hardware firewall buying

I'm in the market for a hardware router/firewall device as I am FINALLY moving to broadband... cable to be precise.

I've looked at a few models from both Linksys and D-Link. I also took a gander at some websites that have customer reviews to get an idea of which models have/don't have problems. The problem is that most of what I read is complaints, no matter what model I'm looking at.

I've also tried a few review websites, but they didn't seem to offer me much information beyond what's in the manufacturers' brochures.

I'm kind of fond of the Linksys BEFSX41.

Can anyone offer some comments that might help my decision making process?

What I'd love to find is a website that does reviews and comparisons like DPReview.com does for digital cameras. They are extremely in depth and have a search matrix to help you decide what models meet your requirements.

Brian

Skywise

Skywise wrote:

I haven't read up on this site for a long time now, but perhaps you can find something useful here.

formatting link

Anders

If the device you are considering is not on a list of CERT approved appliances, then it's not really a firewall. At least not to the level that you can feel comfortable that you will be secure.

NAT Routers ARE NOT FIREWALLS.

Leythos

Anders wrote in news:od91h.21195$E02.8627@newsb.telia.net:

This is much better than the sites I'd previously found.

Thanks.

Brian

Skywise

Leythos wrote in news:48b1h.20031$pq4.14052@tornado.ohiordc.rr.com:

Thanks for the education. I found cert.org and am still browsing. Lots to learn.

I keep seeing people say that hardware firewalls are better than software firewalls, and figured I'd get a router/firewall instead of just a plain router. BTW, I use Kerio 4 and feel comfortable with its performance.

After reading some of the reviews on the website recommended by Anders, I'm getting the impression that I might want something more than these "all-in-one" broadband router/firewalls.

I may be just a "home user" but I always seem to have this knack for pushing the envelope of my computer equipment.

Sure, these little devices might be nice and cheap, but as they say, you get what you pay for.

Perhaps what I should be looking for is something on the low end of "industrial strength" or "pro-sumer" or "professional grade".

Does anyone have some suggestions along these lines for some makes/models I might be interested in?

Brian

Skywise

I use Tiny and Kerio and ZAP on laptops, nothing on desktops. I also have a gateway firewall solution that strips files out of HTTP and SMTP sessions to protect my kids/family and we do the same at clients. NAT Routers claiming to be firewalls can't do that.

One of the nicer low end units is the DFL-700 from D-Link, or even the SOHO Firewall solutions like the WatchGuard X550.

Leythos

Gotta UDP-flood you, you won't be pleased with the performance any more. Oh, and what about security? Kerio just decreases.

Well, then you should simply stop yelling around for any firewalls. You don't need any.

Linksys WRT54G series with an alternative Linux firmware?

Sebastian Gottschalk

Cisco PIX 501 or Juniper Netscreen 5GT.

Jerry Gardner

Hi

What you can do as a home user is look into some kind of UTM device instead of just a NAT router/firewall. Start searching for a good UTM device.

I used SonicWall and Fortinet to start with.

CK

For most home users I suggest the BEFSX41. It is a solid unit that does its job well. Having SPI (Stateful Packet Inspection), it does technically qualify as a firewall under the RFC 2979 guidelines (I emailed the author of RFC 2979 and he agreed that a packet filter in a NAT router does qualify the device as a firewall).

Leythos disagrees, but since he is a much higher level guru, and regularly works with much more expensive equipment, he has good reason to favor full featured hardware firewalls.

But for home use, a BEFSX41 is a good deal and should serve you well. The only caveat is that you need to take the time to find out about the kinds of exploits that the lower end units aren't designed to detect or prevent.

The BEFSX41 can lock out all ActiveX, Java, Cookies, etc, if you like. But that would be a major pain. Your best bet is to add a good popup blocker (not the one in IE... it sucks. I use PopUpCop.), take some care as to where you surf, have a good anti-virus program, etc.

A BEFSX41 and a little knowledge can protect you very well.

Spender
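Spender's argument rests on stateful packet inspection: the router remembers which conversations LAN hosts opened and admits only the replies, dropping anything unsolicited. The toy filter below is an added example and is not code from this thread, from Linksys, or from any shipping firewall. It models that connection tracking over constructed packets (addresses from documentation ranges, no sockets opened, so it runs offline) and sets it beside a stateless "established"-style ACL that a forged ACK probe slips straight past. It also illustrates Sebastian's UDP-flood remark: unsolicited UDP aimed at a port with a live outbound entry, but from a different peer, is dropped, yet every packet still has to be looked up and counted, which is where the CPU time goes. The names StatefulFilter, StatelessAcl and demo, and the timeouts, are the example's own assumptions.

```python
"""Toy stateful packet inspection (SPI) filter beside a stateless ACL.

Added example for the thread above; not code from the original post,
from Linksys, or from any real firewall.  Packets are constructed
5-tuples (documentation address ranges), no sockets are used.
"""
from collections import namedtuple

# direction: "out" = LAN -> WAN, "in" = WAN -> LAN; flags: set of TCP flag names
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port flags")

ALLOW, DROP = "ALLOW", "DROP"


class StatelessAcl:
    """'Established'-style ACL: passes inbound TCP whenever ACK is set and SYN
    is not.  It keeps no memory of outbound traffic, so a forged ACK probe
    from anywhere is accepted."""

    def decide(self, pkt, now=0):
        if pkt.direction == "out":
            return ALLOW
        if pkt.proto == "tcp" and "ACK" in pkt.flags and "SYN" not in pkt.flags:
            return ALLOW
        return DROP


class StatefulFilter:
    """Connection-tracking filter: an inbound packet is admitted only when it
    belongs to a flow a LAN host opened (and that has not timed out) or
    matches an explicit port forward.  Everything else is dropped and counted."""

    def __init__(self, port_forwards=(), tcp_timeout=300, udp_timeout=30):
        self.port_forwards = set(port_forwards)   # {(proto, lan_port)} - assumed config
        self.flows = {}                            # flow key -> time last seen
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.dropped = 0                           # unsolicited packets examined and dropped

    @staticmethod
    def _key(pkt):
        # Normalise both directions to the LAN-side view of the conversation:
        # (proto, lan_ip, lan_port, wan_ip, wan_port)
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _expire(self, now):
        # Idle entries age out; UDP has no handshake, so it gets a short lifetime.
        for key, seen in list(self.flows.items()):
            if now - seen > self.timeouts.get(key[0], 30):
                del self.flows[key]

    def decide(self, pkt, now):
        self._expire(now)
        key = self._key(pkt)
        if pkt.direction == "out":
            self.flows[key] = now          # LAN host started/continued a conversation
            return ALLOW
        if key in self.flows:
            self.flows[key] = now          # reply to a tracked flow: refresh and pass
            return ALLOW
        if (pkt.proto, pkt.dst_port) in self.port_forwards:
            self.flows[key] = now          # admitted by rule; track it so replies match
            return ALLOW
        self.dropped += 1                  # unsolicited: dropped, but still processed
        return DROP


def demo():
    """Run constructed traffic through both filters and return the verdicts."""
    lan, web, probe = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    spi = StatefulFilter(port_forwards={("tcp", 22)})   # one deliberate forward
    acl = StatelessAcl()

    syn = Packet("out", "tcp", lan, 40000, web, 80, {"SYN"})
    synack = Packet("in", "tcp", web, 80, lan, 40000, {"SYN", "ACK"})
    ack_probe = Packet("in", "tcp", probe, 443, lan, 40001, {"ACK"})   # never opened
    ssh_in = Packet("in", "tcp", probe, 50000, lan, 22, {"SYN"})       # forwarded port
    dns_q = Packet("out", "udp", lan, 53001, web, 53, set())
    dns_r = Packet("in", "udp", web, 53, lan, 53001, set())
    # Constructed flood: 1000 unsolicited UDP packets at the open DNS client port
    udp_flood = [Packet("in", "udp", probe, 1000 + i, lan, 53001, set()) for i in range(1000)]

    out = {}
    out["spi_synack"] = (spi.decide(syn, 0), spi.decide(synack, 1))
    out["spi_ack_probe"] = spi.decide(ack_probe, 2)
    out["acl_ack_probe"] = acl.decide(ack_probe)
    out["spi_port_forward"] = spi.decide(ssh_in, 3)
    out["spi_dns_reply"] = (spi.decide(dns_q, 10), spi.decide(dns_r, 11))
    out["spi_dns_stale"] = spi.decide(dns_r, 42)          # UDP entry aged out after 30 s
    out["spi_flood_dropped"] = sum(spi.decide(p, 50) == DROP for p in udp_flood)
    out["spi_total_dropped"] = spi.dropped
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Running `demo()` shows the SYN/ACK and DNS reply admitted because a LAN host asked for them, the ACK probe dropped by the stateful filter but accepted by the stateless ACL, the stale DNS reply dropped once its entry has aged out, and all 1000 flood packets dropped while still being counted against the box.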

If it qualified, technically, then it would have been submitted to CERT for certification.

I completely agree, but I can't just make a blanket statement that a BEFSX will provide the level of protection that home users might need, since we don't know what level of protection they need, since each home/client is different. What we can say is that the BEFSX is a nice unit, a NAT router, and provides some nice firewall-like features, and it may be more than suitable for most home users.

If the BEFSX was a full firewall, then they would have submitted it for Certification to CERT. If a vendor as large as Linksys / CISCO has a product that is worthy of the classification of "Firewall" they would go the extra step to have it certified - that gives them a better selling position and more customers willing to buy it.

Leythos

Err cobblers.

Are you seriously trying to argue that a Cisco ASA somehow isn't a firewall because ICSA certification is in process and hasn't been granted yet?

Do you expect people to believe that ICSA certified Checkpoint FW-1 running on Splat is a 'firewall' but the exact same code running on a standalone Redhat or Nokia IP series is not ?

How can you possibly assert that a cisco device running Firewall Feature set cannot be a firewall because it has not been submitted to ICSA, but those submitted devices running the exact same code somehow are ?

ICSA certification is no guarantee of anything, let alone fitness for purpose.

According to

formatting link

the Chocolate FireGuards you're so fond of peddling are neither ICSA 4.0 nor 4.1 certified. Is that why they have been ripped and replaced at at least two large WatchGuard customers here in the UK I know of?

Or is it because they are unsupportable bug ridden rubbish ?

greg

Greg Hennessy

How can you possibly assert that a 457 makes the car fast?

I can't assert anything, only that a Certified solution is going to have a very high probability of working when setup the same as the tested solution.

I can not make that same assertion of an uncertified solution.

If I were to follow your reasoning then the WG certification would not mean anything and there would be no reason to pull them - according to you. Until a few months ago they were certified, I had checked around June.

If I follow my reasoning, then I at least have an expectation that a certified solution is likely to work properly.

So, are you suggesting that certifications mean nothing?

Leythos

As usual you've proven incapable of addressing a single point raised.

By your own logic Watchguard products are now not firewalls.

[diversionary fallacious irrelevance binned]
Greg Hennessy

Actually, I addressed specifically what you posted.

Yep, that would seem so, and I've contacted ICSA Labs and WatchGuard about it to determine what the real issue is, as they were still listed in June of this year.

Which would seem to indicate that most of your reply was binned.

Why can't you address anything I posted?

Leythos

You have done nothing of the sort.

I fail to see the relevance of the non sequitur posted above.

Proof if any were necessary of the fallacious nature of your argument.

I have, repeatedly. It is not the fault of the audience that the ridiculous premise you've trotted out here over the past several years has hoisted you upon your own petard.

You cannot explain why identical code running on one 'certified' platform suddenly stops doing what it's supposed to do when running on an 'uncertified' one.

The notion that certification provides some expectation of "working properly" is arrant nonsense. ICSA guarantees no such thing. Read their disclaimers sometime.

Greg Hennessy

Skywise wrote in news:12ka6ouq9uf9s54@corp.supernews.com:

I'm on cable, and am using a Linksys Wireless-G Cable Gateway (WCG200, ver. 2).

It's a cable modem, wireless/cable router, and an SPI firewall all rolled into one.

Nothing gets through its firewall. Nothing.

Yo!

Yohann

CERT doesn't write the internet standards.

Again, CERT isn't the authority in this case. RFC 2979 is. According to the RFC, a packet filter is a firewall.

Spender

Spender wrote in news: snipped-for-privacy@news.easynews.com:

Well, I think I have *some* knowledge. I run Kerio. I have Firefox 2, which has a popup blocker. I have Java on only because many sites I visit use it, and those I do trust. I have Norton 2000 for a/v and scan the files I download. I use MailWasher to keep out the spam, and I don't go around opening attachments willy-nilly anyway; that's just suicidal if you ask me. I've also disabled a lot of unnecessary services in W2K. I practice safe net. In my ten years on the net I've only been hit once, and it turned out to be my own damned fault anyway.

It's beginning to sound like the BEFSX41 will do me just fine, as it will complement the things I already do to be safe. If, in the future, I feel the need for more, I can always add a "real" firewall later on.

Now to go put on my asbestos armor as the flames seem to be getting a bit warm around here.... :)

Brian

Skywise

Sure, I've explained my position on it several times; why keep ignoring it?

Here it is again: A certified solution gives me a set of testing, hardware, firmware, specifics that show that it's passed X tests.

The same solution on another hardware, firmware, or some other variant, may or may not pass certification, and may or may not be as secure.

And they clearly say that under a given set of testing conditions, with specific hardware/firmware, that the device has passed certification (or not).

So, unless you continue to be as dense as a rock, even you can see that certification has merit, that it can give an expectation of the device being able to provide the tested functions/methods.

I've never said that an uncertified device can't protect you, or that it can't protect you as well, never, but I clearly state that a certified solution is very likely to be able to provide what it claims.

Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.