Belkin not-real-firewall?

I know this has been covered ad nauseam in the past, but maybe the "real firewall" status of routers has changed over time? I have a fairly new Belkin wireless router (Wireless G Plus) that claims to have a firewall AND NAT (not just NAT), with SPI. The manual lists a big boring list of attacks the firewall protects against. I've run all the online firewall testers in all the advanced modes and none can even see my computer at all.

So, do I still not have a "real" firewall? And why not? (And in case anyone asks, yes - I'm using WPA, yes I have a *really* long random-character passphrase, and yes I changed the router password itself).

Reply to
burnedtechie

If you have a NAT packet filtering FW router that meets the specs in the link for *what does an Internet/network FW do?*, then you have one that has a FW. If the router doesn't meet those specs, then you don't have one and you just have a NAT router for home usage that is using some FW like features but it doesn't meet the definition for a network FW.

The definition of NAT and that NAT router for home usage is what you most likely have, especially true for most wireless NAT routers, even with SPI.

The link may help you with your understanding.

Duane :)

Reply to
Duane Arnold

But it's as clear as mud to me, unfortunately. Does my Belkin, which claims to have a firewall, NOT do the things that page describes? I know that the firewall and the NAT are independently controlled in the router settings and can be turned on/off separately, so they're not the same thing (the router isn't just calling its NAT "firewall").

Is this sort of like how my Kia is not a "real car"? Or more like how my CRV doesn't have "real all-wheel drive"? Or is it more clear-cut than that?

Reply to
burnedtechie

Does that Belkin have an admin screen where you can set packet filtering rules to stop LAN traffic between machines? Can you set packet filtering rules to stop any outbound traffic from a LAN IP or to a WAN IP or by port or protocol? Does the Belkin NAT router even have a syslog to log traffic?

I don't see how you can turn NAT off on a NAT router. You may be able to configure it to be a switch by disabling the DHCP server, and at that point, it's not a router anymore. It's just a switch. I guess you can turn off SPI if you wanted to do that. But SPI alone on a NAT router doesn't make a router a *real* FW as *you* put it.

In its simplest definition, a router is a firewall device that separates two networks: the network it's protecting from, the WAN, and the network it is protecting, the LAN. So in that sense it's acting as a firewall providing physical separation.

The technology that's providing that protection for the most part is NAT, which is mapping technology that maps inbound traffic from the WAN to a machine on the LAN based on traffic being initiated outbound from a machine behind the router, otherwise, the traffic is dropped.

Some people call that FW technology. I don't call it that. And some call having a NAT router using SPI and NAT to be a full FW solution. I don't call it that either.

But is the NAT router performing a FW like function? Of course, it's doing that.

But you asked the question. Is the NAT router you have a *real FW*? I am telling you that if it's not meeting all the specifications in that link I provided -- all of them, then it's not a solution that's a real FW.

I provided you with the links. It's up to you to read and understand the information and come to a conclusion as to what you have.

Duane :)

Reply to
Duane Arnold

I see... Well, the router does have security logs it keeps (IP, protocol, type of attack thwarted, date/time, etc). It also has by-IP address, by port, by protocol blocking - configurable by time schedule or by "always". It does NOT protect machines from each other as far as I can tell. So I can see various things it leaves out, but it's intended to "mostly" protect my machines from the internet at large, and I suppose that's good enough for my purposes.

Now, I said it completely stealths me. I did just find one online test that shows my ports 113 and 80 as being CLOSED, not stealthed. Should I go in and take care of these? The Belkin allows me to point incoming ports, by protocol, off to any IP address I want (even a nonexistent one).

Reply to
burnedtechie

Your Belkin is not the type of device Duane refers to. There are true firewall/routers out there, SonicWall, CheckPoint, etc. What you have to decide for yourself is do you really need one. Most home users probably don't. But, if it makes you feel more secure to own one...

Reply to
optikl

Is that inbound only filtering of packets or can it stop outbound packets from leaving the network?

As it is for most home users.

A port is *closed*, it's closed, traffic *cannot* come down a *closed* port, and the FW sent back the proper response - yeah I am here and the port is *closed*. The Stealth thing means nothing and is a worthless Gibson term used to impress users taking the test with a personal FW. So the proper response didn't come back too and the stealth blanket is not hiding you either. I know you are there.

The fact that the machines are sitting behind the NAT router with their O/S and Internet applications running on the machine that are listening and they cannot respond to unsolicited inbound traffic due to those packets being dropped by the router is the point where the machines are *stealthed*.

The ports are not *open*, they are *closed*. If the ports were *open*, then I would be concerned.

I suggest you take another test as there are other tests other than Gibson out there.

Another thing, you should use Wallwatcher (free might work with the Belkin) to review the syslog or Syslog Daemon (free will work with the Belkin) and watch traffic coming to and leaving the router as someone can hack your wireless network and be all over the top of your machines wired or wireless (a personal FW would help in that area) or they can use your wireless to attack other networks or machines on the Internet.

The link may or may not help you.

Duane :)

Reply to
Duane Arnold
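The NAT behaviour Duane describes earlier in the thread (only replies to outbound-initiated flows get mapped back to a LAN machine, everything unsolicited is dropped) and the "closed" versus "stealth" distinction above, as an added toy model that is not part of the original thread. The addresses, ports and the `respond_closed` flag are constructed for illustration; no real packets are sent.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class NatRouter:
    wan_ip: str                        # constructed WAN address, TEST-NET range
    respond_closed: bool = False       # False: drop silently ("stealth"); True: answer with RST ("closed")
    forwards: dict = field(default_factory=dict)   # (proto, wan port) -> (lan ip, lan port), the "point it to any IP" rule
    table: dict = field(default_factory=dict)      # (proto, wan port) -> (lan ip, lan port, peer ip, peer port)
    next_port: int = 40000
    log: list = field(default_factory=list)        # what a syslog of the router would record

    def outbound(self, pkt):
        """LAN host starts a flow: reuse or allocate a WAN port and remember the mapping."""
        for (proto, wport), (lip, lport, pip, pport) in self.table.items():
            if (proto, lip, lport, pip, pport) == (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(self.wan_ip, wport, pkt.dst, pkt.dport, pkt.proto)
        wport = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, wport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.log.append(f"NAT {pkt.src}:{pkt.sport} -> {self.wan_ip}:{wport}")
        return Packet(self.wan_ip, wport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Packet arriving on the WAN: forwarded only as a reply to a known flow or via a forward rule."""
        key = (pkt.proto, pkt.dport)
        if key in self.table:
            lip, lport, pip, pport = self.table[key]
            if (pip, pport) == (pkt.src, pkt.sport):      # same peer, same port: a reply we asked for
                return "forward", Packet(pkt.src, pkt.sport, lip, lport, pkt.proto)
        if key in self.forwards:                           # explicit port forward exposes a LAN host
            lip, lport = self.forwards[key]
            return "forward", Packet(pkt.src, pkt.sport, lip, lport, pkt.proto)
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dport}")
        if self.respond_closed and pkt.proto == "tcp":
            return "rst", None                             # a tester reads this port as "closed"
        return "drop", None                                # no answer at all: what testers call "stealth"
```

In both the "rst" and "drop" cases the LAN machine never sees the probe, which is the point Duane makes: closed or stealthed, the port is not open.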

I tried Wallwatcher and thought the graphs etc. were pretty cool, but not something I'd find time to review on a regular basis. I run Syslog Daemon because the daily summary email takes 30 seconds to review for anomalies - no need to look any deeper most days.

I don't run a PFW because I object to extraneous distractions while working. Windows Firewall only distracts me if I turn it off, so I let it run.

My Netscreen 5GT also does its job quietly and effectively. Worth every penny IMHO, unless one prefers to make a full-time hobby of home network security monitoring - and its competitors are even cheaper these days.

I don't see where home network security is hard or expensive. Sure you should invest a few hundred in a decent perimeter firewall, plus a day or two configuring it and the PC operating systems - but beyond that free AV, Windows Firewall, and some time spent educating the kids is about all it takes.

Triffid

Reply to
Triffid

Syslog Daemon was OK. I didn't like the fact that you had to buy it if you wanted more detailed information, had to go out of your way to configure it to provide that information, and you had to implement other solutions like a database application and report writer application if you wanted to review traffic patterns.

Wallwatcher has many nice features like intrusion detection threshold alerting and notification, graphs showing the low to highest counts of IP(s) making the intrusion attempts, tracking IP if needed, back tracing of a site name to an IP and in general online in real time tracking of traffic to and from the router. It's got some other things as well that I like that I have used. It's free and you can't beat the deal.

That doesn't make any sense as the Windows FW is a personal FW, unless you're talking Application Control in PFW solutions and its nuisance asking of questions to allow or not to allow something, then you're making sense.

My needs are for a FW appliance and NAT routers for home usage don't meet my needs. However, they are good solutions for most home users.

I cannot disagree. However, the use of the Windows FW behind that FW appliance is buying you what? If the machines are setup to allow networking and the XP FW is allowing the inbound traffic between the machines, you might as well not even have it enabled, as it's not buying you anything, IMHO. The malware can still populate itself on the LAN.

Duane :)

Reply to
Duane Arnold

I personally think that definition of firewall is too long and too unspecific to work. The one used in many other places that is the only one that fits better I think is:

A system designed to prevent unauthorized access to or from a private network.

By that definition the Belkin thing sure is a firewall, however if it's a good one is another discussion. The next step if it works for the intended use is yet another one, then if it is cost effective for the selected use still one other.

A NAT router might be a good firewall solution to protect against some kinds of threats. It might be worth less in other situations.

/ Balp

Reply to
Anders Arnholm

No. "Stealthing" is nonsense anyways.

Yours, VB.

Reply to
Volker Birk

My Watchguard FW appliance can do every last bit of what is in that link. My Linksys NAT router couldn't do every last bit of what is in that link.

And the system can be a combination of solutions such as routers, FW appliances and computer host based solutions.

What are you talking about?

Agreed for the most part and it *is* worth less in other situations.

Duane :)

Reply to
Duane Arnold

Actually the firewall definition part in that text the NAT router probably does do in all cases, however it's not that well written:

An Internet firewall examines all traffic routed between your network and the Internet to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A network firewall filters both inbound and outbound traffic.

The rest of the text is more or less optional, else a firewall has to be a packet filter, and I can think of several possible firewalls that aren't packet filters at all. What do you think of the more common definition of firewall: "A system designed to prevent unauthorized access to or from a private network."

With that definition it's easier to define what is and what isn't a firewall. A firewall isn't always one machine, or one piece of hardware. Often it's a combination of several different pieces of hardware and software.

Can then the router without the other stuff be a firewall? If it has some parts of the outside or inside network routed into a black-hole?

Yep, but it could be a good working part of the firewall if you have secure machines on the inside. It might be a good firewall then.

/ Balp

Reply to
Anders Arnholm

Well what can I say about it? I didn't write it. It's good enough as far as I am concerned.

Yes, I know that and various solutions hardware and software can make a total solution.

But as far as some standalone solution hardware or software, it had better be able to do all of what's in that link I provided. Otherwise, I don't consider it to be a FW. And I am not including PFW(s) in that definition.

In its simplest definition of a router separating two networks that I have stated in a previous post in this thread, it's performing a FW function.

I'll agree for the most part that a router can be a viable solution standalone or part of a total solution.

As far as secured machines behind any FW solution, that's another matter altogether that has nothing to do with FW functionality.

Duane :)

Reply to
Duane Arnold

Personally think the more common short version is better :-)

But the linked text is long and not specific, especially in the parts about alerting and so on. There are many possibilities, some good some bad, and how much must be in the solution before it's a firewall? If I don't look at the logs does it stop being a firewall? If it logs to some own obscure stuff that no one can understand? And so on, is logging critical for it to be a firewall, or just to be a good firewall?

No but it has to be included in the demands on the FW.

Reply to
Anders Arnholm

Fair comment. I really only use SyslogD for the daily summary email. The Netscreen GUI lets me drill down if the summary shows anything unusual.

Netscreen GUI does most of that - free with product purchase.

OK, we agree if you consider Windows Firewall to be a PFW. Many seem to think 'Application Control' defines a PFW, and are unaware applications can only be controlled to the extent they honor control.

You are aware the NS 5GT *is* a firewall appliance as you stated below, so this comment appears to be extraneous.

XP nags if Windows Firewall is off, and everything still works when it's on. Simple as that.

Absolutely - if malware infects a Windows networking environment, I expect it will propagate to all machines on the LAN. The only shares on my internal LAN are from the file server (a Linux/Samba box), but the PCs still talk to each other constantly - might be fixable, but I'm not sure it's worth the effort.

Triffid

Reply to
Triffid

Whatever works - works.

I consider the Windows FW or any PFW to be a host based packet filter protecting at the machine level and is not a FW, since it doesn't separate two networks. The one it's protecting from and the one it is protecting.

Yeah I know that and it's worthless as far as I am concerned.

You know what a Watchguard is don't you. So of course I know what a Netscreen is about. I'll assume you know what a NAT router is about too. And price varies on the solution that is needed with the devices.

I don't know where you're coming up with this one. I am using XP Pro right now on this laptop and the XP FW is sure not active and I am not being nagged. However, I configured the Security Center on XP to not nag me with the messages that the XP FW is not active, because I am using my own host based 3rd party packet filter -- BlackIce. As a matter of fact, I think at one time, I just disabled the Security Center Service on XP. Don't tell me about nothing the AV or anything else on other machines. But on this laptop, I just told SC to not tell me about the XP FW not being active.

So you should be able to tell the SC don't tell me that the XP FW is off or just turn the service off altogether.

It was as or should be as simple as that. :)

No it's not fixable as the machines have to network on ports 137-138 udp and 445 tcp. If you do something to close those ports, uninstall MS File and Print sharing or configure the XP FW to not allow traffic on the ports, then the machine cannot network and share resources.

Duane :)

Reply to
Duane Arnold

Personally I think the one I am presenting is better. So there you go, tit for tat I guess.

If it's not doing what is in that link, then as far as I am concerned, it's not a network FW solution. And I'll leave it at that.

What? If the FW is host based I'll agree that other measures have to be taken in the security of the O/S for FW running on a gateway solution.

It's not the job of the gateway FW solution to be some kind of security solution for workstations or servers behind the solution other than protecting the network from outside intrusion. That's the demand for the most part for a network FW solution I see, because if it were more than that, the machines behind them would not be compromised and they are being compromised mainly due to user activities.

Duane :)

Reply to
Duane Arnold

Duane Arnold writes:

That's one of the problems with an undefined vocabulary. The problem with your long definition (that has a list of good things to have in a firewall) is that it leaves it open for real firewalls and other things without a name, e.g. maybe bad firewalls.

I think that when designing firewall solutions one has to take what machines and what security solutions they use into consideration. A firewall for a network with one OpenBSD webserver (properly closed down with competent admins) needs less consideration than a firewall for a mixed company with different, maybe not competent, persons running services on their laptops.

In the first situation something that cleans out spoofing might be all that needs to be done. All network traffic except spoofed traffic may flow. In the second situation more work has to be added to the design.

/ Balp

Reply to
Anders Arnholm

We can go around and around on it. You got your opinion and I have my opinion and we'll leave it that.

You left out desktops and what you say on the two situations is a given.

In the second situation, if the machines are networking, the host based packet filter FW is buying them nothing, unless the solution has some kind of IDS implemented in it that creates/controls packet filtering rules for the packet filter or host based FW solution.

Duane :)

Reply to
Duane Arnold
