Is it a good idea to get a hardware router firewall and not use a software firewall? I mean, the router firewall will not get updated, because it's hardware.

Also, what is a VPN firewall router? I know that it's something that is supposed to hide your IP address, but I see "VPN endpoint" "VPN", "VPN passthrough" advertised on different routers, what's the difference?

Also, does the brand of routers matter? Like linksys seems to be much more expensive than other brands like netgear or USrobotics.

Thanks.

Hi there!

Well there is absolutely no "NEED" for you to get a hardware firewall,
if you got a software FW.

I bought a Router too split up my Fiber connection so i would be able to connect more computers to the Net.
And the router included a firewall, and MANY of the routers out there does inclued a SPI (Stateful Packet Inspection) firewall.

And I acctually do feel more secure now then before with only the software one, and the hardware firewall takes the first hit and if the threat pass the HD one, the i got the software firewall in case !-)

But as i said there is absoluterly NO "NEED" to get a hardware firewall,
if you allready got a software firewall!

However the price on the router's often depends on the feauters included,
some got VPN some not, some got DoS protection, some got Web content filtering etc...

I did buy a DrayTek router since they allways got high quality on their Routers!
http://draytek.com/user/PdInfoDetail.php?Id=18 <<

Hope this helps you a little !-)

SweX

-{ Quote: "Hi there!

Well there is absolutely no "NEED" for you to get a hardware firewall,
if you got a software FW.

I bought a Router too split up my Fiber connection so i would be able to connect more computers to the Net.
And the router included a firewall, and MANY of the routers out there does inclued a SPI (Stateful Packet Inspection) firewall.

And I acctually do feel more secure now then before with only the software one, and the hardware firewall takes the first hit and if the threat pass the HD one, the i got the software firewall in case !-)

But as i said there is absoluterly NO "NEED" to get a hardware firewall,
if you allready got a software firewall!

However the price on the router's often depends on the feauters included,
some got VPN some not, some got DoS protection, some got Web content filtering etc...

I did buy a DrayTek router since they allways got high quality on their Routers!
http://draytek.com/user/PdInfoDetail.php?Id=18 <<

Hope this helps you a little !-)

SweX" }-

far from true, this culd turn into another huge discussion but im gunna leave it simple and say u do need a hardware firewall, its definetly a place u shuld start with any security. so u are wrong about the "NO NEED"...

Well i've been using a software firewall ONLY for many many years,
without problems. So "No Need" for a hardware one that's just MY experience my friend ::)

And why don't you tell us what you know about it instead
of saying it's not true:(

-{ Quote: "Well i've been using a software firewall ONLY for many many years,
without problems. So "No Need" for a hardware one that's just MY experience my friend ::)

And why don't you tell us what you know about it instead
of saying it's not true:(" }-

i didnt go into detail cuz thers another thread discussing it, i dont want to take over this thread with another discussion about it :-\ u can check the other thread if ud like to know...

-{ Quote: "Is it a good idea to get a hardware router firewall and not use a software firewall? I mean, the router firewall will not get updated, because it's hardware.

Also, what is a VPN firewall router? I know that it's something that is supposed to hide your IP address, but I see "VPN endpoint" "VPN", "VPN passthrough" advertised on different routers, what's the difference?

Also, does the brand of routers matter? Like linksys seems to be much more expensive than other brands like netgear or USrobotics.

Thanks." }-
.
Routers have NAT - network address translation. The benefit of NAT is it assigns a private IP (such as 192.168.x.x) to your PC and hides it from the internet. A router also drops unsolicited packets, can be set to not respond to ping (stealth mode for ports) and many include SPI (stateful packet inspection). This all adds up to more security then a personal firewall installed on the host PC can provide. A personal firewall can be used along with the router to provide additional security. That combination is optimal IMHO.

-{ Quote: "Is it a good idea to get a hardware router firewall and not use a software firewall? I mean, the router firewall will not get updated, because it's hardware.

Also, what is a VPN firewall router? I know that it's something that is supposed to hide your IP address, but I see "VPN endpoint" "VPN", "VPN passthrough" advertised on different routers, what's the difference?

Also, does the brand of routers matter? Like linksys seems to be much more expensive than other brands like netgear or USrobotics.

Thanks." }-
.
Regarding your other questions:
I believe a VPN router supports the option of connecting to the PC behind the router over the internet. For instance, you could use a laptop while you're sipping in Starbucks to connect to your home PC over a secure connection (VPN connections are encrypted). I don't have a need to do that and don't keep my home PC running while I'm away so I haven't played with that feature, but it has obvious uses.

I've used Netgear, D-link, and Linksys routers and currently prefer Netgear, but they've all pretty much done the job. If I were buying today I would focus on getting the most advanced security and performance features first and consider the brand second.

-{ Quote: ".
Regarding your other questions:
I believe a VPN router supports the option of connecting to the PC behind the router over the internet. For instance, you could use a laptop while you're sipping in Starbucks to connect to your home PC over a secure connection (VPN connections are encrypted). I don't have a need to do that and don't keep my home PC running while I'm away so I haven't played with that feature, but it has obvious uses.
" }-

I thought it's something like Tor or Ghostsurf, which hides you identity on the internet.

-{ Quote: "
I've used Netgear, D-link, and Linksys routers and currently prefer Netgear, but they've all pretty much done the job. If I were buying today I would focus on getting the most advanced security and performance features first and consider the brand second." }-
Yes, but most routers list the same features, and have very different prices because they are from different brands.

My current Linksys router is always having IP collisions, it didn't use to be like that. I have to reset it every few days, or some computers can't go onto the internet, always having IP problems and can't connect. Is that a sign that the router is going bad?

-{ Quote: "Is it a good idea to get a hardware router firewall and not use a software firewall? I mean, the router firewall will not get updated, because it's hardware.

Also, what is a VPN firewall router? I know that it's something that is supposed to hide your IP address, but I see "VPN endpoint" "VPN", "VPN passthrough" advertised on different routers, what's the difference?

Also, does the brand of routers matter? Like linksys seems to be much more expensive than other brands like netgear or USrobotics.

Thanks." }-

It's safest to use a combination of a router and a software firewall.
I have my doubt about inbound protection offered by routers. Quite complicated, let me put it this way: once you have established a connection, how do you know if the incoming bytes are what you want to come in ? I even doubt claims about 'Full SPI'. See also 'OSI model' on Wikipedia for more information about firewalls.

If you have a good router it is likely to be more stable than a software firewall. I'm not a technical expert, but a good router can handle a DDOS attack better than a software firewall.

A good software firewall can do much more (except what I mentioned in the previous paragraph) than just a router. See my reference to the 'OSI model'.

IMO, a combination of a router plus software firewall is the best, although I know many people who use only a software firewall without apparent problems.

A software firewall can provide outbound protection, while routers cannot (for as far as I know).

-{ Quote: "I thought it's something like Tor or Ghostsurf, which hides you identity on the internet.


Yes, but most routers list the same features, and have very different prices because they are from different brands.

My current Linksys router is always having IP collisions, it didn't use to be like that. I have to reset it every few days, or some computers can't go onto the internet, always having IP problems and can't connect. Is that a sign that the router is going bad?" }-

There is a difference between hiding the internal LAN IP using NAT and surfing anonymously. I don't know enough about services like Tor and Ghostsurf to comment on them.

Regarding the IP problems you're having, a simple fix is to assign a fixed IP to each computer and turn off DHCP in the router. That will eliminate the problem of the router trying to assign the same IP to more then one PC.

All recent routers include a firewall (SPI). Unfortunately these allow basic firewall configuration. Instead a dedicated hardware firewall ( I mean those above 200 € ) will allow better and more detailed configuration. This does not mean that the integrated firewall that we find in routers does not protect you.

The combination of a router's firewall and a software firewall is absolutely necessary if you care about outbound traffic too and immediate control of applications that access the net.

NAT combined with DHCP ( not using static ips ) adds for sure extra protection.

Most common error of users is that leave their routers with the factory username and password for the admin area.

I personally plug a gateway on the router instead of plugging directly on the router my machines. Then I also use an unmanaged gigabit switch.

hello

router firewall will add security to your software firewall


and answer to your hardware firewall they do update their firmware(operating system) but 1-3 times in a year depending on upon security vulnerabilities....


as for hardware firewall vs software and what is firewall you can read

http://www.wilderssecurity.com/showthread.php?t=45816

http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

http://www.howstuffworks.com/firewall.htm




and for vpn please check

http://www.howstuffworks.com/vpn.htm


if you have old computer you can make your own decated firewall which is free of cost and very good indeed

please refer to my old thread i have old pc and i tried all of them i will sugest you to try endian firewall its easy and one of best firewall indeed.


http://www.wilderssecurity.com/showthread.php?t=228779

http://www.wilderssecurity.com/showthread.php?t=198186

Software firewalls can get corrupted and not run, or malware can shut them down.

A routers NAT won't get shut down. Routers can get updated...new firmware.

I always insist any/all computers I am in charge of, are behind NAT routers.

-{ Quote: "
IMO, a combination of a router plus software firewall is the best, although I know many people who use only a software firewall without apparent problems.

A software firewall can provide outbound protection, while routers cannot (for as far as I know)." }-

I fully endorse this approach for home computers, at least. The router handles the inbound garbage to take the load off the software fw, while the latter controls outbound application traffic.

Hello,

While I agree a router can add basic filtering and block unsolicited etc etc, I still have concerns as to what the router is connecting to. For example, my ISP cable provider connects me through one of their gateways and this shows as my being on a LAN, currently this is 80.193.*.*/255.255.255.0. Due that fact I need to filter and control ARP, I also prefer to filter all DHCP, I know of no home router that will give me that ability.
So on my own setup (and there will be many more on a similar ISP connection) adding a typical home router as a gateway would in fact lessen my security.

- Stem

-{ Quote: "Hello,

While I agree a router can add basic filtering and block unsolicited etc etc, I still have concerns as to what the router is connecting to. For example, my ISP cable provider connects me through one of their gateways and this shows as my being on a LAN, currently this is 80.193.*.*/255.255.255.0. Due that fact I need to filter and control ARP, I also prefer to filter all DHCP, I know of no home router that will give me that ability.
So on my own setup (and there will be many more on a similar ISP connection) adding a typical home router as a gateway would in fact lessen my security.

- Stem" }-
Hi Stem:

Couple of questions comments for you when you have time. No doubt I've missed or forgotten something fundamental again:-[


1) If the users SW FW can filter control ARP/DHCP does this mean that that this feature is nullified by the existence of a router?

2) As just 1 user, I need to hook up to the other PC's here so as to share the ISP service connection, so I can't see how to scrap the router to allow the ARP/DHCP filtering.

3) If the user (as I do) has an extra HW FW in my case an alphashield does this also lessen security?

4) If I unhook the alphshield and router and then connect direct through the cable companies webstar box will I be able to "see" the ip and mask as you have and them confirm that they have me on a massive LAN? What else should they do connection wise with millions of customers?

5) Should / can these ISP's do to provide ARP and other security protection for us?

Hi Escalader,

1) A basic answer is Yes.
When you have a router as gateway, then it is the gateway that will perform DHCP for your public/wan address, it will also control any ARP if connected to a LAN. So any filtering (such as DHCP/ARP) on the PC will only be filtering what is on your own private LAN behind the router.

2) My own setup consists of a PC as gateway, this PC contains 2 NIC cards, one of which connects to the Internet, the other NIC I use to connect to either a router or switch which then allows other PCs to connect through the gateway. (you could set up windows ICS to make that work, or use a proxy server on the gateway)

3) An Alpha shield is a filter/pass through, it does not control DHCP or ARP, so the etra filtering adds to the protection.

4) You should see your public IP and any gateway used in the router. It is normally found on the "Status" screen (or similar wording)

5) It would depend on the country the ISP is in, as they will be regulated.

On my own setup, I have no problems with my ISP, My MAC is bound to my IP by my ISP (this I can change by changing my MAC address then re-booting the modem, which will then force an IP change), but my ISP gateway does not require my allowing or replying to ARP. In fact on my setup I could block all ARP and use a static ARP entry for the ISP gateway.


My main point is the fact a router will not always add protection, so anyone simply stating to a user that it will add protection without knowing what that users setup is, is actually short sighted.

- Stem

-{ Quote: "

My main point is the fact a router will not always add protection, so anyone simply stating to a user that it will add protection without knowing what that users setup is, is actually short sighted.

- Stem" }-
But an awfully long time in the IT business has shown me a very clear correlation between the health of computers that are behind NAT boxes, and between those that aren't behind anything..just plugged right into the broadband modem sitting exposed on a public IP address.

I've seen it too many times, home computers plugged right into that cable modem are bound to be a mess. I won't support those anymore...it's a guaranteed headache.

-{ Quote: "But an awfully long time in the IT business has shown me a very clear correlation between the health of computers that are behind NAT boxes, and between those that aren't behind anything..just plugged right into the broadband modem sitting exposed on a public IP address." }-Exposed? Windows XP firewall will block unsolicited inbound, the main problems arise due to exposed services.

As I put forward, it depends on setup. If you had a setup where you where connecting to an untrusted LAN, then simply placing a typical home router in between the PC and LAN will only transfer a need for protection of such possible attacks as DHCP/ARP poisonig from the PC to the router, and I dont see that type of protection in those types of routers. So although the PC may appear in good health, all traffic could be being diverted through another node on LAN and you would not know.

-{ Quote: "Hi Escalader,

1) A basic answer is Yes.
When you have a router as gateway, then it is the gateway that will perform DHCP for your public/wan address, it will also control any ARP if connected to a LAN. So any filtering (such as DHCP/ARP) on the PC will only be filtering what is on your own private LAN behind the router.

2) My own setup consists of a PC as gateway, this PC contains 2 NIC cards, one of which connects to the Internet, the other NIC I use to connect to either a router or switch which then allows other PCs to connect through the gateway. (you could set up windows ICS to make that work, or use a proxy server on the gateway)

3) An Alpha shield is a filter/pass through, it does not control DHCP or ARP, so the etra filtering adds to the protection.

4) You should see your public IP and any gateway used in the router. It is normally found on the "Status" screen (or similar wording)

5) It would depend on the country the ISP is in, as they will be regulated.

On my own setup, I have no problems with my ISP, My MAC is bound to my IP by my ISP (this I can change by changing my MAC address then re-booting the modem, which will then force an IP change), but my ISP gateway does not require my allowing or replying to ARP. In fact on my setup I could block all ARP and use a static ARP entry for the ISP gateway.


My main point is the fact a router will not always add protection, so anyone simply stating to a user that it will add protection without knowing what that users setup is, is actually short sighted.

- Stem" }-

Hi Stem:

Thanks, I have always viewed the router as well only only a sharing the ISP connection device but one that added some protection for users.

My alpha shield sits in front of the router so all PC's get the benefit of it's protection.

In the case of a gateway being a PC does that mean that ALL security SW be it 3rd party or say the windows FW free up all the PC's downstream from needing those SW tools?

In other words my SW FW, my AV my ASW is all in one PC and thus the other PC's can run with no extra's relying 100% on the gateway? It strikes me as not applying to HIPS protection? :-\

-{ Quote: "In other words my SW FW, my AV my ASW is all in one PC and thus the other PC's can run with no extra's relying 100% on the gateway? It strikes me as not applying to HIPS protection? :-\" }-

Hi Escalader,

I basically just use a PC instead of a router as gateway. I still set up the PCs behind the gateway as I would setting up behind a router with security software on each node.(usually one PC is set up testing a firewall )
On my setup, the gateway does filter all packets for the LAN, but that is mainly for NAT.
I still use the gateway as a normal PC and run various applications.

I have had this (or very similar) setup for about 3 years with no problems.


- Stem

Dear Stem/ others

Surely there must be one brand (or more) of router/HW firewall which has such feature to manage DHCP/ARP ?

Anyone know of any brands / models (apart from Cisco) ?

Hopefully
SKA

I've used (in the past) a VPN with my D-Link router. But not was for increment my security.
Exactly was for allow inbound connections for some ports (rules) when eMule or BitTorrent (Azureus) or another P2P client was started.
The D-Link router rules configuration for VPN (some profiles preinstalled also, most for gaming) permited me edit "allow permissions" for protocol, IP's, ports and clients (soft) installed, hosted in my pc.

-{ Quote: "Exposed? Windows XP firewall will block unsolicited inbound, the main problems arise due to exposed services." }-

You've never seen the XP firewall get corrupted or shut off huh? ;)

-{ Quote: "
Surely there must be one brand (or more) of router/HW firewall which has such feature to manage DHCP/ARP ?

Anyone know of any brands / models (apart from Cisco) ?" }-

You may want to read up on what it really is (and importantly....what it isn't as far as anything to really lose sleep over) for the home user. Read from some good technical sites, not tin foil hat sites like Gibsons. You'll see it's really not something the home user has to worry about.

-{ Quote: "You've never seen the XP firewall get corrupted or shut off huh? ;)" }-

I have personally never seen on any of my setups the windows firewall fail to start, or get disabled unintentionally or by viri.
Of course precautions would be in place to help prevent such events ;)

-{ Quote: "The benefit of NAT is it assigns a private IP (such as 192.168.x.x) to your PC and hides it from the internet.
" }-

Victek123 - just for understanding:
I'm behind a NAT router and assumed that the private ips of my boxes were hidden. Tonight I went to the JonDos.de anonymity test page and my internal ip is listed. I thought only the router's public ip would be shown.

Why is this?

Thanks in advance

philby

There's no "hiding" anyways. Your router's WAN-side ip is known by your ISP, so they can always find where you've been, so to speak, unless you use an anonymizing proxy. Just don't do anything illegal and you have nothing to worry about ;D

-{ Quote: "You may want to read up on what it really is (and importantly....what it isn't as far as anything to really lose sleep over) for the home user. Read from some good technical sites, not tin foil hat sites like Gibsons. You'll see it's really not something the home user has to worry about." }-

Hey YeOldeStonecat:

I like the term "tin foil hat sites" with your permission of course can I use it;D

Seriously, your post hints at a list/ links to good technical sites so can you provide your list? I for one am always open to good techical sources ?

-{ Quote: "Victek123 - just for understanding:
I'm behind a NAT router and assumed that the private ips of my boxes were hidden. Tonight I went to the JonDos.de anonymity test page and my internal ip is listed. I thought only the router's public ip would be shown.

Why is this?" }-
Hi,

I have just checked the site. I connected from a PC behind my gateway(PC), only my public IP shows.

I am not sure what the actual test does as it is over HTTPS.


- Stem

-{ Quote: "Victek123 - just for understanding:
I'm behind a NAT router and assumed that the private ips of my boxes were hidden. Tonight I went to the JonDos.de anonymity test page and my internal ip is listed. I thought only the router's public ip would be shown.

Why is this?

philby" }-
.
I just tried it and the test only sees my public IP. Have you gone through your router's settings?

Interesting, or possibly alarming...?

The private IP only comes up on one of three machines (Toshiba notebook). I have a Dell d/t and an old HP notebook as well and, if I run the test from these, only my public IP is shown.

I'm only running Prevx 3 on the Toshiba, while the other two machines have ESS on board. Could this be related?

I have a Netgear DG834GT set as follows:


SSID hidden
DHCP off
The three machines behind the router each have a fixed private IP and only these three are allowed in the router ip-range settings
OpenDNS servers are set
The boxes' MAC addresses have been listed under MAC address filtering
Router Firewall is on

I think I must be missing something...

Thanks for responding, by the way.

philby

OK, I've found that the private 192 IP is only shown using Opera on the Toshiba.

The Anontest states that having Java enabled affects anonymity.

Both Java script and Java are enabled in Opera 10 by default, so is this a bad thing, given that my internal IP can be read?

Thanks again

philby

Well, I'm subscribing to find out the answer myself. I tried what you did, Philby, and it also revealed my private IP. I've only tested one machine of the six I have running. This machine is wired behind a Netgear FVS318 router.

I won't get into settings details right now unless someone asks but I do want to know, like you, if this is a real or potential problem.

-{ Quote: "I do want to know, like you, if this is a real or potential problem" }-

Thanks for confirming the 'issue' - I wasn't sure if I'd overlooked something.

Does it only happen in Opera?

philby

I was using IE7 when it got mine.

It gets weirder...

In Opera:
I have Java enabled
Anontest confirms Java is enabled
Private IP is shown

In IE7:
I have Java enabled
Anontest says Java is not enabled
Private IP is not shown

I don't get this at all.

More importantly, I'd really like to know the risk of having a readable private IP.

philby

@ Philby

Someone more qualified should comment as I haven't had time to research it but, IIRC, these private address blocks are reserved by IANA and are NOT "addressable" from outside of your LAN.

Exactly how that prevents knowledge of your private IP being useful to an intruder/hacker/criminal, I'm not sure but it not being "addressable" seems like a good start.*puppy*


P.S. I spent some time earlier today going through my router logs. Most of the suspicious data dropped by my router, according to a whois lookup, came from IP addresses originating in the People's Republic of China, usually blocks assigned to one institution or another - they seem to be just hammering away at me.:lurking: I guess that's not really news to those in the know. I was curious to see who's been knocking at my door, or rattling the knob at least, anyways.

-{ Quote: "it not being "addressable" seems like a good start." }-

Thanks for that - mind more at ease now but still perplexed...

philby

Ah, I was composing the postscript to my prior post as you posted.:)

The internal ip address is not, afaik, routable. My internal and router's WAN-side ip addresses display on that JonDos site. Java is enabled in IE7 so as expected the "java trick" aids to display the internal ip. The router's is difficult to hide unless you use an anonymizing serivce. It is this such service JonDos is trying to sell you. That's all it is, so nothing to be concerned about. They are using scare tactics in hopes of reeling in fish. If you are a Joe Average everyday surfer, you don't need it.

Thank you.

-{ Quote: "The router's is difficult to hide unless you use an anonymizing serivce
" }-
Thinking about what you said, I'm now wondering why it's my machine's private IP + the Wan-side IP that are showing up.
Shouldn't it be, at worst, the router's IP / default gateway + the Wan side IP?

Excuse ignorance.

philby

-{ Quote: "Thank you.


Thinking about what you said, I'm now wondering why it's my machine's private IP + the Wan-side IP that are showing up.
Shouldn't it be, at worst, the router's IP / default gateway + the Wan side IP?

Excuse ignorance.

philby" }-

No worries. Few of us understand this stuff thoroughly, including myself. Try this:

Start-> Run -> type in "cmd" (without the quotes), then hit <Enter> key.

type: "ipconfig /all" (without quotes) <Enter>. You will see a story regarding the status of your Windows ip configuration and your Local area connection.

You should see that your default gateway is your router's LAN-side ip address of 192.168.0or1.1. The default gateway for your router's WAN-side ip address will not be shown here but you can probably find it in your router's config menu somewhere, probably under the "Status" tab, and it will be that of your ISP's server your modem is connected to. The "Physical address" is a unique 6 octet address built into your network adapter card that is a hardware identifier.

Of course you will also see your machine's internal ip address assigned to it by the router, the DHCP server address (should also be 192.168.0/1.1) and the DNS server ip address(es); this could also be 192.168.0/1.1 if your router is setup with DNS relay or your ISP's (probably two of them). That's most of what you'll see and there's other minor info as well.

Your internal ip address shows because of a java 'trick", of which I really don't know how it works, but if you disable Java your surfing experience will become exceedingly boring because a lot of site content needs Java enabled to display properly, though you could enable it on a per site basis, but this is cumbersome and time-consuming to do. I don't believe the remote host can "see" this internal ip address. Only you can see it but it doesn't really matter because your router's WAN-side ip address is visible, especially to your ISP so that is why earlier I stated there is no hiding. The anonymizing software can probably do a lot to mask your surfing habits, but unless you are dealing in espionage or other ilicit activity punishable by the FBI and something that will make headlines, there is no need for it.

You could surf using an alternative browser or at least keep IE fully patched. If your surfing habits are that of the average person, you should have nothing to worry about regarding anyone spying on you. The router, even a home unit, is an excellent addition to a computer's security arsenal.

Thanks wat0114.

philby