- burnedtechie
March 21, 2006, 7:09 pm

I know this has been covered ad nauseum in the past, but maybe the
"real firewall" status of routers has changed over time? I have a
fairly new Belkin wireless router (Wireless G Plus) that claims to have
a firewall AND NAT (not just NAT), with SPI. The manual lists a big
boring list of attacks the firewall protects against. I've run all the
online firewall testers in all the advanced modes and none can even see
my computer at all.
So, do I still not have a "real" firewall? And why not? (And in case
anyone asks, yes - I'm using WPA, yes I have a *really* long
random-character passphrase, and yes I changed the router password
itself).

Re: Belkin not-real-firewall?

If you have a NAT packet filtering FW router that meets the specs in the
link for *what does a Internet/network FW do?*, then you have one that
has a FW. If the router doesn't meet those specs, then you don't have
one and you just have a NAT router for home usage that is using some FW
like features but doesn't meet the definition for a network FW.
http://www.firewall-software.com/firewall_faqs/what_does_firewall_do.html
The definition of NAT and that NAT router for home usage is what you
most likely have, especially true for most wireless NAT routers, even with
SPI.
http://www.homenethelp.com/web/explain/about-NAT.asp
The link may help you with your understanding.
http://www.more.net/technical/netserv/tcpip/firewalls/
Duane :)

Re: Belkin not-real-firewall?
Duane Arnold wrote:

But it's as clear as mud to me, unfortunately. Does my Belkin, which
claims to have a firewall, NOT do the things that page describes? I
know that the firewall and the NAT are independently controlled in the
router settings and can be turned on/off separately, so they're not the
same thing (the router isn't just calling its NAT "firewall").
Is this sort of like how my Kia is not a "real car"? Or more like how
my CRV doesn't have "real all-wheel drive"? Or is it more clear-cut
than that?


Re: Belkin not-real-firewall?

Does that Belkin have an admin screen where you can set packet filtering
rules to stop LAN traffic between machines? Can you set packet
filtering rules to stop any outbound traffic from a LAN IP or to a WAN
IP or by port or protocol? Does the Belkin NAT router even have a syslog
to log traffic?

I don't see how you can turn NAT off on a NAT router. You may be able to
configure it to be a switch by disabling the DHCP server, and at that
point, it's not a router anymore. It's just a switch. I guess you can
turn off SPI if you wanted to do that. But SPI alone on a NAT router
doesn't make a router a *real* FW as *you* put it.

In its simplest definition, a router is a firewall device that
separates two networks. The network it's protecting from the WAN and the
network it is protecting the LAN. So in that sense it's acting as a
firewall providing physical separation.
The technology that's providing that protection for the most part is
NAT, which is mapping technology that maps inbound traffic from the WAN
to a machine on the LAN based on traffic being initiated outbound from a
machine behind the router, otherwise, the traffic is dropped.
Some people call that FW technology. I don't call it that. And some call
having a NAT router using SPI and NAT to be a full FW solution. I don't
call it that either.
But is the NAT router performing a FW like function? Of course, it's
doing that.
But you asked the question. Is the NAT router you have a *real FW*? I am
telling you that if it's not meeting all the specifications in that link
I provided -- all of them, then it's not a solution that's a real FW.
I provided you with the links. It's up to you to read and understand the
information and come to a conclusion as to what you have.
Duane :)

Re: Belkin not-real-firewall?
I see... Well, the router does have security logs it keeps (ip,
protocol, type of attack thwarted, date/time, etc). It also has by-IP
address, by port, by protocol blocking - configurable by time schedule
or by "always". It does NOT protect machines from each other as far as I can
tell. So I can see various things it leaves out, but it's intended to
"mostly" protect my machines from the internet at large, and I suppose
that's good enough for my purposes.
Now, I said it completely stealths me. I did just find one online test
that shows my port 113 and 80 as being CLOSED, not stealthed. Should I
go in and take care of these? The Belkin allows me to point incoming
ports, by protocol, off to any IP address I want (even a nonexistent
one).

Re: Belkin not-real-firewall?
burnedtechie@yahoo.com wrote:

Your Belkin is not the type of device Duane refers to. There are true
firewall/routers out there, SonicWall, CheckPoint, etc. What you have to
decide for yourself is do you really need one. Most home users probably
don't. But, if it makes you feel more secure to own one..


Re: Belkin not-real-firewall?

Is that inbound only filtering of packets or can it stop outbound
packets from leaving the network?

As it is for most home users.

A port is *closed*. It's closed; traffic *cannot* come down a *closed*
port, and the FW sent back the proper response - yeah, I am here and the
port is *closed*. The Stealth thing means nothing and is a worthless
Gibson term used to impress users taking the test with a personal FW. So
the proper response didn't come back, and the stealth blanket is not
hiding you either. I know you are there.
The fact that the machines are sitting behind the NAT router with their
O/S and Internet applications running on the machine that are
listening and they cannot respond to unsolicited inbound traffic due to
those packets being dropped by the router is the point where the machines
are *stealthed*.

The ports are not *open*, they are *closed*. If the ports were *open*,
then I would be concerned.
I suggest you take another test as there are other tests other than
Gibson out there.
Another thing, you should use Wallwatcher (free might work with the
Belkin) to review the syslog or Syslog Daemon (free will work with the
Belkin) and watch traffic coming to and leaving the router as someone
can hack your wireless network and be all over the top of your machines
wired or wireless (a personal FW would help in that area) or they can
use your wireless to attack other networks or machines on the Internet.
The link may or may not help you.
http://netsecurity.about.com/cs/wireless/a/aa112203_2.htm
Duane :)
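The two points Duane makes above (inbound traffic is forwarded only when it matches a mapping created by earlier outbound traffic, and a "closed" port differs from a "stealth" port only in whether the router answers the unsolicited packet or silently drops it) can be shown with a toy stateful NAT router. This is an added example, not code from the thread or from any Belkin, Linksys or Netscreen product; the `Packet` and `NatRouter` names, the egress-rule format, and every address, port and rule in `demo()` are constructed for the example. It also shows the point raised earlier in the thread that LAN-to-LAN traffic never reaches the router, so the router cannot protect LAN machines from each other.

```python
"""Toy stateful NAT router with packet-filter rules (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""   # TCP flags as a string, e.g. "S" for SYN, "SA" for SYN/ACK


class NatRouter:
    def __init__(self, wan_ip, lan_prefix, unsolicited="drop", egress_rules=()):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix          # e.g. "192.168.2."
        self.unsolicited = unsolicited        # "drop" (stealth) or "reject" (closed)
        self.egress_rules = list(egress_rules)
        self.mappings = {}   # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.reverse = {}    # (proto, lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.next_port = 40000

    def _is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def _egress_blocked(self, pkt):
        # A rule is a dict of Packet fields; the packet is blocked if every field matches.
        return any(all(getattr(pkt, k) == v for k, v in rule.items())
                   for rule in self.egress_rules)

    def handle(self, pkt):
        """Return (verdict, detail) for one packet arriving at the router."""
        if self._is_lan(pkt.src_ip) and self._is_lan(pkt.dst_ip):
            return ("SWITCHED", "LAN-to-LAN, not inspected")
        if self._is_lan(pkt.src_ip):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt):
        if self._egress_blocked(pkt):
            return ("DROP", "egress rule")
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.reverse.get(key)
        if wan_port is None:
            # First packet of this flow: allocate a WAN port and remember the mapping.
            wan_port = self.next_port
            self.next_port += 1
            self.reverse[key] = wan_port
            self.mappings[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port,
                                                    pkt.dst_ip, pkt.dst_port)
        # Rewrite the source to the router's WAN address and the allocated port.
        return ("FORWARD", replace(pkt, src_ip=self.wan_ip, src_port=wan_port))

    def _inbound(self, pkt):
        entry = self.mappings.get((pkt.proto, pkt.dst_port))
        if entry is not None and entry[2:] == (pkt.src_ip, pkt.src_port):
            lan_ip, lan_port = entry[:2]
            return ("FORWARD", replace(pkt, dst_ip=lan_ip, dst_port=lan_port))
        if self.unsolicited == "reject":
            answer = "TCP RST" if pkt.proto == "tcp" else "ICMP port unreachable"
            return ("REJECT", answer)     # a scanner reports the port as "closed"
        return ("DROP", "no mapping")      # a scanner reports it as "stealth"/filtered


def demo():
    """Walk one LAN host through a web request, a probe, an egress rule and LAN traffic."""
    rules = [{"proto": "tcp", "dst_port": 25}]   # constructed: block outbound SMTP from the LAN
    stealth = NatRouter("203.0.113.5", "192.168.2.", "drop", rules)
    closed = NatRouter("203.0.113.5", "192.168.2.", "reject")
    web_out = Packet("tcp", "192.168.2.10", 51000, "198.51.100.7", 80, "S")
    web_back = Packet("tcp", "198.51.100.7", 80, "203.0.113.5", 40000, "SA")
    probe = Packet("tcp", "198.51.100.99", 4444, "203.0.113.5", 113, "S")
    smtp_out = Packet("tcp", "192.168.2.10", 51001, "198.51.100.8", 25, "S")
    lan_only = Packet("tcp", "192.168.2.10", 51002, "192.168.2.11", 445, "S")
    return {
        "outbound": stealth.handle(web_out),
        "reply": stealth.handle(web_back),
        "probe_stealth": stealth.handle(probe),
        "probe_closed": closed.handle(probe),
        "smtp": stealth.handle(smtp_out),
        "lan": stealth.handle(lan_only),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Whether the unsolicited probe to port 113 gets a RST or nothing at all, the result is the same: it is never forwarded to a LAN host. The "reject" mode simply tells the scanner that a host is answering at that address, which is what an online tester reports as "closed" rather than "stealth".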

Re: Belkin not-real-firewall?
Duane Arnold wrote:

I tried Wallwatcher and thought the graphs etc. were pretty cool, but
not something I'd find time to review on a regular basis. I run Syslog
Daemon because the daily summary email takes 30 seconds to review for
anomalies - no need to look any deeper most days.
I don't run a PFW because I object to extraneous distractions while
working. Windows Firewall only distracts me if I turn it off, so I let
it run.
My Netscreen 5GT also does its job quietly and effectively. Worth every
penny IMHO, unless one prefers to make a full-time hobby of home network
security monitoring - and its competitors are even cheaper these days.
I don't see where home network security is hard or expensive. Sure you
should invest a few hundred in a decent perimeter firewall, plus a day
or two configuring it and the PC operating systems - but beyond that
free AV, Windows Firewall, and some time spent educating the kids is
about all it takes.
Triffid

Re: Belkin not-real-firewall?
Triffid wrote:

Syslog Daemon was OK. I didn't like the fact that you had to buy it if
you wanted more detailed information, had to go out of your way to
configure it to provide that information, and you had to implement other
solutions like a database application and report writer application if
you wanted to review traffic patterns.
Wallwatcher has many nice features like intrusion detection threshold
alerting and notification, graphs showing the low to highest counts of
IP(s) making the intrusion attempts, tracking IP if needed, back tracing
of a site name to an IP and in general online in real time tracking of
traffic to and from the router. It's got some other things as well that I
like that I have used. It's free and you can't beat the deal.

That doesn't make any sense as the Windows FW is a personal FW, unless
you're talking Application Control in PFW solutions and its nuisance
asking of questions to allow or not to allow something, then you're
making sense.

My needs are for a FW appliance and NAT routers for home usage don't
meet my needs. However, they are good solutions for most home users.

I cannot disagree. However, the use of the Windows FW behind that FW
appliance is buying you what? If the machines are setup to allow
networking and the XP FW is allowing the inbound traffic between the
machines, you might as well not even have it enabled, as it's not buying
you anything, IMHO. The malware can still populate itself on the LAN.
Duane :)
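The two styles of log review discussed above (Triffid's daily summary that takes a few seconds to scan, and the intrusion-detection threshold alerting Duane describes in Wallwatcher) can both be done over the router's syslog output. The following is an added example, not code from Wallwatcher, Syslog Daemon or any router firmware; the key=value log format is an assumed netfilter-like layout, and every address, port and timestamp in `SAMPLE_LOG` is constructed.

```python
"""Threshold alerting and a daily summary over router syslog output (constructed example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log in an assumed key=value style; the last line is deliberately malformed.
SAMPLE_LOG = """\
Mar 21 19:09:01 router: DROP IN=wan SRC=198.51.100.99 DST=203.0.113.5 PROTO=TCP SPT=4444 DPT=445
Mar 21 19:09:02 router: DROP IN=wan SRC=198.51.100.99 DST=203.0.113.5 PROTO=TCP SPT=4445 DPT=139
Mar 21 19:09:02 router: DROP IN=wan SRC=198.51.100.99 DST=203.0.113.5 PROTO=TCP SPT=4446 DPT=135
Mar 21 19:09:03 router: DROP IN=wan SRC=198.51.100.99 DST=203.0.113.5 PROTO=TCP SPT=4447 DPT=1433
Mar 21 19:09:40 router: DROP IN=wan SRC=192.0.2.17 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1026
Mar 21 19:12:15 router: DROP IN=wan SRC=198.51.100.99 DST=203.0.113.5 PROTO=TCP SPT=4448 DPT=80
Mar 21 19:30:00 router: ACCEPT IN=lan SRC=192.168.2.10 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=80
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) router: (?P<action>\w+) IN=(?P<iface>\w+) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text, year=2006):
    """Parse log lines into dicts; classic syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unknown format: skip it, never crash the review
        d = m.groupdict()
        d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
        d["spt"], d["dpt"] = int(d["spt"]), int(d["dpt"])
        events.append(d)
    return events


def wan_drops(events):
    """Only unsolicited inbound packets the router refused on the WAN side matter here."""
    return [e for e in events if e["action"] == "DROP" and e["iface"] == "wan"]


def daily_summary(events):
    """The short summary a person can review in a few seconds."""
    drops = wan_drops(events)
    return {
        "total_drops": len(drops),
        "top_sources": Counter(e["src"] for e in drops).most_common(3),
        "top_ports": Counter((e["proto"], e["dpt"]) for e in drops).most_common(3),
    }


def threshold_alerts(events, threshold=4, window_seconds=60):
    """Alert once per source whose drops reach `threshold` within `window_seconds`."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in sorted(wan_drops(events), key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()                    # slide the window forward
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "ports": sorted({e["dpt"] for e in q}),
                "first": q[0]["ts"],
                "last": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(daily_summary(evs))
    for a in threshold_alerts(evs):
        print(f"ALERT {a['src']}: {a['count']} drops in window, ports {a['ports']}")
```

On the sample, the summary shows six WAN-side drops, and the threshold check flags the one source that hit four different ports within a few seconds while leaving the single stray UDP drop alone. The threshold and window are the knobs a home user would tune down to the point where the daily mail stays readable.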


Re: Belkin not-real-firewall?
Duane Arnold wrote:

Fair comment. I really only use SyslogD for the daily summary email. The
Netscreen GUI lets me drill down if the summary shows anything unusual.

Netscreen GUI does most of that - free with product purchase.

OK, we agree if you consider Windows Firewall to be a PFW. Many seem to
think 'Application Control' defines a PFW, and are unaware applications
can only be controlled to the extent they honor control.

You are aware the NS 5GT *is* a firewall appliance as you stated below,
so this comment appears to be extraneous.

XP nags if Windows Firewall is off, and everything still works when it's
on. Simple as that.

Absolutely - if malware infects a Windows networking environment, I
expect it will propagate to all machines on the LAN. The only shares on
my internal LAN are from the file server (a Linux/Samba box), but the
PCs still talk to each other constantly - might be fixable, but I'm not
sure it's worth the effort.
Triffid

Re: Belkin not-real-firewall?

Whatever works - works.

I consider the Windows FW or any PFW to be a host based packet filter
protecting at the machine level and is not a FW, since it doesn't separate
two networks. The one it's protecting from and the one it is protecting.

Yeah I know that and it's worthless as far as I am concerned.

You know what a Watchguard is, don't you? So of course I know what a
Netscreen is about. I'll assume you know what a NAT router is about too.
And price varies on the solution that is needed with the devices.

I don't know where you're coming up with this one. I am using XP Pro right now
on this laptop and the XP FW is sure not active and I am not being nagged.
However, I configured the Security Center on XP to not nag me with the
messages that the XP FW is not active, because I am using my own host based
3rd party packet filter -- BlackIce. As a matter of fact, I think at one
time, I just disabled the Security Center Service on XP. Don't tell me about
nothing the AV or anything else on other machines. But on this laptop, I
just told SC to not tell me about the XP FW not being active.
So you should be able to tell the SC not to tell you that the XP FW is off or
just turn the service off altogether.
It was, or should be, as simple as that. :)

No it's not fixable as the machines have to network on ports 137-138 udp and
445 tcp. If you do something to close those ports, uninstall MS File and
Print sharing or configure the XP FW to not allow traffic on the ports, then
the machine cannot network and share resources.
Duane :)

Re: Belkin not-real-firewall?

I personally think that definition of firewall is too long and too
unspecified to work. The one used in many other places that is the
only one that fits better, I think, is:
A system designed to prevent unauthorized access to or from a private
network.
By that definition the Belkin thing sure is a firewall; however, if
it's a good one is another discussion. The next step, if it works
for the intended use, is yet another one, then if it is cost effective
for the selected use still another.
A NAT router might be a good firewall solution to protect against some
kinds of threats. It might be worth less in other situations.
/ Balp
--
http://anders.arnholm.nu/ Keep on Balping

Re: Belkin not-real-firewall?
Anders Arnholm wrote:

My Watchguard FW appliance can do every last bit of what is in that link.
My Linksys NAT router couldn't do every last bit of what is in that link.
And the system can be a combination of solutions such as routers, FW
appliances and computer host based solutions.

What are you talking about?

Agreed for the most part and it *is* worth less in other situations.
Duane :)


Re: Belkin not-real-firewall?

Actually, the firewall definition part in that text the NAT router
probably does do in all cases; however, it's not that well written:
An Internet firewall examines all traffic routed between your network
and the Internet to see if it meets certain criteria. If it does, it
is routed between the networks, otherwise it is stopped. A network
firewall filters both inbound and outbound traffic.
The rest of the text is more or less optional, else a firewall has to
be a packet filter, and I can think of several possible firewalls
that aren't packet filters at all. What do you think of the more common
definition of firewall: "A system designed to prevent unauthorized
access to or from a private network."
With that definition it's easier to define what is and what isn't
a firewall. A firewall isn't always one machine or one piece of hardware.
Often it's a combination of several different pieces of hardware and
software.

Can then the router without the other stuff be a firewall? If it has
some parts of the outside or inside network routed into a black-hole?

Yep, but it could be a good working part of the firewall if you have
secure machines on the inside. It might be a good firewall then.
/ Balp
--
http://anders.arnholm.nu/ Keep on Balping

Re: Belkin not-real-firewall?
Anders Arnholm wrote:

Well what can I say about it? I didn't write it. It's good enough as far
as I am concerned.

Yes, I know that and various solutions hardware and software can make a
total solution.
But as far as some standalone solution hardware or software, it had
better be able to do all of what's in that link I provided. Otherwise, I
don't consider it to be a FW. And I am not including PFW(s) in that
definition.

In its simplest definition of a router separating two networks that I
have stated in a previous post in this thread, it's performing a FW
function.

I'll agree for the most part that a router can be a viable solution
standalone or part of a total solution.
As far as secured machines behind any FW solution, that's another matter
altogether that has nothing to do with FW functionality.
Duane :)


Re: Belkin not-real-firewall?

Personally I think the more common short version is better :-)

But the linked text is long and not specific, especially in the parts
about alerting and so on. There are many possibilities, some good,
some bad, and how much must be in the solution before it's a firewall?
If I don't look at the logs, does it stop being a firewall? If it logs
to some own obscure stuff that no one can understand? And so on, is
logging critical for it to be a firewall, or just to be a good
firewall?

No but it has to be included in the demands on the FW.
--
http://anders.arnholm.nu/ Keep on Balping

Re: Belkin not-real-firewall?

Personally I think the one I am presenting is better. So there you go, tit
for tat I guess.

If it's not doing what is in that link, then as far as I am
concerned, it's not a network FW solution.
And I'll leave it at that.

What? If the FW is host based I'll agree that other measures have to be
taken in the security of the O/S for FW running on a gateway solution.
It's not the job of the gateway FW solution to be some kind of security
solution for workstations or servers behind the solution other than
protecting the network from outside intrusion. That's the demand for the
most part for a network FW solution I see, because if it were more than
that, the machines behind them would not be compromised and they are being
compromised mainly due to user activities.
Duane :)

Re: Belkin not-real-firewall?

That's one of the problems with a non-defined vocabulary. The problem
with your long definition (that has a list of good things to have in a
firewall) is that it leaves open for real firewalls and other
something without name, e.g. maybe bad firewalls.

I think that when designing firewall solutions one has to take what
machines and what security solutions they use into consideration. A
firewall for a network with one OpenBSD webserver (properly closed
down with competent admins) needs less consideration than a firewall
for a mixed company with different, maybe not competent, persons
running services on their laptops.
In the first situation something that cleans out spoofing might be all
needed to be done. All network traffic except spoofed traffic may
flow. In the second situation more work has to be added to the
design.
/ Balp
--
http://anders.arnholm.nu/ Keep on Balping

Re: Belkin not-real-firewall?

We can go around and around on it. You got your opinion and I have my
opinion and we'll leave it that.

You left out desktops and what you say on the two situations is a given.

In the second situation , if the machines are networking, the host based
packet filter FW is buying them nothing, unless the solution has some kind
of IDS implemented in it that creates/controls packet filtering rules for
the packet filter or host based FW solution.
Duane :)