Hardware Firewall - Advice Needed

Discussion in 'other firewalls' started by RiverLights, Oct 5, 2006.

Thread Status:
Not open for further replies.
  1. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Hi Folks

    I know nothing of routers or hardware firewalls. But am interested in adding some variation of one to my very simple security setup. (Kaspersky 6 suite and Spysweeper, regular XP updates of course).

    My broadband connection is 20M downloads, 2.1M up. Only one computer on the line.

    Just want something that will not slow down the connection (though actually I don't do a whole lot of downloading, but the speed helps make for very quick and wide ranging surfing).

    Any comments and/or suggestions would be greatly appreciated.

    Thanks in advance.
     
  2. mfenech

    mfenech Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    46
    Ok...I'm jealous. :'(
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi RiverLights,

    The first thing would be to find out if your broadband modem includes a NAT router or hardware firewall.
    Many of the newer models include a NAT router.
    What is the brand and model number of the modem?
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    RiverLights,

    You're going to want routing throughput which exceeds your current download speeds by a reasonable margin to allow potential growth over the next few years. You can get a snapshot of performance here. My personal favorites are ZyXel ZyWalls, with a ZyWall 2 Plus being a rather good deal for the price (~ $160-170), although a fairly common Linksys WRT54G would actually be fine as well for about half that. I've also used Buffalo Tech WR-HP-G54 (or WHR-G54S) routers, they're fine as well.

    Figure out what type of capabilities you want, verify that routing performance exceeds the likely limits of your connection for a reasonable timeframe (look at the speeds for higher tier options on your broadband service, that's where you'll likely migrate to eventually), and make the call based on those points. ZyXel, Linksys, Netgear, Buffalo Tech, D-Link, etc., are all reasonable choices - those are just on the top of my head and I've used all successfully (except for D-Link which I haven't owned as yet, but forum reports are generally favorable).

    Blue
     
  5. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    Riverlights,

    My ISP advertised speeds are 30Mbps / 2Mbps using a Motorola SBV5120 modem.
    I've been through two NetGear routers w/ NAT & SPI. Neither one worked exceptionally well on my wireless laptop. I bought a Belkin Pre-N router w/ NAT & SPI. With all hardware and software security running, my D/L is 23606 kbps, U/L 2588 kbps. This is my wired connection. Haven't checked wireless in a while. But, in any case, try a router that has a 30-day return policy. In fact, buy a few at one time, try 'em and keep the one that works best for you. You'll save yourself some time and aggravation in the long run.

    ...screamer

    btw: don't forget to tweak your tcp/ip settings. TCP Optimizer @ SpeedGuide.net
     
    Last edited: Oct 6, 2006
  6. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    LOL..don't be, mfenech.

    I have learned my practical speed is still at the mercy of the weakest link between me and whatever I am trying to reach. For instance, I live on the east coast of the US and if I am trying to connect with just the west coast, I am lucky to get 3 or 4M much of the time. But when it is cooking, it's nice.

    Also have learned...through a whole bunch of trial and error... that the very solid Kaspersky suite truncates the upload speed by about 70%. (Oddly enough it doesn't do much at all to the download speed.) By changing settings and then testing, I have discovered (I am pretty sure anyway - their tech is presently studying the phenomenon for me) that it is primarily K's excellent on-the-fly web buffering scan that chops the upload. I could switch to their streaming scan instead and get some of the upload speed back; but they themselves say that the change would significantly reduce the scan's security impact. I do not upload often, so am more than willing to live with the slower upload speed if the return is a more secure computer (and it is).
     
  7. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    I have a fairly old Motorola SB5100, Devinco. It does not have a NAT firewall (and I am so damn ignorant about this particular stuff that I am gonna have to google to find out what the NAT acronym stands for <g>).

    In a quick, not comprehensive, check last night I saw that one of the wireless Motorola modems does have an integrated firewall.

    Even though I only have one computer, is a wireless firewalled modem or router something I might consider? (again - completely ignorant)

    Thanks for your reply, and again for any and all replies from all posters. Your time, knowledge, and patience are appreciated.
     
  8. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Blue, Thanks. Comprehensive advice. Makes sense.

    Great site. Very informative. So I want to look at WAN to LAN. And/Or LAN to WAN. (can't help but think of a 1950s rocknroll song LammaLammadingdong)

    ;)
     
  9. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thanks Screamer.

    (I have tweaked the settings, but an excellent reminder)
     
  10. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Both - total simultaneous throughput. Also look at max simultaneous connections, especially if you game, etc.

    Blue
     
  11. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thank you, Blue. Extremely helpful.
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    They now call it KIS 6, Kaspersky Internet Security 6.0. It integrates the KAH (Kaspersky Anti-Hacker) software firewall.
    While you don't absolutely need a hardware firewall (or a NAT router), you do need some type of firewall to keep the angry horde at bay. The integrated KAH in KIS 6, if activated, is what is currently protecting your computer from inbound and outbound attacks.

    Having said that, a hardware firewall (at least a basic NAT Router) is highly recommended by a lot of people.
    It is a different type of firewall, so it will not conflict with KAH.
    It will take the burden of blocking the inbound attacks from the internet off KAH and your computer.
    It will not slow down your connection. By freeing up your computer (especially processing all the logs that a directly connected inbound software firewall might generate), it can only help.
    Should your software firewall crash for any reason, or while you are first installing windows, your NAT router will still protect you.
    A NAT router offers many other benefits like isolating your computer's IP address from the internet. You will still have a public IP address, but it will be the router that is directly connected to the internet, not your computer. A NAT router can also allow you to share one internet connection with many computers.
    A NAT router is definitely a good investment even for one computer on a broadband connection.

    You are correct, the Motorola SB5100 does not use NAT, it does not contain a router, and it does not have a firewall. It is just a cable modem. It acts as a "bridge" for all the internet traffic and passes it unfiltered directly to your computer where KAH deals with it right now.
    Your current security setup will benefit with the addition of a router.
    NAT stands for Network Address Translation.
    If you don't find what you need to learn on google, you will find Wikipedia to be a gold mine, especially for technical terms and acronyms.

    You are referring to the SBG900 Wireless Cable Modem Gateway. I like the basic firewall features of that model; however, I have usually found the feature set to be better in stand-alone routers rather than an all-in-one cable modem gateway. The combined modem/router models are improving lately, but I still think you can have a more flexible setup with the modem separate from the router. A good way to research a model you are interested in is to visit forums that discuss routers all the time (dslreports, or the manufacturer's forum for example). You will then see the type of problems you are likely to have with a particular product.

    The main question here is wireless or wired? You will need to answer for yourself the following...
    Does the idea of using your laptop poolside or on a LazyBoy recliner sound good?
    Are running cables from where the cable comes in to where your computer is placed not possible?
    If the answers are yes, then you should consider wireless.
    If you think there is no need to keep moving the computer around and it would be more comfortable in one place set up just for the computer, then go wired.

    If you decide to go wireless, then I would avoid the SBG900 because it only supports the weak WEP wireless security. Better to go for one that supports the IEEE 802.11i standard, which is also called WPA2 (WiFi Protected Access). This is currently the most secure wireless standard.
     
    Last edited: Oct 7, 2006
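    As an added illustration of the NAT behaviour Devinco describes above (the router, not the PC, holds the public address; replies to connections the PC opened are let back in; unsolicited inbound traffic never reaches the PC), here is a small model of a stateful NAT router. This is example code written for this page, not code from the thread or from any router firmware. The addresses, ports and the `NatRouter`/`Packet` names are made up; real routers also time mappings out and track TCP state, which this model leaves out.

```python
"""Toy model of the translation and connection tracking a NAT router does.

Added example; the IPs and ports below are constructed sample data
(RFC 5737 documentation ranges), not from the original thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """One public IP in front of a private LAN, with port-and-address translation."""

    def __init__(self, public_ip: str, first_public_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_public_port
        # LAN-side flow -> public port the router used for it
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port, remote ip, remote port) -> private endpoint
        self.inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Rewrite the private source to the router's public address, remembering the flow."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            # Only the exact remote endpoint this flow talks to may answer on pub_port.
            self.inbound[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Forward only packets that match a flow the LAN opened; drop everything else."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        target = self.inbound.get(key)
        if target is None:
            self.dropped.append(pkt)      # unsolicited: nothing to translate it to
            return None
        priv_ip, priv_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> dict:
    """Walk one web connection and two unsolicited probes through the router."""
    router = NatRouter(public_ip="198.51.100.7")
    pc, web, attacker = "192.168.1.10", "203.0.113.5", "192.0.2.66"

    # 1. The PC opens a connection to a web server; the WAN sees only the router's IP.
    out = router.lan_to_wan(Packet("tcp", pc, 51000, web, 80))
    # 2. The server's reply is addressed to the router and mapped back to the PC.
    reply = router.wan_to_lan(Packet("tcp", web, 80, out.src_ip, out.src_port))
    # 3. A worm probing TCP/445 on the public address has no mapping and is dropped.
    probe = router.wan_to_lan(Packet("tcp", attacker, 33333, router.public_ip, 445))
    # 4. Even guessing the in-use public port fails: the remote endpoint does not match.
    hijack = router.wan_to_lan(Packet("tcp", attacker, 33333, router.public_ip, out.src_port))

    return {
        "wan_sees_src": (out.src_ip, out.src_port),
        "reply_reaches": None if reply is None else (reply.dst_ip, reply.dst_port),
        "probe_forwarded": probe is not None,
        "hijack_forwarded": hijack is not None,
        "dropped": len(router.dropped),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The model makes Devinco's two points concrete: the web server only ever sees `198.51.100.7`, and an inbound packet is forwarded only if it answers a flow the PC itself started. It also shows the limit of NAT as a "firewall": anything the PC initiates is allowed back, which is why the thread still wants a software firewall watching outbound connections.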
  13. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thanks very much, Devinco. And to all for your thoughts, shared experiences, and overviews.

    Especially appreciate that you and Blue pointed out some very educational sites. Can't ask for more than that.

    I know my way around software security fairly well; but as I said, I knew nothing about hardware firewalls and routers. Still a ton to learn, but, thanks to responses here, headed in the right direction.

    Wired is definitely the way to go for me, Devinco. I was curious as to whether a wireless modem or router with attractive features might have a "wired usage" option....but now that question is academic only.

    Made a choice.

    The D Link DGL-4100. (identical in all other ways to its wireless sibling, the 4300). It is fast.

    Of 43 combined user reviews that I read about the 4100 and 4300, 40 folks liked it. A couple experienced freezes that required hard resets...but that of course sometimes happens to software too. Many said D-Link support was not very good, so I hope I can muddle along without it.

    Once again, many thanks to all. (good forum) :D
     
  14. ahinterl

    ahinterl Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    31
    ZyWall 2 Plus has a big advantage: it can be run as a bridge, i.e. it has no real IP address which could be attacked and thus it needs no stealthing or such 'cause it's invisible by default.

    Relatively cheap and powerful, just don't know whether the frequent reboots I had with my older Zywall 2 (w/o the "Plus") are eliminated in the new piece...

    Andreas
     
  15. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thanks Andreas. I believe that was Blue's current favorite too. Interesting point on running it as a "bridge" (more googling for me to do) <g>.

    Gotta admit I have some doubts about how much extra security (over and above a good software firewall) a hardware firewall normally really adds. The bridge mode you speak of would answer those questions. (with the proviso that I know so little about hardware firewalls, my questions may well make little real sense o_O)

    I appreciate the information, but for now it is a little too late. I ordered the D-Link DGL-4100. For $115 (free shipping). Should arrive tomorrow. I'll take it for a spin and try not to screw up the setup.

    If I return it, I'll seriously consider the Zywall 2 Plus.
     
  16. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Whoa!...lol....after a moment's googling I am REALLY confused by your post, Andreas. You wrote


    I googled and


    So bridge mode is just an unrestrained pass-through? I only have one computer, and the only conceivable reason I would add a router is to utilize an extra layer of protection from the hardware firewall. And if the definition is accurate in that the firewall is also bypassed by bridge mode....why in the world would I want bridge mode?
     
  17. ahinterl

    ahinterl Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    31
    That's true, I was a little unspecific.

    To make full use of a bridged firewall, you would need some NAT device sitting in front of it (i.e. on the side towards the public LAN (=Internet)). Don't know that exactly; I suggest you download the Zywall 2 Plus manual and see for yourself.

    NAT alone is a neat protection, but with a bridged firewall behind it the firewall itself is like a pass-through device and completely invisible to hosts (like a repeater would be, that's simply the nature of a bridge).

    This adds a tremendous amount of additional security: though in bridged mode some filtering may not be accessible (because of the logical layer the bridge is located in within the OSI model; you can read about this in detail in the FreeBSD manpages for instance), the "attack-proof" and "invisible" attributes are second to none.

    For not so complex environments, I consider a bridged firewall the non-plus-ultra, provided the private LAN is additionally secured from the outside by NAT.

    I was quite happy with my older Zywall 2 models (I'm using a Fortigate-60 now, a no-cost leftover from the company I work for), so I can only recommend the Zywall 2 Plus; there's simply nothing comparable in this price segment.

    If you're not planning to invest a lot more money, you can't go wrong with a Zywall 2 Plus.

    Andreas
     
  18. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Andreas,

    The Zywall 2 Plus looks like a nice Hardware Firewall/Router.
    The idea of a bridged firewall sounds good, but I don't see the practical application other than saving some LAN reconfiguration if you already have a NAT router.
    Let's say you have a NAT Router and behind it the Zywall in Bridged Mode.
    The firewall may be invisible, but the NAT router is not, and it is then the NAT Router that is doing all the heavy lifting protecting the LAN from inbound attacks at the front door.
    The firewall should be first in the line of fire, not second.
    Maybe I'm missing something, but I don't see the benefit of bridged mode.
    I read relevant parts of the manual, but it did not mention specifically whether the "bridged" firewall would go in front of an additional NAT router or behind it.
    Even if the ZyWall in bridge mode is put in front of the additional NAT router, the ZyWall will pass the IP of the NAT router through.

    Could someone explain why a bridged firewall with an additional NAT router (either in front of or behind the firewall) is better than just a hardware firewall (with built in NAT router)?

    In RiverLights case, with one computer, and a cable modem, I would set it up in NAT router mode (and enable the firewall).

    The D-Link DGL-4100 also looks like a good choice.
     
  19. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thanks Andreas and Devinco for the additional elucidation.

    I'll post my router novice's adventures and any misadventures with the D-Link as soon as I get the time to set it up.

    ( PS I am really liking the Kaspersky Internet Security Suite...getting used to it )
     
  20. ahinterl

    ahinterl Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    31

    A firewall does not necessarily need to be the 1st line of security IMHO.

    NAT is good, but has its weaknesses as well.

    To have a NAT device and a firewall behind it is better than only either of them alone ;-)

    And bridged is better than visible 'cause you can't put an attack onto something that "isn't there" ;-)

    The role of a hardware firewall usually is to protect you from attacks from the outside and possibly to let only specified protocols from the inside pass through to the Internet.

    This is what a piece like the Zywall 2 Plus does perfectly, no matter if it plays the role of NAT and firewall itself or only does firewalling and lets another router do NAT.

    So, it's pretty unimportant how many other devices are in front of the Zywall; multiple lines of defence make a cracker's life harder -- that's why I have Comodo with a fully detailed configuration as well on my PCs. It's simply to put another level of protection in a line of protective measures against outside attacks or malware "calling home".

    Andreas
     
  21. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    well any arrangement is bound to be better than my previous one.....I had just been stretching a jumbo condom over my computer tower and hoping that would work

    ;)
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I cannot understand how a bridge can give extra security, as to me, a bridge is a switch, but uses broadcasts to set up a "tree" (network).

    Bridge:- A device that connects two LAN segments together, which may be of similar or dissimilar types, such as Ethernet and Token Ring. A bridge is inserted into a network to segment it and keep traffic contained within the segments to improve performance.
    Bridges with more than two ports (multiport bridges) perform a switching function. Today's LAN switches are really multiport bridges that can switch at full wire speed.

    If the bridge acts as a firewall, then the firewall would intercept IP packets; all others would pass through.

    I am also unclear as to your ref:- "like a repeater would be":-

    repeater:- A communications device that amplifies (analog) or regenerates (digital) the data signal in order to extend the transmission distance. Available for both electronic and optical signals, repeaters are used extensively in long distance transmission. They are also used to tie two LANs of the same type together. Repeaters work at layer 1 of the OSI model.
     
  23. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks for the answers Andreas.

    But is a NAT device and a firewall behind it better than a firewall WITH a NAT device included? Why?
    With the former, the firewall may be "invisible" but the NAT device is left somewhat less protected without the firewall.
    While the latter may not be "invisible" it guards the entire LAN including the NAT router, so no foothold can be gained in the network.
    A lot of mischief can happen with a compromised router.

    So I guess I still don't understand the benefit over a combined NAT router/firewall.
     
  24. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Finally setting up the router. Acronyms flying at me from all directions.....

    Anyone know what I should set for the MTU? I think the default is 1500.....wait I googled and see that windows xp has a default setting of 1480. To change it I'd have to change the registry. Guess I should set my router for 1480 then? o_O

    Also encountered an odd little problem unrelated to the setup. When I try and run

    ipconfig

    the window only stays open for a fraction of an instant then vanishes. Fairly weird.

    But all seems to be running fairly smoothly so far. Checked my Kaspersky firewall log, and all of a sudden nothing is happening. So though I remain uncertain about just how much extra difficulty the hardware firewall addition to the security mix really poses for intrusion attempts, it does take the load off of the software firewall. And the two do not, so far, seem to clash in any way. Guess an extra levee can't hurt.
     
    Last edited: Oct 12, 2006
  25. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I would leave it at 1500, the maximum allowable on ethernet networks.

    Also, as you would with a software firewall, set a strong password on the configuration.
    And, if you don't need remote administration or VPN, turn those features off.
     