Is a NAT Router Suggested?

Discussion in 'other firewalls' started by Gabriolone, Nov 12, 2012.

Thread Status:
Not open for further replies.
  1. Gabriolone

    Gabriolone Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    28
    Hello.

    We have one pc at home and we don't use Wi Fi. The current configuration we have is the following:

    1. Emisoft Internet Security Pack (Trial),
    2. Malwarebytes Pro, and
    3. DefenseWall

    We still use Windows XP Home.

    Can anyone say if a NAT router would be suggested? If so, the NAT router wouldn't replace the software firewall, would it?

    (I don't know much about Personal Computers).

    Thank you again.
     
  2. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    It is a matter of comfort level. With your setup probably not, but I run both a NAT router and software firewall. Both are password protected. The router provides some added protection and takes the load off my software firewall. I just feel more secure with both.
     
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Adding a router adds a firewall along with NAT - extra security for not much $$. Just remember to change the router settings password and either turn on security for the wifi or turn the wifi radio off. And yes, keep using the software firewall on the PC.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, a router is a good idea. When I got mine back in 2006 I dropped the software firewalls and haven't missed them ever since.
     
  5. Gabriolone

    Gabriolone Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    28
    Thank you all for your responses, I appreciate them.

    I'll start looking into NAT routers. I hope the Administrator doesn't block this question when I ask, Can anyone give me some suggested brands for NAT Routers?

    Thank you again.

    (And again, we don't use WiFi)
     
  6. Spiedbot

    Spiedbot Guest



    Salut,


    You have two antivirus/anti malwares, risk of conflict of drivers, keep Emisoft.

    You have three behavioural blockers, keep Emisoft.



    You must have a hardware firewall and a software firewall, they protect from external (internet) and internal attacks (local area network).
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    There are a number of good brands. I currently use a "Buffalo" router, but I've also used Linksys, Netgear and Dlink. Have a look at features. For instance the more expensive ones have gigabyte ports, and connections for usb printer sharing. Don't buy features you don't need, but don't buy at the very bottom either. I feel the $50 price point is right for a basic router. Look at frys.com or newegg.com. It's unlikely you will find something without wifi, but you can turn off the radio in the settings.
     
  8. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Is a NAT Router Suggested?

    A NAT/SPI router is more than suggested.
    It is the 1st line of your Security Setup.
    Add a reliable DNS Service (e.g. Norton, Comodo, Open etc.)

    NETGEAR and LINKSYS are my favorite Routers.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    I own several wired routers.
    My favorite is the LINKSYS BEFSR41. Usually you can locate them at very good prices on eBay (currently about 8 pages of them). Make sure to get the highest version number (4.3) which will then support the most recent firmware upgrade. Lower version numbers only allow you to upgrade to older firmware versions. I had to ask some eBay sellers to check the version number before I would consider purchasing. The LINKSYS (now Cisco) is a tried and true router.
    I also think the TP-LINK TL-R402M is a good, inexpensive wired router, which can be had at Newegg for around 20 dollars. I own one and keep it in case I need a backup for the BEFSR41.
    As others have advised, be sure to change the default password right away.
    I wouldn't think of accessing the web without being behind a router. :thumb:
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    There appears to be some confusion here that NAT is a security feature. Per se, it is not. Read this .pdf from University of Michigan for clarification: http://safecomputing.umich.edu/tools/download/nat_security.pdf.

    SPI or Statefull Packet Inspection is a security feature. Note that many retail routers so not have this feature. On commercial routers that have it, most have it set off by default. Therefore using the routers default configuration that many people do, leaves one vulnerable. It has to be manually enabled on the router.

    Note that many software firewalls have SPI. Most notably, the WIN 7 firewall. In the WIN 7 firewall rule inbound details, the options dealing with "edge transversal" are SPI.
     
    Last edited: Nov 15, 2012
  11. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66

    I do not know where this idea comes from, but it's not true what you're saying ?

    http://www.freepatentsonline.com/20090007251.pdf
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Attached is the default WIN 7 inbound firewall rule for DHCP. Note the edge transversal setting is block. This means no inbound UDP port 67 traffic will be allowed unless it is in response to a previously issued outbound udp port 67 request.

    Why is this required? Because UDP is a "stateless" protocol.

    TCP on the other hand is a "statefull" protocol. Hence not need for separate inbound rules for TCP connections such as your browser.

    In reality, there are virtually no retail software firewalls that are 100% statefull. To be so, a packet id needs to assigned on all outgoing traffic and matched on inbound traffic. The NIS firewall does a partial implementation of this. Outpost Pro might assign packet ids but not sure of that.
     

    Attached Files:

    Last edited: Nov 15, 2012
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    From the PDF:

    These addresses are not routable across the Internet but are within an organization's boundary. When working as expected, the internal hosts are not directly addressable from unsolicited connections outside of the NAT device. While NAT does have a useful purpose, it is too often incorrectly regarded as a security feature. ITSS and ITCom do not recommend using NAT as a network protection mechanism.


    Saying NAT is not a security feature seems like semantics. The internal LAN IPs are not discoverable from the internet - only the router IP faces the net. That provides a layer of security IMHO.

    What is the belief that SPI is not available on many retail routers based on? I've often noticed it in retail router firewall options, but I agree it shouldn't be taken for granted. In general default settings shouldn't be trusted as optimal - it's necessary to go through them.
     
    Last edited: Nov 15, 2012
  14. jaodsvuda

    jaodsvuda Registered Member

    Joined:
    Feb 27, 2011
    Posts:
    146
    Gabriolone,if your DefenseWall is a DW Personal Firewall (with HIPS) edition,that´s all you´ll ever need for your WinXP (x86).Add some AV ( MBAM is already there),and you´ll be (almost) bulletproof .
     
  15. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    That's why I wrote about a NAT/SPI Router at Post #8 ...;)
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Is there an easy way to find out if a specific router model supports SPI? The packaging doesn't usually mention SPI. Seems like you would have to dig into a manual on the manufacturer's website.
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  18. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    The Netgear N600 I picked up a short while back has.....
    WPA/WPA2 and WEP as well as SPI + NAT Firewall.
    I have yet to encounter any problems, quite easy to setup.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Everything you want to know about routers including performance charts can be found at this site: http://www.smallnetbuilder.com/.

    From the list provided by Amazon, looks like best choice would be Netgear FVS318 but only if it was the "N" model. Amazon doesn't show what model it is.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Most of the routers mentioned so far in this thread are small business class ones.

    Retail routers are the single port "cheapos" provided by the ISPs.

    Speaking of - OP's new router selection must be compatiable with his ISP or he will have to use his existing router and configure it for "pass through mode" to the new router.

    Or the OP can just buy a stand alone firewall device. Not cheap however: http://www.newegg.com/Firewalls/SubCategory/ID-529. I do notice the NetGear FVS318N is on sale for $159.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    The Netgear WNR2000 N300 WIRELESS ROUTER also has NAT and SPI - can be had for around $40.00
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Would you consider the Netgear WNR2000 N300 WIRELESS ROUTER - priced around $40.00 - business class?

    A call beforehand to the ISP to talk about router compatibility might be helpful ( it also might not :) ), but in my experience the router setup wizards work quite well now. I install routers regularly and I can't remember the last time I had to consult ISP or the router manufacturer's support to get one working.
     
    Last edited: Nov 16, 2012
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The Netgear FVS318 Prosafe appears to be a good if dated choice with two major issues:

    1. Doesn't appear to support IPv6.
    2. Won't support over 10Mbps on the WAN connection.

    The Netgear FVS318N that doesn't have the above issues but isn't rated very high by users.
     
  24. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    It is based on the fact that the term "SPI" is used quite loosely IMO. In home grade routers it refers to ability to filter out only the most common types of attacks. For example, the suggested Netgear FVS318 will have


    So if that's all that is marketed as SPI, then I can see where the confusion stems from.
    A packet filter must be able to filter out all invalid packets (packets that does not belong to any of the existing connections, and not just common attack vectors) to conform to SPI standards.

    NAT will simply translate addresses in headers of all packets and pass them through. It will not look deep into packet headers (beyond IP and port values) and therefore can not tell if a packet belongs to a given connection or not.
    So I agree, NAT is not a security feature.
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Seer, thanks for the reply. It makes sense that there is only a limited implementation of SPI in the inexpensive home routers. What level of hardware more fully implements SPI? Do you need a standalone firewall device such as a Sonicwall, and are any of these scaled down for small, home networks?

    Regarding NAT I thought there was some added security in the fact that the PC IP does not directly face the internet - is that incorrect?
     
Thread Status:
Not open for further replies.