Linksys WRT54G and Firewall software

Sorry, but if you cannot explain why that would be so, how should any fool understand your point?

What is the "more" in protection a WRT54G (which we are talking about here, aren't we) with standard firmware (not a third party firmware) provides over a single or multiple Windows PCs with an XP SP2 firewall set with no exceptions allowed and connected directly to the internet?

You just say NAT is better than the SP2 FW but you never explain why. You give no arguments why that would be so. I have tried to explain the reasons for my statement (which you have not cited).

And whenever I see someone whose only "arguments" are like "it is obvious" or "only a fool" I get very suspicious...

Thus would you please explain?

Gerald

Reply to
Gerald Vogt

I would say that routers are used more and more by those who are informed. Routers do come with SPI (Stateful Packet Inspection), look it up if you don't know what it means.

Not with any router that's running SPI.

Do you know what SPI is?

You have not explained why the XP FW is better. XP's FW may be on par with a NAT router that's running SPI.

You can't read and understand English.

Well, the AV that I use has IMON (Internet Monitor) that will detect anomalies coming in over the TCP connection, stop it and allow me to terminate the connection. This allows me to use an email proxy client application to go to the ISP's email server and delete the suspicious email. The email never reaches my machines.

An infected or dubious file can be downloaded from a FTP site. Do you think it cannot happen?

That's you. You make your own bed and you lie in it. One doesn't rely on detection software like a crutch, but it doesn't hurt in the prevention.

For a machine that has a direct connection to the modem and to the Internet, a user would be some kind of fool not to run an AV and some kind of PFW/personal packet filter, or XP's FW/personal packet filter if using the XP O/S or some other MS NT based O/S.

Reply to
Mr. Arnold

I did give reasons, you just ignore them.

1) Holes in the XP Firewall that may or may not be present.

2) Holes in the firewall (XP SP2) put there by accident, by applications, by users that don't understand.

3) File and printer sharing enabled on a public connection....

The typical SOHO NAT router, by default, does not suffer any of those problems.

Are you really that ignorant of the modern NAT Routers that vendors mistakenly call Firewalls?

Reply to
Leythos

They are not basically the same thing, they are not subject to the same issues.

The NAT router is not under control of the OS or applications on the computer.

The NAT router is secured by default, except for wireless, and they are starting to change that.

The NAT router is not something that the user can screw up without connecting to it knowingly.

The NAT router does not have port-forwarding (exceptions) enabled by default.

The NAT router can provide, when setup, blocking of some outbound ports, that the OS/Applications can not unblock.

Reply to
Leythos

No, they do not both do the same thing. A router protects a network, and in the case of the XP FW running on a machine, it's machine level protection, although I have seen use of the XP machine and the XP FW in an ICS situation as a gateway, but FW(s)/packet filters were running on the other machines.

The XP FW/packet filter is doing the same thing as any other PFW or personal packet filter. That is to stop unsolicited inbound traffic from reaching the machine.

What does the 54G have to do with the difference between two host based software packet filters?

You have to ask him.

Disk space is cheap. If that's what they want to do, that's their business.

As long as programs are protected from the Internet, what difference does it make? You have no idea as to how someone will use his or her computer. It's their choice to do with the computer what he or she wants.

If one is in that situation, then he or she is in that situation and they should take the appropriate measures to stay updated, if he or she chooses to do so.

I am not going to say anything here. It's too easy to hammer you.

Reply to
Maximum Dog9

Not technically correct - they actually reach the machine and if there was an exploit path it would get through.

The NAT router (a typical SOHO unit) would never let the packet make it to the computer in the first place. Exploits at the machine would not be reached by "unsolicited" connections.

Reply to
Leythos

There may or may not be holes in NAT routers. Where is the difference? You rely on the proper implementation of the XP firewall or the NAT router.

The XP SP2 FW set to no exception with the user running as limited user cannot be changed by accident or intentionally to allow any application or file sharing on any connection.

And "users that don't understand" are no argument in a comparison of what is objectively better. If you want to talk about the users and what they do we would first have to define what "users" we are talking about, their knowledge and willingness to learn.

I am absolutely not ignorant. I have several and I even know what they are running inside. I also know that NAT as a concept is bound to have troubles at times, in particular if you are having many computers behind the NAT and you have heavy use of UDP to a few servers. It is easier with TCP but even then there are times when packets go through unsolicited (which occasionally makes a PFW running on a computer behind the NAT router think it is attacked and block everything).

Gerald

Reply to
Gerald Vogt

Um, you shoot yourself in the foot - if a simple NAT router, with a limited amount of code, has "troubles" then a complex amount of code like the Windows XP SP2 firewall would be subject to "troubles" too.

I've been using firewalls (appliances) for years and have never seen them "leak", and every one of them uses NAT as part of their routing methods.

Reply to
Leythos

Yes. But the NAT router is directly connected to the internet connection and it is completely unprotected (i.e. no filtering at all) on the LAN side.

NAT routers are not "secured" per se by default. They run NAT. NAT tries to match incoming packets to established connections and conversations. Its purpose is not to block but to allow traffic through. NAT thus drops any packets for which it does not know where to send them. But the reason is not to secure anything but simply that it does not know where to send the packet. If it thinks it knows because there is something in the SPI table, it sends it there. Check the filter rules on an actual NAT router. Look at the rules. The "security" NAT provides is simply dropping packets if it does not know what else to do with them.

Yes. But many routers are used mostly unconfigured, often not even changing the default password. Many routers even have UPnP enabled.

Nor has the XP SP2 FW.

Gerald

Reply to
Gerald Vogt

Huh? The NAT router runs a packet filter, NAT, and much more in a package. The XP SP2 is only a packet filter. No NAT. No flaky "access restrictions". No port forwarding.

Gerald

Reply to
Gerald Vogt

Oh, and you think that XP, directly connected to the PUBLIC Internet is completely protected? Nope.

Now, the NAT router, WAN port, the device was specifically designed to block unsolicited traffic inbound, which is not what the XP firewall was designed to do.

Oh, and lan side - you mean like if the packets get past the XP Firewall they don't have full access to the computer/OS/apps?

Are you resorting to misdirection because you know you're mistaken?

NAT routers don't "Think" they either match or don't match. There is no thinking in it. Dropping "unsolicited" or "unmatched" traffic is proper and what should be done.

And almost every one of those with UPnP and a default password don't have remote management enabled - so, again, they are secure by default - except for unsecured wireless, but as I mentioned, they are getting much better at not enabling wireless.

LOL - you're completely wrong. If I pickup any computer by any big box outfit it will have preconfigured exceptions. If I setup file and printer sharing it will setup exceptions. If I run as an administrator and install AOL it will punch holes/exceptions in it...

If I install a NAT Router (SOHO Typical) from the store, just bought today, no port forwarding, no holes, no way for the OS to configure it without my permission and knowing the password/IP, etc....

Reply to
Leythos

If my computer, running the OS and apps was limited to XP SP2 Firewall you might have a point, but, you can't run the XP SP2 firewall without XP.

The NAT router does not run a zillion line OS, does not run zillions of lines of code in applications....

Try again champ.

Reply to
Leythos

Yes. Therefore all the malware has to do is to "open" the port on the router. An unconfigured router with default password is an easy target. You could even run a quick dictionary attack if you wanted, as the router won't bother about repeated attempts to access the configuration interface from the LAN.

But even if it cannot access the management interface, the router may be configured for UPnP by default. Makes it easy to open the port.

The WRT is so popular there is even customized hacker firmware available which gives you full control of the router and the internet connection while the average user behind the router won't even notice as everything so far works normally...

And if there is nothing else, simply open the port by sending frequent UDP packets out. This allows you "unsolicited" incoming traffic through UDP.

But anyway, it still does not explain why my laptop with XP SP2 FW with no exceptions connected to a public hotspot is any more vulnerable than while it is connected behind a NAT router with or without the SP2 FW.

Gerald

Reply to
Gerald Vogt

Yes. It is protected. In some respects it does the same as the NAT router except for the NAT.

What exactly was the XP firewall designed to do if not block unsolicited inbound traffic?

If something gets past the XP firewall it must not necessarily have full access to the computer. It may be just limited user access. It depends where the packet ends up.

But what I have meant is that an average router is a very vulnerable target on the LAN side as it basically has no protection at all on the LAN side. Any malware on a computer on the LAN side, even a simple script which is running in a limited user account, can openly attack the router to reconfigure it or even flash it with a hacker firmware. The malware could even run a brute force attack on the password...

Yes. But it depends on the definition of "unmatched". The router does not consider if the packet is unmatched or not. It tries to match as well as it can. You usually won't notice if it does the job too well and forwards an unsolicited packet because the computer it gets to may consider it unsolicited, too. But generally, you can observe that there are some unsolicited (or misdirected) packets going through, in particular in situations where you have several computers behind the NAT and you are using UDP.

If the user screws up and has some malware on the computer, even if it is only running as limited user, the complete router can be taken over with some simple reconfigurations or a proper hacker firmware. The user won't even notice because the internet connection works as usual.

Setting up file and printer sharing or installing AOL is no default port forwarding. The last time I have checked Windows asked before opening some ports for file and printer sharing. But not as default.

O.K. I take my laptop from the store, turn on the XP SP2 FW with no exceptions and connect to a public hotspot. No problem either. Works fine to download all the newest updates from microsoft... And I am pretty sure that the FW will be on by default in an OEM installation.

Gerald

Reply to
Gerald Vogt
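The two points Gerald makes about NAT in the posts above (that the router forwards an inbound packet only when its translation table says where to send it, and drops it otherwise; and that an outbound UDP packet, a port-forward rule or UPnP creates exactly such an entry, so "unsolicited" traffic can reach a LAN host) are easier to see in a small model than in prose. The following is an added illustration written for this page, not code from any router, the thread participants or the WRT54G firmware. The addresses, the 30-second UDP idle timeout and the two filtering behaviours (the "endpoint-independent" and "address-dependent" terms are borrowed from RFC 4787; real SOHO units vary) are all assumptions of the model.

```python
"""Toy model of a SOHO NAT translation table (added illustration, not router code).

Shows: inbound packets are forwarded only when the table knows a destination;
an outbound UDP packet creates (and a repeated one refreshes) such an entry;
whether a third party may use it depends on the NAT's filtering behaviour;
a port forward (admin UI or UPnP AddPortMapping) is a static entry that lets
unsolicited inbound traffic through. Addresses are constructed from RFC 5737
documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    lan_ip: str
    lan_port: int
    peers: Set[str]      # remote hosts this LAN socket has sent to
    last_seen: float     # time of the last outbound packet, for expiry


class SohoNat:
    WAN_IP = "203.0.113.7"    # assumed public address of the router
    IDLE_TIMEOUT = 30.0       # assumed idle timeout for dynamic mappings

    def __init__(self, filtering: str = "endpoint-independent") -> None:
        # "endpoint-independent": any remote host may send to a mapped port
        # "address-dependent": only hosts the LAN socket already sent to
        if filtering not in ("endpoint-independent", "address-dependent"):
            raise ValueError(filtering)
        self.filtering = filtering
        self._next_port = 40000
        self.table: Dict[Tuple[str, int], Mapping] = {}             # (proto, ext_port) -> Mapping
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, ext_port) -> (lan_ip, lan_port)
        self.drops = 0

    def add_port_forward(self, proto: str, ext_port: int, lan_ip: str, lan_port: int) -> None:
        """What the admin UI or an (unauthenticated) UPnP AddPortMapping request does."""
        self.forwards[(proto, ext_port)] = (lan_ip, lan_port)

    def _find_ext_port(self, proto: str, lan_ip: str, lan_port: int) -> Optional[int]:
        for (p, ext), m in self.table.items():
            if p == proto and m.lan_ip == lan_ip and m.lan_port == lan_port:
                return ext
        return None

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> WAN: create or refresh the mapping, return the translated packet."""
        ext = self._find_ext_port(pkt.proto, pkt.src_ip, pkt.src_port)
        if ext is None:
            ext, self._next_port = self._next_port, self._next_port + 1
            self.table[(pkt.proto, ext)] = Mapping(pkt.src_ip, pkt.src_port, set(), now)
        m = self.table[(pkt.proto, ext)]
        m.peers.add(pkt.dst_ip)
        m.last_seen = now                      # a keep-alive refreshes the entry
        return Packet(pkt.proto, self.WAN_IP, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """WAN -> LAN: forward if the table says where, otherwise drop."""
        key = (pkt.proto, pkt.dst_port)
        if pkt.dst_ip == self.WAN_IP and key in self.forwards:   # static rule: unsolicited traffic goes through
            lan_ip, lan_port = self.forwards[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        m = self.table.get(key) if pkt.dst_ip == self.WAN_IP else None
        if m is None or now - m.last_seen > self.IDLE_TIMEOUT:  # nowhere to send it
            self.drops += 1
            return None
        if self.filtering == "address-dependent" and pkt.src_ip not in m.peers:
            self.drops += 1
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, m.lan_ip, m.lan_port)


def _dest(pkt: Optional[Packet]) -> Optional[Tuple[str, int]]:
    return None if pkt is None else (pkt.dst_ip, pkt.dst_port)


def demo(filtering: str = "endpoint-independent") -> Dict[str, object]:
    """Two LAN hosts talk UDP to the same server; then various WAN-side packets arrive."""
    nat, server, stranger = SohoNat(filtering), "198.51.100.5", "192.0.2.99"
    a = Packet("udp", "192.168.1.10", 5000, server, 27015)
    b = Packet("udp", "192.168.1.11", 5000, server, 27015)
    out_a, out_b = nat.outbound(a, now=0.0), nat.outbound(b, now=0.0)
    results = {
        "ext_a": out_a.src_port, "ext_b": out_b.src_port,
        # server reply: matched and delivered to the right host
        "reply_a": _dest(nat.inbound(Packet("udp", server, 27015, nat.WAN_IP, out_a.src_port), now=1.0)),
        # third party aims at A's mapped port: depends on filtering behaviour
        "stranger_a": _dest(nat.inbound(Packet("udp", stranger, 4444, nat.WAN_IP, out_a.src_port), now=2.0)),
        # no entry for this port at all: dropped
        "unmapped": _dest(nat.inbound(Packet("udp", stranger, 4444, nat.WAN_IP, 40099), now=2.0)),
    }
    nat.outbound(a, now=25.0)   # A keeps sending; B goes quiet
    results["late_a"] = _dest(nat.inbound(Packet("udp", server, 27015, nat.WAN_IP, out_a.src_port), now=50.0))
    results["expired_b"] = _dest(nat.inbound(Packet("udp", server, 27015, nat.WAN_IP, out_b.src_port), now=50.0))
    nat.add_port_forward("tcp", 80, "192.168.1.10", 80)   # e.g. set by UPnP from the LAN
    results["forwarded_80"] = _dest(nat.inbound(Packet("tcp", stranger, 51234, nat.WAN_IP, 80), now=51.0))
    results["drops"] = nat.drops
    return results


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-dependent"):
        print(mode, demo(mode))
```

Run it once in each mode: with endpoint-independent filtering the "stranger" packet reaches 192.168.1.10 because A's outbound UDP created an entry the NAT will use for anyone, which is the hole-punching behaviour described in the thread; with address-dependent filtering it is dropped, but the server's reply and the port-forward entry still get through either way, and B's reply is dropped only because its mapping has gone idle. Nothing in the model looks at the packet's intent, it only asks the table where the packet belongs.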

And what is "not enough" when a computer with a XP SP2 FW with no exceptions connects to another network compared to a NAT router (which seems to be enough)?

I don't know what that is about. We are comparing the XP SP2 FW with the NAT router WRT54G. I first assumed that there was another 3rd party firmware involved but was told that it is not so.

Then, why do you answer?

But if you are really concerned about security of your computer, not installing any junk you come across is far more efficient and better than installing PFW, AV, 5 malware scanners, etc.

Gerald

Reply to
Gerald Vogt

Check again.

The XP SP2 FW is SPI, too.

Even that you cannot explain.

But why do you want to download the dubious file in the first place?

I connect my laptop with XP SP2 FW with no exceptions to public hotspots. Nothing is happening. I did that before when I still had PFW and AV on it. None of them ever reported anything relevant for a couple of years. All they did well was slowing down the computer.

Gerald

Reply to
Gerald Vogt

Yes. And? What is your point? Running an application like MS Word on the computer will severely affect the function of the firewall? Run PowerPoint and the firewall dies and exposes the whole interface?

And running some crappy code on a crappy cheap router with crappy hardware is so much more reliable? I haven't seen a standard consumer router where the firmware is not full of bugs (which affect the actual normal operation) and where occasionally a whole hardware series does not have a fairly high return rate due to hardware issues. There is a reason why a Cisco or 3com SOHO router costs 10 or 20 times as much as a Netgear, Linksys, or D-Link. Only a part of that is due to mass production.

I would not want to bet on whether it is so much more likely the XP SP2 FW will be affected from load on a computer than some cheap router.

Also: suppose there is a new vulnerability in the MS TCP/IP stack or FW which allows elevated code execution. You can expect to have that fixed quickly. The stack is one of the core components of communication. Suppose a vulnerability is found in the Linux TCP/IP stack. The fix will be available very quickly, too, but how long will it take until the Linux based routers have new firmware available and are updated?

Gerald

Reply to
Gerald Vogt

And the XP firewall could relatively quickly be fixed with an update. Routers are seldom kept updated.

Reply to
B. Nice

Then what would you suggest instead?

Reply to
B. Nice

Just because it tries doesn't mean it actually can. It fails so blatantly for malicious software.

Reply to
Sebastian Gottschalk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.