Best cable modem setup?

Dennis K. wrote in news: snipped-for-privacy@4ax.com:

Well, I'm behind a NAT router. I do use a software firewall on each machine, with the full realization that some malware can disable or bypass them. However, for most programs, malware or not, it does ask for permission to allow the program access or not. Also, if one of the other computers on my LAN should be compromised, it will prevent access attempts from them incoming to my uncompromised machines. File sharing is turned off to everything but the multifunction printer on the network.

There are widely varying opinions of the merits of such setups, so expect conflicting opinions. Decide for yourself.

John Gray

The nature of NAT is such that someone on the outside can find the NAT box (commonly a home broadband router in our context), but they can't find the computers attached behind it.

Imagine finding an apartment building, and finding a door bell panel with thousands of buttons. If you've been invited by a tenant, they've told you which of the many buttons is theirs. And they can tell you what pattern to tap-out so they'll answer. If you're just walking down the street looking for people to bug, not only will it be unlikely that you'll find the right button, it's even less likely that you'll know the right pattern to tap-out to get an answer if you do find a button that attaches to something. For all practical purposes, you're locked-out.

What NAT can't protect you from is attacks from within. If you allow a trojan in (perhaps a drive-by download from a website you visited), it can invite problems in when it phones home. In this case, the attack will know which button to press, and what pattern to tap-out because it's being invited in behind your back.

The most effective way of fighting these problems is a software firewall that monitors programs attempting to make outbound connections. The problem is that these programs usually will ask a user if they want to allow a connection, and many of the people who are most prone to inadvertently allow these trojans to enter in the first place are also prone to rubber-stamp any outbound connection request with a "yes". (Or at least they are once they discover that rubber-stamping with a "no" can disconnect them from the Internet altogether.)

But for someone who's alert, this level of protection, along with regular scans for viruses, trojans, spyware and adware, along with the intrinsic protection of NAT, will be sufficient.

However, if you happen to have information that needs to be protected for national security issues, or have some other data that makes you a real target of people other than script-kiddies, relying on a software firewall running on the same machine that it's trying to protect is like hoping an interior door in your house will protect the house. If they're already into the machine, half their objective is met, and getting past a piece of software is as easy as knowing how to remotely disable it.

There are external firewall boxes offering various levels of security well beyond what NAT and a software firewall provide. But frankly, most home users don't need to invest in these any more than they need to invest in an electric fence, a moat, or an armed guard to protect their homes. They're just overkill for most people.

So to more directly answer your question, NAT, along with a software firewall that monitors outbound connections, and regular scans of your computer by anti-virus (etc.) programs is sufficient for most users, and a true hardware firewall is not required. And yes, NAT is a very important component of this strategy.

Warren
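
Added example (not part of the original posts): a toy Python model of the translation table behind the doorbell-panel analogy above, showing why unsolicited inbound packets are dropped while replies to any outbound connection, wanted or not, are delivered. The `NatRouter` class, the addresses and the ports are constructed for illustration, and the model assumes the router only accepts replies from the exact remote address and port that was contacted; real routers vary in how strictly they filter.

```python
"""Toy model of the address/port translation table in a home NAT router.
Added illustration; all addresses are constructed documentation/private ranges."""

class NatRouter:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}  # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.by_flow = {}         # same 4-tuple -> public port

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: create (or reuse) a mapping."""
        flow = (lan_ip, lan_port, remote_ip, remote_port)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_public_port[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.by_flow[flow])

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from outside: forward only if it answers a known flow."""
        flow = self.by_public_port.get(public_port)
        if flow is None or flow[2:] != (remote_ip, remote_port):
            return None       # unsolicited: dropped
        return flow[:2]       # delivered to (lan_ip, lan_port)


def demo():
    nat = NatRouter("203.0.113.10")
    results = {}
    # 1. An outside host probes the router with no prior outbound flow.
    results["unsolicited"] = nat.inbound("198.51.100.7", 4444, 40000)
    # 2. A browser on the LAN connects out; the reply is let back in.
    _, port = nat.outbound("192.168.1.100", 51000, "192.0.2.80", 443)
    results["reply"] = nat.inbound("192.0.2.80", 443, port)
    # 3. Same public port, but a different sender: still dropped.
    results["wrong_sender"] = nat.inbound("198.51.100.7", 4444, port)
    # 4. A program the user never meant to run connects out. To the router this
    #    looks exactly like case 2, so the reply is delivered as well.
    _, port2 = nat.outbound("192.168.1.100", 51001, "198.51.100.7", 4444)
    results["unwanted_reply"] = nat.inbound("198.51.100.7", 4444, port2)
    return results


if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(f"{case:15} -> {delivered_to}")
```

Case 4 is the gap that per-program outbound monitoring on the PC is meant to cover, since the router has no way to tell which program opened the flow.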

Networking is not my strong point, so I'll not comment on any advice that's been given here. Compliments on command of the English language to Todd, though.

Ubiquitous ..... now THAT'S a word not commonly heard.

catv tech

Well, that kind of depends on whether you hang out with people who watch Jeopardy every night, or with people who can't wait for the next new episode of Fear Factor.

Warren

For the record, give me Fear Factor. The ubiquity of ample bosoms on that show makes Jeopardy pale in comparison.

catv tech, thanks for the kind words, though I had to figure out where I'd actually said that.

Best Regards,

Todd H.

OK. The WRT54G came today. And I have asked TW to come out and install roadrunner on Wednesday.

I opened the box for the WRT54G and glanced at the instructions. It says that before I do anything, I should insert the CD that came with it and follow the directions. Exactly what does this CD do to my PC? I assume it's configuring something. Whatever it is doing, can it be undone if necessary?

Do I need to do this on every PC I plan to use with the router?

Dennis K.

You can skip the CD entirely if you like. It just makes configuring wireless security a lot easier for the uninitiated. If it makes you more likely to configure WPA PSK on your wireless computers, by all means use the CD to get that set up.

Otherwise, set your computer to use DHCP, plug the computer in to the router on the LAN side, point your web browser at http://192.168.1.1, log in with admin as username and password, and do your config from the built-in web server.

Todd H.

Thanks. Since I don't have any wireless devices at this time, I guess I can skip that part. When my mom stops by to visit in a month with her wireless laptop, I guess I can install it then.

I suspect the CD also has a user's manual on it as well as a 60-day trial on Norton Internet Security. Do I need the Norton firewall if my PCs have the XP firewall running?

Doesn't the WRT54G have its own built-in firewall?

Dennis K.

In general if you know how to get to this newsgroup you don't need the CD. Just browse to 192.168.x.1 (it should be on the bottom sticker) and start configuring it. Not THAT hard. The defaults are all fairly reasonable.

The big one is to rename your wireless net to something other than Linksys and give it a WPA-PSK password.

DLR

No. The more Norton crap you keep off of your machine the happier you'll be.

Yes, it implements a network-based stateful packet inspection firewall, a NAT router, and a 4-port 100 Mbps switch. The SPI firewall protects against inbound network-based threats. It does not do any egress (outbound) filtering, however.

Todd H.

As Todd says, it is not necessary to run the CD when you deploy the router. I'd like to add that you should *not* run the CD after you have deployed the router, and have a working LAN. Running the CD at a later time will make unintended changes to your LAN and the network settings on the computer that it is running on. Do *not* run it later.

The Windows XP firewall only protects you from incoming problems. It does not protect you from outbound problems. For example, the XP firewall will let you carry a trojan in, and if your anti-virus program doesn't detect it, that trojan can then run on your computer, connect to the real world, let other stuff in, and the Windows XP firewall won't blink an eye because the attacks will actually be initiating from the inside, not the outside.

Does this mean you should install the Norton firewall instead? No. That's not what it means.

Depending on how you use your computer, you may not want any firewall running at all. If I remember correctly, you needed a public IP address so you could do some networking homework from a remote location. The presence of a firewall of any kind can make troubleshooting any problems you run into more difficult.

Of course if you're limiting your security to what's provided by the nature of NAT and the SPI in the router, you probably shouldn't keep any valuable data (like passwords to your bank accounts) on that computer, either.

What kind of protection you install should be based upon what you need (or don't need). After you decide what you need, you can then evaluate the choices out there. And when you do that, you'll run into all the issues people have with Norton software, even after they think they've uninstalled it all.

The last thing you want to do is just casually install some free trial software just because it was included with something else. That software is no different than the ads for wallets and pen sets that are stuffed in your credit card statement each month. It's just a way to hook you in before you have time to think about what you're doing.

Warren

You must be thinking of someone else. I don't need a public IP address. You may have been thinking of my question about using a hub *instead* of a NAT router.

I keep my passwords in encrypted form on the PC.

***

Thanks for your comments...

Dennis K.

RoadRunner is installed and working. After the installer left I plugged in the router and things pretty much worked out-of-the-box.

I went in to the router's setup program and changed the admin password and disabled wireless network mode (since I don't have any wireless devices at the moment). Is there anything else that I should do security-wise in the router's setup?

Thanks for your advice,

Dennis K.

Check for updated firmware on the company's site, but other than that those are typically the only 2 things to get you in a reasonably secure stance.

Todd H.
