Modem: bridged or routed?

Discussion in 'hardware' started by dragoon, Apr 27, 2011.

Thread Status:
Not open for further replies.
  1. dragoon

    dragoon Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    1
    Hello,

    I've been using my modem in "bridged mode" for years. However, recently I've read people telling how I should switch to "router mode", because there is built-in firewall and it's safer. My question is: Is it really necessary? I know that while bridged, your computer connects directly to the internet. I've always used a software firewall and so far, never had any problems. So is there enough reason to change? I only have one PC, no wireless. Any tips, or a list of pros and cons would be welcome.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,265
    Location:
    Nebraska, USA
    I agree with Cudni but would like to clear up one thing. While some routers do indeed run firewall software on them, most routers are not, and do not have any firewall features. What they do have, however, is network address translation, or NAT. And NAT is a "firewall-like" feature that can help hide your attached computers from the outside - and that is a very good thing as that provides a significant layer of security, without impacting performance.
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... two things:

    1/ You must have some weird routers at hand, frankly, have not seen one without a firewall for ages, be it iptables, pf or whatever similar depending on what the firmware is based on.

    2/ NAT does not replace firewall, nor is it meant as a security measure. NAT is also dead when it comes to IPv6.
     
  5. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    "2/ NAT does not replace firewall, nor is it meant as a security measure. NAT is also dead when it comes to IPv6."

    Leaving us with what options now for routers?
    Thanks.
    Hugger
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Nothing changes there. You need a proper firewall in place, NAT is not a firewall. So, you need a router with IPv6 support and IPv6-capable firewall.
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,265
    Location:
    Nebraska, USA
    Then sorry, but you are not looking. Basic, entry-level routers, which is what most "normal" users buy, do not have advanced firewall features. This is easily verified by simply looking at Newegg. But even with that, don't confuse a home cable/DSL router that claims to have a firewall, with a real firewall, as found on a corporate network.

    Never said it did. I said, "NAT is a "firewall-like" feature that can help hide your attached computers from the outside"

    I disagree, wholeheartedly! While NAT was initially created to prevent running out of IP addresses, NAT has a side benefit and adds a HUGE security measure by not allowing any computer outside your network to initiate a connection with a computer on your side of the router. That is a HUGE security measure. Whether that was the initial intended purpose or not, buying a router with NAT, even on networks of just one computer is frequently recommended just for that security measure.

    As far as needing IPv6 now, if you currently have an IP address from your ISP, you won't lose it when your area converts, if it has not already. It will be a while before residential areas will require it. I note of the 100s of routers Newegg has, only a handful of very expensive models support IPv6. Nevertheless, it will be up to the modem anyway - not the router - even if integrated in the same box as the modem.
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Eh, this is just a myth. You can connect to computers behind NAT (Google "source routing"). If you do not have a firewall in place, NAT will fail miserably. Also, NAT will not do anything when it comes to DoS attacks. Once again, NAT is not a security feature.
     
  9. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,265
    Location:
    Nebraska, USA
    If by "in place" you mean a firewall program running on your router, that is totally incorrect and could be fear-inciting if others mistakenly believe that too and suddenly think their network is exposed. This suggests millions and millions - the majority of home routers ever made over the last 10+ years (since most don't have firewall software running on them) are useless at thwarting even wannabe hackers, and nosy neighbors. We all know that is simply not true.

    If you are saying regardless if you have NAT or not, you still need a firewall on your computer "in place", then no argument there. Since routers, by their very nature, see everything on the "trusted side" as "trusted", you still need a local firewall to protect you from other computers on your own network - and from threats from the outside, perhaps initiated by cookies and/or spyware on your system.

    Plain and simple, a basic home DSL/cable router with NAT will provide a major layer of security over no router at all. To suggest otherwise indicates a misunderstanding of home (different from "real" corporate) routers. A higher-end router with enhanced security features, including a firewall application may provide more security, but those fancy extra features are only incremental compared to that provided by any basic DSL/cable Ethernet router with NAT enabled.

    It may be semantics but you first said, security "measure." NAT, while not intentionally designed as a "security feature", does have the significant side benefit or side effect of providing a "measure" (a step, a procedure, a layer) of defense one can take to increase security significantly on their home network. It does indeed effectively block access from all but a determined and experienced hacker actively seeking out you or your computer specifically. Semantics maybe, but a distinction readers need to understand.

    NAT is not infallible and I did not mean to suggest or imply it is. But it is no simple task to bypass a router with NAT enabled. It takes a determined, and very experienced hacker seeking you out to bypass a home router and crack into a home network. It is not fair to use an extreme, very rare and remote example to dismiss a significant layer of security! That's like saying don't use a deadbolt on your door because a bad guy can still kick it open.

    Hackers, wannabes and malicious juveniles are like common thieves who commit crimes of opportunity. They go for the "easy pickin's" and move on as fast as they can. They don't know who you are and don't care. They are not going to spend time trying to breach extra layers of your defenses when they know the guy next door leaves his front door open. The best way to ensure your computer is safe from compromise is don't let it be easy to pick.

    If someone is targeting you or your network specifically, that is not a hacker - it is a stalker using hacking as one of his tools. Just as you cannot ensure your house or business cannot be broken into, you cannot ensure your network won't either. But neither is reason to dismiss such a readily available and easy to use security "measure" as setting up NAT in a basic router.

    And of course, if you allow wireless access into your network, that greatly increases your exposure, even if properly secured. The sad and scary part of someone hacking into the wireless side of your network is you know it is someone physically nearby. :doubt:

    Was NAT designed as a security feature? No.
    Can NAT be implemented as a significant security measure? Absolutely!
    Even if I only have one computer? Yes!
    Even if my router is a simple Ethernet router with NAT but no built-in firewall? Yes!
    Do I still need a software based firewall on all my computers? Yes!
    Is NAT perfect? No.
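
Added example, not part of any post in this thread: a toy Python model of the inbound handling the posts above argue about, comparing an IPv4 NAT gateway, a routed IPv6 gateway with no filter, and a routed IPv6 gateway with a stateful filter. The `Gateway` class, the addresses and the ports are constructed for illustration and are assumptions; they do not model any specific router firmware.

```python
from dataclasses import dataclass, field

@dataclass
class Gateway:
    """Toy gateway model (constructed for illustration, not router firmware)."""
    nat: bool              # True: IPv4 NAPT; False: routed IPv6, global addresses
    stateful_filter: bool  # drop inbound that matches no flow opened from the LAN
    wan_ip: str = "203.0.113.5"                   # documentation address
    flows: set = field(default_factory=set)       # (lan_ip, lan_port, remote_ip, remote_port)
    nat_map: dict = field(default_factory=dict)   # wan_port -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)  # admin port forwards, same shape

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: record the flow and, with NAT, a mapping."""
        self.flows.add((lan_ip, lan_port, remote_ip, remote_port))
        if self.nat:
            self.nat_map[lan_port] = (lan_ip, lan_port)  # source port kept for simplicity

    def inbound(self, remote_ip, remote_port, dst_ip, dst_port):
        """Return the LAN (ip, port) a WAN packet reaches, or None if it is dropped."""
        if self.nat:
            if dst_ip != self.wan_ip:
                return None                     # private addresses are not routed from the WAN
            if dst_port in self.forwards:
                return self.forwards[dst_port]  # explicit forward: delivered to the LAN host
            target = self.nat_map.get(dst_port)
            if target is None:
                return None                     # no mapping, so nowhere to deliver
        else:
            target = (dst_ip, dst_port)         # global address is routable as-is
        if self.stateful_filter and (*target, remote_ip, remote_port) not in self.flows:
            return None                         # filter: not a reply to a LAN-initiated flow
        return target

def demo():
    """Same two inbound packets against three gateway setups."""
    cases = {
        "ipv4_nat": (Gateway(True, False), "192.168.1.10", "198.51.100.7"),
        "ipv6_no_filter": (Gateway(False, False), "2001:db8:1::10", "2001:db8:ffff::7"),
        "ipv6_stateful": (Gateway(False, True), "2001:db8:1::10", "2001:db8:ffff::7"),
    }
    out = {}
    for name, (gw, lan_ip, server) in cases.items():
        gw.outbound(lan_ip, 50000, server, 443)
        dst = gw.wan_ip if gw.nat else lan_ip
        out[name] = {"reply": gw.inbound(server, 443, dst, 50000),
                     "unsolicited": gw.inbound(server, 40000, dst, 445)}
    return out
```

In this model the NAT gateway drops the unsolicited packet only because no mapping exists for it, and an entry in `forwards` delivers it to the LAN host. The routed IPv6 gateway delivers or drops the same packet depending solely on `stateful_filter`.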
     