Reliable router security-wise

Discussion in 'other firewalls' started by Seishin, Aug 23, 2006.

Thread Status:
Not open for further replies.
  1. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    I was looking for some opinions about routers as I've tried a couple so far: Zyxel P334 and P335WT.

    The first one was good in terms of connectivity and reliability, but security-wise I think it is so-so.

    My machine didn't like the second one at all. It dropped connectivity all the time and the box hung at shutdown, forcing me to turn the switch off. What a pain. I know wireless routers require a lot of tuning but I am not very keen to do that kind of work when wired ones do a good job.

    Someone recommended the Zywall 2+ (Zyxel) to me, as this one is very robust when it comes to protecting your computer; unfortunately it is not available in the country where I live.

    Any other alternatives??

    BTW, I am a P2P user.

    Note: Only interested in broadband wired routers

    Cheers.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I had been using a Linksys router for years until a firmware update killed it. It had given me good service well past what I expected time-wise, and until that time it was extremely reliable and had no conflicts with anything that I know of. I replaced the Linksys with a "Network Everywhere" router, which is a Linksys, and it is turning out to be just like my first one: very reliable, the firewall is pretty configurable, and it was inexpensive. I would fully recommend it.

    http://www.networkeverywhere.com/

    The Network Everywhere router is a Linksys all the way through; it is just rebranded in a different case.
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Aside from ZyXel, which I use as my main router, I've found both Linksys and Buffalo Technology to be quite good. In general, I opt for wireless models even if I am using it only in a wired context since:
    • The price differential is nonexistent if purchased on sale. A Buffalo Tech WHR-G54S can be had for ~$35-40 US.
    • Future flexibility - I know you said you're interested only in wired solutions - given product pricing, positioning, and development efforts, I'd recommend you reassess this stance.
    • These are the platforms where virtually all Linux based 3rd party firmware development is occurring. This can be a driver even if only interested in the wired end of things.
    In addition to my ZyXel ZyWall 10W, I run a mix of Linksys WRT54GS and Buffalo Tech WHR-G54S systems running a combination of Sveasoft Talisman and DD-WRT standard firmware packages. There are other 3rd party firmware options out there, including some interesting ones just starting.

    Blue
     
  5. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    They're actually a bit different...and from my experience, not well liked on most broadband forums...I've come across a few on the job...and I myself have not had a good experience with them (port forwarding acting a bit screwy..something I can normally do in my sleep with any other brand of router).

    Linksys won't really admit that it's their product. According to my Linksys regional rep (I'm a direct VAR for Linksys), they made a huge whitebox order of an inexpensive router for an ISP as CPE, the ISP went belly up, and Linksys was stuck with all these oddball units. They made this side label and sell them under it.

    The warranty is less.
    The support is only 9-5.
    The NetworkEverywhere website is a clone of the Linksys website from over 5 years ago.
    You'll not see a mention of this product on the main Linksys site, nor will their support touch it.
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    That is most likely true, but the Network Everywhere I have had for a while now works flawlessly; even the port forwarding works as it should. And all of the documentation in the box has Linksys printed all over it, the router GUI has a large Linksys logo right on the front page, and the box has the "Manufactured by Linksys" logo on it. They can't be totally disassociated from it. It has a year's warranty and they actually have quite a few products and different router packages.
     
    Last edited: Aug 23, 2006
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    It depends on what features you're looking for. For "security"...just about all home grade broadband routers are alike...NAT is NAT. You're not going to have intrusion detection, or outbound filtering, on most of the ones you'll come across for the home market.

    There seem to be two things you're looking for, above what traditional home grade routers will provide for you: extra security...and the horsepower to deal with P2P traffic.

    Extra security...as mentioned, traditional home market broadband routers provide NAT..which protects you from inbound. If you want outbound filtering, and other features...you won't get that. You'll have to step up to business grade products..such as the entry-level Linksys/Cisco RV0 series and some of their "just being released this month" business line, to the better-known products such as Cisco PIX and Sonicwall. Those may well be above what you planned on spending. You're starting at between 300 and 400 US..and easily going to twice or three times that amount.

    The other part you mention..is P2P usage. Now outside the dangers that brings to your PC (which is outside the topic of this thread)..I'll focus on how routers handle that. Most home grade routers do not handle P2P traffic very well. They simply do not have the horsepower..typically under 200MHz for a CPU, and usually under 16 megs of RAM..actually most are under 8 megs if more than a year old. P2P traffic puts an insane amount of stress on routers..because they have to deal with many many concurrent connections. You can spend mere minutes on Google searching across various broadband forums to see I'm not making this up. You'll find many threads about "when I use Limewire or bittorrent..my internet slows to a crawl and I have to power cycle my router", or "when my brother runs his kazaa..the rest of our family can't surf the web..." etc etc

    In the past year..many newer routers have emerged on the market with more "horsepower under the hood". This is because most ISPs are deploying much higher speed broadband..here in the States many cable ISPs are deploying 10 meg connections, we have fiber being deployed at 15 megs, DSL2 ramping up for 24 megs, other ISPs implementing insane brief periods of bursting, such as Comcast's "PowerBoost", etc. I have that, and I can burst into the 80,000 range.
    ==>clicky for a screenshot http://www.speedguide.net/~brian/powerboost2.JPG

    Older routers could barely muster about 5-8 megs of routing throughput..so use one of those on today's faster connections...and it's a bottleneck. Even routers only a year or two old would become a bottleneck on some of the faster packages.

    My first suggestion...would be to combine security, protection, with performance. I'd recommend building a Linux based router with certain features. Easiest is IPCop..with an add-on package called Copfilter. Or another distro that I've been running lately, called Endian.
    http://www.ipcop.org/
    http://www.endian.it/en/community/
    Now..just click on the following link..and look at the features that Copfilter adds to IPCop. Antivirus/antispam/antiphishing/anti-browser-exploits/ad-popup blocking/intrusion detection
    http://www.copfilter.org/docu.php#intro

    All things that someone who deals with P2P apps would be at high risk of.

    Now for the horsepower part of it. As mentioned...P2P apps bog down most consumer grade routers.

    By building your own linux router, you can take an old P3 of say near a GHz or higher, 384 or 512 megs of RAM, a pair of NICs..and build yourself a strong performing router/security appliance that can handle anything you throw at it. Even taking a mid-range P3 in the 700-ish MHz range with 256 megs..it will still run circles around just about any retail router product you can purchase. Never dealt with Linux before? No problem..these distros come in very easy to install setups..you download an ISO, burn to CD, run a quick install that's very easy, once done...you manage them through a web browser just like any retail router product for the home.

    Not into trying a Linux based router? Wish to stick with a boxed retail product? OK, we've seen routers of much higher performance come out during the past year. If you want something that will do well with P2P traffic...I'll refer you to lots of heavy testing of router performance, done by Tim Higgins over at TomsNetworking.com. Yeah yeah a lot of people don't like TomsHardware..but I've communicated with Tim Higgins on 'n off going back quite a few years to when he ran his own PracticallyNetworked site...and he does a good job at things; his tests of router performance are done quite well using solid tools (Ixia).

    From the list of popular home broadband routers...I'm not normally a fan of DLink..but they hit a home run with their 4x00 line of routers, as you can see in the charts listed below..they do quite well, with near 100 megs of throughput.

    The only really strong Linksys wired performer these days is their RV0 line..which is a bit higher in price (I have a RV082, and have installed around 40 of them and the RV016 units..very good product). Their wrt54gx (SRX) line is good..but you state you don't want wireless. Although you can disable the wireless component. Their older wrt54g line has..well...gotten long in the tooth. I know the 3rd party firmware helps them a bit..so for a budget router..they do OK; I have a few of them and I've used Hyper-WRT and DD-WRT. ZyXel has done well, they seem to equip their units with a good amount of horsepower. It's a good thing they didn't follow Netgear down the tubes (they were cousin companies, with Netgear tied in with Bay Networks quite a few years back). I'm not fond of Netgear lately, used to love them years ago. But they do have some models that perform well lately, as you can see in the charts linked below.

    Anyways...links below will give you some perspective...

    http://www.tomsnetworking.com/2006/07/05/cheap_router_roundup/

    http://www.tomsnetworking.com/2006/06/16/hardware_router_chart_june_2006/

    http://www.tomsnetworking.com/2006/06/08/linksys_wrt54g_v5_really_is_a_lousy_router/

    And one you should definitely read...
    http://www.tomsnetworking.com/2006/04/19/which_router_for_p2p/
     
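The post above blames P2P slowdowns on the sheer number of concurrent connections a NAT router has to track. As an added example (not from the thread, and not any router's own software), the script below parses the text form of Linux's /proc/net/nf_conntrack (the connection tracker behind NAT on Linux based routers, which is an assumed input format here), counts entries per LAN host, and reports table occupancy, so you can tell which machine is filling the table before the router "bogs down". The sample lines and the 4096-entry table size are constructed, not captured from a real router.

```python
"""Count NAT connection-tracking entries per LAN host.

Added example, not from the thread. Input format assumed: the text format of
Linux /proc/net/nf_conntrack. The sample lines below are constructed, not
captured from a real router, and the 4096-entry table size is an assumed
figure for a small home router.
"""
import re
from collections import Counter

# Constructed sample: host .10 runs a P2P client on port 6881 and has one
# half-open (UNREPLIED) connection; host .20 has a single HTTPS session.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=6881 packets=12 bytes=1800 src=203.0.113.5 dst=198.51.100.7 sport=6881 dport=51234 packets=10 bytes=1500 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=203.0.113.6 sport=51235 dport=6881 packets=1 bytes=60 [UNREPLIED] src=203.0.113.6 dst=198.51.100.7 sport=6881 dport=51235 packets=0 bytes=0 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.10 dst=203.0.113.7 sport=6881 dport=6881 packets=3 bytes=300 src=203.0.113.7 dst=198.51.100.7 sport=6881 dport=6881 packets=2 bytes=200 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.80 sport=40001 dport=443 packets=30 bytes=9000 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=40001 packets=28 bytes=40000 [ASSURED] mark=0 use=2
"""

# First src/dst pair on a line is the original (LAN to WAN) direction.
_ORIG = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
_STATE = re.compile(
    r"\b(ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE|NONE)\b"
)


def parse_conntrack(text):
    """One dict per entry, using the original direction only."""
    entries = []
    for line in text.splitlines():
        m = _ORIG.search(line)
        if not m:
            continue  # ICMP and other entries without ports are skipped here
        proto = next((t for t in line.split() if t in ("tcp", "udp")), "?")
        state = _STATE.search(line)
        entries.append({
            "proto": proto,
            "src": m.group(1), "dst": m.group(2),
            "sport": int(m.group(3)), "dport": int(m.group(4)),
            "state": state.group(1) if state else "",
            "unreplied": "[UNREPLIED]" in line,  # half-open, never answered
        })
    return entries


def per_host(entries):
    """Total and half-open entry counts keyed by LAN source address."""
    total, halfopen = Counter(), Counter()
    for e in entries:
        total[e["src"]] += 1
        if e["unreplied"]:
            halfopen[e["src"]] += 1
    return total, halfopen


def table_report(entries, table_size=4096):
    """Occupancy of the tracking table and the host holding the most entries."""
    total, halfopen = per_host(entries)
    top, top_n = total.most_common(1)[0] if total else ("", 0)
    return {
        "entries": len(entries),
        "occupancy_pct": round(100.0 * len(entries) / table_size, 2),
        "top_host": top,
        "top_host_entries": top_n,
        "top_host_halfopen": halfopen[top],
    }


if __name__ == "__main__":
    print(table_report(parse_conntrack(SAMPLE_CONNTRACK)))
```

On a real router you would feed it `cat /proc/net/nf_conntrack` (or `ip_conntrack` on older kernels); a host with thousands of entries, many of them UNREPLIED, is the P2P client the post describes.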
  8. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    OK. Thx a lot for all your replies. Well, I was considering another option: using a Linux-based FW. However my OS is XP SP2 (I hope that is not an issue).

    I was thinking of the following:

    1. Smoothwall

    2. IPCop (as YOS suggested)

    3. m0n0wall

    I am a single home user so which of these three would be ideal for me (please bear in mind that I am no IT pro, just learning).

    Cheers.
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    If you're seriously considering a linux based router...I do strongly encourage it.

    I've poked around several of them, I ran IPCop for a while, then PFSense, then Endian..which I'm currently still with.

    For me...the advantage of running a linux based router..is some of the features that a couple of them give. And those features are the "UTM" features..."Unified Threat Management". Not all of them have these options...I know there's an add on module for IPCop..called Copfilter. And Endian runs it out of the box. To me...there's no advantage to running a plain linux router distro without these features...else I'd have a Sonicwall or RV082 or whatever router I feel like dusting off and using again.

    I've mentioned these here a few times on these boards...with this crowd..which one could safely say (without being insulting)...can be considered quite higher than average as far as worrying about the security of their PCs...combined with performance, I'm surprised it's not more popular.

    Those extra virus scanning and threat scanning features are priceless, it's an extra layer that protects the entire network..and runs on the router...so no performance hit on your PC by an added application. I'm only a beginner at linux routers...AFAIK so far...IPCop and Endian are the only ones that have those transparent proxy scanning features. Maybe ClarkConnect. AFAIK Smoothwall and m0n0wall do not have those options...but worth checking to be sure.

    You'll often read that you can take a linux router distro and install it on any old box..and get blazing performance. Well..if you use one of the newer ones, with the transparent proxy features enabled..that's not true. The first one I built was IPCop on an old Compaq EN small form factor desktop...I think it had a 733 or 866 P3..with 256 megs. Onboard Intel Pro 10/100, and I stuck a 3COM 905 in the PCI riser board. Takes about 30 minutes to install IPCop. Got it up and running rather quickly. After a few weeks, I tried PFSense...looked newer and slicker. I then found out about the Copfilter add-on...and went back to IPCop..installed the add-on (again..I don't really have experience with linux..but if you can fiddle with computers a bit..just follow the instructions..it's not bad). The features were cool..but I noticed it ran a hair slow. I then came across another newer small form factor Compaq from a client upgrade, an Evo d510sff. Similar chassis, P4 2.4 with 512 megs. Same onboard Intel Pro 10/100, somewhat similar Intel chipset, I stuck the 3COM 905 in its riser board, moved my hard drive from the older Compaq to this one...booted up just fine...and runs smooth as butter. And as you can see by my bandwidth screenie way up above...it'll handle at least what I throw at it bandwidth wise.

    IPCop is built on top of Smoothwall..and Endian is built on top of IPCop combined with Copfilter.
     
  10. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    YOS,

    I was thinking of installing Endian. It looks okay to install, I mean reasonably easy to follow.

    Now, is this product more than a software firewall? Kind of a NAT router.

    Can I use it with the software FW I am currently using, Sygate Personal Ed.?

    Is this the version you're using?:

    http://sourceforge.net/project/showfiles.php?group_id=132104
    http://www.endian.it/fileadmin/documentation/efw-admin-guide/en/efw-admin-guide.html

    Which files do I need to download? Platform independent or i386?

    Thx.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yup I'm running the latest community version, 2.0. I updated it when that came out..prior to that was running a Pre-2.0 beta.

    It's a very clean interface..and they have quite a roadmap ahead of them. Plus they have a commercial product (paid for) for business setups...with full support, I'm strongly considering becoming a reseller.

    One thing I will state, the installation isn't quite as intuitive as IPCop was. Similar..but missing a few features.

    IPCop...the install routine let you see which NICs the install saw, and assign which NIC to which interface. It also let you enable DHCP on the LAN interface during the install routine, after you gave it the LAN IP address (something like 192.168.1.1).

    With Endian..it only allowed you to assign the LAN IP address of an interface (you don't know which one), and DHCP was disabled..no option to turn it on during the install. So...you had to remember which IP you assigned the LAN interface, then assign your PC a fixed IP in that same range...and power cycle the router and your PC until you could pull up the web admin. Trying one NIC..then trying the other if you didn't get it on the first one. Then log in..enable DHCP...configure the second NIC to your WAN interface...and tell it how to log on (obtain, PPPoE, etc).

    Once up and running, it's slick...rock solid. However, if you're not familiar with IP in your head..don't work with networks much....the initial up and running might take a bit. IPCop I'll admit was much easier, almost fully plug 'n play on setup. You just have to add that Copfilter manually...install the plugin...which all in all wasn't hard. IPCop also can update itself when a new version comes out..sorta like Windows Update. Migrates your settings. Endian doesn't have that feature yet.

    Definitely fun if you like to tinker with PCs a bit. :thumb:

    Yes they run NAT...2x NICs..one with a pub IP and one with a private IP...so like routers, you have your port forwarding and stuff. You can certainly keep your software firewall with it. By default, IPCop will act like a home grade router and allow everything outbound. You can however block outgoing traffic. Endian by default only allows outbound web traffic..all others (such as IM) are blocked outbound by default. You can disable the outbound blocking with one setting.
     
  12. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Hey, BigC, we have the network everywhere router on our cable setup and we have 2 open ports. Telnet and http ports (23 and 80) are both open according to the security scans I've run. We also use software firewalls for backup, so no problem. Just curious if you've run into the same problem and if you've found a way to correct it.

    Even with those ports being open, we've had no problems, so maybe it isn't a big deal.
     
  13. Seishin

    Seishin Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    204
    YOS,

    Thx for the info. I might shoot for IPCop instead.

    :)
     
  14. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    If they point to a running service answering on that port...it can be if that service is not secured. If they point to a dead end..then no big deal IMO.

    Some people would freak out over it..."OMG...an open port..someone might find it! :eek: " But again..IMO...if it's a dead end...it's nothing to lose sleep over.

    So is your remote management of the router secured with a non-default password?
     
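The exchange above (ports 23 and 80 reported open on a router's WAN side, "dead end" versus a running service, and the earlier "stealthed" port 113) comes down to three things a TCP connect attempt can tell you. As an added example, not part of the thread, the script below classifies a port as open (handshake completed, something is listening), closed (a RST came back, so the port is visible but empty), or filtered (no reply at all, which is what scanners call stealthed and what a forward to an absent LAN host looks like), then grabs whatever banner the service sends so you can tell a management interface from a dead end. It needs no raw sockets or root. The loopback server it starts for the demo is a constructed stand-in for a router's web admin page; the hostnames and messages are assumptions, not taken from any product.

```python
"""Classify a router's WAN-side ports and grab a banner from open ones.

Added example, not from the thread. Plain connect() semantics:
  completed handshake      -> "open"     (a listener answered)
  ECONNREFUSED (RST)       -> "closed"   (visible, nothing listening)
  no reply before timeout  -> "filtered" (stealthed / forwarded to nowhere)
The demo server below is a constructed stand-in for a router admin page.
"""
import socket
import threading


def probe_port(host, port, timeout=2.0):
    """Return (state, banner) for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", b""
    except ConnectionRefusedError:  # must precede OSError, it is a subclass
        s.close()
        return "closed", b""
    except OSError:
        s.close()
        return "unreachable", b""
    banner = b""
    try:
        # An HTTP HEAD is harmless to telnet too: telnet servers volunteer
        # their IAC option negotiation regardless of what we send.
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        banner = s.recv(512)
    except OSError:
        pass
    finally:
        s.close()
    return "open", banner


def assess(port, state, banner):
    """Turn a probe result into the check a router owner should make."""
    if state == "filtered":
        return "no reply (stealthed, or forwarded to a host that is not there)"
    if state == "closed":
        return "RST received: port visible but nothing listening"
    if state == "unreachable":
        return "host unreachable"
    if banner.startswith(b"HTTP/"):
        return ("HTTP service answering on port %d; check that remote management "
                "is off or protected by a non-default password" % port)
    if banner[:1] == b"\xff":  # telnet IAC byte
        return "telnet negotiation seen; telnet is cleartext, disable it on the WAN side"
    return "open, unidentified service"


def start_demo_server():
    """Constructed stand-in for a router web admin page on a loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                    conn.sendall(b"HTTP/1.0 401 Unauthorized\r\n"
                                 b"Server: demo-router\r\n"
                                 b"WWW-Authenticate: Basic realm=\"router\"\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def find_closed_port():
    """Reserve and release an ephemeral loopback port so nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for port in (start_demo_server(), find_closed_port()):
        state, banner = probe_port("127.0.0.1", port)
        print(port, state, assess(port, state, banner))
```

To check a real router the way the scans in the thread do, run the probe from a machine outside your network against your public address for ports 23 and 80; run it from the LAN and you are testing the admin interface you are supposed to reach, not what the Internet sees.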
  15. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Just a bit of a clarification is needed here since units are mixed..., the 80,000 value quoted above is in kbps, whereas all other numbers are in Mbps, so we can drop 3 orders of magnitude from the start - it's still a very high number, and a lot higher than quoted by Comcast itself for a residential connection, which would be the typical scenario here. They tend to state that the bursts will be of the order of 12-16 Mbps on a normal 6 Mbps connection, but it's not really that germane to p2p users. I realize the measurement indicates much higher, but there are ways to introduce anomalies into these tests.

    I only mention it to note that typical SOHO hardware routers have absolutely no problem achieving the rates the vast majority of users have, even the ones found wanting in test evaluations. I realize simultaneous connections can be another matter altogether, but most of the SOHO routers have plenty of horsepower for current users. Personally, I wouldn't worry about my own router being a bottleneck unless my sustained (not burst) download speed exceeded 25 Mbps in my own case using a relatively aged ZyWall 10W. Naturally, this threshold is router specific.

    If you do have a spare PC laying around and want to delve into the hardware and software details, going with a Linux based approach does have a lot of merit, I don't want to discourage that route as it is a very good option regardless of speed issues.

    Blue
     
  16. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Right...it's in kbps..I figured the picture illustrated that on the bottom. 80,000 megs would certainly be a bit cost prohibitive, no? :blink:

    I agree...the Comcast Powerboost is hard to measure...as it really varies, I heard that it's all available bandwidth at your local node for a brief period...if that's the case, certainly varies according to time of day, and density of your node. I have several friends who also have Comcast in my area..and they can all easily replicate exceptionally high bursts, if they have equipment to handle it. I'm sure it's all relative to what region you're in.

    My main point is...higher speed broadband is rolling out very heavily this year, all over the US. I just got an IM from a colleague who's upgrading his 6 meg DSL to 30/2 meg Optimum Online cable. He's an hour away from me. Lucky dude. 15 meg fiber is also rolling out in my state. And I can't talk straight when I read about some of the insane ultra high speed connections they have in parts of Asia and Europe.

    I maintain that most older "home grade" routers will not let these connections perform at their best. Some "SOHO" grade...some..yes..as soho is a notch above plain home grade. But get more than a couple of years old, the average home grade models simply don't have the throughput...they will be a bottleneck. Your router is an exceptional one (ZyXel)..they've always stood above the crowd..packed a little more RAM than average also.

    Spend some time at various broadband forums, amongst the many other complaints...you'll see 2x common ones.
    1) My router bogs down or kicks us off if I run P2P programs, what's wrong?
    2) I upgraded my ISP package from 3 megs to 10 megs...but I'm still only getting 5 megs....what's wrong?

    You'll see a common denominator in the solution some people will provide..because they've gone out, and done their homework.

    If you're ever curious..it's quite easy to run tests to see what the basic raw throughput of your router is...Ixia provides a network performance tool you can download for free...you set up a PC on the WAN port, configure the WAN interface, then DMZ a PC on the LAN interface..and run it. That's just raw throughput of 1x connection. They have other tools which can simulate more "real world" traffic. Plus..if you have more than 1x user behind your router...you start entering a divider in your router's throughput. This is the factor that P2P programs really cripple routers with....it's all just math in the routing tables based on memory and CPU.

    Sorry I know I get long winded on posts about routers 'n stuff...you guys here at Wilders focus on antivirus 'n the like, routers and networks is where my experience is..so I get pretty excited about them. You should see me at the office when a new line of products comes out..and I'm unwrapping some demo unit for the first time...you'd swear my face looks like a kid on XMas morning.
     
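The raw-throughput test described in the post above (a sender on the WAN port, a receiver DMZ'd on the LAN port, one TCP connection) is simple enough to write yourself. The script below is an added example, not from the thread and not Ixia's tool: it pushes a fixed number of bytes through one TCP connection to a byte-counting sink and reports the rate in Mbps. Both ends run on loopback here, so the number it prints shows the method only, not any router's capacity; put the sink on the LAN-side PC and the sender on the WAN-side PC to measure a real box. It also carries the unit correction made earlier in the thread (speed-test tools report kbps, router charts report Mbps) and the post's rule of thumb that several users share a router's throughput; the 1000-to-1 kbps/Mbps factor is the decimal convention those tools use, and `would_bottleneck` is that rule of thumb, not a measured model.

```python
"""Minimal raw-throughput test: a sender on one side, a byte sink on the other.

Added example, not from the thread and not Ixia's tool. In a real test the
sink runs on a PC behind the router's LAN port (DMZ'd to it) and the sender on
a PC on the WAN port; here both ends run on loopback so the number only shows
the method, not a router's capacity.
"""
import socket
import threading
import time


def kbps_to_mbps(kbps):
    """Speed-test screenshots report kbps; 80,000 kbps is 80 Mbps."""
    return kbps / 1000.0


def start_sink():
    """Start a receiver that counts bytes until the sender closes the connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = {"bytes": 0}

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(1 << 16)
                if not chunk:  # sender closed: test over
                    break
                result["bytes"] += len(chunk)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return srv.getsockname()[1], result, t


def run_throughput_test(total_bytes=16 * 1024 * 1024, chunk_size=64 * 1024):
    """Push total_bytes through one TCP connection and report the rate in Mbps."""
    port, result, sink_thread = start_sink()
    payload = b"\x5a" * chunk_size  # constructed filler, content is irrelevant
    sent = 0
    start = time.perf_counter()
    with socket.create_connection(("127.0.0.1", port)) as s:
        while sent < total_bytes:
            n = min(chunk_size, total_bytes - sent)
            s.sendall(payload[:n])
            sent += n
    sink_thread.join(timeout=30)
    elapsed = time.perf_counter() - start
    return {
        "bytes_sent": sent,
        "bytes_received": result["bytes"],
        "seconds": elapsed,
        "mbps": (result["bytes"] * 8) / elapsed / 1e6,
    }


def would_bottleneck(router_mbps, link_mbps, users=1):
    """The thread's rule of thumb: measured router rate, split across users,
    below the ISP link rate means the router, not the line, is the limit."""
    return router_mbps / users < link_mbps


if __name__ == "__main__":
    r = run_throughput_test()
    print("%d bytes in %.3f s = %.1f Mbps" % (r["bytes_received"], r["seconds"], r["mbps"]))
    print("bottleneck on a 10 Mbps line?", would_bottleneck(r["mbps"], 10))
```

Run the sender side several times and take the lowest figure; a single burst flatters a router that cannot sustain the rate, which is the same caveat the thread raises about PowerBoost measurements.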
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I want to ask: is a Linux-based FW (like Smoothwall) more secure, or a router?
     
  18. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    My router had all ports stealthed except port 113, so I just forwarded port 113 to itself and that stealthed it. So all ports are now stealthed.
     
  19. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Well, many routers implement Linux as their OS, so it would be similar ;) . However, the customizability of *nix based firewalls on a standalone PC is much more than on a router, due to limited hardware. So I can put OpenBSD, pf, snort, snort-sam, squid, squid-guard, openvpn, openssh, etc. all on my OpenBSD based firewall which I want to make, but can only have basic NAT and SPI with a router due to hardware.

    Cheers,

    Alphalutra1
     
  20. ESQ_ERRANT

    ESQ_ERRANT Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    72
    Response:

    I use a Netgear (Cable/DSL) ProSafe VPN Firewall (Model FVS318) router, connected to three computers. I have used it for a few years now and have never had a problem with it.
     
  21. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    but imagine what it would be like, something akin to the entire Internet on a big RAM drive.... :)

    Blue
     