This may be a stupid question, but I am new to cable modems and being connected all the time.
Is it safer to use a router with NAT between the modem and the computer rather than just go from the modem direct to the computer using a firewall? I know the advantages of the router regarding additional computers having access.
100% YES. A router blocks unsolicited inbound traffic to your system. Recent news releases show that unprotected systems can be infected in as little as 20 minutes (some reported even less time). Any broadband connection at a minimum should have a NAT device between the modem and computer.
I've never seen a consumer router that allows you to specifically block ports since all ports are generally blocked by default, except for the ones that are specifically opened.
On Linksys BEFSR41 and BEFSR81 v1 and v2 Routers the URL is -- http://192.168.1.1/Filters.htm
Linksys BEFSR41 and BEFSR81 v3 Routers use a different URL but utilize the same construct. I have also done it on other routers such as Asante. I have also received feedback that it can be done on many other vendor's Routers.
The Routers don't default to block any ports. They are analogous to a closed door. Using the right request, an Internet node (I-worm or hacker) can open the port's door. Specifically blocking the port is analogous to locking the port's door. You can't go out that blocked port from the LAN side nor can you get in that port via the WAN side.
Dave
135~139 and 445.

| I've never seen a consumer router that allows you to specifically
| block ports since all ports are generally blocked by default, except
| for the ones that are specifically opened.
|
| --
| Bill
A software firewall on the same machine it is trying to protect can't be as effective as a firewall prior to the machine it's trying to protect. The difference is like placing a guard outside the door to protect the door vs. placing a guard inside an unlocked door to keep the intruders already in the room from doing any damage.
Additionally, the software firewall needs to integrate itself into the TCP/IP stack which can result in an unstable stack. While the software designers have gotten better, and the OS's have gotten tougher, this is still a problem.
NAT routers with SPI are inexpensive and effective. They don't let the intruder into the protected machine, and they don't add instability to the network stack. What they don't do is prevent user errors.
By user error I mean the user letting in a trojan that opens the machine to attack from the inside. To the router, it appears that the incoming attack was invited. This is also the case for software firewalls that only look at incoming communications, such as the built-in firewall of Windows XP. The advantage of a firewall that looks at outgoing communication is that it can stop these trojans -- assuming the user understands the messages it displays, and does not grant permission to the trojans to initiate the communication. So in the hands of an uninformed or careless user, even those software firewalls have little or no benefit.
I can do it with an antique SMC Barricade 7004BR. Not that I would waste two of only eight SPI fields on ports already effectively blocked by the native NAT feature.
All the SOHO routers that I am aware of use NAT/PAT for sharing a single WAN IP address with multiple computers on the LAN. Such routers need a forwarding table to process incoming packets. No entry in the table for the unsolicited packet, and it gets dropped. There is no request that can make a router forward an unsolicited packet; if the router does not know where to forward the packet, the router drops it.
As for "opening doors"; real world analogies to the Internet rarely work. The port is not at all like a "closed door"; it is just a part of the memory address block, which can accept data, if it is enabled, or not. To access a port, there must be an application listening on that port. If there is no application listening, there is no place for the packet addressed to that port to go. WRT the router, the only ports available on the LAN side, depending upon make and model, are usually IdentD and Remote Administration. Turn them off, and there are no ports answering to remote connections.
You are trying to describe an electrical "latch" (a memory register) using a physical barrier between spaces as an analogy. It doesn't work like that.
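The forwarding-table behaviour described in the post above, together with the "locked door" effect of explicitly filtering 135~139 and 445 that an earlier poster recommends, as an added Python simulation. This is not code from any poster or router vendor; the NatRouter class, the addresses (RFC 5737 documentation ranges) and the port numbers in the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

# Ports the thread recommends blocking in both directions (NetBIOS/SMB).
BLOCKED_PORTS = set(range(135, 140)) | {445}


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy NAT/PAT router: a forwarding table plus a static port filter.

    Outbound packets create (or reuse) a table entry keyed by the WAN port
    the router assigns.  Inbound packets are forwarded only when an entry
    matches both the WAN port and the remote endpoint; anything else is
    dropped because the router has nowhere to send it.
    """

    def __init__(self, wan_ip, first_wan_port=40000):
        self.wan_ip = wan_ip
        self.next_wan_port = first_wan_port
        # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        self.log = []

    def _filtered(self, pkt):
        # The "locked door": the port is unusable from either side.
        return pkt.src_port in BLOCKED_PORTS or pkt.dst_port in BLOCKED_PORTS

    def handle(self, pkt):
        """Return (verdict, translated_packet_or_None)."""
        if self._filtered(pkt):
            self.log.append(("DROP filter", pkt))
            return "DROP filter", None

        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            wan_port = next((wp for wp, v in self.table.items() if v == key), None)
            if wan_port is None:
                wan_port = self.next_wan_port
                self.next_wan_port += 1
                self.table[wan_port] = key
            self.log.append(("FORWARD", pkt))
            return "FORWARD", Packet("out", self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

        # Inbound: the packet must match an existing entry exactly.
        entry = self.table.get(pkt.dst_port)
        if entry is None or entry[2] != pkt.src_ip or entry[3] != pkt.src_port:
            self.log.append(("DROP unsolicited", pkt))
            return "DROP unsolicited", None
        lan_ip, lan_port, _, _ = entry
        self.log.append(("FORWARD", pkt))
        return "FORWARD", Packet("in", pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def run_demo():
    """Push a constructed packet sequence through the router; return the verdicts."""
    router = NatRouter(wan_ip="198.51.100.7")
    packets = [
        # LAN host opens an HTTP connection: creates a table entry.
        Packet("out", "192.168.1.10", 51000, "203.0.113.5", 80),
        # The web server's reply matches that entry: forwarded to the LAN host.
        Packet("in", "203.0.113.5", 80, "198.51.100.7", 40000),
        # A scanner reuses the same WAN port from a different source: dropped.
        Packet("in", "192.0.2.66", 4444, "198.51.100.7", 40000),
        # A scanner probes a port with no entry at all: dropped.
        Packet("in", "192.0.2.66", 4444, "198.51.100.7", 3389),
        # LAN host tries SMB outbound: the filter stops it even from inside.
        Packet("out", "192.168.1.10", 49152, "203.0.113.5", 445),
        # Inbound traffic sourced from a filtered port: dropped before table lookup.
        Packet("in", "203.0.113.5", 445, "198.51.100.7", 40000),
    ]
    verdicts = [router.handle(p)[0] for p in packets]
    return verdicts, router


if __name__ == "__main__":
    verdicts, router = run_demo()
    for verdict, pkt in router.log:
        print(f"{verdict:18} {pkt.direction:3} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

The second and third packets make the point of the post: the same WAN port that forwards a reply from the host the LAN side actually talked to drops a packet from anyone else, with no "request" available to change that. The last two packets show what the explicit filter adds on top of NAT: the blocked ports are refused in both directions, regardless of table state.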
I have watched my computer boot. The computer is already making TCP/IP broadcasts over the LAN before the software firewall is loaded. If my computer was connected directly to the Internet, instead of behind a router, that is a window of opportunity for Sasser/Blaster, and the like.
{Looking around the outfield, trying to see where that came from...}
Most routers are fairly easy to find, if set up out of the box. Every one I've ever worked with leaves port 113 in a "closed" state; and the Linksys BEFSR11 (Firmware Version: 1.46.00, Jun 24 2004) I have only shows as "stealth" those ports blocked by my ISP (TCP 135, 139, 445, and 1025). All else show as closed; it is a very responsive device, and you would have no trouble finding it on the Internet.
I don't know all the "ring 0, ring 1" stuff happening at the lowest machine level, but I know that the TCP/IP stack is active long (in terms of computer cycles) before the Windows registry Run keys start the firewall. That is a window of opportunity for Sasser/Blaster, and the like.
I beg to differ. I have been through these discussions before and ports 135~139 and 445 are open on the LAN side with MS Networking.
An ounce of prevention is worth a pound of cure but, it is not worth arguing over (again!).
I will state that I have seen WAN addresses on a LAN side Win2K platform's NetBIOS cache (Linksys BEFSR41, forget the firmware version of that time). If a node can appear in the NetBIOS cache then packets have crossed the WAN/LAN NAT Router barrier. This behaviour was stopped by explicitly blocking the above stated ports.
I installed XP Pro on a system that was logically outside my firewall (on purpose--this was an experiment). It took approximately three minutes from the time it got to the desktop to it being infected and scanning to find other systems to spread the infection to.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.