Router firewall? VPN

Discussion in 'other firewalls' started by Ledsr40, Mar 30, 2009.

Thread Status:
Not open for further replies.
  1. Ledsr40

    Ledsr40 Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    52
    Is it a good idea to get a hardware router firewall and not use a software firewall? I mean, the router firewall will not get updated, because it's hardware.

    Also, what is a VPN firewall router? I know that it's something that is supposed to hide your IP address, but I see "VPN endpoint", "VPN", "VPN passthrough" advertised on different routers. What's the difference?

    Also, does the brand of router matter? Like Linksys seems to be much more expensive than other brands like Netgear or USRobotics.

    Thanks.
     
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi there!

    Well, there is absolutely no "NEED" for you to get a hardware firewall
    if you've got a software FW.

    I bought a router to split up my fiber connection so I would be able to connect more computers to the Net.
    And the router included a firewall, and MANY of the routers out there do include an SPI (Stateful Packet Inspection) firewall.

    And I actually do feel more secure now than before with only the software one, and the hardware firewall takes the first hit, and if the threat passes the HW one, then I've got the software firewall in case !-)

    But as I said, there is absolutely NO "NEED" to get a hardware firewall
    if you've already got a software firewall!

    However, the price of the routers often depends on the features included;
    some have VPN, some not, some have DoS protection, some have Web content filtering, etc...

    I did buy a DrayTek router since they always have high quality on their routers!
    http://draytek.com/user/PdInfoDetail.php?Id=18 <<

    Hope this helps you a little !-)

    SweX
     
  3. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Far from true. This could turn into another huge discussion, but I'm gonna leave it simple and say you do need a hardware firewall; it's definitely a place you should start with any security. So you are wrong about the "NO NEED"...
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Well, I've been using a software firewall ONLY for many, many years,
    without problems. So "No Need" for a hardware one; that's just MY experience, my friend :rolleyes:

    And why don't you tell us what you know about it instead
    of saying it's not true :(
     
  5. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    I didn't go into detail because there's another thread discussing it; I don't want to take over this thread with another discussion about it :doubt: You can check the other thread if you'd like to know...
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    .
    Routers have NAT - network address translation. The benefit of NAT is it assigns a private IP (such as 192.168.x.x) to your PC and hides it from the internet. A router also drops unsolicited packets, can be set to not respond to ping (stealth mode for ports) and many include SPI (stateful packet inspection). This all adds up to more security than a personal firewall installed on the host PC can provide. A personal firewall can be used along with the router to provide additional security. That combination is optimal IMHO.
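
Added example (not part of the post above and not any router's firmware): a minimal Python model of the NAT mapping table the post describes, showing why an unsolicited inbound packet has nowhere to go while a reply to an outbound connection is forwarded. The class name, the addresses and the strict peer-matching rule are assumptions for illustration; real routers differ in how strictly they match the remote endpoint.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # public port -> (private_ip, private_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A LAN host opens a connection: record state, rewrite the source."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:                 # reuse the existing mapping
                return (self.public_ip, pub_port, dst_ip, dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = flow
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives from the internet: forward only on matching state."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None                       # unsolicited: no mapping, dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                       # mapping exists, sender is not the peer
        return (priv_ip, priv_port)           # translated back to the LAN host


def demo():
    # Constructed addresses from the documentation ranges.
    r = NatRouter("203.0.113.5")
    sent = r.outbound("192.168.1.10", 51515, "198.51.100.7", 443)
    return {
        "seen_by_server": sent[:2],
        "reply": r.inbound("198.51.100.7", 443, sent[1]),
        "unsolicited": r.inbound("192.0.2.99", 4444, 3389),
        "wrong_peer": r.inbound("192.0.2.99", 443, sent[1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The decision uses addresses and ports only; the model never looks at the payload of a connection it has accepted.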
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    .
    Regarding your other questions:
    I believe a VPN router supports the option of connecting to the PC behind the router over the internet. For instance, you could use a laptop while you're sipping in Starbucks to connect to your home PC over a secure connection (VPN connections are encrypted). I don't have a need to do that and don't keep my home PC running while I'm away so I haven't played with that feature, but it has obvious uses.

    I've used Netgear, D-link, and Linksys routers and currently prefer Netgear, but they've all pretty much done the job. If I were buying today I would focus on getting the most advanced security and performance features first and consider the brand second.
     
  8. Ledsr40

    Ledsr40 Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    52
    I thought it's something like Tor or Ghostsurf, which hides your identity on the internet.

    Yes, but most routers list the same features, and have very different prices because they are from different brands.

    My current Linksys router is always having IP collisions, it didn't use to be like that. I have to reset it every few days, or some computers can't go onto the internet, always having IP problems and can't connect. Is that a sign that the router is going bad?
     
    Last edited: Mar 31, 2009
  9. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    It's safest to use a combination of a router and a software firewall.
    I have my doubts about inbound protection offered by routers. Quite complicated, let me put it this way: once you have established a connection, how do you know if the incoming bytes are what you want to come in? I even doubt claims about 'Full SPI'. See also 'OSI model' on Wikipedia for more information about firewalls.

    If you have a good router it is likely to be more stable than a software firewall. I'm not a technical expert, but a good router can handle a DDOS attack better than a software firewall.

    A good software firewall can do much more (except what I mentioned in the previous paragraph) than just a router. See my reference to the 'OSI model'.

    IMO, a combination of a router plus software firewall is the best, although I know many people who use only a software firewall without apparent problems.

    A software firewall can provide outbound protection, while routers cannot (as far as I know).
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    There is a difference between hiding the internal LAN IP using NAT and surfing anonymously. I don't know enough about services like Tor and Ghostsurf to comment on them.

    Regarding the IP problems you're having, a simple fix is to assign a fixed IP to each computer and turn off DHCP in the router. That will eliminate the problem of the router trying to assign the same IP to more than one PC.
     
  11. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    All recent routers include a firewall (SPI). Unfortunately these allow only basic firewall configuration. A dedicated hardware firewall (I mean those above 200 €) will instead allow better and more detailed configuration. This does not mean that the integrated firewall that we find in routers does not protect you.

    The combination of a router's firewall and a software firewall is absolutely necessary if you care about outbound traffic too and immediate control of applications that access the net.

    NAT combined with DHCP (not using static IPs) adds for sure extra protection.

    The most common error of users is that they leave their routers with the factory username and password for the admin area.

    I personally plug a gateway into the router instead of plugging my machines directly into the router. Then I also use an unmanaged gigabit switch.
     
  12. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Hello,

    A router firewall will add security to your software firewall.

    And in answer to your hardware firewall question: they do update their firmware (operating system), but 1-3 times a year depending upon security vulnerabilities....

    As for hardware firewall vs software and what a firewall is, you can read

    https://www.wilderssecurity.com/showthread.php?t=45816

    http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

    http://www.howstuffworks.com/firewall.htm

    And for VPN please check

    http://www.howstuffworks.com/vpn.htm

    If you have an old computer you can make your own dedicated firewall, which is free of cost and very good indeed.

    Please refer to my old threads. I have an old PC and I tried all of them; I will suggest you try Endian firewall, it's easy and one of the best firewalls indeed.


    https://www.wilderssecurity.com/showthread.php?t=228779

    https://www.wilderssecurity.com/showthread.php?t=198186
     
  13. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Software firewalls can get corrupted and not run, or malware can shut them down.

    A router's NAT won't get shut down. Routers can get updated...new firmware.

    I always insist any/all computers I am in charge of, are behind NAT routers.
     
  14. wat0114

    wat0114 Guest

    I fully endorse this approach for home computers, at least. The router handles the inbound garbage to take the load off the software fw, while the latter controls outbound application traffic.
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    While I agree a router can add basic filtering and block unsolicited etc etc, I still have concerns as to what the router is connecting to. For example, my ISP cable provider connects me through one of their gateways and this shows as my being on a LAN; currently this is 80.193.*.*/255.255.255.0. Due to that fact I need to filter and control ARP. I also prefer to filter all DHCP. I know of no home router that will give me that ability.
    So on my own setup (and there will be many more on a similar ISP connection) adding a typical home router as a gateway would in fact lessen my security.

    - Stem
     
  16. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Couple of questions/comments for you when you have time. No doubt I've missed or forgotten something fundamental again :oops:

    1) If the user's SW FW can filter/control ARP/DHCP, does this mean that this feature is nullified by the existence of a router?

    2) As just 1 user, I need to hook up to the other PCs here so as to share the ISP service connection, so I can't see how to scrap the router to allow the ARP/DHCP filtering.

    3) If the user (as I do) has an extra HW FW, in my case an alphashield, does this also lessen security?

    4) If I unhook the alphashield and router and then connect direct through the cable company's webstar box, will I be able to "see" the IP and mask as you have and then confirm that they have me on a massive LAN? What else should they do connection wise with millions of customers?

    5) Should / can these ISP's do to provide ARP and other security protection for us?
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    1) A basic answer is Yes.
    When you have a router as gateway, then it is the gateway that will perform DHCP for your public/wan address, it will also control any ARP if connected to a LAN. So any filtering (such as DHCP/ARP) on the PC will only be filtering what is on your own private LAN behind the router.

    2) My own setup consists of a PC as gateway, this PC contains 2 NIC cards, one of which connects to the Internet, the other NIC I use to connect to either a router or switch which then allows other PCs to connect through the gateway. (you could set up windows ICS to make that work, or use a proxy server on the gateway)

    3) An Alpha shield is a filter/pass through, it does not control DHCP or ARP, so the extra filtering adds to the protection.

    4) You should see your public IP and any gateway used in the router. It is normally found on the "Status" screen (or similar wording)

    5) It would depend on the country the ISP is in, as they will be regulated.

    On my own setup, I have no problems with my ISP, My MAC is bound to my IP by my ISP (this I can change by changing my MAC address then re-booting the modem, which will then force an IP change), but my ISP gateway does not require my allowing or replying to ARP. In fact on my setup I could block all ARP and use a static ARP entry for the ISP gateway.


    My main point is the fact a router will not always add protection, so anyone simply stating to a user that it will add protection without knowing what that user's setup is, is actually short sighted.

    - Stem
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    But an awfully long time in the IT business has shown me a very clear correlation between the health of computers that are behind NAT boxes, and between those that aren't behind anything..just plugged right into the broadband modem sitting exposed on a public IP address.

    I've seen it too many times, home computers plugged right into that cable modem are bound to be a mess. I won't support those anymore...it's a guaranteed headache.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Exposed? Windows XP firewall will block unsolicited inbound, the main problems arise due to exposed services.

    As I put forward, it depends on setup. If you had a setup where you were connecting to an untrusted LAN, then simply placing a typical home router in between the PC and LAN will only transfer a need for protection of such possible attacks as DHCP/ARP poisoning from the PC to the router, and I don't see that type of protection in those types of routers. So although the PC may appear in good health, all traffic could be being diverted through another node on LAN and you would not know.
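
Added example (not from the post above): a Python check over observed ARP replies that flags the kind of diversion the post describes, where another node on the LAN starts answering for the gateway's IP. The addresses, sample observations and function name are constructed for illustration; the pinned entry plays the role of a static ARP entry for the gateway.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
OBSERVED = [
    (0,  "10.0.0.1",  "00:11:22:33:44:55"),   # the gateway
    (5,  "10.0.0.23", "66:77:88:99:aa:bb"),   # an ordinary neighbour
    (60, "10.0.0.1",  "00:11:22:33:44:55"),
    (61, "10.0.0.1",  "66:77:88:99:aa:bb"),   # neighbour's MAC now claims the gateway IP
    (62, "10.0.0.1",  "66:77:88:99:aa:bb"),
]


def check_arp(observed, pinned):
    """Return alerts for ARP replies that contradict pinned or earlier bindings.

    pinned maps IP -> MAC for addresses whose binding is known out of band
    (the equivalent of a static ARP entry). Other IPs are learned on first
    sight and flagged only when the binding later changes.
    """
    alerts = []
    last_mac = {}                      # ip -> most recent MAC seen
    ips_by_mac = defaultdict(set)      # mac -> every IP it has claimed
    for ts, ip, mac in observed:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip].lower():
            alerts.append((ts, "PINNED_MISMATCH", ip, mac))
        elif ip in last_mac and last_mac[ip] != mac:
            alerts.append((ts, "BINDING_CHANGED", ip, mac))
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
    # One MAC answering for several IPs is what a diverting node looks like.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append((None, "MAC_CLAIMS_MULTIPLE_IPS", ",".join(sorted(ips)), mac))
    return alerts


if __name__ == "__main__":
    for alert in check_arp(OBSERVED, {"10.0.0.1": "00:11:22:33:44:55"}):
        print(alert)
```

With a pinned gateway entry every forged reply raises an alert; with learned bindings only the first change does, because the forged MAC then becomes the remembered one.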
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem:

    Thanks, I have always viewed the router as, well, only a sharing the ISP connection device but one that added some protection for users.

    My alpha shield sits in front of the router so all PCs get the benefit of its protection.

    In the case of a gateway being a PC does that mean that ALL security SW be it 3rd party or say the windows FW free up all the PCs downstream from needing those SW tools?

    In other words my SW FW, my AV, my ASW is all in one PC and thus the other PCs can run with no extras relying 100% on the gateway? It strikes me as not applying to HIPS protection? :doubt:
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    I basically just use a PC instead of a router as gateway. I still set up the PCs behind the gateway as I would setting up behind a router with security software on each node.(usually one PC is set up testing a firewall )
    On my setup, the gateway does filter all packets for the LAN, but that is mainly for NAT.
    I still use the gateway as a normal PC and run various applications.

    I have had this (or very similar) setup for about 3 years with no problems.


    - Stem
     
  22. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    154
    Dear Stem/ others

    Surely there must be one brand (or more) of router/HW firewall which has such feature to manage DHCP/ARP ?

    Anyone know of any brands / models (apart from Cisco) ?

    Hopefully
    SKA
     
  23. zen_usuario

    zen_usuario Registered Member

    Joined:
    Dec 7, 2008
    Posts:
    153
    I've used (in the past) a VPN with my D-Link router. But it was not to increase my security.
    It was exactly to allow inbound connections for some ports (rules) when eMule or BitTorrent (Azureus) or another P2P client was started.
    The D-Link router's rule configuration for VPN (some profiles were preinstalled too, mostly for gaming) permitted me to edit "allow permissions" for protocol, IPs, ports and clients (software) installed and hosted on my PC.
     
  24. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    You've never seen the XP firewall get corrupted or shut off huh? ;)
     
  25. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    You may want to read up on what it really is (and importantly....what it isn't as far as anything to really lose sleep over) for the home user. Read from some good technical sites, not tin foil hat sites like Gibson's. You'll see it's really not something the home user has to worry about.
     