Is a NAT Router Suggested?

Hello.

We have one pc at home and we don't use Wi Fi. The current configuration we have is the following:

1. Emisoft Internet Security Pack (Trial),
2. Malwarebytes Pro, and
3. DefenseWall

We still use Windows XP Home.

Can anyone say if a NAT router would be suggested? If so, the NAT router wouldn't replace the software firewall, would it?

(I don't know much about Personal Computers).

Thank you again.

 

It is a matter of comfort level. With your setup probably not, but I run both a NAT router and software firewall. Both are password protected. The router provides some added protection and takes the load off my software firewall. I just feel more secure with both.

 

Adding a router adds a firewall along with NAT - extra security for not much $$. Just remember to change the router settings password and either turn on security for the wifi or turn the wifi radio off. And yes, keep using the software firewall on the PC.

 

Yep, a router is a good idea. When I got mine back in 2006 I dropped the software firewalls and haven't missed them ever since.

 

Thank you all for your responses, I appreciate them.

I'll start looking into NAT routers. I hope the Administrator doesn't block this question when I ask, Can anyone give me some suggested brands for NAT Routers?

Thank you again.

(And again, we don't use WiFi)

 

Salut,


You have two antivirus/anti malwares, risk of conflict of drivers, keep Emisoft.

You have three behavioural blockers, keep Emisoft.



You must have a hardware firewall and a software firewall, they protect from external (internet) and internal attacks (local area network).

 

There are a number of good brands. I currently use a "Buffalo" router, but I've also used Linksys, Netgear and Dlink. Have a look at features. For instance the more expensive ones have gigabyte ports, and connections for usb printer sharing. Don't buy features you don't need, but don't buy at the very bottom either. I feel the $50 price point is right for a basic router. Look at frys.com or newegg.com. It's unlikely you will find something without wifi, but you can turn off the radio in the settings.

 

Is a NAT Router Suggested?

A NAT/SPI router is more than suggested.
It is the 1st line of your Security Setup.
Add a reliable DNS Service (e.g. Norton, Comodo, Open etc.)

NETGEAR and LINKSYS are my favorite Routers.

 

I own several wired routers.
My favorite is the LINKSYS BEFSR41. Usually you can locate them at very good prices on eBay (currently about 8 pages of them). Make sure to get the highest version number (4.3) which will then support the most recent firmware upgrade. Lower version numbers only allow you to upgrade to older firmware versions. I had to ask some eBay sellers to check the version number before I would consider purchasing. The LINKSYS (now Cisco) is a tried and true router.
I also think the TP-LINK TL-R402M is a good, inexpensive wired router, which can be had at Newegg for around 20 dollars. I own one and keep it in case I need a backup for the BEFSR41.
As others have advised, be sure to change the default password right away.
I wouldn't think of accessing the web without being behind a router.

 

There appears to be some confusion here that NAT is a security feature. Per se, it is not. Read this .pdf from University of Michigan for clarification: http://safecomputing.umich.edu/tools/download/nat_security.pdf.

SPI or Statefull Packet Inspection is a security feature. Note that many retail routers so not have this feature. On commercial routers that have it, most have it set off by default. Therefore using the routers default configuration that many people do, leaves one vulnerable. It has to be manually enabled on the router.

Note that many software firewalls have SPI. Most notably, the WIN 7 firewall. In the WIN 7 firewall rule inbound details, the options dealing with "edge transversal" are SPI.

 

I do not know where this idea comes from, but it's not true what you're saying ?

http://www.freepatentsonline.com/20090007251.pdf

 

Attached is the default WIN 7 inbound firewall rule for DHCP. Note the edge transversal setting is block. This means no inbound UDP port 67 traffic will be allowed unless it is in response to a previously issued outbound udp port 67 request.

Why is this required? Because UDP is a "stateless" protocol.

TCP on the other hand is a "statefull" protocol. Hence not need for separate inbound rules for TCP connections such as your browser.

In reality, there are virtually no retail software firewalls that are 100% statefull. To be so, a packet id needs to assigned on all outgoing traffic and matched on inbound traffic. The NIS firewall does a partial implementation of this. Outpost Pro might assign packet ids but not sure of that.

 

From the PDF:

These addresses are not routable across the Internet but are within an organization's boundary. When working as expected, the internal hosts are not directly addressable from unsolicited connections outside of the NAT device. While NAT does have a useful purpose, it is too often incorrectly regarded as a security feature. ITSS and ITCom do not recommend using NAT as a network protection mechanism.


Saying NAT is not a security feature seems like semantics. The internal LAN IPs are not discoverable from the internet - only the router IP faces the net. That provides a layer of security IMHO.

What is the belief that SPI is not available on many retail routers based on? I've often noticed it in retail router firewall options, but I agree it shouldn't be taken for granted. In general default settings shouldn't be trusted as optimal - it's necessary to go through them.

 

Gabriolone,if your DefenseWall is a DW Personal Firewall (with HIPS) edition,that´s all you´ll ever need for your WinXP (x86).Add some AV ( MBAM is already there),and you´ll be (almost) bulletproof .

 

That's why I wrote about a NAT/SPI Router at Post #8 ...

 

Is there an easy way to find out if a specific router model supports SPI? The packaging doesn't usually mention SPI. Seems like you would have to dig into a manual on the manufacturer's website.

 

The Netgear N600 I picked up a short while back has.....
WPA/WPA2 and WEP as well as SPI + NAT Firewall.
I have yet to encounter any problems, quite easy to setup.

 

Everything you want to know about routers including performance charts can be found at this site: http://www.smallnetbuilder.com/.

From the list provided by Amazon, looks like best choice would be Netgear FVS318 but only if it was the "N" model. Amazon doesn't show what model it is.

 

Most of the routers mentioned so far in this thread are small business class ones.

Retail routers are the single port "cheapos" provided by the ISPs.

Speaking of - OP's new router selection must be compatiable with his ISP or he will have to use his existing router and configure it for "pass through mode" to the new router.

Or the OP can just buy a stand alone firewall device. Not cheap however: http://www.newegg.com/Firewalls/SubCategory/ID-529. I do notice the NetGear FVS318N is on sale for $159.

 

The Netgear WNR2000 N300 WIRELESS ROUTER also has NAT and SPI - can be had for around $40.00

 

Would you consider the Netgear WNR2000 N300 WIRELESS ROUTER - priced around $40.00 - business class?

A call beforehand to the ISP to talk about router compatibility might be helpful ( it also might not ), but in my experience the router setup wizards work quite well now. I install routers regularly and I can't remember the last time I had to consult ISP or the router manufacturer's support to get one working.

 

The Netgear FVS318 Prosafe appears to be a good if dated choice with two major issues:

1. Doesn't appear to support IPv6.
2. Won't support over 10Mbps on the WAN connection.

The Netgear FVS318N that doesn't have the above issues but isn't rated very high by users.

 

It is based on the fact that the term "SPI" is used quite loosely IMO. In home grade routers it refers to ability to filter out only the most common types of attacks. For example, the suggested Netgear FVS318 will have

So if that's all that is marketed as SPI, then I can see where the confusion stems from.
A packet filter must be able to filter out all invalid packets (packets that does not belong to any of the existing connections, and not just common attack vectors) to conform to SPI standards.

NAT will simply translate addresses in headers of all packets and pass them through. It will not look deep into packet headers (beyond IP and port values) and therefore can not tell if a packet belongs to a given connection or not.
So I agree, NAT is not a security feature.

 

Seer, thanks for the reply. It makes sense that there is only a limited implementation of SPI in the inexpensive home routers. What level of hardware more fully implements SPI? Do you need a standalone firewall device such as a Sonicwall, and are any of these scaled down for small, home networks?

Regarding NAT I thought there was some added security in the fact that the PC IP does not directly face the internet - is that incorrect?