Security benefits of hardware firewalls

Hi there.

I have been taught that the average consumer-grade IP NAT-capable wired router is (for residential end users, SOHO users, or really anyone who does NOT need to explicitly open ports in their Internet gateway device or run a DMZ) an excellent protection against both network worms and malicious crackers or script kiddies. Specifically, I have been told that by the nature of the form of IP NAT used by consumer/home user routers, all unsolicited inbound network traffic is simply discarded, thereby protecting all users on the network from UNSOLICITED attacks. Obviously, that would still leave you vulnerable to any malicious traffic that you personally allow to enter your PC, such as foolishly downloading malware-infected programs.

So my questions are as follows: is it true that all unsolicited network traffic that attempts to pass through a consumer/home user grade wired NAT router (assuming the necessary configurations are properly made, of course) is dropped? If so, is it possible for some manner of attack to fool the NAT router (without the user's knowledge or intervention) into thinking that some malicious unsolicited traffic was solicited? And if so, are there any known exploits that exist in the wild? Don't forget that I'm asking about wired-only routers here, no WIFI.

Thanks in advance for your time and help.

Reply to
Sol
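Added illustration (not part of the original post or any reply): a toy model of the translation table in a consumer NAT router, written to show the two halves of the question above. With an empty table, an inbound packet has nothing to match and is dropped. Once an inside host sends something out, a mapping exists, and whether a third party can use that mapping depends on the router's filtering policy: an endpoint-independent ("full cone") filter accepts inbound from any outside host on the mapped port, while an address-and-port-dependent filter only accepts the peer the inside host actually talked to. All addresses are made up (RFC 5737 documentation ranges) and the class is a deliberate simplification, with no timeouts or port reuse.

```python
"""
Toy NAT translation table: constructed example, not real router code.
Models only the "is this inbound packet allowed in?" decision.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    PUBLIC_IP = "203.0.113.7"  # router's WAN address (made up)

    def __init__(self, endpoint_independent: bool):
        # True  = full-cone style filtering: any outside host may use a mapping
        # False = address/port-dependent filtering: only the original peer may
        self.endpoint_independent = endpoint_independent
        self.next_port = 40000
        # (proto, inside_ip, inside_port) -> public port handed out for it
        self.outbound = {}
        # (proto, public_port) -> (inside_ip, inside_port, peer_ip, peer_port)
        self.inbound = {}

    def send_outbound(self, pkt: Packet) -> Packet:
        """Inside host sends out: create (or reuse) a mapping, rewrite source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.next_port += 1
        pub_port = self.outbound[key]
        self.inbound[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port,
                                               pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.PUBLIC_IP, pub_port, pkt.dst_ip, pkt.dst_port)

    def recv_inbound(self, pkt: Packet):
        """Outside host sends in: returns the translated packet, or None if dropped."""
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # no mapping at all: unsolicited, silently dropped
        in_ip, in_port, peer_ip, peer_port = entry
        if not self.endpoint_independent and (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # mapping exists, but this sender never talked to the inside host
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo(endpoint_independent: bool) -> dict:
    """Run the three cases from the question and report which packets got through."""
    nat = Nat(endpoint_independent)
    lan_host = "192.168.1.10"
    # 1. Nothing has gone out yet: a probe to the WAN address has no mapping.
    cold = nat.recv_inbound(Packet("udp", "198.51.100.5", 53, Nat.PUBLIC_IP, 40000))
    # 2. The inside host sends a DNS query outward, which creates a mapping.
    out = nat.send_outbound(Packet("udp", lan_host, 5353, "198.51.100.5", 53))
    # 3. The real reply from that server matches the mapping and is passed.
    reply = nat.recv_inbound(Packet("udp", "198.51.100.5", 53, out.src_ip, out.src_port))
    # 4. A stranger who learned the public port tries to use the same mapping.
    stranger = nat.recv_inbound(Packet("udp", "192.0.2.99", 4444, out.src_ip, out.src_port))
    return {
        "cold_probe_passed": cold is not None,
        "real_reply_passed": reply is not None,
        "stranger_passed": stranger is not None,
    }


if __name__ == "__main__":
    print("endpoint-independent filtering:", demo(True))
    print("address/port-dependent filtering:", demo(False))
```

The point of case 4 is that "unsolicited" is decided by the router's table, not by what the user intended: any software on the inside that sends a packet out opens a mapping, and on a router with endpoint-independent filtering anyone who learns the public port can then reach that inside port until the mapping expires.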

It's always possible to have an exploit that allows inbound without solicitation, but, while it used to happen in many devices, early ones, it's not as common as it used to be. I've not seen a real case of it in any location we monitor.

Reply to
Leythos

Are there any particular router brands that I should be wary of? My opinion has generally been that Linksys makes a good router (since they're a division/child of CISCO, but I realize that that's no guarantee of quality). Who should I avoid and who should I use?

Thanks for your help.

Reply to
Sol

Any one that doesn't have SPI in the firmware for the router.

Duane :).

Reply to
Duane Arnold

CISCO bought them, but that didn't change much if anything, other than the branding and a logon that shows in the config page.

As for what I would use, well, I like the units that have been certified as a firewall, but if it came down to using a cheap unit, I would want one that has SPI and actually mentions SPI in the details section.

Reply to
Leythos
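Added illustration (not from the thread or from any vendor's firmware) of what the SPI recommendation above buys you. A stateless packet filter typically implements "allow established" as "allow any inbound TCP segment with the ACK bit set", because it cannot tell a genuine reply from a forged one; stateful packet inspection keeps a table of connections it watched being opened from the inside and drops anything that does not belong to one, ACK bit or not. The model below ignores NAT, sequence numbers and timeouts, and treats FIN like RST for simplicity; addresses are made up.

```python
"""
Stateless "established" rule versus stateful packet inspection (SPI).
Constructed example: decides only whether an inbound TCP segment is passed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}


LAN_HOST = "192.168.1.10"


def stateless_filter(seg: Segment, direction: str) -> bool:
    """Classic ACL-style rule: outbound anything, inbound only if ACK is set."""
    if direction == "out":
        return True
    return "ACK" in seg.flags


class SpiFirewall:
    """Tracks connections opened from the inside; everything else inbound is dropped."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.conns = {}

    def process(self, seg: Segment, direction: str) -> bool:
        if direction == "out":
            key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
            if seg.flags == {"SYN"}:
                self.conns[key] = "SYN_SENT"      # inside host opens a connection
            elif "RST" in seg.flags or "FIN" in seg.flags:
                self.conns.pop(key, None)         # teardown: forget the entry
            return True                           # outbound is allowed here
        # Inbound: look the segment up against the reversed tuple.
        key = (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port)
        state = self.conns.get(key)
        if state is None:
            return False                          # no tracked connection: drop
        if state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            self.conns[key] = "ESTABLISHED"       # handshake completing as expected
            return True
        if state == "ESTABLISHED" and "SYN" not in seg.flags:
            if "RST" in seg.flags or "FIN" in seg.flags:
                del self.conns[key]
            return True
        return False                              # out-of-state segment: drop


def probe_results() -> dict:
    """Compare both filters on an ACK-scan probe and on a real connection."""
    spi = SpiFirewall()
    scanner, server = "198.51.100.77", "198.51.100.20"
    # An ACK "scan" probe aimed at SMB on the inside host; no connection exists.
    probe = Segment(scanner, 4444, LAN_HOST, 445, frozenset({"ACK"}))
    # A connection the inside host really opens to a web server.
    syn = Segment(LAN_HOST, 50000, server, 80, frozenset({"SYN"}))
    synack = Segment(server, 80, LAN_HOST, 50000, frozenset({"SYN", "ACK"}))
    data = Segment(server, 80, LAN_HOST, 50000, frozenset({"ACK", "PSH"}))
    rst = Segment(LAN_HOST, 50000, server, 80, frozenset({"RST"}))
    results = {
        "stateless_passes_ack_probe": stateless_filter(probe, "in"),
        "spi_passes_ack_probe": spi.process(probe, "in"),
        "spi_out_syn": spi.process(syn, "out"),
        "spi_in_synack": spi.process(synack, "in"),
        "spi_in_data": spi.process(data, "in"),
        "stateless_in_data": stateless_filter(data, "in"),
    }
    spi.process(rst, "out")                       # inside host aborts the connection
    results["spi_in_data_after_rst"] = spi.process(data, "in")
    return results


if __name__ == "__main__":
    for name, passed in probe_results().items():
        print(f"{name:28s} {'PASS' if passed else 'DROP'}")
```

The first two entries are the difference that matters for a home router: the stateless rule passes the ACK probe because it only looks at flags, while SPI drops it because no inside host ever opened that connection. Both pass the genuine reply traffic, and SPI additionally stops accepting segments once the inside host tore the connection down.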

That intrigues me. Is there a firewall certification or cert. organization in particular that you're thinking of? I'm concerned with quality more than price.

Thanks for your time and effort answering me.

Reply to
Sol

At the current time, this is one testing facility that I trust:

formatting link

Reply to
Leythos

You don't need to. Just read RFC 2978. From there:

| A "firewall" is an agent which screens network traffic in some way, blocking traffic it believes to be inappropriate, dangerous, or both.

Yours, VB.

Reply to
Volker Birk

And since you have no clue what a real firewall is, VB, you can't tell the user what will protect his network.

For most people, a firewall that IS certified will do what they need, and the tests to prove it are published. The RFC does not help the OP if he purchases something without knowing whether it meets firewall standards or not.

Reply to
Leythos

Thanks for your help. I appreciate it.

Reply to
Sol

You're welcome - feel free to come back and ask about anything firewall-related again.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.