OK, I've got the message that software firewalls are mostly snake oil so I want to get a hardware firewall so I can put my software firewall to bed for good. Would I have to disable the firewall in my router if I get one, or do these work as routers too and I can remove my router from the chain? Post your recommendations. Thanks.
I recommend the ZyXEL ZyWall 2 firewall (ICSA certified) for networks of fewer than 10 users. It has a built-in broadband (DSL or cable) gateway (router) and a 4-port Ethernet switch, and you can get it for less than $200.
You can connect it directly to your broadband modem and remove your router; it will work as a firewall and a router at the same time.
Why isn't the firewall in your router sufficient? It is true that if you have a business or organisation with a group of inexperienced users then a router designed for home use may not be sufficient, although they are getting better and cheaper. If there's only you with one or two PCs at home and if you are reasonably experienced (or wish to become more experienced) and are able to supervise other users of your home PCs then it may not be necessary to use anything more than a home router.
Since I don't know your situation or experience it is difficult to give specific advice.
It may be that a hardware firewall is a good choice for you but can you tell me why you want one? One good reason may be to learn how to configure one.
Assuming you are using Windows PCs then there are many other things to check before you start worrying about firewalls.
In my experience, home users often mistakenly put firewalls (hardware or software) above everything else. I've seen users who told me they must be safe because they had a firewall but who turned out to be running as administrator with no Windows updates, no anti-virus software (or anti-virus software that had never been updated) and no updates to other software such as Java, Acrobat, Flash, Office, etc.
No, I've got all the other protections in place so am ok there. The reason I want one is because I see a few people in here saying the firewalls in routers are not really firewalls and are very basic. I want a real firewall so I have a new toy to play with. :)
In most cases, unless you actually get a firewall that knows the difference between HTTP and DNS, you're not really getting much more than a NAT appliance.
What I mean is that many of the cheap firewall appliances don't really know the difference between HTTP, FTP, DNS and HTTPS; they only let you create rules by port number (TCP/UDP) and direction (in/out). Most of them don't allow you to filter content in an HTTP session or an FTP session, and I don't know of any cheap ones that filter content/headers from inbound SMTP sessions.
Considering that most of the cheap firewalls also have some form of user (IP) limit unless you purchase additional licenses, you don't gain a lot.
Now, if you consider the last two paragraphs, a NAT appliance like the almost-firewall DFL-700 by D-Link becomes a really nice device. Even a quality NAT appliance is doing almost as much as the cheap firewall appliance. Just look at what each does yourself and you'll see that there really isn't a lot of difference between the quality NAT appliances (that claim to be firewalls) and the cheap firewalls (and I'm talking under $300 USD).
My mother-in-law uses a Linksys BEFSX41 unit, has used it for 4 years, and has never had an uninvited intrusion that we could detect or see traces of. The unit is connected to another PC that she doesn't use, which runs WallWatcher and sends me logs every night. I've also seen the same protection provided to groups of users (20 to 30 people in a common building). We've even got one office building with a Cisco switch (so we can track traffic) connected to 12 Linksys BEFSR41 units that provide service to 12 clients in the building. None of the clients have access to the admin pages of the routers, but we ensure that the clients understand that this is NOT a firewalled solution and they are welcome to install a firewall if they want.
Most of our clients, and my own business and home, have what I consider firewall appliances - they know the difference between protocols and filter content out of HTTP/FTP/SMTP sessions, block websites based on categories of provided content, allow dedicated branch office VPN solutions, etc...
So, if you already have a NAT solution, unless you move way up the chain, or install some software based solution on a dedicated box, you are not going to gain much.
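The distinction drawn in the post above, between a rule engine that only sees direction, L4 protocol and port number and one that also checks that the payload is the protocol expected on that port, as an added illustration in Python. This is not code from the thread or from any of the products named; the `Packet` type, the rule tuple layout and the sample traffic (an SSH banner pushed out over TCP/80, a junk datagram on UDP/53) are all constructed for the example.

```python
"""Toy packet filter: port-only rules versus protocol-aware rules.

Added illustration, not code from the thread or from any vendor product.
Packets are constructed in-line; the rule formats are invented for the demo.
"""
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" (relative to the LAN)
    l4: str          # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes of application data on the flow


def port_rule_allows(pkt, rules):
    """Cheap-appliance style: match on direction, L4 protocol and port only.

    rules: list of (direction, l4, port, action), first match wins, default deny.
    """
    for direction, l4, port, action in rules:
        if (pkt.direction, pkt.l4, pkt.dst_port) == (direction, l4, port):
            return action == "allow"
    return False


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload):
    """Request line must start with a method and end with an HTTP/1.x version."""
    if not payload.startswith(HTTP_METHODS):
        return False
    request_line = payload.split(b"\r\n", 1)[0]
    return request_line.endswith((b"HTTP/1.0", b"HTTP/1.1"))


def looks_like_dns(payload):
    """Parse the 12-byte DNS header: QR=0 (query), opcode 0, >=1 question, no answers."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", payload[:12])
    is_query = (flags & 0x8000) == 0
    opcode = (flags >> 11) & 0xF
    return is_query and opcode == 0 and qdcount >= 1 and ancount == 0 and nscount == 0


PROTO_CHECKS = {"http": looks_like_http, "dns": looks_like_dns}


def protocol_rule_allows(pkt, rules):
    """Application-aware: same 3-tuple match, plus the payload must be the named protocol.

    rules: list of (direction, l4, port, proto, action). A flow on an allowed port
    carrying something other than the expected protocol is denied, not passed.
    """
    for direction, l4, port, proto, action in rules:
        if (pkt.direction, pkt.l4, pkt.dst_port) == (direction, l4, port):
            if not PROTO_CHECKS[proto](pkt.payload):
                return False
            return action == "allow"
    return False


# Equivalent policies in both rule formats: outbound web and DNS only.
PORT_RULES = [("out", "tcp", 80, "allow"), ("out", "udp", 53, "allow")]
PROTO_RULES = [("out", "tcp", 80, "http", "allow"), ("out", "udp", 53, "dns", "allow")]

# Constructed sample traffic (not captured from any real network).
HTTP_GET = Packet("out", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
SSH_ON_80 = Packet("out", "tcp", 80, b"SSH-2.0-OpenSSH_9.6\r\n")   # tunnel squeezed onto 80
DNS_QUERY = Packet("out", "udp", 53,
                   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: 1 question
                   b"\x07example\x03com\x00\x00\x01\x00\x01")          # example.com A IN
JUNK_ON_53 = Packet("out", "udp", 53, b"hello over udp 53")
INBOUND_80 = Packet("in", "tcp", 80, b"GET / HTTP/1.1\r\n\r\n")       # no inbound rule


def compare(pkt):
    """Return (port-only verdict, protocol-aware verdict) for one packet."""
    return port_rule_allows(pkt, PORT_RULES), protocol_rule_allows(pkt, PROTO_RULES)


if __name__ == "__main__":
    for name, pkt in [("http", HTTP_GET), ("ssh-on-80", SSH_ON_80), ("dns", DNS_QUERY),
                      ("junk-on-53", JUNK_ON_53), ("inbound-80", INBOUND_80)]:
        print(f"{name:12s} port-only={compare(pkt)[0]!s:5} protocol-aware={compare(pkt)[1]}")
```

The two flows that matter are `SSH_ON_80` and `JUNK_ON_53`: the port-only engine passes both, because they hit an allowed port, while the protocol-aware engine drops both, because the payload is not what that port is for. Real appliances that do this inspect far more than a request line or a DNS header, but the shape of the decision is the same.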
I've thought of doing that before but I don't want another big box taking up space and increasing the noise pollution. I already have two PCs beside my desk and don't really have room for a third. I'll consider it though, and thanks for the links.
I consider the 604 to be a standard NAT router. As long as it has firmware updates available and is still supported by the vendor, I consider it viable for home use, and every home user with an internet connection should have at least a NAT router as their first layer.
I would also suggest that you block outbound ports 135-
Two boxes "inside" on what, a residential cable connection? Think how much traffic/speed you need. The traffic _between_ your two systems shouldn't be hitting the firewall, and unless you are paying a LOT of bux for your connection, it's probably limited to something under 100 Megabit per second. My provider supplies a dual speed Ethernet connection (10 or 100BaseT), and I've connected that to a 10BaseT NIC in what remains of an ancient 386SX-16 laptop: no case, no display, no keyboard (it's admin'ed over the LAN with a backup connection via the serial port). A second NIC connects to a dual-speed HUB to allow multiple systems access. It's in a cardboard box, and there are two sources of noise, the hard disk and a four inch fan, neither of which is audible above the noise from the desktop systems. You don't _need_ a Quad Xeon with a Gig of RAM for this function. In my case, the lap-doggy only has 8 Megs of RAM. As for the electrical load, the _fan_ is consuming about a third of the total power into the box (about 15 watts total).