Is a dedicated firewall really necessary?

mikey71497 (Limp Gawd; joined Sep 27, 2004; 215 messages)
What are your thoughts on a dedicated firewall appliance for your home network? I just got the Netgear WNDR3700 to replace my 6-year-old Linksys WRT54G. I noticed in the log file that there have been several attempted DoS attacks today. My router is pretty locked down and not blown open as some folks tend to leave them, but I am wondering whether the way I have my router set up is enough security. I only allow 5 IP addresses to be handed out, have wireless MAC filtering enabled, WPA(2) enabled, and some other minor things going on. Is this enough?

TIA

Mike
 
You've done enough on that end to protect yourself. At this point, other attack vectors are cheaper than attempting to blow through your perimeter.
 
For your network I think it's fine. Running a setup like mine (dedicated firewall, Cisco IDS (intrusion detection sensor), and a log running all of them including my router) is only because I'm near/in a hostile environment with multiple users (college frat, 30-60 users daily) and need it. For a home user you're secure (but you can always go nuts if you want).
 
Thanks for the replies, guys. Let's say I wanted to "go nuts." What hardware firewall would you guys recommend? I was looking at a used Cisco ASA on eBay, but I don't have much experience with them. I am VERY familiar with Cisco routers and switches, so CLI is not an issue. Are there any other vendors that have a good firewall? A GUI-based interface would be great, but CLI is fine as well. Looking to keep the cost at 200 or under.
 
Thanks for the replies, guys. Let's say I wanted to "go nuts." What hardware firewall would you guys recommend? I was looking at a used Cisco ASA on eBay, but I don't have much experience with them. I am VERY familiar with Cisco routers and switches, so CLI is not an issue. Are there any other vendors that have a good firewall? A GUI-based interface would be great, but CLI is fine as well. Looking to keep the cost at 200 or under.
If you get an ASA, use the ASDM GUI. The command line on an ASA is just enough like the IOS stuff to be confusing as hell, but otherwise shares none of the fun stuff.
 
If you're familiar with Cisco routers, then get a router and put on, at the very least, an IOS that supports IOS firewall and IDS. Personally, get one that supports at least a 12.4 Advanced Enterprise IOS; then you get access to it all.

I have a 3725 as my edge router doing all of the firewall, NAT, etc. Works great.
 
jeebuz, I'm all for Cisco and crap, but having an ASA for a home user network is just ridiculous unless you're learning. You're much better off running a UTM firewall that offers web/malware filtering capabilities in addition to basic NAT. Astaro Home and Untangle offer much more protection for a home user than a Cisco ASA 5505 unless you plan on paying the extra yearly licensing fees associated with Cisco's new content filtering service for the ASA.
 
I have a PIX 515, a few PIX 501es, and a small WatchGuard all collecting dust.

I am thinking of setting one up and giving it to my dad so we can back up files between Florida and DC. I also am thinking of setting up a VPN on one of the PIX firewalls so my friend in China can VPN to it and use my connection to surf websites that are blocked in China.
 
I have a PIX 515, a few PIX 501es, and a small WatchGuard all collecting dust.

I am thinking of setting one up and giving it to my dad so we can back up files between Florida and DC. I also am thinking of setting up a VPN on one of the PIX firewalls so my friend in China can VPN to it and use my connection to surf websites that are blocked in China.

Nice. Share the wealth with people who don't have the luxury of unfiltered content. If you do set it up, props to you!
Which is expensive shit by itself, even for businesses.

Yeah, Cisco licenses don't run cheap.

jeebuz, I'm all for Cisco and crap, but having an ASA for a home user network is just ridiculous unless you're learning. You're much better off running a UTM firewall that offers web/malware filtering capabilities in addition to basic NAT. Astaro Home and Untangle offer much more protection for a home user than a Cisco ASA 5505 unless you plan on paying the extra yearly licensing fees associated with Cisco's new content filtering service for the ASA.

Agreed. All that shit is nice at my house 'cause we've got 15-30 IT guys living here that like to learn, plus it's nice for a nice-sized network like mine, but when I move out in a few months I'm just gonna have a nice Linux box with some iptables running to do my dirty work. No need to get an ASA or PIX (same stuff, I know) to safeguard 4 PCs.
 
Right now I just have an Apple AirPort Extreme router; however, on the way is a nice new wireless-N SonicWALL with the security app for a year for free :)
 
What are your thoughts on a dedicated firewall appliance for your home network? I just got the Netgear WNDR3700 to replace my 6-year-old Linksys WRT54G. I noticed in the log file that there have been several attempted DoS attacks today. My router is pretty locked down and not blown open as some folks tend to leave them, but I am wondering whether the way I have my router set up is enough security. I only allow 5 IP addresses to be handed out, have wireless MAC filtering enabled, WPA(2) enabled, and some other minor things going on. Is this enough?

TIA

Mike

A dedicated firewall gives an added layer of security. Think of it this way: if they pop your Linksys, there's nothing standing between you and the Internet at large. If you have a secondary device (of another type/vendor), then you've still got separation, since generally speaking what worked on the first device won't crack the secondary device. A dedicated firewall like an old PIX, iptables box, or ASA gives you that level of protection. The main limitation of packet-filtering firewalls is that if a bad guy is able to spoof permitted traffic, then all your preventive measures are for nothing.

As for your wireless being locked down, I think you're fine. I still suggest changing the pre-shared key every 30 days, though.


If you're familiar with Cisco routers, then get a router and put on, at the very least, an IOS that supports IOS firewall and IDS. Personally, get one that supports at least a 12.4 Advanced Enterprise IOS; then you get access to it all.

I have a 3725 as my edge router doing all of the firewall, NAT, etc. Works great.

Generally that's a good idea, except the 3700 series switches don't have NAT anymore. They pulled it out a while back when it dawned on them that they were a little too feature-rich.
 
Reading over this, everyone seems to be concerned about inbound access. What about outbound access?
 
I am not really concerned about outgoing traffic because it's only my wife and I who use the computers. My 2 kids are 1.5 and 2.5 years old. They only know how to bang the crap out of the keyboard and knock the monitors over. :rolleyes:
 
Reading over this, everyone seems to be concerned about inbound access. What about outbound access?
For most home systems, outbound access is less of a concern. Why would it be? In businesses, the reason we care about outbound access is to filter websites and block company data from being illegally sent to other networks. Neither of which is a concern in a home environment (unless you are blocking your children).

Yes, you could try to filter suspicious traffic, but what does that constitute? Inbound filtering would block the return traffic from any malware site, essentially preventing a connection from being established, so unless we're talking about blind UDP dumps, it's not really a concern.
 
What are your thoughts on a dedicated firewall appliance for your home network? I just got the Netgear WNDR3700 to replace my 6-year-old Linksys WRT54G. I noticed in the log file that there have been several attempted DoS attacks today. My router is pretty locked down and not blown open as some folks tend to leave them, but I am wondering whether the way I have my router set up is enough security. I only allow 5 IP addresses to be handed out, have wireless MAC filtering enabled, WPA(2) enabled, and some other minor things going on. Is this enough?

Welcome to the Internet! Reading the log files of firewalls, you'll see kajillions of port scans, DoS attacks, SQL exploits, and this and that and the other. That's the job of the NAT router to stop, so you can sit back and enjoy using the Internet instead of losing sleep over it all night.

You have your router's default admin password changed, you have WPA or higher wireless security, you keep your Windows updated, you have good antivirus software, you keep Java and Flash updated... sit back and enjoy your computers.

Getting some UTM-grade firewall with strict outbound access... well, that's up to you and how you wish to spend your time. I don't run my home network with outbound clamped down, else the kids complain that //this game// doesn't work online, the wife complains //blah blah// doesn't work for her work, and I have to spend time making rules for this, that, and the other. Home network for me: good inbound protection, minimal effort on my end for everything else. I'd rather spend time relaxing at home than getting things working for others due to strict outbound stuff.
 
Yes, you could try to filter suspicious traffic, but what does that constitute? Inbound filtering would block the return traffic from any malware site, essentially preventing a connection from being established, so unless we're talking about blind UDP dumps, it's not really a concern.

So inbound filtering really blocks the return traffic from any malware site? Hmm, I guess state tables are a thing of the past, then? I wonder how this website I just visited knows how to return the page that I requested.
 
Agree with YeOld's post. But if you want to monitor outbound connections or have an added layer of protection without getting crazy, you can just install something like PC Tools Firewall Plus on your system. It's lightweight, and in standard mode it really doesn't bother you at all. If something is not on its whitelist or not signed (you can change those settings) and is trying to connect to the Internet, it'll warn you. There are other circumstances where it'll warn you also; it doesn't just rely on a whitelist and signed signatures. In advanced mode there are a lot of settings you can customize and fine-tune. By the way, you can password-protect it. It's good for the home user who's behind a router and wants something a little more beefy than the Windows firewall but doesn't want to get into running dedicated firewall boxes.


It's really up to the user. I know people who run dedicated firewall boxes for their home, and usually the average Joe will spend a week trying to get it up and running and still won't get it working correctly.
 
So inbound filtering really blocks the return traffic from any malware site? Hmm, I guess state tables are a thing of the past, then? I wonder how this website I just visited knows how to return the page that I requested.
If you have proper inbound filtering rules, then your state tables don't matter.

Or are you referring to a specific technology, and basing your argument off of that without telling me?

EDIT: Wait, are you mixing up NAT and inbound filtering?
 
If you have proper inbound filtering rules, then your state tables don't matter.

Or are you referring to a specific technology, and basing your argument off of that without telling me?

EDIT: Wait, are you mixing up NAT and inbound filtering?

It doesn't matter if you have proper inbound filtering rules set up. You can set a firewall to not allow any connections inbound other than established/related. If a connection is initiated from inside your network to outside your network, then a connection is made and traffic can return to the host that was asking for the connection.

Example:
In this example your local system is 1.1.1.1 and the web server is 3.3.3.3; very basic.

1.1.1.1:34543 -> 3.3.3.3:80 -- This is the request for the page.
3.3.3.3:80 -> 1.1.1.1:34543 -- This is the expected return traffic so that you can see the page that you requested.

You now have an established, related connection that is in your state table.

Now where the problem comes in is when you go to a page, email, or whatever and get something that is unexpected and unwanted. We will call it malware for now. The malware will then open a connection to a predefined port on a predefined server and download its payload or whatever is needed, including remote control. Most of the time this will not be done over ports like 80, 443, etc. It will be done over a so-called high port (1062 - 65535). Blocking outbound ports that are not needed stops this communication, putting a problem in the calling-home scheme. Only allowing a predefined set of ports outbound limits how the malware can connect. You want to prevent any accidental door from opening.

If you would like to see a first-hand example, IM me some contact information and we can set something simple up to show you.


No, I am not confusing NAT and inbound filtering. We can easily change the example above to use a router as 2.2.2.2.
 
Generally that's a good idea, except the 3700 series switches don't have NAT anymore. They pulled it out a while back when it dawned on them that they were a little too feature-rich.

I'm not talking 3700 switches, I'm talking 3700 series routers, which will do firewall, IDS, IPS, CME, and a lot of whatever else you may want to set up. A little older of a router, but plentiful on eBay.
 
I've just set up an old IBM desktop (small form factor and dead quiet) with a few network cards and Vyatta. Its firewalling is great for home and kicks the pants off my old Linksys as far as performance, configuration, and throughput. QoS is a cinch as well. Better than forking out all that cash for a dedicated hardware device.

Question guys: UTM?
 
Jgedeon, you've essentially described a NAT router appliance.

When I speak about inbound filtering, I am talking about a firewall which examines each incoming packet and checks its rules to determine whether to accept, forward, or drop the packet. Yes, the state of the connection can be one determining factor, but certainly not the only one. Case in point: my inbound rules are a combination of the DROP list and region blocks (as in, if the source is any of those IP addresses, the packet is dropped or rejected, depending on my mood that day). These checks are inserted before I do any state checks, hence the state is irrelevant.

Now if you were speaking about a specific device, then you'd have a point.

(Note: you have a valid point about outbound filtering; I am not disagreeing with that. However, it becomes problematic when you are talking about games and such, as they often use high IPs for their connections. Or even torrents.)
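The two points argued above (Jgedeon's example of an established/related state entry letting a malware call-home's replies back in unless outbound ports are restricted, and the reply that static source drop lists evaluated before any state lookup make the state irrelevant for those sources) can both be shown with a small simulation. The code below is an added example written for this page, not something any poster ran; it is a toy stateful packet filter in Python, not iptables or a PIX. The addresses 1.1.1.1 and 3.3.3.3 and the ports 34543 and 80 are taken from the thread; 5.5.5.5:4444 is a hypothetical command-and-control host, the ports 40001 and 22 are constructed, and the 3.3.3.0/24 drop-list entry is assumed purely to illustrate rule ordering.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One TCP packet as the firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN host to Internet, "in" = Internet to LAN host


class StatefulFilter:
    """Toy stateful filter: default-deny inbound, optional outbound port allowlist,
    optional static source drop list evaluated before the state lookup."""

    def __init__(self, allowed_out_ports: Optional[set] = None, drop_list=()):
        # None means no outbound filtering at all, the usual home-router default.
        self.allowed_out_ports = allowed_out_ports
        self.drop_list = [ip_network(n) for n in drop_list]
        self.state = set()  # 4-tuples of flows a LAN host opened ("established")
        self.log = []

    def _verdict(self, pkt: Packet, action: str, reason: str) -> str:
        self.log.append((action, reason, pkt))
        return action

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # Rule 1: static source blocks run before any state lookup, so a
            # drop-listed peer is dropped even when it is replying to our request.
            if any(ip_address(pkt.src) in net for net in self.drop_list):
                return self._verdict(pkt, "DROP", "source on drop list")
            # Rule 2: ESTABLISHED/RELATED only: the reverse 4-tuple must be tracked.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return self._verdict(pkt, "ACCEPT", "reply to tracked flow")
            return self._verdict(pkt, "DROP", "unsolicited inbound")
        # Outbound: apply the port allowlist (if any), then record the flow so
        # that its replies are accepted by rule 2.
        if self.allowed_out_ports is not None and pkt.dport not in self.allowed_out_ports:
            return self._verdict(pkt, "DROP", "outbound port not allowed")
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return self._verdict(pkt, "ACCEPT", "new outbound flow")


# Constructed traffic. LAN host 1.1.1.1 and web server 3.3.3.3 are from the thread;
# 5.5.5.5:4444 is a hypothetical command-and-control server on a high port.
TRAFFIC = [
    Packet("1.1.1.1", 34543, "3.3.3.3", 80, "out"),    # page request
    Packet("3.3.3.3", 80, "1.1.1.1", 34543, "in"),     # expected return traffic
    Packet("3.3.3.3", 80, "1.1.1.1", 22, "in"),        # unsolicited, not in state
    Packet("1.1.1.1", 40001, "5.5.5.5", 4444, "out"),  # malware calling home
    Packet("5.5.5.5", 4444, "1.1.1.1", 40001, "in"),   # C2 reply to that call-home
]


def run(fw: StatefulFilter, traffic=TRAFFIC) -> list:
    """Push the constructed traffic through a filter and return the verdicts."""
    return [fw.filter(p) for p in traffic]


def inbound_only() -> list:
    """Inbound default-deny, no outbound policy: the call-home and its reply both pass."""
    return run(StatefulFilter())


def with_outbound_allowlist() -> list:
    """Outbound limited to 80/443: the call-home never enters the state table,
    so its reply is unsolicited and dropped too."""
    return run(StatefulFilter(allowed_out_ports={80, 443}))


def with_drop_list() -> list:
    """Source drop list covering 3.3.3.0/24: the web reply is dropped even though
    the outbound request created a state entry."""
    return run(StatefulFilter(allowed_out_ports={80, 443}, drop_list=["3.3.3.0/24"]))


if __name__ == "__main__":
    for name, fn in [("inbound only", inbound_only),
                     ("outbound allowlist", with_outbound_allowlist),
                     ("drop list first", with_drop_list)]:
        print(f"{name:20s} {fn()}")
```

Reading the three verdict lists side by side makes the thread's disagreement concrete: with inbound filtering alone the fourth and fifth packets (the call-home and its reply) are accepted because the outbound connection created a state entry, an outbound allowlist turns both into drops, and a drop-list check placed ahead of the state lookup drops the legitimate web reply regardless of state. In a real iptables ruleset the same ordering is simply the order of the rules in the INPUT chain.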
 