address space to those of another and to provide routing in both directions.
That said: don't worry whether you have a NAT device in front of your firewall, it simply doesn't matter. And, there's no benefit in putting a firewall into the same device that does NAT. Fact is that there's simply no "NAT alone" device, but you'll find a NAT thing always with some kind of firewall built in - so if you have a NAT device, that piece of hardware in almost all cases already HAS a firewall built in - but I suggest disabling it anyway to make administration easier (it's easier to administer one firewall than two, but if you're concerned you can leave it on of course, it has no impact on the firewalls behind the NAT device)." }-
You bring up an important point here that is supported by Steve Gibson and many others.
Specifically here is an article about just that: NAT Router Firewalls (http://www.grc.com/sn/SN-003.htm). Another related article about DDoS Attacks (http://www.grc.com/sn/SN-008.htm) sheds more light.
Basically, the primary protective "firewall" feature of any NAT Router is that it drops unsolicited packets.
That is, any data that someone within the LAN didn't ask for is ignored.
The "extra" firewall features (like protection from DOS attacks) in a NAT router don't add much if any real protection.
They are primarily marketing tools.
I have noticed that routers that include these "extra" firewall features usually have other useful configuration features that a lesser router might not have.
However, the fact that you don't need a firewall in the NAT router to be secure also means that you don't need a bridged firewall behind a NAT router to be secure either.
It is the NAT router that is providing the real security, so nothing else is needed.
-{ Quote: "Secondly, a bridged firewall has two big advantages:
You don't need to give it IP addresses (except one for remote administration), so you can plug it into any network configuration without the hassle of re-configuring something; it's "plug and play". And, because it has no IP addresses (just as a hub doesn't), how could someone attack that thing?
And to make your concerns about that "bridge only" argument go away: even in bridged mode, the Zywall is a full blown firewall which wouldn't let pass anything you deny through.
You see, bridged mode has some advantages over the conventional setups. But there are some drawbacks as well: in bridged mode, some filter methods cannot be applied because of the pure nature of a bridge. It logically sits at a certain layer of the OSI model and therefore simply hasn't access to anything outside that layer (i.e. things at higher levels). But I bet you wouldn't see any difference. Usually, these disadvantages only come into play in complex network environments, which at home aren't present.
Again, I recommend a bridge setup and the Zywall 2 Plus; it's so much cheaper than other firewalls (and, all others cook with water too; the expensive firewalls usually don't do anything better in firewalling than cheaper ones do, they have additional features a home user normally doesn't need anyway) and its ZyNOS operating system is very powerful." }-
The Zywall does appear to have a lot of "bang for the buck" (feature to dollar ratio).
I think I understand now the reason why one would consider a bridged firewall.
The NAT router is what is providing the real security for the LAN.
But, if you are concerned that the NAT router would be compromised, then the bridged firewall would be an additional barrier to entry into the LAN just as a second NAT router would be. In this case, the bridged firewall would be better than a second NAT router because it would not need additional configuration (just drop it into the network).
But if your first NAT router is compromised, plenty of mischief can still happen like DNS redirection and probably other things too.
So if you are looking into a dual NAT router setup as explained in the Steve Gibson article, the bridged firewall looks like a good alternative.
But for most users, I think just a NAT router would be sufficient.
Thank you Andreas for all the explanations. :)
YeOldeStonecat
October 12th, 2006, 09:10 AM
I always prefer hardware over software. I don't care if I'm invisible or not....what I prefer (and insist for all my clients), is hardware NAT on the outside. So what...if you can see me. Just because you're standing in front of Ft Knox does not mean you can break in and steal all the gold. Stare at it all day long for all I care.
NAT does not "break"..by default, it's setup secure, all ports shut..nothing from outside is coming in. I don't care about outbound stopping....but that's a personal preference.
Software firewalls can break, vulnerabilities can (and have) come out against them to disable them, services can hang or not start, it can become corrupted and not start, etc. One day you boot up...you "think" you're protected..you're not. 5 seconds later on a public IP address..well...get out your Windows CD and format/reinstall.
-{ Quote: "Thanks for the answers Andreas.
But is a NAT device and a firewall behind it better than a firewall WITH a NAT device included? Why?
With the former, the firewall may be "invisible" but the NAT device is left somewhat less protected without the firewall.
While the latter may not be "invisible" it guards the entire LAN including the NAT router, so no foothold can be gained in the network.
A lot of mischief can happen with a compromised router.
So I guess I still don't understand the benefit over a combined NAT router/firewall." }-
RiverLights
October 12th, 2006, 12:10 PM
Imposing on your exceptional generosity with time once again....
Settings.
Swimming in my router ignorance, I chose to clone the MAC address of my modem to the router. Then when I updated the firmware I noted that it did not do that by default so I manually set it to clone once again. ( I do not actually know if that is necessary for my ISP to function properly yet...I just guessed).
Should I undo that clone?
And on the 10/100 setting......it is auto detect by default. Left it at that. My BB speed is 20M on downloads. Should I manually set it to 100 to be on the safe side, or might that cause some problems?
Again, grateful for the time and expertise of all posters....any and all comments most welcome...I am trying to learn...
BlueZannetti
October 12th, 2006, 02:48 PM
-{ Quote: "Also encountered an odd little problem unrelated to the setup. When I try and run
ipconfig
the window only stays open for a fraction of an instant then vanishes. Fairly weird." }-Sounds like you used Start>Run and typed in ipconfig<Enter>.
You need to open an active command window (Start>All Programs>Accessories>Command Prompt) and then enter ipconfig from the command line in that window.
Blue
RiverLights
October 12th, 2006, 03:09 PM
-{ Quote: "Sounds like you used Start>Run and typed in ipconfig<Enter>.
You need to open an active command window (Start>All Programs>Accessories>Command Prompt) and then enter ipconfig from the command line in that window.
Blue" }-
Precisely right. Thanks, Blue.
Stem
October 12th, 2006, 03:29 PM
-{ Quote: "I guess there are some misconceptions and misunderstandings here," }-Not at all,.. maybe on different pages.
Most attacks are usually against software, be it services or user software, when that service/software makes connections out. Once the software is compromised, a NAT router will not block the returned packets to the software, and the compromised software could download any other program. It would not matter how many NAT devices (transparent or not) you had in between the internet and your PC under these circumstances, as the packets would simply be routed through due to the current outbound.
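The two points made in this thread, that a NAT router ignores anything nobody on the LAN asked for, and that it cannot tell a legitimate reply from the answer to a compromised program's own outbound connection, can be shown with a small model. The code below is an added illustration written for this page, not code from any poster, router vendor or firmware; it models a port-restricted NAT (an assumption, since real consumer routers differ in how strictly they match replies), has no port forwarding or UPnP, and uses constructed RFC 5737 documentation addresses.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One IP datagram, reduced to the fields a NAT table keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Table keys: one view from the LAN side, one from the WAN side.
LanKey = Tuple[str, int, str, int, str]   # (lan_ip, lan_port, remote_ip, remote_port, proto)
WanKey = Tuple[int, str, int, str]        # (wan_port, remote_ip, remote_port, proto)


class NatRouter:
    """Toy port-restricted NAT (assumed model): an inbound packet is delivered
    only if it matches an entry created by an earlier outbound packet to the
    same remote endpoint. Everything else is dropped and logged."""

    def __init__(self, wan_ip: str, lan_prefix: str = "192.168.1.", first_port: int = 40000):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.next_port = first_port
        self.by_lan: Dict[LanKey, int] = {}
        self.by_wan: Dict[WanKey, Tuple[str, int]] = {}
        self.dropped: List[Tuple[Packet, str]] = []

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host opens (or continues) a connection to the internet.
        Creates the translation entry and returns the packet as seen on the WAN."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound() is for LAN-originated traffic only")
        lkey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        wan_port = self.by_lan.get(lkey)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.by_lan[lkey] = wan_port
            self.by_wan[(wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives from the internet. Returns the packet as delivered
        to the LAN host, or None if nobody on the LAN asked for it."""
        if pkt.dst_ip != self.wan_ip:
            self.dropped.append((pkt, "not addressed to our WAN IP"))
            return None
        target = self.by_wan.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            self.dropped.append((pkt, "no matching outbound connection"))
            return None
        lan_ip, lan_port = target
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)


# Constructed sample addresses (RFC 5737 documentation ranges).
WAN_IP = "203.0.113.5"
WEB_SERVER = "198.51.100.80"
SCANNER = "198.51.100.66"
PHONE_HOME = "198.51.100.99"   # where a compromised program on the LAN connects out to


def run_scenarios() -> dict:
    """Walk through the cases discussed in the thread and return what the NAT did."""
    r = NatRouter(WAN_IP)
    results: dict = {}

    # 1. Unsolicited probe from the internet: no table entry, so it is dropped.
    results["probe"] = r.inbound(Packet(SCANNER, 4444, WAN_IP, 80))

    # 2. Normal browsing: the outbound request creates the entry, the reply is delivered.
    out = r.outbound(Packet("192.168.1.10", 51000, WEB_SERVER, 80))
    results["outbound_as_seen_on_wan"] = out
    results["reply"] = r.inbound(Packet(WEB_SERVER, 80, WAN_IP, out.src_port))

    # 3. Another host sending to that same external port is still dropped
    #    (port-restricted matching includes the remote endpoint).
    results["reply_from_wrong_host"] = r.inbound(Packet(SCANNER, 80, WAN_IP, out.src_port))

    # 4. Stem's point: a compromised program connects out by itself; the NAT
    #    sees an ordinary outbound connection and lets the answer straight in.
    beacon = r.outbound(Packet("192.168.1.10", 51001, PHONE_HOME, 443))
    results["phone_home_reply"] = r.inbound(Packet(PHONE_HOME, 443, WAN_IP, beacon.src_port))

    results["drop_reasons"] = [reason for _, reason in r.dropped]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")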
Devinco
October 12th, 2006, 05:27 PM
-{ Quote: "Swimming in my router ignorance, I chose to clone the MAC address of my modem to the router. Then when I updated the firmware I noted that it did not do that by default so I manually set it to clone once again. ( I do not actually know if that is necessary for my ISP to function properly yet...I just guessed).
Should I undo that clone?" }-
Yes, I think you should.
Only if your ISP has locked the account to your computer's MAC address would you need to clone the MAC address of your computer's network card.
This is unlikely though.
In any case, you wouldn't clone the modem's MAC, you would clone the MAC address of the NIC (Network Interface Card) in the computer.
Undo the clone and see how it works.
ARP (address resolution protocol) works on ethernet and uses MAC addresses to associate devices with IP addresses.
It works better when each device has its own unique MAC address.
-{ Quote: "And on the 10/100 setting......it is auto detect by default. Left it at that. My BB speed is 20M on downloads. Should I manually set it to 100 to be on the safe side, or might that cause some problems." }-
I would leave it on auto.
It should detect the correct speed of the connected device just fine.
When you say 20M, it is not clear.
To be clear, 1Mbps = .125 MBps.
Your ISP is providing 20 Mbps (Megabits per second) not 20 MBps (Megabytes per second).
20Mbps = 2.5MBps.
Your modem is capable of 38 Mbps download.
Your router is capable of 100Mbps (100 Base-T).
Your computer's NIC is either 10, 100, or 1000Mbps.
You might also want to disable your router's uPnP (Universal Plug 'n Play).
RiverLights
October 12th, 2006, 06:04 PM
Thanks very much, Devinco. For all the tips.
Sorry for using imprecise shorthand on the speed. Yes the download speed of my ISP connection (nominally) is 20Mbps....but if you know an ISP that provides 20MBps at a reasonable price I would certainly be an interested customer <g>.
RiverLights
October 12th, 2006, 06:18 PM
-{ Quote: "Most attacks are usually against software, be it services or user software, when that service/software makes connections out. Once the software is compromised, a NAT router will not block the returned packets to the software, and the compromised software could download any other program. It would not matter how many NAT devices (transparent or not) you had in between the internet and your PC under these circumstances, as the packets would simply be routed through due to the current outbound." }-
No question about it.
A poster I have read here signs with something like
the only 100% secure computer is unplugged
that must be axiomatic; but I think even the unplugged computer is slightly below 100% secure - after all somebody can break in to a home or business and steal the hard drive.
Of course with security measures and careful behavior anyone can tilt the balance heavily in the favor of defense... from my point of view I'll try and tilt until the tilting itself carries me into more troubles than various forms of malware normally create.
But, for my purposes, I like my present and really simple arrangement. Hope it serves me adequately, with minimal maintenance, for a long time.
Again I am very grateful for all the help.
Devinco
October 12th, 2006, 08:23 PM
-{ Quote: "but I think even the unplugged computer is slightly below 100% secure - after all somebody can break in to a home or business and steal the hard drive." }-Only in fun...
For those paranoid enough to unplug their computers for security (not counting during a thunderstorm), there is something far worse that could happen.
The burglar could break in, plug in the computer, and leave, taking nothing. :lurking:
RiverLights
October 12th, 2006, 09:15 PM
-{ Quote: "Only in fun...
For those paranoid enough to unplug their computers for security (not counting during a thunderstorm), there is something far worse that could happen.
The burglar could break in, plug in the computer, and leave, taking nothing. " }-
LOL
that reminds me of a story, but I'll spare ya....
RiverLights
November 1st, 2006, 04:55 PM
As a postscript....
After trying several, I am now using the 2007 Norton Internet Security suite behind the D-Link firewall.
To my amazement, I like the Norton suite very much. And am glad I have the firewall as an extra levee against incoming.
Thanks once again to all for comments and assistance.
RiverLights
November 8th, 2006, 11:09 AM
To add another postscript.
As a couple users on another forum had mentioned about the wireless version of my particular wired model (identical otherwise), the D Link router I have been using "freezes" every now and again. For no immediately obvious reason.
Has happened 2 or 3 times. Then I just reset (by pushing in a little button on the back of the router with a paperclip) and then rehook and reconfigure. Then all is fine again. Irritating, but it really does not take long.
So far tolerable I suppose....mainly because I do not leave the computer on all night to perform any really mammoth downloads. If a freeze happened when I did something like that would be a real aggravation. To the point where I would probably take the router out of the path for bodacious downloads.
So I will hang with it. I like the NAT feature, and I like the extra belt and suspenders protection against software firewall failure.
Devinco
November 8th, 2006, 02:52 PM
RiverLights,
I don't think that Router Freezing is acceptable.
I would complain to the manufacturer.
Find out if there is a firmware update.
Maybe there is some configuration setting that triggers the freezing.
Worst case return the defective router for a different brand/model that works.
Search available DLink forums / DSLReports to see what solutions people have for the freezing.
It shouldn't be freezing on you.
RiverLights
November 8th, 2006, 06:16 PM
Thanks Devinco. Appreciate your comments.
To be more specific...by "freeze" I mean nothing gets through the router and/or firewall to my computer. Thus no internet connection. Take the router out of the path and all is fine.
Might have been firmware. In this last quick setup I discovered an upgrade had become available on November 2nd. Went ahead and upgraded. Will set up an automatic notification of available firmware upgrades via email.
Also traveled to their DGL 4100 knowledge base to check for wan to lan connection disruptions. They suggested reconfiguring the Windows XP ethernet card settings for 10Mbps full duplex. I had it on autodetect. My connection is 20Mbps (downloads), but I took that suggested setting for a spin anyway, and it immediately cut my download speed to 3Mbps. Presently giving a setting of 100Mbps full duplex a try...and so far so good. But not convinced there is any relationship between my autodetect setting and the "freezes". Just playing around a little.
If this becomes a frequent problem, I'll talk to tech and forums.
Thanks Again.
RiverLights
March 27th, 2007, 10:17 PM
Just an update. Hardware router working fine (pleased with the dlink 4100 and pleased with NIS 2007).
Just a note....though this has probably been posted elsewhere. Know everyone that has replied to this thread already knows to set a tough router password...but just in case....to reiterate the importance of that password
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
Metal425
March 28th, 2007, 12:12 AM
Can you say T1? lol
Copyright ©2002 - 2012, Wilders Security Forums