Hi, I keep hearing that using a hardware firewall is a very good security investment. But what type of hardware firewall exactly provides a good amount of protection (excluding setting up a spare computer as a dedicated firewall to the outside)? Is a router with NAT and DHCP what people mean by a router firewall? Also, I see more expensive routers that provide extra features like VPN. Is that really necessary? Thanks
Hi linger, It depends on what you are trying to protect. If it's a company server or a web server that receives a lot of traffic, you need different equipment than when you are trying to protect your computers at home. I'm using a Linksys Wireless ADSL gateway with a built-in firewall and I'm happy with it. DHCP is about providing IP addresses to your computers. NAT is about forwarding ports from the internet to a single computer. In my case, my NAT is disabled, so all my ports are completely stealth. But if I want to, let's say, run an FTP server, I could easily open up port 21 and make my PC accessible at port 21. Since I know what programs I'm running on my computer, I don't use a software firewall. Although it can give extra protection, I don't find it necessary, so I can use my resources for other things. Although for most people I would recommend installing a software firewall as well.
Hi eagle creek, I'm sorry, I should have been clearer. I'm just a home user. I'm running a normal router right now (that is, one that doesn't provide features like VPN that I've seen on more expensive models). Ah ok, I believe I have NAT set up on my computer. I was running a music server on my machine that I could access from work by forwarding the correct port to the music server. It seems that if I disable the port forwarding, I cannot access the server from the outside, so I assume my router is blocking all requests then? So, I suppose, my question is: does running my machines behind a 'normal' router provide a good amount of additional protection for a normal home user?
Yes. By default, all home-grade broadband routers and gateway appliances (combo modem/routers) run NAT. If your computer has a private IP address (such as 192.168.1.100), you're behind NAT. By default, all 65,000-plus ports are closed; your computer is behind a tall brick wall.
Couldn't agree more. You can check whether your ports are stealth, closed or open at this site (Proceed -> Test all service ports). This will give you a nice indication.
There are a couple of additional features which your router may support. Go into its configuration menu with a browser and look at the firewall options. Current-generation routers have SPI (stateful packet inspection) implemented. If the router supports SPI, make sure it's enabled. Also, you may want to turn OFF UPnP (universal plug & play). See this article to learn about the Flash/UPnP issue: http://www.dslreports.com/forum/r19804960-UPnP-strikes-again Make sure you're not using the default password for accessing your router's configuration. The default passwords for routers are public! And does your router support wireless access? If so, make sure the wireless security is enabled (by default it's OFF). Hope this helps.
This number (64K ports) is shocking to me. I would never have imagined there could be so many openings!! I am now elated to have added a hardware router. A thick brick wall seems absolutely essential given the amount of ports in existence.
Well, yes, there are. But usually only the first 1056 ports are used. As far as I know, programmers are free to choose any port they like, as long as it isn't being used by any known application (80: HTTP, 21: FTP, 25: SMTP, 110: POP3, etc.). Torrent programs are known for requesting ports in the higher range. uTorrent, for example, uses port 58595.
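The posts above make two related points: a NAT router only passes traffic on a port you explicitly forward, and (as eagle creek says) you should know what programs are listening before you open one. The following script is an added example, not code from anyone in this thread: it reads `ss -ltn`-style listener output (a constructed sample is embedded) and reports which ports are reachable from the LAN, which are loopback-only, and which well-known service each port usually carries, so a home user can see exactly what a port forward would expose.

```python
# Well-known service ports named in the thread, plus a few others (constructed table).
WELL_KNOWN = {20: "FTP-data", 21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP",
              110: "POP3", 443: "HTTPS", 631: "IPP (printing)", 3389: "RDP"}

# Constructed sample in the format of `ss -ltn` on Linux; not output from a real machine.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:21          0.0.0.0:*
LISTEN  0       128          127.0.0.1:631         0.0.0.0:*
LISTEN  0       5                 [::]:8000           [::]:*
LISTEN  0       50       192.168.1.100:58595         0.0.0.0:*
"""

# Bind addresses that mean "every interface", IPv4 and IPv6.
ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}


def parse_listeners(text):
    """Turn `ss -ltn` style lines into (bind_address, port) pairs, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")  # rpartition keeps "[::]" intact
        listeners.append((host, int(port)))
    return listeners


def audit_listeners(text):
    """Describe each listener: who can reach it and what service the port usually carries."""
    report = []
    for host, port in parse_listeners(text):
        if host in ALL_INTERFACES:
            scope = "every interface"
        elif host.startswith("127.") or host == "[::1]":
            scope = "this host only"
        else:
            scope = f"interface {host} only"
        service = WELL_KNOWN.get(port, "high/registered port, check which program owns it")
        report.append({"port": port, "scope": scope, "service": service})
    return report


def lan_reachable_ports(text):
    """Ports that a port forward on the router could actually expose: everything that is
    not bound to loopback. A forward to any other port just hits a closed port."""
    return sorted(p for h, p in parse_listeners(text)
                  if not h.startswith("127.") and h != "[::1]")


if __name__ == "__main__":
    for entry in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {entry['port']:>5}  {entry['scope']:<32} {entry['service']}")
    print("reachable from the LAN:", lan_reachable_ports(SAMPLE_SS_OUTPUT))
```

On a real Linux box, pipe the output of `ss -ltn` into `audit_listeners` instead of the sample; the loopback-only entries are the ones NAT never needs to protect.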