Which is the BEST hardware Router/Firewall to monitor in/out traffic?

Discussion in 'other firewalls' started by Mr. Y, Jan 23, 2008.

Thread Status:
Not open for further replies.
  1. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Just wondering which is the BEST hardware Router/Firewall to monitor inbound/outbound traffic?

    I am looking for one that is resistant to unauthorized reprogramming.
     
  2. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    My vote goes for an old PIII machine with m0n0wall.
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    great suggestion

    m0n0wall
     
  4. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
  5. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
  6. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Plus pfSense is better than m0n0wall :D. PC Engines ALIX is a really small complete motherboard. Just add case, power and wifi card if you like. Price is around 150€ without wifi and 200€ with one wifi.
     
  7. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    pfSense has more features but I would hardly make this kind of blanket statement.

    Uhh... yeah.
    150€ for only a motherboard when a used complete PIII PC with 256 MB of RAM can be had for 80€.
    Right. :cautious:
    The only benefit would be reduced power consumption with the ALIX.
     
  8. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    snort + snortsam + barnyard + fail2ban + oinkmaster

    *rawr* :D
     
  9. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    150€ is complete system price.
     
  10. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Try SmoothWall Express
    It's Free, will run on any old pc on hand, it's secure and it works!!!

    Time to Build your own... Check out http://www.smoothwall.org/
     
  11. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Thank you for all the replies!

    Are all of these hardware Router/ Firewall choices resistant to themselves being HACKED?
     
  12. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I am a Home Computer User that uses one computer although I do have enough excess parts to build one of the above mentioned firewalls.
     
  13. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Unless you live in outer space inside a Teflon bubble you are at risk of being hacked! :rolleyes:

    Sorry but nothing is impenetrable or impossible to crack! The best you could hope for is that most might not know how to get through your defenses.
    Jokes aside, these are as good as any...
     
  14. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    "Best"? Do you have at least 30 thousand dollars to pickup a high end Juniper?

    "Best for my home and budget of ___?" may help.

    I don't think you'll find any home grade broadband routers which will do what you want very well with stock firmware, you can get some of what you're looking for by purchasing certain Linksys, Buffalo, and Asus routers...which support a 3rd party firmware called DD-WRT.

    Or if you want something with a bit more power, build yourself a *nix distro router...take a mid-range P3 or higher, with 2x NICs...and install one of the many *nix router distros out there.

    There are many of them out there...some stronger in certain areas than others, and a growing number that bring full UTM features (Unified Threat Management). These UTM features are the ones I'm really interested in..and using at a few clients with good success. The UTM distros add antivirus scanning of all web, mail, and ftp traffic, as well as spam removal of web traffic. Some add ad/spyware blocking of browser traffic as well. And beefier intrusion detection via Snort.

    Some of the basic *nix router distros....

    IPCop...one of the more popular ones, has a big development/support community with lots of add-on packages.
    http://www.ipcop.org/
    You can add UTM functionality to it with the add-on called Copfilter
    http://www.copfilter.org/

    m0n0wall
    http://m0n0.ch/wall/

    Smoothwall
    http://www.smoothwall.org/

    pfSense...built on m0n0wall...with stronger QoS features
    http://www.pfsense.com/

    Clark Connect is a cool distro for a small business, sort of an open source *nix version of Microsoft Small Business Server
    http://www.clarkconnect.com/

    vyatta
    http://www.vyatta.com/

    For some of the UTM distros....in addition to the Copfilter build of IPCop listed above....

    Endian...one of my favorites..built on top of IPCop..with the features of Copfilter...bundled into one tight package
    http://www.endian.com/en/community/

    Comixwall
    http://comixwall.org/

    Astaro
    http://www.astaro.com/

    Untangle...this one is fantastic...I've built a few...using them in production...very powerful. Lots of features...even blocking of IM traffic and peer to peer traffic.
    http://www.untangle.com/

    On the basic distros...all you need is an older PC...P2 or so, moderate RAM, a pair of NICs..and you're good to go. For the UTM distros..you want a bit more power...mid range or higher P3, 512 megs of RAM...Untangle likes to go above 1.0GHz and a gig of RAM.
     
  15. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Yes, I should have been more specific.

    I will give an example:

    I have Alpha Shield which monitors all incoming traffic according to preset hardwired rules. It is the basic $20 Radio Shack model that has all the firmware hardwired into it.

    To the best of my knowledge it cannot be hacked because everything is hardwired into it.

    Unfortunately I am unable to monitor and control outgoing traffic with it (heck it was only $20).

    Thus I am looking for a "turn-key" hardware Router/Firewall that allows me to monitor and control outgoing (and incoming) traffic. It would have a hardwired design that would make it difficult to hack.

    Is there such a beast?
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    To be frank... for best results you are better building your own...

    SmoothWall & Untangle would provide superior protection than any of the "Store" bought boxes under $200.00

    These devices are ok, since most users already have a software firewall on their PCs. In fact that is all you really need, a good software firewall...

    Those boxes are only really useful for the easy sharing & interconnectivity they provide via the consolidation of the WAN, LAN and Wireless features as it's all rolled into one device... That is the real strength of these not the integrated firewall if you ask me.
     
  17. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    I prefer the other way around...I'd rather have, matter of fact, I insist any clients that I will support....be behind NAT..a hardware firewall. IMO the biggest threats to computers are those that freely spread around the internet. Any PC that is plugged directly into a pure broadband modem..thus obtaining a public IP address, gets hit within seconds by threats trying to spread. If a computer is behind a NAT firewall..thus having a private IP address..the WAN interface of the router..by default blocking all 65,000 plus ports...stops unwanted incoming traffic from molesting the PCs. No end-user intervention to deal with.

    By default..NAT never breaks..it's always there for you hiding your PC. Software firewalls can have issues, a service might not start, some of the popular ones...some malware is designed to attack a vulnerability of them and knock them out...virtually dropping the pants of your computer and exposing it.

    A long history in supporting home and small business networks has shown me over and over and over...computers plugged directly into a broadband modem with a public IP have had far more issues than those PCs hiding behind a NAT box.
     
  18. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    There are a couple of other items of note:
    • Load balancing - inbound junk is filtered without loading the resources of an in-use PC
    • They provide a base starting point that requires some active manipulation to misconfigure. They are very sound as a plug in and go basic appliance (via NAT)
    but these strengths are also not dependent on the integrated firewall.

    Blue
     
  19. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    hey... I didn't say they didn't work... I said they are not entirely necessary.

    I use them extensively at customer sites as well, have done so for many years.

    My comment was that building your own such as with a smoothwall box or even better using a full featured Untangle setup is superior to these devices, by a long margin...

    As for NAT, it is only partially true. If the front end device distributing the NAT's IPs is compromised the entire setup is compromised... NAT's strengths considered, it is still only as strong as the firewall built into the router. The NAT device requires its own host table to operate. Compromise that and you compromise every node on that table...
     
    Last edited: Jan 25, 2008
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    You are right... The problem I see with these devices is not so much that they are being hacked so much as they are simply left wide open on the network with the default password. Usually with the wireless enabled but WEP or even WPA disabled...

    Here is a good example of the risks involved: https://www.wilderssecurity.com/showthread.php?t=198319
     
  21. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Which is the best NAT firewall to buy? Will it let me monitor outbound connections?
     
  22. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    Hi Mr. Y and YeOldeStonecat.

    NAT per se isn't a firewall.. it's used on the router. by using Network Address Translation, it just keeps one IP address to the outside world, and many on the inside. then it just remembers who wanted what when the replies come back from the internet :)

    many many router manufacturers have for some reason added this to the firewall capabilities of their advertisement stuff. so i fully understand why you would make this (small, and very irrelevant) faulty assumption.

    i've been using a dog old netgear router for years, no exploit has been made available (to attack it from the outside) so it's rock solid in regards to NAT'ing me.

    your best bet if you want a cheap firewall+nat capable router in a hardware box, is to get a normal broadband router. the d-link exploit for routers that recently made the news was kind of FUD, since the exploitable service by default didn't listen to the wan interface. you could only exploit it from the inside.
     
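The NAT behaviour ethernal describes (one public address outside, many inside, and a table that remembers who asked for what) is what makes unsolicited inbound packets fall on the floor and what a box would have to log to give Mr. Y his outbound monitoring. The following toy connection-tracking router is an added example written for this thread, not code from any poster or product; all addresses are constructed documentation-range values and the port-allocation scheme is an assumption, not how any specific router does it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample address (assumption): one public IP shared by the LAN.
PUBLIC_IP = "203.0.113.5"   # RFC 5737 documentation range, not a real host


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000     # assumed sequential public-port allocation
    # (lan_ip, lan_port, remote_ip, remote_port) -> public source port
    table: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port), for replies
    reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    outbound_log: List[str] = field(default_factory=list)   # the "monitor outbound" view

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: create a mapping on first sight, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            # New outbound flow: this is the event an outbound monitor would alert on.
            self.outbound_log.append(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}")
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if some LAN host asked for this, else drop."""
        entry = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None   # no mapping: an unsolicited probe has nowhere to go
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo() -> dict:
    nat = NatRouter(PUBLIC_IP)
    out = nat.outbound(Packet("192.168.1.10", 51234, "198.51.100.20", 443))   # LAN host opens HTTPS
    reply = nat.inbound(Packet("198.51.100.20", 443, PUBLIC_IP, out.src_port))  # server replies
    probe = nat.inbound(Packet("198.51.100.99", 6000, PUBLIC_IP, 445))        # unsolicited SMB probe
    return {"translated_src": (out.src_ip, out.src_port),
            "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
            "probe_delivered": probe is not None,
            "outbound_log": nat.outbound_log}
```

Note that the probe is dropped only because no table entry matches, not because any policy was evaluated; that is the sense in which ethernal says NAT "isn't a firewall", and why Hermescomputers' point stands that compromising the device's table compromises every host behind it.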
  23. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Thank you!
     