Time for a hardware firewall?

Discussion in 'other firewalls' started by frustirrations, Apr 1, 2007.

Thread Status:
Not open for further replies.
  1. frustirrations

    frustirrations Registered Member

    Joined:
    Apr 1, 2007
    Posts:
    3
    Hello. I hope this is the best place for this post.

    I recently became aware of repeated hacking attempts against our little home LAN one day when I checked the ZoneAlarm logs on one of our machines.

    As this was an older copy of ZoneAlarm sitting in an unpatched Windows ME installation (as Microsoft doesn't support it anymore), I was not comfortable with having it be the only line of defense.

    So I put a smoothwall (www.smoothwall.org I believe) between us and the net. Worked great. Bugged the hell out of people having another machine hanging around making noise though, and there wasn't any good place to put it away.

    So now besides the software solutions, all we have is our Linksys router with a strong password and NAT enabled, blocking WAN requests, etc., doing the firewalling for us. Problem is it's just...I mean...flaky. I've tried upgrading the firmware, etc., but it refuses to log anything but outgoing connections, and it doesn't do that for long. I know it's blocking the incoming traffic because nothing's showing up in our firewall logs. But I can't see what the traffic is, nor do I know how easy it is to hack/defeat.

    They are willing to invest in a hardware firewall. I am not a networking or a security expert, but I found one for around $100 that looked good. However, the only info I was able to find about it besides the sales listings was one review that looked like it may have been written by someone who was paid to make it look good.

    The following are my questions:

    1. Under these circumstances, when it's known that someone is actively trying to hack you, would you rely on a Linksys router's firewalling capabilities to keep them out? Anyone have any information/opinion about how easy or difficult they are to defeat?

    2. If they are not trustworthy, would a hardware firewall, if someone was willing to pay for a cheap one, be a reasonable investment? And if so, is there one in the >$120 range you would recommend?

    Frankly, I want them to get one, because at the very least...I hate not having any logs. I can't even tell when it's happening anymore. But furthermore, I'm more or less responsible for things not getting jacked around here, and it'd make me feel better. But while they can afford it, they'd prefer not to spend the money if not really necessary.

    Thank you.
     
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    If your router has a proper firewall built into it then you should be fine as long as the rules are correctly set up. If it's just simple NAT then you may want to look for one which has full-on firewall capabilities.

    I got my bipac 741-ge firewalled router for a cheap $30 off ebay.
     
  3. frustirrations

    frustirrations Registered Member

    Joined:
    Apr 1, 2007
    Posts:
    3
    Yeah, that's the thing. It's a Linksys BEFSR41. It has some firewall-ish options, but they don't go very far.
    I'd be cool with a router that had more in the way of true firewall functionality. Wouldn't have to be a dedicated firewall. But this router...Ehh...I just don't know enough to know how much I can depend on it to keep people out.
     
  4. SqueekyGeek

    SqueekyGeek Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    5
    Location:
    down South, USA
    The IT guys at work installed a hardware firewall called SonicWall for our small network and I believe it was a little over $100 -- they really like its reports.

    This may not be the right forum, but you were talking about router firewalls. I bought one that has WPA2 encryption because I heard from someone it was the strongest, but someone else then told me WEP encryption was better. Anyone know which someone is right?

    kc
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    WPA2>WPA>WEP (from strongest to weakest)
    WEP is easily crackable.
     
  6. SqueekyGeek

    SqueekyGeek Registered Member

    Joined:
    Mar 20, 2007
    Posts:
    5
    Location:
    down South, USA
    Thanks, Lucas1985:)
    I'm happy I got the right one:D
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    @frustirrations,
    You can still get the old Windows updates for Windows ME to be a bit safer. I got them for Windows ME about 10 days ago, so I know it works.
    Sometimes you load Windows Update and what loads says it only works on Windows-based systems.
    But if you close it and try again it does sometimes load, and you can get the updates Microsoft released before they stopped support.
    You can't lose anything by trying to get the old Windows updates for Windows ME.
    lodore
     
  8. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    frustirrations - I would recommend dumping the BEFSR41; I have heard horror stories in regard to these guys.
    Personally I use a WRT54GS V1.1 with Tomato firmware. It is very easy to administer but also secured right "out of the box". If you are interested in Tomato, have a look at the supported models and you may be able to pick one up cheap online.

    But any router from DLink, Netgear, or Linksys with a SPI/NAT capability should more than suffice.
     
  9. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    If you really meant >$120 in your post (and not the other way around), then a Soekris board with OpenBSD would make one of the best firewalls out there (stable and secure as anything, with a great packet filter (pf) that is soooo easy to configure and write rules for). And if you have any extra cash, just send one over to me as well :D .

    If you aren't as adventurous, installing pfSense would work as well (FreeBSD w/ pf packet filter already preconfigured with a fancy schmancy GUI and web administration). I think if you want the best one it will cost you mid-200s (although you won't need all the power).

    However, if you meant it the other way around (<$120), then a Linksys WRT54GL would be the way to go, and add either the Thibor firmware or the DD-WRT firmware.

    Cheers,

    Alphalutra1
     
  10. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I would never have any of my PCs, or clients' PCs, without one. Will not support anything unless it's behind NAT. One exception being behind ISA Server.
     
  11. frustirrations

    frustirrations Registered Member

    Joined:
    Apr 1, 2007
    Posts:
    3
    Didn't know that it was still possible to get ME updates. I'll have to give that a shot.

    Well, it's official: this router is crap. Insofar as I know, from the way I have it configured, it shouldn't be letting anything through. But I can see from my firewall logs that this is not the case. I'm not shocked, since so many other functions on it are broken.

    Thanks a lot for everyone's suggestions. I'll be giving them a look and hopefully end up with something that provides the functionality I need without too much money spent or too many headaches caused. We'll see. Or I could just tie all the computers to the back of the car and take a ride down the interstate o_O. Nah...I think I'll stay marginally reasonable for at least a little while longer. Anyway, I'm babbling. Thanks again.
     
  12. herbalist

    herbalist Guest

    You might also take a look at MDGx. Too much available to describe.
    Rick
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I have a Linksys Ethernet cable/DSL router SR41 as well. BUT I put an AlphaShield in front of it. So the LAN is stealthed.
     
  14. coolbluewater

    coolbluewater Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    268
    Location:
    next door to Redmond
    I'll second this - a truly outstanding value, and you definitely won't be disappointed :thumb:
     
  15. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    One note to the OP......you went as far as trying a Linux distro router. You're almost there in having almost the best thing you can possibly have for your network. Take a nice sort of older PC, small form factor chassis. Something like a mid-range P3 or higher with 256 megs or 512 megs. Have a pair of good network cards in it, like an Intel Pro, or 3COM 90x series. Install a Linux distro router.

    Don't know Linux? Don't let it scare you. The distros are downloaded, you burn them to CD. You set the PC to boot from CD-ROM. Booting from the CD-ROM...you go into an easy install wizard...follow the prompts, follow the very easily laid out instructions...jotting down notes as you go along. Notes? Yeah...the IP address you gave it, the root password, and the web admin password (you'll have 2x passwords). Once it's done...set it up on your system....and log into it using your web browser...just like any old home grade router...the web admin is just as easy.

    Now you can enjoy performance that will blow the doors off of any router you've had, and pretty much any router you'd be able to purchase for less than a thousand dollars. I'm talking performance that will match, or exceed, many enterprise grade routers that cost in the thousands. Does several people online gaming at the same time bog down your current router? Won't bog this down. If you run those P2P programs..do they bog down your routers? Won't bog this down...won't even break a sweat. Talk about handling a high amount of concurrent TCP connections..even a basic rig with only 256 megs of RAM will handle way more than you can throw at it.

    Now are you ready for some really cool features? How about deep SPI, intrusion detection via Snort, antivirus/antispam/antimalware filtering for any POP3/SMTP/HTTP/FTP traffic that passes through the router. Yes...the router can scan your traffic at the router itself if you have a distro that supports this.

    Adblocking!
    Many VPN options
    Secure zones for your wireless, even secondary wireless security such as captive portal for another door to pass through.

    I'd love to see more mention of these here at Wilders...I mean...so many people here wanting security for the PCs/networks....layered security. Here's a great way to introduce it...right at the gateway, these don't even bog down your PC with more bloated programs, it's all done at the gateway itself.

    These distros can have very cool features....some are pretty much what I'd call true UTM devices. Unified Threat Management. If you look at UTM appliances for business networks...you're looking at spending $5,000.00 and up. Products like Fortinet, Juniper, SonicWall, etc. These Linux distros can bring you those features...for free. All you need is a decent running older PC...midrange P3 or so. Blow the doors off of your usual home market routers, and match or exceed high end products. And I work with SonicWalls and Juniper routers as part of my job..so I'm familiar with them.

    One of the most popular distros...with a huge support community and many add-ons...
    http://ipcop.org/
    Need to install the add-on called "Copfilter" to get antivirus scanning.

    My favorite one....more "business grade", even has a reseller program..you can purchase it installed on 1U appliances. Or do it for free on your own rig.
    http://www.endian.it/
    Pretty much all the features you need built right into it...very nicely groomed. Check out the screenshots.

    Another good one
    http://www.pfsense.com/

    Some others....
    http://m0n0.ch/wall/
    http://www.smoothwall.org/

    One designed for businesses...a sort of Linux version of Microsoft Small Business Server...gateway, firewall, e-mail, VPN, file and print, etc
    http://www.clarkconnect.com/
     
  16. beads

    beads Registered Member

    Joined:
    Jun 1, 2005
    Posts:
    49
    The one advantage of using a smaller home-based appliance over, say, a Linux distro would be less electricity, i.e. a few watts vs. 200 watts, etc. Not to mention the space involved. A small appliance would easily fit in one hand.

    WatchGuard, SonicWall and NetScreen all make appliances that would serve you well until you decide that you want to host VPNs and websites from home. Actually, a basic VPN might be worth considering for many folks, but that's another question altogether, isn't it?

    Any of these would be fairly easy to set up and maintain. If you're feeling a bit courageous you could explore how much bad traffic you're getting with a couple of really safe IP blocks to turn off. Generally eastern Asia, say 60.0.0.0/8 and 61.0.0.0/8 (/8 = 255.0.0.0). This will tell you if your blocking rules are working properly, and I'm sure you'd be surprised how often these two blocks in general come up.

    No, I have nothing against the owners of these two blocks, and if you're reading your SYSLOG information at all you'll recognize of whom I am writing. Well, other than I take 1000s of hits daily from those two blocks and have no business relationships with them save Singapore and Hong Kong based clients. But if someone wants to check their firewall configuration for blocking, it's an excellent way in which to do such.

    Hopefully, I won't have offended anyone with the above.

    - beads
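To make the check beads describes concrete, here is a small Python script, added here and not posted by anyone in the thread, that tallies inbound hits per CIDR block in a firewall log and flags any inbound connection from a range you meant to drop that the firewall nevertheless accepted. The two /8 blocks are the ones named in the post; the log lines are constructed in a generic syslog-like layout, and the regex that parses them is an assumption you would adjust to your own firewall's log format.

```python
"""Tally firewall log hits per CIDR block and flag inbound traffic from a
block you configured to drop that the firewall accepted anyway.

Added example, not code from the thread. Log format and regex are assumptions."""
import ipaddress
import re
from collections import Counter

# The blocks named in the post; replace with whatever ranges you actually chose to block.
BLOCKED_BLOCKS = [ipaddress.ip_network(b) for b in ("60.0.0.0/8", "61.0.0.0/8")]

# Constructed sample log in a generic syslog-like layout (an assumption; real firewalls
# each have their own format, so adjust LINE_RE to match yours).
SAMPLE_LOG = """\
Apr  1 10:02:11 gw firewall: DROP IN=wan SRC=60.12.34.56 DST=192.168.1.1 PROTO=TCP DPT=445
Apr  1 10:02:13 gw firewall: DROP IN=wan SRC=61.200.1.9 DST=192.168.1.1 PROTO=TCP DPT=135
Apr  1 10:02:20 gw firewall: ACCEPT IN=wan SRC=61.77.5.5 DST=192.168.1.20 PROTO=TCP DPT=80
Apr  1 10:03:02 gw firewall: DROP IN=wan SRC=198.51.100.7 DST=192.168.1.1 PROTO=UDP DPT=1434
Apr  1 10:03:40 gw firewall: ACCEPT OUT=wan SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"firewall: (?P<action>DROP|ACCEPT) (?P<dir>IN|OUT)=\S+ SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Yield (action, direction, source_ip, dest_port) for each line LINE_RE matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines in another format are skipped rather than crashing the run
        yield m["action"], m["dir"], ipaddress.ip_address(m["src"]), int(m["dpt"])


def block_of(ip, blocks=BLOCKED_BLOCKS):
    """Return the first configured block containing ip, or None if it is outside all of them."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for net in blocks:
        if ip in net:
            return net
    return None


def analyze(text, blocks=BLOCKED_BLOCKS):
    """Count inbound hits per block and collect inbound ACCEPTs from blocked ranges.

    Returns (hits, leaks): hits maps block string -> inbound hit count; leaks is a list
    of (source_ip, dest_port) that the firewall accepted although the source is blocked.
    """
    hits = Counter()
    leaks = []
    for action, direction, src, dpt in parse_log(text):
        if direction != "IN":
            continue  # the block list is about inbound traffic; outbound is ignored
        net = block_of(src, blocks)
        if net is None:
            continue
        hits[str(net)] += 1
        if action == "ACCEPT":
            leaks.append((str(src), dpt))
    return hits, leaks


if __name__ == "__main__":
    hits, leaks = analyze(SAMPLE_LOG)
    for net, n in sorted(hits.items()):
        print(f"{net}: {n} inbound hit(s)")
    if leaks:
        print("rule check FAILED; accepted inbound from blocked ranges:", leaks)
    else:
        print("rule check passed: every hit from the blocked ranges was dropped")
```

Run against a real log, an empty `leaks` list is the evidence that the block rules are doing their job, while the per-block counts give the OP the "how often does this happen" visibility the BEFSR41 was not providing. On the constructed sample the third line is an accepted inbound connection from 61.77.5.5, so the script reports a failed check.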
     
  17. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Why wouldn't they serve well even when the person decides to host stuff from home? Even a cheap old home grade router will allow VPNs and websites 'n whatever to be hosted. The only possible issue I can think of is it might be against the TOS with the ISP..but that's not the appliance's fault.

    Spacewise..yeah, a true off-the-shelf router is smaller. You can get small 1U appliances to install your *nix distro on, though. Electricity use isn't much...since they sit there basically never lifting the CPU up past 3% utilization, and the hard drive doesn't get used much either.
     