Buffalo WHR-G54S + Tomato firmware = hardware firewall?

pdawg17 (Limp Gawd, joined May 5, 2007, 173 messages)
I'm a nOOb with hardware firewall stuff...I've always just installed ZA or Comodo and was done with it...I'm trying to minimize the amount of security software installed and am curious how to "maximize" my hardware protection...I have a Buffalo WHR-G54S router with Tomato 1.18 firmware installed...does this cover me as far as NAT goes or are there settings I need to change? Or is what people refer to as a "hardware firewall" a completely different piece of equipment?
 
Essentially all that a traditional 'consumer class' router provides by way of a 'firewall' is NAT and SPI. NAT provides a large degree of security (though you're certainly not immune to spoofed packets), and SPI (Stateful Packet Inspection) eliminates malformed packets that can be used to exploit access to network/computers (also built into Windows SP2 Firewall).

A 'real' firewall serves to provide a very granular means of restricting both inbound *and* outbound traffic. As most consumers aren't looking to limit outbound connections, it isn't typically found in most hardware. There are some higher end routers that feature elements of UTM (Unified Threat Management) that actually screen out malware/viruses as they come through the router, and serve to significantly (but not entirely) reduce the need for client-side filtering. They also typically have a yearly subscription attached to them.

I could go on, but does that answer your question?

Edit: Your Tomato firmware does provide NAT coverage unless you modified the defaults.

That's a great answer...thanks...

Is the NAT coverage through the setting "NAT loopback" or something else? NAT loopback is set to "Forwarded only"...is that correct?

Lastly, if I were to only use the Windows firewall and the Tomato firmware on my router is that enough? Or is Comodo helping me more somehow?
 
Forwarded only should be fine for your needs. That ensures that packets that are routed in on forwarded ports are routed back out appropriately.

Speaking from personal and professional experience...the Comodo Firewall is something of a two-edged sword (as are almost all other 'network security' programs/packages). On the upside it allows you to more selectively be aware of the decision making process of allowing programs to access the internet (outbound connections) and block potentially malicious inbound packets (either spoofed or otherwise 'invited' into the network). If you're planning on 'sharing' the computer, this isn't a bad idea. On the downside, you're almost guaranteed to run into a networking issue at some point that forces you to uninstall or at least seriously reduce the functionality of the firewall in order to resolve the issue...thus defeating its use. Most programs these days now have a "disable for XX minutes" function that resolves this, but I'm not a big fan.
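The NAT + SPI behaviour described in the two answers above, including the "Forwarded only" NAT loopback setting, as an added toy model that is not part of the thread or of Tomato's code; the addresses, ports and the single port-forward rule are constructed for illustration.

```python
# Added example, not code from the thread: a toy model of the NAT + SPI
# behaviour a consumer router such as a Tomato-flashed WHR-G54S provides,
# including "Forwarded only" NAT loopback. All addresses/ports are constructed.
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.5"                      # router's public address (constructed)
LAN_PREFIX = "192.168.1."
FORWARDED = {8080: ("192.168.1.10", 80)}    # one configured port forward (constructed)
MALFORMED = {frozenset({"SYN", "FIN"}), frozenset()}   # flag combos SPI rejects

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset({"SYN"})

class Router:
    def __init__(self):
        self.flows = {}          # WAN-side port -> (lan_ip, lan_port) for outbound flows
        self.next_port = 40000

    def handle(self, pkt):
        """Return ('ALLOW', rewritten packet) or ('DROP', reason)."""
        if pkt.flags in MALFORMED:                       # SPI: drop malformed packets
            return "DROP", "malformed flags"
        if pkt.src.startswith(LAN_PREFIX):               # packet from a LAN host
            if pkt.dst == WAN_IP:                        # LAN host using the public IP
                if pkt.dport in FORWARDED:               # "Forwarded only" loopback
                    lan_ip, lan_port = FORWARDED[pkt.dport]
                    return "ALLOW", replace(pkt, dst=lan_ip, dport=lan_port)
                return "DROP", "no loopback for non-forwarded port"
            port, self.next_port = self.next_port, self.next_port + 1
            self.flows[port] = (pkt.src, pkt.sport)      # record outbound state
            return "ALLOW", replace(pkt, src=WAN_IP, sport=port)   # masquerade
        # packet arriving from the WAN
        if pkt.dport in self.flows:                      # reply to a tracked flow
            lan_ip, lan_port = self.flows[pkt.dport]
            return "ALLOW", replace(pkt, dst=lan_ip, dport=lan_port)
        if pkt.dport in FORWARDED:                       # explicitly forwarded port
            lan_ip, lan_port = FORWARDED[pkt.dport]
            return "ALLOW", replace(pkt, dst=lan_ip, dport=lan_port)
        return "DROP", "unsolicited inbound (no state, no forward)"   # NAT's default
```

The last branch is the "coverage" the thread talks about: with no port forward and no outbound state, an inbound packet has nowhere to go and is dropped.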

When you say "sharing" the computer you mean things like media streaming, etc, right?

So is something like Comodo better than the Vista firewall because it will prompt you when something is going on or are there other benefits?

So basically though are you saying that with my current setup if I am using a home network (only for streaming media to an xbox and satellite box) I should use a software firewall of some sort?

Btw I am using Kaspersky AV which has "protective defense" if that means anything for my situation...
 
The software firewall that comes with Windows XP/Vista is sufficient. Use the NAT firewall that is provided by your router. If you are really worried about security/malware then I would recommend setting up a UTM appliance on an older PC. Try Untangle, Astaro, eBox, etc.

No, by sharing I was implying other less savvy users using the computer...you know, the ones that go to the 'wrong' part of the internet :p. Honestly, you'll be fine and like Captain C said, if you really want to offload that security you'll need to pursue one of the UTM options...which is likely overkill.

Oh that kind of sharing....hmmmm....I'm not sure who in my family would do that ;)
 
NAT and your Windows firewall will do the job but there is no substitute for a good user. Don't do anything stupid and you will be fine. I recommend running online scans every month. I use trendmicro's free scan.

Mainly bittorrents although we all know those aren't always clean...