Hardware Firewall - Advice Needed

Discussion in 'other firewalls' started by RiverLights, Oct 5, 2006.

Thread Status:
Not open for further replies.
  1. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thanks, Devinco.
     
  2. ahinterl

    ahinterl Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    31
    Folks, I guess there are some misconceptions and misunderstandings here, so let me explain:

    Firstly: NAT device with built-in firewall is in no means more secure than one without a firewall. NAT has per se nothing to do with firewalling but rather is a method of translating IP addresses from one address space to ones of another and to provide routing in both directions.

    That said: don't worry whether you have a NAT device in front of your firewall, it simply doesn't matter. And, there's no benefit in putting a firewall into the same device that does NAT. Fact is that there's simply no "NAT alone" device but you'll find a NAT thing always with some kind of firewall built in - so if you have a NAT device, that piece of hardware in almost all cases already HAS a firewall built in - but I suggest to disable it anyway to make administration easier (it's easier to administer 1 firewall than 2, but if you're concerned you can let it stay on of course, it has no impact on the firewalls behind the NAT device).

    Secondly, a bridged firewall has two big advantages:
    You don't need to give it IP addresses (except one for remote administration), so you can plug it into any network configuration without the hassle to re-configure something, it's "plug and play". And, because it has no IP addresses (like a hub doesn't either), how could someone attack that thing?

    And to make your concerns about that "bridge only" argument go away: even in bridged mode, the Zywall is a full blown firewall which wouldn't let pass anything you deny through.

    You see, bridged mode has some advantages over the conventional setups. But there are some drawbacks as well, in bridged mode, some filter methods cannot be applied because of the pure nature of a bridge: it logically sits at a certain layer of the ISO model and therefore simply hasn't access to anything outside that layer (i.e. things at higher levels). But I bet you wouldn't see any difference. Usually, these disadvantages only come into play in complex network environments, which at home aren't present.

    Again, I recommend a bridge setup and the Zywall 2 Plus, it's so much cheaper than other firewalls (and, all others cook with water too, the expensive firewalls usually don't do anything better in firewalling than cheaper ones do, they have additional features a home user normally doesn't need anyway) and its ZyNOS operating system is very powerful.

    Andreas
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    You bring up an important point here that is supported by Steve Gibson and many others.
    Specifically here is an article about just that: NAT Router Firewalls. Another related article about DDoS Attacks sheds more light.
    Basically, the primary protective "firewall" feature of any NAT Router is that it drops unsolicited packets.
    That is, any data that someone within the LAN didn't ask for is ignored.
    The "extra" firewall features (like protection from DOS attacks) in a NAT router don't add much if any real protection.
    They are primarily marketing tools.
    I have noticed that routers that include these "extra" firewall features usually have other useful configuration features that a lesser router might not have.

    However, the fact that you don't need a firewall in the NAT router to be secure also means that you don't need a bridged firewall behind a NAT router to be secure either.
    It is the NAT router that is providing the real security, so nothing else is needed.

    The Zywall does appear to have a lot of "bang for the buck" (feature to dollar ratio).

    I think I understand now the reason why one would consider a bridged firewall.
    The NAT router is what is providing the real security for the LAN.
    But, if you are concerned that the NAT router would be compromised, then the bridged firewall would be an additional barrier to entry into the LAN just as a second NAT router would be. In this case, the bridged firewall would be better than a second NAT router because it would not need additional configuration (just drop it into the network).
    But if your first NAT router is compromised, plenty of mischief can still happen like DNS redirection and probably other things too.

    So if you are looking into a dual NAT router setup as explained in the Steve Gibson article, the bridged firewall looks like a good alternative.
    But for most users, I think just a NAT router would be sufficient.

    Thank you Andreas for all the explanations. :)
     
    Last edited: Oct 12, 2006
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I always prefer hardware over software. I don't care if I'm invisible or not....what I prefer (and insist for all my clients), is hardware NAT on the outside. So what...if you can see me. Just because you're standing in front of Ft Knox does not mean you can break in and steal all the gold. Stare at it all day long for all I care.

    NAT does not "break"..by default, it's set up secure, all ports shut..nothing from outside is coming in. I don't care about outbound stopping....but that's a personal preference.

    Software firewalls can break, vulnerabilities can (and have) come out against them to disable them, services can hang or not start, it can become corrupted and not start, etc. One day you boot up...you "think" you're protected..you're not. 5 seconds later on a public IP address..well...get out your Windows CD and format/reinstall.


     
  5. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Imposing on your exceptional generosity with time once again....

    Settings.

    Swimming in my router ignorance, I chose to clone the MAC address of my modem to the router. Then when I updated the firmware I noted that it did not do that by default so I manually set it to clone once again. ( I do not actually know if that is necessary for my ISP to function properly yet...I just guessed).

    Should I undo that clone.

    And on the 10/100 setting......it is auto detect by default. Left it at that. My BB speed is 20M on downloads. Should I manually set it to 100 to be on the safe side, or might that cause some problems.

    Again, grateful for the time and expertise of all posters....any and all comments most welcome...I am trying to learn...
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Sounds like you used Start>Run, typed in ipconfig<Enter>.

    You need to open an active command window (Start>All Programs>Accessories>Command Prompt) and then enter ipconfig from the command line in that window.

    Blue
     
  7. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Precisely right. Thanks, Blue.
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Not at all,.. maybe on different pages.

    Most attacks are usually against software, be it services or user software when that service/software makes connections out. Once the software is compromised, a NAT router will not block the returned packets to the software, and the compromised software could download any other program. It would not matter how many NAT devices (transparent or not) you had in between the internet and your PC under these circumstances, as the packets would simply be routed through due to the current outbound.
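The two behaviours Devinco and Stem describe above (unsolicited inbound traffic is dropped, but replies to a connection that LAN software opened itself are let back in, however many NAT boxes sit in the path) as an added toy simulation that is not part of the thread; the NatRouter class, the chaining helpers and all addresses are constructed for illustration only.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port"; every address in this file is a constructed sample
    dst: str
    payload: str = ""

@dataclass
class NatRouter:
    """Toy NAT with connection tracking: outbound creates entries, inbound needs one."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # (lan_src, remote) -> public port

    def outbound(self, pkt):
        key = (pkt.src, pkt.dst)
        if key not in self.table:               # first packet of a new flow
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(f"{self.public_ip}:{self.table[key]}", pkt.dst, pkt.payload)

    def inbound(self, pkt):
        # A reply goes to the LAN host that opened the flow; anything unsolicited
        # matches no entry and is dropped (None): the real "firewall" in a NAT box.
        for (lan_src, remote), port in self.table.items():
            if pkt.src == remote and pkt.dst == f"{self.public_ip}:{port}":
                return Packet(pkt.src, lan_src, pkt.payload)
        return None

def send_out(chain, pkt):
    for nat in chain:                           # innermost router first
        pkt = nat.outbound(pkt)
    return pkt

def deliver_in(chain, pkt):
    for nat in reversed(chain):                 # outermost router first
        pkt = nat.inbound(pkt)
        if pkt is None:
            return None
    return pkt

def unsolicited_probe(chain):
    # An Internet host sends straight at the outer public address: dropped.
    return deliver_in(chain, Packet("203.0.113.9:4444", f"{chain[-1].public_ip}:80"))

def compromised_software_fetch(chain):
    # Software on the LAN connects out; the server's reply (e.g. a further
    # download) is routed back in through every NAT because that flow exists.
    req = send_out(chain, Packet("192.168.1.10:51000", "203.0.113.9:80", "GET"))
    return deliver_in(chain, Packet(req.dst, req.src, "download"))
```

Build a chain such as `[NatRouter("10.0.0.2"), NatRouter("198.51.100.7")]` (inner, outer) and call the two scenario functions to see the probe return None while the reply to the outbound flow reaches 192.168.1.10:51000; a second router adds nothing against the latter, which is why outbound control or host protection is where that case has to be caught.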
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Yes, I think you should.
    Only if your ISP has locked the account to your computer's MAC address would you need to clone the MAC address of your computer's network card.
    This is unlikely though.
    In any case, you wouldn't clone the modem's MAC, you would clone the MAC address of the NIC (Network Interface Card) in the computer.
    Undo the clone and see how it works.
    ARP (address resolution protocol) works on ethernet and uses MAC addresses to associate devices with IP addresses.
    It works better when each device has its own unique MAC address.

    I would leave it on auto.
    It should detect the correct speed of the connected device just fine.
    When you say 20M, it is not clear.
    To be clear, 1Mbps = .125 MBps.
    Your ISP is providing 20 Mbps (Megabits per second) not 20 MBps (Megabytes per second).
    20Mbps = 2.5MBps.
    Your modem is capable of 38 Mbps download.
    Your router is capable of 100Mbps (100 Base-T).
    Your computer's NIC is either 10, 100, or 1000Mbps.

    You might also want to disable your router's UPnP (Universal Plug 'n Play).
     
  10. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thanks very much, Devinco. For all the tips.

    Sorry for using imprecise shorthand on the speed. Yes the download speed of my ISP connection (nominally) is 20Mbps....but if you know an ISP that provides 20MBps at a reasonable price I would certainly be an interested customer <g>.
     
  11. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    No question about it.

    A poster I have read here signs with something like

    the only 100% secure computer is unplugged

    that must be axiomatic; but I think even the unplugged computer is slightly below 100% secure - after all somebody can break in to a home or business and steal the hard drive.

    Of course with security measures and careful behavior anyone can tilt the balance heavily in the favor of defense... from my point of view I'll try and tilt until the tilting itself carries me into more troubles than various forms of malware normally create.

    But, for my purposes, I like my present and really simple arrangement. Hope it serves me adequately, with minimal maintenance, for a long time.

    Again I am very grateful for all the help.
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Only in fun...
    For those paranoid enough to unplug their computers for security (not counting during a thunderstorm), there is something far worse that could happen.
    The burglar could break in, plug in the computer, and leave, taking nothing. :ninja:
     
    Last edited: Oct 12, 2006
  13. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    LOL


    that reminds me of a story, but I'll spare ya....
     
  14. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    As a postscript....

    After trying several, I am now using the 2007 Norton Internet Security suite behind the D-Link firewall.

    To my amazement, I like the Norton suite very much. And am glad I have the firewall as an extra levee against incoming.

    Thanks once again to all for comments and assistance.
     
  15. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    to add another postscript.

    As a couple users on another forum had mentioned about the wireless version of my particular wired model (identical otherwise), the D Link router I have been using "freezes" every now and again. For no immediately obvious reason.

    Has happened 2 or 3 times. Then I just reset (by pushing in a little button on the back of the router with a paperclip) and then rehook and reconfigure. Then all is fine again. Irritating, but it really does not take long.

    So far tolerable I suppose....mainly because I do not leave the computer on all night to perform any really mammoth downloads. If a freeze happened when I did something like that would be a real aggravation. To the point where I would probably take the router out of the path for bodacious downloads.

    So I will hang with it. I like the NAT feature, and I like the extra belt and suspenders protection against software firewall failure.
     
  16. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    RiverLights,

    I don't think that Router Freezing is acceptable.
    I would complain to the manufacturer.
    Find out if there is a firmware update.
    Maybe there is some configuration setting that triggers the freezing.
    Worst case return the defective router for a different brand/model that works.
    Search available DLink forums / DSLReports to see what solutions people have for the freezing.
    It shouldn't be freezing on you.
     
  17. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
    Thanks Devinco. Appreciate your comments.

    To be more specific...by "freeze" I mean nothing gets through the router and/or firewall to my computer. Thus no internet connection. Take the router out of the path and all is fine.

    Might have been firmware. In this last quick setup I discovered an upgrade had become available on November 2nd. Went ahead and upgraded. Will set up an automatic notification of available firmware upgrades via email.

    Also traveled to their DGL 4100 knowledge base to check for WAN to LAN connection disruptions. They suggested reconfiguring the Windows XP ethernet card settings for 10Mbps full duplex. I had it on autodetect. My connection is 20Mbps (downloads), but I took that suggested setting for a spin anyway, and it immediately cut my download speed to 3Mbps. Presently giving a setting of 100Mbps full duplex a try...and so far so good. But not convinced there is any relationship between my autodetect setting and the "freezes". Just playing around a little.

    If this becomes a frequent problem, I'll talk to tech and forums.

    Thanks Again.
     
  18. RiverLights

    RiverLights Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    54
    Location:
    Maryland
  19. Metal425

    Metal425 Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    188
    Location:
    Southern California
    Can you say T1? lol
     