Need Firewall with Router?

William Clay

Rob,

Isn't the automated process that is examining outgoing packets
essentially a form of firewall?

-- Bill
 
djs

Rob said:
I have the same Linksys firewall, and in my opinion that is good
enough.

And that's all that counts. As much as the self-proclaimed network
security gurus want to decry your simplistic approach, the fact is that
security involves compromise.

You seem to have chosen the security offered by your router, foregoing
personal firewall software. The positive trade-off to this is that you
don't have to put up with the system overhead, slow-downs, upgrade
hassles, expense, and potential stability issues that go along with
personal firewall software. The "gurus" never seem to mention any of
that, do they? (Oh, I know; they've all had 100% positive experiences
with personal firewall software. Yeah, that's it.)
 
Rob Schneider

Bill,

Not really... It's just a monitoring process. It doesn't *do* anything
simply because the Linksys doesn't provide any capability to do this (to
my knowledge). Nothing in my setup will prevent an outbound connection.
But when they occur, I'll know about them.

The outbound packets aren't examined. I just know where they are going
by viewing the log.

I didn't use the right word to describe what I do. I have an automated
process which collects the access log information FROM the Linksys box.
Linksys sends the data to the designated IP address. On receiving
machine, the data is trapped in log files (which I keep for a few weeks)
using some software called "linksysmon". At intervals, I get an
automatic email of listing all the "out" and "in" bound traffic by
IP/Port. It's a filtered report to eliminate in-bound ports which are
protected, but attacked all the time anyway.

I guess a more powerful firewall would be to inspect all outbound
packets. Given my computing patterns and how security is currently set,
I'm not planning to do that, although some would disagree with that
position. When time comes to better inspect and act on outbound
packets, I would look towards setting up a secondary firewall behind the
Linksys based on iptables running on Linux (which was my firewall before
I stopped it to rely on the much-quieter and less electricity-hungry
Linksys box).

With iptables, you can pretty much do anything you want; but that's the
problem--choice is unlimited and it becomes a time-sink to setup and
fiddle with.
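The periodic "in/out by IP/port" report Rob describes is easy to reproduce over a router's exported log. The script below is an added example written for this thread, not linksysmon and not Linksys code: the log line format is a constructed, simplified one (the real Linksys/linksysmon format is not shown here), and the set of "protected" inbound ports that get filtered out of the report is an assumption standing in for whatever the router already blocks.

```python
import re
from collections import Counter

# Constructed sample log in a simplified syslog-like layout (assumed format,
# not the real Linksys/linksysmon output). Addresses are documentation ranges.
SAMPLE_LOG = """\
May 12 10:22:01 OUT 192.168.1.5:1044 -> 64.12.24.7:80 TCP
May 12 10:22:03 OUT 192.168.1.5:1045 -> 64.12.24.7:443 TCP
May 12 10:23:10 OUT 192.168.1.7:3201 -> 10.99.0.2:6667 TCP
May 12 10:23:40 IN  203.0.113.9:4711 -> 192.0.2.1:139 TCP
May 12 10:24:02 IN  203.0.113.9:4712 -> 192.0.2.1:445 TCP
May 12 10:24:30 IN  198.51.100.3:55000 -> 192.0.2.1:22 TCP
May 12 10:25:00 OUT 192.168.1.5:1046 -> 64.12.24.7:80 TCP
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<dir>IN|OUT)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Inbound destination ports the router is assumed to block already. Hits on
# these are constant background noise, so they are dropped from the report,
# which is the filtering Rob mentions. The list itself is an assumption.
PROTECTED_INBOUND_PORTS = {135, 137, 138, 139, 445}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text, protected=PROTECTED_INBOUND_PORTS):
    """Count connections per (remote ip, port, proto) for each direction.

    Outbound entries are keyed by destination; inbound entries by source.
    Inbound hits on protected ports are skipped; unparseable lines are counted
    so a silent format change in the router output does not go unnoticed.
    """
    out_counts = Counter()
    in_counts = Counter()
    unparsed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        if rec["dir"] == "OUT":
            out_counts[(rec["dst"], rec["dport"], rec["proto"])] += 1
        else:
            if rec["dport"] in protected:
                continue
            in_counts[(rec["src"], rec["dport"], rec["proto"])] += 1
    return {"out": out_counts, "in": in_counts, "unparsed": unparsed}


def render(summary):
    """Format the summary as the plain-text body of a periodic mail report."""
    lines = ["OUTBOUND (remote ip, port, proto, count)"]
    for (ip, port, proto), n in sorted(summary["out"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ip:<16} {port:>5} {proto:<4} {n}")
    lines.append("INBOUND, unprotected ports only (remote ip, port, proto, count)")
    for (ip, port, proto), n in sorted(summary["in"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ip:<16} {port:>5} {proto:<4} {n}")
    if summary["unparsed"]:
        lines.append(f"WARNING: {summary['unparsed']} line(s) did not parse")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Run against the constructed sample, the outbound table shows the two web connections to 64.12.24.7 and the single connection to port 6667 on 10.99.0.2, while the inbound table lists only the port 22 probe; the 139 and 445 hits are filtered as expected noise. The unexpected outbound port is exactly the kind of entry the report exists to surface.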
 
CZ

Not really... It's just a monitoring process. It doesn't *do* anything
simply because the Linksys doesn't provide any capability to do this (to
my knowledge). Nothing in my setup will prevent an outbound connection.


Rob:

That is one major reason why I have tried to encourage users to avoid
LinkSys routers.
IIRC, LinkSys does now have a router that can do packet filtering.

My two year old Netgear router does packet filtering via strong custom
rules.
And it was never hyped by mktg as having SPI.
 
Rob Schneider

CZ said:
simply because the Linksys doesn't provide any capability to do this (to
my knowledge). Nothing in my setup will prevent an outbound connection.


Rob:

That is one major reason why I have tried to encourage users to avoid
LinkSys routers.
IIRC, LinkSys does now have a router that can do packet filtering.

My two year old Netgear router does packet filtering via strong custom
rules.
And it was never hyped by mktg as having SPI.

I can understand your view on this. It's all a matter of risk --
perceived and real, and it depends on the type of internet computing
that is done inside the network.

As I mentioned in the thread, in time I'll probably do the same and either
buy a new Linksys, Netgear, etc. The one I have is now getting old
given the change in the products. More likely keep what I have and
add a secondary Linux router and set it up with iptables... That being
said, I would never recommend to anyone to use a Linux server to do this
(unless they really want to).
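For readers who do want to see what the "secondary Linux router with iptables" Rob mentions twice would look like, here is an added example (not Rob's setup and not from any project): a script that generates a minimal forwarding policy for a box sitting between the LAN and the Linksys. New outbound connections on an allow-list pass, everything else is logged and then rejected, which is the "inspect and act on outbound packets" step the thread leaves unimplemented. Interface names, the allow-list and the rate limit are assumptions; the script only prints the commands so they can be reviewed, and applying them needs root on the Linux box.

```bash
#!/bin/sh
# Added example: generate iptables rules for a secondary Linux router between
# the LAN and the Linksys. Prints the commands instead of running them so the
# policy can be reviewed first; pipe the output to sh as root to apply it.
# Interface names and the allowed port list are assumptions.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP="${ALLOWED_TCP:-80 443 25 110}"   # web, SMTP, POP3 (assumed)
ALLOWED_UDP="${ALLOWED_UDP:-53}"              # DNS (assumed)

gen_rules() {
    # Default: nothing is forwarded unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    # Replies to connections we already allowed are always fine.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Allow-listed new outbound connections from the LAN.
    for p in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport $p -j ACCEPT"
    done
    # Anything else leaving the LAN is logged (rate-limited so a chatty host
    # cannot flood syslog) and then rejected, so the reason shows up in the
    # same kind of periodic report the thread describes.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix \"OUTBOUND-DENIED: \""
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT"
}

# Number of rules that accept new outbound TCP connections; useful as a sanity
# check that the allow-list was expanded as intended.
count_tcp_allows() {
    gen_rules | grep -c -- '-p tcp --dport'
}

gen_rules
```

The ordering matters: the ESTABLISHED,RELATED rule must come before the LOG and REJECT rules, otherwise return traffic for allowed connections is rejected too. Everything not explicitly permitted ends up in the log with the OUTBOUND-DENIED prefix, so new software phoning home shows up as a denied entry rather than silently leaving the network.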
 
Larc

| >> Not really... It's just a monitoring process. It doesn't *do* anything
| simply because the Linksys doesn't provide any capability to do this (to
| my knowledge). Nothing in my setup will prevent an outbound connection.
|
|
| Rob:
|
| That is one major reason why I have tried to encourage users to avoid
| LinkSys routers.
| IIRC, LinkSys does now have a router that can do packet filtering.
|
| My two year old Netgear router does packet filtering via strong custom
| rules.
| And it was never hyped by mktg as having SPI.

I've had my Netgear RT314 about the same amount of time. It's been configured
to do what I want it to do, and I uninstalled ZA Pro when I got everything set
up to my liking. The only problem I've ever had with it has been when I've
needed to access a friend's system via Remote Assistance. The Netgear refuses
to budge for that!

Larc



§§§ - Please raise temperature of mail to reply by e-mail - §§§
 
CZ

I've had my Netgear RT314 about the same amount of time. It's been configured
to do what I want it to do, and I uninstalled ZA Pro when I got everything set
up to my liking. The only problem I've ever had with it has been when I've
needed to access a friend's system via Remote Assistance. The Netgear refuses
to budge for that!

Larc:

I have two Netgear RT314 routers, one is used for testing & field work.

The test unit does RAssistance as follows:
Expert is on LAN side, Novice is on WAN side.
hosts file on Expert has an entry for the Novice:
x.x.x.x computerAA

Comments:
Open the invitation with NotePad:
Verify the RCTICKET entry is the correct/current IP address.

If your friend is behind a router, is his router setup for port mapping of
TCP 3389 to his current address?

If he is using DHCP for IP addressing, you will have to verify his current
address.
 
Larc

| I have two Netgear RT314 routers, one is used for testing & field work.
|
| The test unit does RAssistance as follows:
| Expert is on LAN side, Novice is on WAN side.
| hosts file on Expert has an entry for the Novice:
| x.x.x.x computerAA
|
| Comments:
| Open the invitation with NotePad:
| Verify the RCTICKET entry is the correct/current IP address.
|
| If your friend is behind a router, is his router setup for port mapping of
| TCP 3389 to his current address?
|
| If he is using DHCP for IP addressing, you will have to verify his current
| address.

Thanks for that info, CZ. I'll try it the next time we need to make a hookup.

Larc



§§§ - Please raise temperature of mail to reply by e-mail - §§§