Hardware firewall advice - D-Link DIR-330 and Linksys

Hi all, I want to buy a hardware firewall with very good security. I'm a single user with 1 PC, 1 wireless laptop, and possibly doing testing with a web/FTP server, but that's the lowest of my priorities (if I ever get the time to play with that).

I'm currently undecided between D-Link and Linksys. Linksys' Website is quite confusing.

I have picked the D-Link DIR-330, which has SPI, WiFi, and VPN ($170).

Does anyone recommend something similar from Linksys? Or is my D-Link selection OK? Or any other brands or suggestions?

Also, I saw on the D-Link site they are selling the VPN software for $50. Can I use any other software (possibly free)? I have not used VPN before, but I do understand I'll need it to connect remotely (which I don't do regularly).

Thanks for your advice!

Reply to
Nando

What are your plans for VPN? Is this to connect from home to work? Because maybe you don't need a VPN-solution router; you may only need a router that supports VPN protocols, which most routers do.

Whatever you do, make sure you get something that is using Wallwatcher.

For wireless, you might want to look at the WRT54G, which may be a better overall solution, particularly if you change the firmware over to one of the third-party firmwares.

Make sure you try to implement some kind of security measures for the home network, for what it's worth.


Reply to
Mr. Arnold

Thanks Mr. Arnold, I'm lost with the VPN protocol/solution. The spec sheet lists:
- VPN Tunnels: 8 (IPSec, PPTP, L2TP)
- IPSec LAN-to-LAN / Roaming User
- PPTP/L2TP Server/Client
- IPSec/PPTP/L2TP Pass-through
- IPSec NAT-Traversal
- DHCP over IPSec
- Encryption Transform: DES, 3DES, AES
- XAUTH (Extended Authentication) for IPSec Authentication

Interesting, so this program can alert me and monitor the firewall logs without logging in and using the router's interface? I checked and the D-Link is not supported. Hopefully I can train it.

Interesting, I did not know that was possible (to change to a non-Linksys firmware). Please tell me more about this. Does that mean that the Linksys firmware is not too secure? I actually installed and configured the Linksys WRT54G router for my sister's apartment. It works great and it costs less than half the price of the D-Link DIR-330. But since I'm kind of a techie, I figured I needed something more secure for myself; that's why I picked the D-Link DIR-330 firewall, but it sounds like I'm missing something in my criteria. I need a hardware firewall with good security and remote connectivity.

Great, I visited the link and read all the info. I'm glad to say that I have taken all those steps (not for me, but when setting up a router at my sister's home).

Reply to
Nando

This router you're looking at is not a typical router for home usage. It's a VPN router that would be used in a company's work environment, with VPN clients connecting to it to get on the company's LAN. I can't tell you yes or no whether to use a VPN router, because it's your situation and you do what you want.

But do you really need a VPN router or do you need a FW router, if all you're doing is transferring some files with a computer on your network to a laptop you may have with you somewhere?

No, you can't train it. The author of WW would have to configure WW to capture the syslog from the router, if the router is not listed and the router produces a syslog to begin with; you can contact the WW author about incorporating the router's syslog into the WW solution.

No, it doesn't mean that the Linksys firmware is not secure. It just means that the Linksys firmware cannot produce the syslog that can be used with WW.


Is it a FW router? Just because the manufacturer is calling something a FW, it doesn't mean that it's a FW solution.

Question? *What does a FW do?*

I think the Linksys WRT54G with its firmware and the third-party firmwares may come closer to that definition of a FW solution than the D-Link wireless VPN router. You'll have to check it out for yourself.

If you're looking for a FW solution, then maybe the link will further help you.

And if you need remote connectivity, make sure you understand what's in the link, and keep the computer out of the so-called DMZ when using FTP to transfer files.


Reply to
Mr. Arnold

While not wireless, you should really just buy an Access Point and set it up as needed, so you can upgrade as things change later.

The D210 has LAN and DMZ jacks so that you can have REAL separate networks when you're ready to play.

Reply to
Leythos

I read the hyperlink's VPN info. I think I got the idea. So a hardware firewall can either be a VPN server to allow remote access to the network, or it can allow VPN traffic through to a machine that acts as a VPN server. However, I'm just missing the actual implementation of this. So do I only need VPN client software if the router is a VPN solution (server)? And what about if the router only allows VPN connections through (which seems to be the norm)? Does that imply that I'll need VPN client software and a VPN server (software or hardware) behind the firewall, right?

I wish I could really know what I need, because I understand the VPN concept, but I do not have details of the implementation. I may be missing something, but if a VPN router solution only requires setting up client software on my laptop to connect, then that's it right there. As I said before, I'll occasionally connect with my laptop to my home PC (both using Windows XP). I do not have a clue how this "connection" will look. I don't know if I'll just have to go to My Computer and transfer the file Explorer-like, or desktop-screenshot-like. I just need to transfer/update some personal files.

I have been playing with an HP printer and a couple of home routers (USRobotics, Linksys), and I have noticed there is always an option to specify a syslog server. If these devices have this option, why does a program like WallWatcher need to be configured to capture the logs (just curious)? Is it just the data format, right?

A firmware whose source code is available, hmm... interesting. Hopefully that will contribute to making the router more and not less secure.

Reply to
Nando

Thanks Leythos, I guess then I won't have to buy those expensive access points that have management capabilities, multiple SSIDs, etc., right? Because it will just be acting as an antenna, or another port or network for the router, that I'll be able to administer through the options on the firewall, correct?

Great! DFL-210 looks good. Thanks a lot!

Reply to
Nando

There are three types of VPN solutions, and they are the following:

1) Software-to-software VPN solutions, like AT&T's Extranet client software running on a computer connecting to AT&T's Extranet server software running on a server, or Windows IPsec software running on a client computer connecting to Windows IPsec server software running on a server.
2) Hardware-to-hardware solutions, like router to router or router to a FW appliance.
3) Software-to-hardware: a client machine using VPN client software that's dedicated to VPN server software running on a router or FW appliance.

Let's say you have a company laptop and it's connected to the company's network while you're at work. With that laptop connected to the company's network, the machine can see all the other machines on the network (other user machines and servers), and the laptop can access all of them on the LAN (Local Area Network).

Let's say you have some company accounting software running on your company laptop, and that laptop with the accounting software is accessing the company's Finance server that has finance data on it. Data is being exchanged between your company laptop and the Finance server. That situation is OK, because the communications between the two machines are in a protected environment behind the company's FW.

Let's say the company allows you to take that laptop home with you where you can do work from home with the laptop connecting to the company's LAN over the Internet. In all cases that I have seen, that laptop is connected over the Internet in such a manner that the laptop is right there on the company's LAN, but it's not physically on the company's LAN.

So, you start using the accounting software on the laptop and it's in communication with the Finance server on the company's LAN; data is being exchanged between the two computers, but the laptop is not physically on the protected company LAN behind the FW. The laptop is out there on the public Internet, with that data being exchanged between the computers over the Internet.

This is where a VPN connection comes into play, for which there must be two valid VPN endpoints. VPN is a protocol that encrypts the traffic between the two VPN endpoints, and the traffic is decrypted at each end, so that the data cannot be eavesdropped on. The VPN protocol rides on TCP (Transmission Control Protocol) and IP (Internet Protocol).

Do you have that kind of situation where the data between two machines must be protected over the Internet? If you have that situation, then you need VPN. IMHO, for some simple file transfers where you can use a standalone FTP server software to do it, I don't think you need VPN for this.

You can use an FTP server on the host machine, or some remote desktop applications like pcAnywhere will allow you to transfer files between the client and the host machine using FTP.

Reply to
Mr. Arnold

Not sure I follow you here. I always use a cheap AP with WPA-PSK or WPA2, and often put it in the DMZ (depends on need), and then set up a rule in the firewall to allow authenticated users access through the DMZ to the LAN.

That's the minimum I would go for a true DMZ.

Reply to
Leythos

I forgot about this.

Yes, those solutions have the ability to produce a syslog and may have some limited means of looking at the syslog data, with the syslog data itself being limited by how much data the router will hold for a given time period.

Something like WallWatcher or Kiwi Syslog Daemon provides much more information by holding on to the data in a repository on the computer, so that the analysis tools those solutions provide can be used on it.

As someone seeing that data in real time as the router produces the syslog (which WW or KSD can also let you view in real time), you cannot do a proper analysis of what's happening with the traffic data the router is producing in real time, because the router only holds onto and shows this data for a limited time frame, after which the data is lost.

Sometimes one may need to go backwards in time, doing an analysis of what's happening with a particular WAN IP or even a LAN IP and its traffic in a given time period. WW and KSD capture the syslog data on the computer they are running on, so that historical analysis can be done to see just what is happening with the traffic.

The router can only allow you to look at what is happening in a very short time frame, and then the data is lost. The router cannot hold on to the data for history analysis to get a clear picture of what is happening.

Reply to
Mr. Arnold
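The point above, that the router's own log buffer is short-lived and a collector on a PC turns the syslog stream into queryable history, can be shown with a small collector. The code below is an added example written for this page, not WallWatcher, Kiwi or any router vendor's code. It assumes the router sends BSD-style syslog lines over UDP and that its firewall lines look like netfilter LOG output (ACCEPT/DROP followed by KEY=VALUE fields); real routers vary in exactly this way, which is why the tools in the thread need a per-router parser. The sample lines are constructed, not a real capture.

```python
"""Added example: keep router syslog history in SQLite and query it later.

Assumptions (not from the thread): BSD syslog framing, netfilter-style
firewall lines.  SAMPLE_LINES are constructed for illustration only.
"""
import re
import socket
import sqlite3

# Constructed sample traffic, not a real capture.
SAMPLE_LINES = [
    "<4>Mar  3 10:15:01 router kernel: DROP IN=vlan1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4433 DPT=22",
    "<4>Mar  3 10:15:03 router kernel: DROP IN=vlan1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4434 DPT=23",
    "<4>Mar  3 10:15:05 router kernel: DROP IN=vlan1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4435 DPT=3389",
    "<4>Mar  3 10:16:10 router kernel: DROP IN=vlan1 SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1434",
    "<6>Mar  3 10:20:00 router kernel: ACCEPT IN=br0 SRC=192.168.1.20 DST=198.51.100.8 PROTO=TCP SPT=51000 DPT=443",
    "<4>Mar  3 11:02:41 router kernel: DROP IN=vlan1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=22",
    "garbage line the parser must skip",
    "<6>Mar  3 11:05:12 router kernel: ACCEPT IN=br0 SRC=192.168.1.21 DST=203.0.113.9 PROTO=TCP SPT=51010 DPT=21",
]

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<action>ACCEPT|DROP) (?P<fields>.*)$"
)


def parse_line(line, year=2007):
    """Return a dict for a firewall log line, or None if it is not one.

    BSD syslog timestamps carry no year, so the caller supplies it.  The
    timestamp is stored as ISO text so SQLite can range-compare it."""
    m = LINE_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    pri = int(m["pri"])
    return {
        "ts": f"{year:04d}-{MONTHS[m['mon']]:02d}-{int(m['day']):02d}T{m['time']}",
        "facility": pri // 8,   # RFC 3164: PRI = facility * 8 + severity
        "severity": pri % 8,
        "host": m["host"],
        "action": m["action"],
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def open_store(path=":memory:"):
    """Open (or create) the repository; use a file path to keep history across runs."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS events (ts TEXT, facility INT, severity INT, "
        "host TEXT, action TEXT, src TEXT, dst TEXT, proto TEXT, dport INT)")
    return conn


def ingest(conn, lines, year=2007):
    """Store every parseable line; return how many were kept."""
    rows = [r for r in (parse_line(l, year) for l in lines) if r]
    conn.executemany(
        "INSERT INTO events VALUES (:ts,:facility,:severity,:host,:action,:src,:dst,:proto,:dport)",
        rows)
    conn.commit()
    return len(rows)


def top_denied_sources(conn, since, until, limit=5):
    """Sources with the most DROPs in [since, until), ISO timestamps as text.
    This is the 'go back in time' question a router's small buffer cannot answer."""
    cur = conn.execute(
        "SELECT src, COUNT(*) AS n FROM events WHERE action='DROP' "
        "AND ts >= ? AND ts < ? GROUP BY src ORDER BY n DESC, src LIMIT ?",
        (since, until, limit))
    return cur.fetchall()


def ports_probed_by(conn, src):
    """Distinct destination ports a source was dropped on, ascending."""
    cur = conn.execute(
        "SELECT DISTINCT dport FROM events WHERE action='DROP' AND src=? ORDER BY dport",
        (src,))
    return [row[0] for row in cur]


def collect_udp(conn, bind="0.0.0.0", port=514, max_lines=100):
    """Receive syslog datagrams (point the router's 'syslog server' option at this
    host) and store them.  Port 514 needs root; not exercised by the sample run."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        kept = 0
        for _ in range(max_lines):
            data, _peer = s.recvfrom(4096)
            kept += ingest(conn, [data.decode("utf-8", "replace").rstrip("\n")])
        return kept


if __name__ == "__main__":
    db = open_store()
    print("stored", ingest(db, SAMPLE_LINES), "of", len(SAMPLE_LINES), "lines")
    print("top denied 10:00-10:30:",
          top_denied_sources(db, "2007-03-03T10:00:00", "2007-03-03T10:30:00"))
    print("ports probed by 203.0.113.5:", ports_probed_by(db, "203.0.113.5"))
```

Run it as-is to see the sample analysis; to use it against a real router, call `open_store("router.db")` and `collect_udp(...)` on a host the router's syslog-server setting points at, then query the database later, which is exactly the history the router itself cannot keep.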

Hello,

Consider 'ZyXEL Internet security appliances'

They are ICSA certified firewalls with VPN support.

I suggest going with the ZyWALL 2 Plus or ZyWALL P1; they fit your setup and budget.

Good luck!

Panda,

Reply to
panda

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.