Firewalling a cable modem

Hi,

We have a Toshiba cable modem for Internet access (in Germany). Do these cable modems have something like a simple firewall that drops packets that come from outside? I am not aware of any method to manage that modem (no browser or ssh access). Without any kind of that functionality or at least a router at the cable modem port, I guess the (single) computer behind the cable modem is very easy to attack, right? In that case, I should buy a firewall, right?

Thanks a lot! Michael

Reply to
Michael Kamp

Buy a cheap wireless G router with a 4-port switch. You can just plug your PC into it and later if you get a laptop you're ready to go. They're like $40-$50 for a Netgear/Linksys. Run a free or cheap software firewall (or the one that comes with some Windoze OSs - like XP) and that covers you for spyware trying to get out from your PC - the router will handle the incoming stuff.

Reply to
$Bill

Thanks.

So in theory it is true that any packets on any ports are passed through the cable modem to my PC, right? Any unpatched OS can be easily attacked this way, right? Michael

Reply to
Michael Kamp

Let's put it this way - the modem does very little other than form a bridge between the two networks. It would depend on the OS how vulnerable it is.

Reply to
$Bill

Yup, yup and yup.

The less you have to rely on your OS to protect you from network based attack, the deeper your defenses. It's $50 well spent for a hardware device that includes a stateful packet inspection firewall in it.

Best Regards,

Reply to
Todd H.

Yes.

Reply to
Todd H.

That's what I mean.

Any model recommendation? I don't have a clue...

Reply to
Michael Kamp

Hard to go too wrong with the Linksys BEFSR41 for wired, or a Buffalo WHR-G54S to add wireless capability. The Buffalo will run third party firmware quite nicely too for more functionality if desired.

Best Regards,

Reply to
Todd H.

formatting link
Or in your case;

formatting link

Reply to
Agent_C

So, this is only a router; I guess it has a firewall included? Is there, e.g., a logging mechanism that sends syslog to, e.g., a 3CDaemon syslog server?

So, do the Linksys/Buffalo have that?

Thanks again! Michael

Reply to
Michael Kamp

Some do some don't - I'd stick with Netgear/Linksys myself. Go to the Netgear and Linksys websites and check out the features you want and buy accordingly. I use a Netgear wired RP614. The wireless is easier to get ahold of and has everything the wired one had and probably cheaper (lots of sales). Stateful packet inspection will cost you more and you probably don't need it for a home network. NAT does most of the work and a software firewall on your PC will handle any spyware you happen to get installed.

Netgear WGR614 ($25+) is a NAT router and Netgear DG834G ($50+) ADSL router has SPI and VPN passthru and will cost a bit more.

Linksys WRT54G ($45+) has SPI.

Reply to
$Bill

If you'd like syslog functionality, I know for certain that the Buffalo WHR-G54S will support logging to a syslog server if reflashed with openwrt or dd-wrt open source firmware. I'm not sure about its default factory firmware.

I've cooled on the Linksys WRT54G wireless router lately because they've reduced the flash RAM in it, which makes it less fun to play with 3rd party firmware.

Yes, and yes.

"SPI firewall" is the bullet point you're looking for.

Reply to
Todd H.

In that case, you want the WRT54GL, with the 'L' designation meaning this unit is once again a Linux model rather than VxWorks like the WRT54G v5 was. I picked one up from Newegg about a month ago and can vouch for the fact that it runs the full version of dd-wrt just fine, with plenty of room to spare.

Reply to
Bill M.

Nice. Good to know!

Reply to
Todd H.

I am just a beginner in security. What security feature is added by NAT? As far as I know, the router looks up the MAC address of my PC and sends the incoming packets to my network card.

But what's added by NAT? And even more, if NAT adds something, why does it help only small home networks?

Thanks for your help!! Michael

Reply to
Michael Kamp

NAT is all you need for a small home network. SPI would be the next step up in security.

NAT

Short for Network Address Translation, an Internet standard that enables a local-area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. A NAT box located where the LAN meets the Internet makes all necessary IP address translations.

NAT serves three main purposes:

1. Provides a type of firewall by hiding internal IP addresses.
2. Enables a company to use more internal IP addresses. Since they're used internally only, there's no possibility of conflict with IP addresses used by other companies and organizations.
3. Allows a company to combine multiple ISDN connections into a single Internet connection.

Try here or Google for more info on firewalls :

formatting link

Reply to
$Bill

As you state, SPI is a worthwhile improvement of NAT packet filtering.

It's a bit of a moot point arguing for or against it as necessary though, as it's a challenge finding a home router being sold now that doesn't employ SPI.

Reply to
Todd H.

NAT will essentially protect you from most script kiddies. They're looking for vulnerable systems based on searching by IP address. When they hit a NAT router, the router looks to see which connected PC the packets are intended for, but the packets won't have any such information.

Could a script kiddie get by NAT? Give them enough time, in theory it could happen. But in practice, they're not going to spend that much time to get past a NAT router when they don't even know if there's any prize beyond it. In the time it would take them to find a prize behind a NAT router, they can probably find a few hundred compromisable systems.

The reason why NAT is all most home users need is that these script kiddies are likely the only threat they'll face that can be stopped by any kind of firewall solution. The typical home user's biggest threats are those that they'll invite around any firewall.

Reply to
Warren H
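
The lookup described in the post above, as an added example that is not part of the original thread: a toy port-translating NAT table in Python, showing why an unsolicited inbound packet has nowhere to go while a reply to an outbound connection is forwarded. The class name, port pool and all addresses are constructed for illustration, and the `check_remote` switch is a simplified stand-in for the stateful (SPI) check discussed earlier in the thread.

```python
from itertools import count

class NatRouter:
    """Toy port-translating NAT; names and addresses are constructed."""

    def __init__(self, public_ip, check_remote=True):
        self.public_ip = public_ip
        self.check_remote = check_remote  # True: also verify who is replying
        self._next_port = count(40000)    # pool of public source ports
        self.table = {}  # public_port -> (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host sends a packet out: record a mapping, rewrite the source."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        for pub_port, entry in self.table.items():
            if entry == flow:
                return self.public_ip, pub_port  # reuse the existing mapping
        pub_port = next(self._next_port)
        self.table[pub_port] = flow
        return self.public_ip, pub_port

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from the Internet: return the LAN target or None (dropped)."""
        entry = self.table.get(public_port)
        if entry is None:
            return None  # no mapping: the router cannot tell which PC this is for
        lan_ip, lan_port, exp_ip, exp_port = entry
        if self.check_remote and (remote_ip, remote_port) != (exp_ip, exp_port):
            return None  # mapping exists, but the LAN host never contacted this sender
        return lan_ip, lan_port

def demo():
    results = {}
    router = NatRouter("203.0.113.10")
    # Unsolicited packet to a Windows networking port: nothing in the table.
    results["unsolicited_139"] = router.inbound("198.51.100.7", 51000, 139)
    # The PC opens a connection to a web server; the reply matches the mapping.
    _, pub_port = router.outbound("192.168.1.2", 1025, "198.51.100.80", 80)
    results["reply"] = router.inbound("198.51.100.80", 80, pub_port)
    # A third party sends to the mapped port: dropped when the remote is checked,
    # forwarded when the router only looks at the port.
    results["other_host_checked"] = router.inbound("198.51.100.7", 51000, pub_port)
    loose = NatRouter("203.0.113.10", check_remote=False)
    _, loose_port = loose.outbound("192.168.1.2", 1025, "198.51.100.80", 80)
    results["other_host_unchecked"] = loose.inbound("198.51.100.7", 51000, loose_port)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
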

Any packets that aren't blocked by your ISP's cable modem configuration script will be passed along. Commonly they block incoming ports 80 (webserver), 110 (mailserver), sometimes 21 (FTP server), 137/139 (windows networking), 201-208 (appletalk), and any of the common virus/worm ports. However, for the most part, ports are left open on cable networks.

Reply to
Eric
