[Newbie alert!] Is the Linksys BEFSX41 hardware Firewall/router a "real" firewall?


All of the Linksys devices are just NAT routers, some with different features, but they are all just simple NAT routers. They are not firewalls in the traditional sense or in terms of what a firewall really does for protection.

They block unsolicited in-bound traffic unless you implement port-forwarding or some other means to direct traffic in-bound.

Will they secure your home? You can do many things with the different routers, like blocking outbound to destination ports (I always block outbound to destination ports 135~139, 445, 1433~1434, and 1025~1027 as a means to hinder the spread of a virus that compromises the internal network). Many of these devices (NAT routers) work just fine for inbound protection and, coupled with smart users, quality AV software, not using Internet Explorer (use Firefox instead), and not running ANY P2P programs, you can stay very secure.

The BEFSX allows for IP to IP VPN Tunnels in a very easy to setup mode.

Just make sure that you've changed the default network address from 192.168.0.x or 192.168.1.x to something like 192.168.10.x and that you use a very long/strong password.
Leythos

Melissa wrote in news: snipped-for-privacy@uni-berlin.de:


Howdy. IMO, the other respondents in the other group/forum are being a little snobby. But yes, it does just drop packets and that's about it. I am quite impressed by the LinkSys/Cisco product line. You should be fine. I like that they have GPL.

You would get more of a firewall by implementing a dedicated PC w/Linux. There are quite a few "install and away you go" distros for that, but I won't plug them here because you may not be interested.

But, if you are concerned, what you can do is go the next step. Here are a few.

You get what you pay for, and the above should cost more than LinkSys NAT.

Another thing what "geeks" do to save some $$$, is pickup an old webramp and load new sonicwall firmware on it. Apparently works quite well and very cost effective.


cheers, :-)

Darko Gavrilovic

This is what I ordered yesterday after reading Leythos' response to my posting.

Steve

"Steve" wrote in news:j8i1e.6$ snipped-for-privacy@news.uswest.net:

That's a very nice looking product. Much better FW throughput than the SOHO product line.

out of curiosity, why the x15 over the x5?

Darko Gavrilovic

That should be a good unit. Since we need two internal networks, unlimited IPSec branch office tunnels, and also want VPNs, and no limits on the number of internal IPs, we picked a X700 for this office to replace our FB-II unit that's still working perfectly.

I may sell the FB-II unit on E-Bay, they go for about $600 right now, and that's without the key.

Leythos

You have most likely seen this link in the other NG, but it may help others in the decision-making process about FW selection.
Duane :)

Duane Arnold

For a home user, there is very little that a real firewall appliance will do that a NAT Router won't (provided you get one with extra features) already do, at least for a home user.

As I see it, and I used to run a BEFSR41 in the early days before I started my own business and needed more security around the home office, you're not going to get comfortable without a PFW unless you start learning about networking and traffic.

If you get a BEFSX41 or even the lowly BEFSR41 and set up a small PC, something with Win 98 will even work, and run WallWatcher, you can monitor ALL inbound and outbound traffic in real time - a simple KVM switch will even let you share a single monitor/keyboard/mouse so that you don't have to purchase those for the monitoring PC (an off-brand KVM for 2 stations is about $20 most places).

With the advent of browsing the web as a Windows XP User, not an Administrator, FireFox 1.01+, quality AV products, and not using Outlook (any version) you should easily be able to do away with the PFW as long as you have at least a NAT Router.

You don't really need outbound protection. Think about it: once your machine is compromised, if it uses port 80 to attack/update there is little your firewall will do; same with SMTP, if you have unrestricted outbound SMTP then it can spam all it wants. The only real place a firewall appliance helps the home user is when the home user takes the time to understand the threats and paths in depth. Take our SMTP example: the NAT router can't limit SMTP outbound to the ISP only, it's an all or nothing type thing. A firewall appliance could limit outbound SMTP to just the ISP's SMTP servers; this would render any virus with its own SMTP engine about useless in spamming other SMTP servers - that doesn't mean you can't get one that learns your password and sends through the ISP's SMTP server, but, without an account/password your ISP should not allow SMTP sending from any client.

If you want to secure your network from easily spreading viruses/worms via typical MS File Sharing and other ports, you can set what linksys called Private Ports in some versions - where you can list port ranges to block to destination ports - meaning you could block ports 135~139,445... going to the destination port end (not your local outbound port, the port on the receiving end). This means that your network can use typical MS ports to attach to OTHER computers OUTSIDE your network (no impact inside the network).

The SOHO Firewall Appliances are very nice, and they block outbound by default (some vendors have typical use outbound ports open), and also detect various types of attacks and block the attacker, but, a typical NAT router will also keep your internal network from being compromised by unsolicited traffic, it won't help much on outbound (except as noted).

Save your money, get a BEFSX41, BEFVP41, BEFSR41 or a D-Link or Netgear and set up your network on 192.168.10.0/24, use a STRONG PASSWORD, disable all UPnP, disable port forwarding, disable remote management, disable remote upgrade, enable LOGGING, etc... This will keep unsolicited inbound OUT.

Now, get a quality browser, or lock IE down as MS suggests (high-security mode), get a non-MS email client, get quality AV software (I swear by Symantec Corporate Edition - never been compromised yet), and get some means to monitor the router in real time (WallWatcher) and learn how to read it.

Also, if you only have one computer, disable file/printer sharing.

Leythos
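As an added illustration (not code from the thread, from Linksys, or from any poster), here is a small Python model of the policy Leythos describes above: outbound filtering on the destination port only (so "Private Ports" do not affect a PC's own source ports or traffic inside the LAN), the SMTP pin to the ISP's relay that only an appliance offers, and dropping unsolicited inbound when port forwarding is off. The LAN prefix is the 192.168.10.0/24 from the post; the ISP relay address is an assumed placeholder.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")        # the renumbered LAN from the post
ISP_SMTP = ip_address("198.51.100.25")     # assumed ISP relay (constructed TEST-NET-2 address)
# Destination-port ranges the post blocks outbound: NetBIOS/SMB, MSSQL, old RPC range
BLOCKED_DST_PORTS = [(135, 139), (445, 445), (1433, 1434), (1025, 1027)]


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Minimal model of a SOHO NAT router with 'Private Ports' style egress filtering."""

    def __init__(self, pin_smtp: bool = False):
        self.pin_smtp = pin_smtp   # True models the appliance that limits SMTP to the ISP relay
        self.flows = set()         # (lan_ip, lan_port, wan_ip, wan_port) of flows opened from inside

    def filter(self, c: Conn) -> str:
        src, dst = ip_address(c.src), ip_address(c.dst)
        if src in LAN and dst in LAN:
            return "LAN"           # intra-LAN traffic never crosses the router: no impact inside
        if src in LAN:             # outbound: only the *destination* port is checked
            if any(lo <= c.dport <= hi for lo, hi in BLOCKED_DST_PORTS):
                return "DROP"
            if c.dport == 25 and self.pin_smtp and dst != ISP_SMTP:
                return "DROP"      # appliance-only: SMTP to anything but the ISP relay
            self.flows.add((c.src, c.sport, c.dst, c.dport))
            return "ALLOW"
        # inbound: allowed only as the reply to a flow we opened (no port forwarding configured)
        if (c.dst, c.dport, c.src, c.sport) in self.flows:
            return "ALLOW"
        return "DROP"              # unsolicited inbound stays OUT
```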

Duane Arnold wrote in news:Xns962651E57C42notmenotmecom@63.240.76.16:


nice link!

Darko Gavrilovic

Leythos wrote in news:XLA1e.1859$lq2.52 @fe1.columbus.rr.com:

Leythos, why disable UPnP?

Darko Gavrilovic


Leythos wrote in news:XLA1e.1859$lq2.52 @fe1.columbus.rr.com:


I personally still prefer a PFW on my windows machines - regardless of what NAT or FW i have in front of it.

I like to see what programs are trying to connect out without my knowledge. A PFW has also helped me nail trojans and worms that my AV didn't detect because of poor signatures. The PFW will alert you when your machine is trying to connect to strange sites in the background. I caught the Palored trojan that way.

Darko Gavrilovic

The monitoring PC is set up because WallWatcher does not run as a service; it has to run on the desktop. Unless you leave your computer logged in all the time with it running in the background, you don't get a 100% monitoring solution.

One of the things we did for a Sorority was to install a simple Windows 2000 workstation and IIS. It's in a locked box, no keyboard/mouse, no physical access. The system runs a webserver on a non-standard port and provides remote access to the WW logs through that port - it requires a password to access the website. We also set up the machine to auto-logon, screen saver/passworded in 1 minute, to start WW on login, and to email the logs to us every night at midnight. This machine also runs VNC on a non-standard port with a password that we change monthly. We also secured the workstation and run Symantec AV Corp Ed. We can check the logs via http, via VNC, or through the email. This lets us see what is happening 24/7 in real time. We found one day that they went from the normal 8mb logs to 24mb and started reading the logs - turned out that two of the girls had installed a P2P application that is in violation of the Network Acceptable Use Policy. We identified the computers by blocking their IP from internet access (in the router) and told the senior representative that we had done so. Once the girls removed the software we re-enabled their IP. The nice thing was that we could see when they removed it because the WW R/T logs showed no more hits through those ports/IP.

I work with many people every day, and I had forgotten most of our prior conversations, sorry.

I do have to say, better is a real thing, not just subjective. Firefox, even with its exploits, is currently a better browser than IE for most home users. Even with all the updates and patches, IE is still too large a target, ingrained into the OS too deep, and filled with too many paths to exploit when not set for High-Security. Even in High-Security mode, people won't put up with it for normal use; they hate having to add sites through the multiple clicks to the Trusted Zone...

I don't use/know about AV/AT, but as long as you're comfortable with it, as long as it scans in/out bound email to your mail server for your email client, then it should be good enough.

I don't rely on the apps / devices to protect me/clients, I always operate on the assumption that we are currently compromised with something not covered by AV/Spyware detection methods, and by something that uses the permitted ports to work. When operating with this assumption it makes the job easier because you get into the always looking mode and never relax.

Unless Sygate is doing application CRC/rules on your computer, it's not helping you any.

The thing is, a threat to one is not a threat to all. Some threats are not really threats to network A but are a threat to network B. If I don't run a web server on network A I don't have to worry about threats that attack Apache or IIS or PHP servers as I don't have those services exposed. On the other hand, I always try to setup a network to cover all the bases, even if the threat is not viable - it's a just in case type thing that has covered my arse many times.

This is a good example of not understanding many things - I had a client, a medical group, sending information about clients through their various ISPs to the teams/offices. They let each office determine who it wanted to use for an ISP; all people emailed each other through the external ISPs. I about went through the roof when I first visited them - total HIPAA violation.... To resolve this problem we implemented a total firewall appliance solution with a single email server in the corporate office - each office was connected to the home office through an IPSec tunnel and all email was now limited to sending/recv'g through the main office's email server - port 25 was blocked to everything except the main email server. This made all clear text messages valid, as they could only reach the company email server via the IPSec tunnels or via HTTPS access over the web. No patient information now goes out over the public internet to the employees; it's all on the internal email server and accessed via hardware-built IPSec tunnels.

For personal email, I never send encrypted emails; if I have something sensitive I either password a PDF/Word document or I PKZip it and send it that way. I used to use an encryption program years back, but it proved to be too much work for the receivers and they stopped asking me to use it.

Actually, that mode is part of the problem, "if a person is careful about not getting their computer infected in the first place, the threat level is greatly mitigated" - Always operate like you are compromised or will soon be compromised. Never accept that you are safe enough. Don't take that wrong, I don't mean you need to run two routers with 800 PFW's and stand on your head with rubber gloves when you browse, but don't assume that you've secured your PC properly.

You should be concerned about it, even I don't assume I'm secure. I've been working with systems since the 70's, never had a single virus/compromised system in all those years (not even a clients machine), but I never assume that we're secure enough. At the same time, I still allow people to browse the web, get attachments, etc....

A good example is blocking of file types based on attachment type, meaning blocking .EXE, .SCR.... Until a couple years ago it was considered safe to allow Zip files into any network, since a Zip file could not do any direct damage (according to some). I'll assume you've seen the rash of virus infected files inside Zip's now, and then they passworded the Zips so that virus scanners could not get inside to inspect... Zip methods were something that many of us were caught off-guard by, we had to re-think our protection methods. As a result I now delete any Zip attachment that the firewall/AV software on the email server can't open or inspect. I also block any file type that could contain anything that could be executed for most clients, even word documents from outside for most users.

I once thought I was secure, even without AV software, so we started testing AV products. We found a site that you could browse to using an unsecured IE (default settings) that would run scripts on your computer without you even knowing about it, all through IE. Symantec Corp and Norton AV personal were the only ones that caught/stopped it; all the others just ignorantly kept running.

Again, operate on the idea that you're only 75% secure, never 99.9% secure and you'll really have it a lot easier.

It's kind of like the age old argument about cleaning a compromised machine without formatting/wiping it or not - I always wipe, totally, then do a fresh install or a ghost image. We get new clients because of compromised networks and systems (nothing we installed) and tell them that even though we can clean the systems/network, that we won't sign any certificate stating it's clean unless we wipe/reinstall. As an old programmer that's written massive amounts of code for Win systems, I'm happy to edit the registry at any level, happy to hack system files, and understand the OS at a deep layer, but I'm not going to sign my name on anything as being clean unless I rebuild it from scratch. I would take the same approach in my home too.

I have several Watch Guard Firebox units, even a couple of the smaller SOHO6tc units, and I still use Symantec Corp, I won't install McCrappy on anything.

[snip]


Just thought you might want to know, unless you are passing messages that "require" authentication, your signature is just wasting bandwidth across the world. There is nothing that proves your message came from you, not even the signature. I can copy/paste it into a message and look just like you and very few people would know the difference. Usenet norms are 4~5 lines for a sig - just thought you might want to know.

Happy Easter.

Leythos

Leythos wrote in news:z2L1e.21478$rL3.7616 @fe2.columbus.rr.com:

I didn't know that's what it did. That's why I asked.

I usually leave it off because I don't use the feature - never needed to use it yet, I guess.

Cheers.

Darko Gavrilovic

Darko Gavrilovic wrote in news:Xns9626CE0FE991F224154@216.196.97.142:

Yes, it has made comments Top Guns in this NG have expressed clearer and why they make the comments.

Duane :)

Duane Arnold
