Router firewall? VPN

Is it a good idea to get a hardware router firewall and not use a software firewall? I mean, the router firewall will not get updated, because it's hardware.

Also, what is a VPN firewall router? I know that it's something that is supposed to hide your IP address, but I see "VPN endpoint" "VPN", "VPN passthrough" advertised on different routers, what's the difference?

Also, does the brand of routers matter? Like linksys seems to be much more expensive than other brands like netgear or USrobotics.

Thanks.

 

Hi there!

Well there is absolutely no "NEED" for you to get a hardware firewall,
if you got a software FW.

I bought a Router too split up my Fiber connection so i would be able to connect more computers to the Net.
And the router included a firewall, and MANY of the routers out there does inclued a SPI (Stateful Packet Inspection) firewall.

And I acctually do feel more secure now then before with only the software one, and the hardware firewall takes the first hit and if the threat pass the HD one, the i got the software firewall in case !-)

But as i said there is absoluterly NO "NEED" to get a hardware firewall,
if you allready got a software firewall!

However the price on the router's often depends on the feauters included,
some got VPN some not, some got DoS protection, some got Web content filtering etc...

I did buy a DrayTek router since they allways got high quality on their Routers!
http://draytek.com/user/PdInfoDetail.php?Id=18 <<

Hope this helps you a little !-)

SweX

 

far from true, this culd turn into another huge discussion but im gunna leave it simple and say u do need a hardware firewall, its definetly a place u shuld start with any security. so u are wrong about the "NO NEED"...

 

Well i've been using a software firewall ONLY for many many years,
without problems. So "No Need" for a hardware one that's just MY experience my friend

And why don't you tell us what you know about it instead
of saying it's not true

 

i didnt go into detail cuz thers another thread discussing it, i dont want to take over this thread with another discussion about it u can check the other thread if ud like to know...

 

.
Routers have NAT - network address translation. The benefit of NAT is it assigns a private IP (such as 192.168.x.x) to your PC and hides it from the internet. A router also drops unsolicited packets, can be set to not respond to ping (stealth mode for ports) and many include SPI (stateful packet inspection). This all adds up to more security then a personal firewall installed on the host PC can provide. A personal firewall can be used along with the router to provide additional security. That combination is optimal IMHO.

 

.
Regarding your other questions:
I believe a VPN router supports the option of connecting to the PC behind the router over the internet. For instance, you could use a laptop while you're sipping in Starbucks to connect to your home PC over a secure connection (VPN connections are encrypted). I don't have a need to do that and don't keep my home PC running while I'm away so I haven't played with that feature, but it has obvious uses.

I've used Netgear, D-link, and Linksys routers and currently prefer Netgear, but they've all pretty much done the job. If I were buying today I would focus on getting the most advanced security and performance features first and consider the brand second.

 

I thought it's something like Tor or Ghostsurf, which hides you identity on the internet.

Yes, but most routers list the same features, and have very different prices because they are from different brands.

My current Linksys router is always having IP collisions, it didn't use to be like that. I have to reset it every few days, or some computers can't go onto the internet, always having IP problems and can't connect. Is that a sign that the router is going bad?

 

It's safest to use a combination of a router and a software firewall.
I have my doubt about inbound protection offered by routers. Quite complicated, let me put it this way: once you have established a connection, how do you know if the incoming bytes are what you want to come in ? I even doubt claims about 'Full SPI'. See also 'OSI model' on Wikipedia for more information about firewalls.

If you have a good router it is likely to be more stable than a software firewall. I'm not a technical expert, but a good router can handle a DDOS attack better than a software firewall.

A good software firewall can do much more (except what I mentioned in the previous paragraph) than just a router. See my reference to the 'OSI model'.

IMO, a combination of a router plus software firewall is the best, although I know many people who use only a software firewall without apparent problems.

A software firewall can provide outbound protection, while routers cannot (for as far as I know).

 

There is a difference between hiding the internal LAN IP using NAT and surfing anonymously. I don't know enough about services like Tor and Ghostsurf to comment on them.

Regarding the IP problems you're having, a simple fix is to assign a fixed IP to each computer and turn off DHCP in the router. That will eliminate the problem of the router trying to assign the same IP to more then one PC.

 

All recent routers include a firewall (SPI). Unfortunately these allow basic firewall configuration. Instead a dedicated hardware firewall ( I mean those above 200 € ) will allow better and more detailed configuration. This does not mean that the integrated firewall that we find in routers does not protect you.

The combination of a router's firewall and a software firewall is absolutely necessary if you care about outbound traffic too and immediate control of applications that access the net.

NAT combined with DHCP ( not using static ips ) adds for sure extra protection.

Most common error of users is that leave their routers with the factory username and password for the admin area.

I personally plug a gateway on the router instead of plugging directly on the router my machines. Then I also use an unmanaged gigabit switch.

 

hello

router firewall will add security to your software firewall


and answer to your hardware firewall they do update their firmware(operating system) but 1-3 times in a year depending on upon security vulnerabilities....


as for hardware firewall vs software and what is firewall you can read

https://www.wilderssecurity.com/showthread.php?t=45816

http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

http://www.howstuffworks.com/firewall.htm




and for vpn please check

http://www.howstuffworks.com/vpn.htm


if you have old computer you can make your own decated firewall which is free of cost and very good indeed

please refer to my old thread i have old pc and i tried all of them i will sugest you to try endian firewall its easy and one of best firewall indeed.


https://www.wilderssecurity.com/showthread.php?t=228779

https://www.wilderssecurity.com/showthread.php?t=198186

 

Software firewalls can get corrupted and not run, or malware can shut them down.

A routers NAT won't get shut down. Routers can get updated...new firmware.

I always insist any/all computers I am in charge of, are behind NAT routers.

 

I fully endorse this approach for home computers, at least. The router handles the inbound garbage to take the load off the software fw, while the latter controls outbound application traffic.

 

Hello,

While I agree a router can add basic filtering and block unsolicited etc etc, I still have concerns as to what the router is connecting to. For example, my ISP cable provider connects me through one of their gateways and this shows as my being on a LAN, currently this is 80.193.*.*/255.255.255.0. Due that fact I need to filter and control ARP, I also prefer to filter all DHCP, I know of no home router that will give me that ability.
So on my own setup (and there will be many more on a similar ISP connection) adding a typical home router as a gateway would in fact lessen my security.

- Stem

 

Hi Stem:

Couple of questions comments for you when you have time. No doubt I've missed or forgotten something fundamental again


1) If the users SW FW can filter control ARP/DHCP does this mean that that this feature is nullified by the existence of a router?

2) As just 1 user, I need to hook up to the other PC's here so as to share the ISP service connection, so I can't see how to scrap the router to allow the ARP/DHCP filtering.

3) If the user (as I do) has an extra HW FW in my case an alphashield does this also lessen security?

4) If I unhook the alphshield and router and then connect direct through the cable companies webstar box will I be able to "see" the ip and mask as you have and them confirm that they have me on a massive LAN? What else should they do connection wise with millions of customers?

5) Should / can these ISP's do to provide ARP and other security protection for us?

 

Hi Escalader,

1) A basic answer is Yes.
When you have a router as gateway, then it is the gateway that will perform DHCP for your public/wan address, it will also control any ARP if connected to a LAN. So any filtering (such as DHCP/ARP) on the PC will only be filtering what is on your own private LAN behind the router.

2) My own setup consists of a PC as gateway, this PC contains 2 NIC cards, one of which connects to the Internet, the other NIC I use to connect to either a router or switch which then allows other PCs to connect through the gateway. (you could set up windows ICS to make that work, or use a proxy server on the gateway)

3) An Alpha shield is a filter/pass through, it does not control DHCP or ARP, so the etra filtering adds to the protection.

4) You should see your public IP and any gateway used in the router. It is normally found on the "Status" screen (or similar wording)

5) It would depend on the country the ISP is in, as they will be regulated.

On my own setup, I have no problems with my ISP, My MAC is bound to my IP by my ISP (this I can change by changing my MAC address then re-booting the modem, which will then force an IP change), but my ISP gateway does not require my allowing or replying to ARP. In fact on my setup I could block all ARP and use a static ARP entry for the ISP gateway.


My main point is the fact a router will not always add protection, so anyone simply stating to a user that it will add protection without knowing what that users setup is, is actually short sighted.

- Stem

 

But an awfully long time in the IT business has shown me a very clear correlation between the health of computers that are behind NAT boxes, and between those that aren't behind anything..just plugged right into the broadband modem sitting exposed on a public IP address.

I've seen it too many times, home computers plugged right into that cable modem are bound to be a mess. I won't support those anymore...it's a guaranteed headache.

 

Exposed? Windows XP firewall will block unsolicited inbound, the main problems arise due to exposed services.

As I put forward, it depends on setup. If you had a setup where you where connecting to an untrusted LAN, then simply placing a typical home router in between the PC and LAN will only transfer a need for protection of such possible attacks as DHCP/ARP poisonig from the PC to the router, and I dont see that type of protection in those types of routers. So although the PC may appear in good health, all traffic could be being diverted through another node on LAN and you would not know.

 

Hi Stem:

Thanks, I have always viewed the router as well only only a sharing the ISP connection device but one that added some protection for users.

My alpha shield sits in front of the router so all PC's get the benefit of it's protection.

In the case of a gateway being a PC does that mean that ALL security SW be it 3rd party or say the windows FW free up all the PC's downstream from needing those SW tools?

In other words my SW FW, my AV my ASW is all in one PC and thus the other PC's can run with no extra's relying 100% on the gateway? It strikes me as not applying to HIPS protection?

 

Hi Escalader,

I basically just use a PC instead of a router as gateway. I still set up the PCs behind the gateway as I would setting up behind a router with security software on each node.(usually one PC is set up testing a firewall )
On my setup, the gateway does filter all packets for the LAN, but that is mainly for NAT.
I still use the gateway as a normal PC and run various applications.

I have had this (or very similar) setup for about 3 years with no problems.


- Stem

 

Dear Stem/ others

Surely there must be one brand (or more) of router/HW firewall which has such feature to manage DHCP/ARP ?

Anyone know of any brands / models (apart from Cisco) ?

Hopefully
SKA

 

I've used (in the past) a VPN with my D-Link router. But not was for increment my security.
Exactly was for allow inbound connections for some ports (rules) when eMule or BitTorrent (Azureus) or another P2P client was started.
The D-Link router rules configuration for VPN (some profiles preinstalled also, most for gaming) permited me edit "allow permissions" for protocol, IP's, ports and clients (soft) installed, hosted in my pc.

 

You've never seen the XP firewall get corrupted or shut off huh?

 

You may want to read up on what it really is (and importantly....what it isn't as far as anything to really lose sleep over) for the home user. Read from some good technical sites, not tin foil hat sites like Gibsons. You'll see it's really not something the home user has to worry about.