Firewall / Router information request

I'm having trouble shopping for a secure firewall/router. I understand the need for speed and the question of how far the thing can reach. But that's all the reviews talk about. What about the most important thing: Firewall quality. I'm yet to read a review that discusses the quality of the firewall in a home firewall/router. In fact, the word firewall rarely even appears in reviews. Can anyone help me with a link or explanation for this? Are all home firewalls the exact same circuitry and rule set? Any thoughts?


 

https://www.pfsense.org/products/


Depending upon just how fast and just how secure you want to be, there are plenty of really good devices out there.

 

For simplicity combined with good security and excellent performance, I usually recommend the Apple Airport Extreme BaseStation. Easy to setup, well supported, and for the most part, "just works."

 

Stepping up from there, you get into the low end Cisco line, like this one: Cisco RV130W Wireless-N Multifunction VPN Router - Cisco

 

A little more difficult to setup, but provides excellent security, and good wireless performance.

 

You can step up from there as far as your wallet will stretch, but I suspect the Airport Extreme might be the ideal model for you. Give a few more details about what you are concerned with, and we can go a bit deeper.

 

Yours,

-Paul

Anyone who considers protocol unimportant has never dealt with a cat DAC.

Robert A. Heinlein


 

Routers and Switches for Small Business - Main Page - Cisco Systems

 

Home - SmallNetBuilder

 

A few key words among others to look for in product descriptions, are firewall and security.

 

Don't forget that you get what you pay for here.


Like many things in tech, it is the low-tech stuff that's key.

 

Network address translation, a very simple thing that pretty much every router has, should work simply and well to protect your home network **if you are very good about setting a good password** for your router. A good password mainly means a long one. (To understand why, Google "rainbow tables.")

 

Beyond that you don't want to give bad stuff permission to come in (careful what you click).

 

Then if you want to be more sophisticated, you can look into something like pfsense. Also have a look at OpenDNS, which is a nice DNS service.

One never knows, do one? - Fats Waller

The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein

Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.

Depending upon just how fast and just how secure you want to be, there are plenty of really good devices out there.

 

For simplicity combined with good security and excellent performance, I usually recommend the Apple Airport Extreme BaseStation. Easy to setup, well supported, and for the most part, "just works."

 

Speaking as a network ignoramus, I support this recommendation. I have a couple of Airport Extremes (older one at home, newer one at work), and I've never had any trouble configuring them, nor have I had any problems after configuration. Wireless performance on the newer one (802.11ac) is spectacular.

 

--David

Listening Room: Mac mini (Roon Core) > iMac (HQP) > exaSound PlayPoint (as NAA) > exaSound e32 > W4S STP-SE > Benchmark AHB2 > Wilson Sophia Series 2 (Details)

Office: Mac Pro >  AudioQuest DragonFly Red > JBL LSR305

Mobile: iPhone 6S > AudioQuest DragonFly Black > JH Audio JH5

What I'm concerned about is security from the unknown. I know I have to look out for sources of malware, but we're all bound to hit something on accident. But, based on reviews I've read, the firewall provides no security improvement if one moves from a $20.00 TP-Link N300 TL-WR841N up to a $300.00 Asus RT-AC88U. You get more whip-zammy speed and the reach will let you watch video from the next county, but nothing is said about whether one will block a malware attack any better than the next. Now, you look at malware prevention stuff like Bitdefender or whatever, and everybody performs tests right and left, throwing a stack of malware files at them. But this is never done with the firewall in a router. That's where I am puzzled.

 

Because what routers and firewalls deal with is mostly where bad things come from (e.g., whitelists and blacklists) and possibly some fairly general content monitoring (This is executable code, do you want to let it in?). Antivirus and malware prevention software deals in a very sophisticated and constantly changing way with content (please download today's updated virus definition file). I suppose they could be combined in a single user interface, but I'm not familiar with anyone who's done that.

I'm a little (very) confused by your reply. It sounds like you're trying to prove my point. True, firewalls deal with where bad things come from, so, we should be buying based on how well the firewall deals with bad things. But, from what I can tell, every firewall has the same "instructions" as to what should be accepted or blocked and the same ability to carry out those instructions. If that is so, if I buy a 20 buck unit, I am just as "safe" as the guy who spends $300. Then, it all falls on one's choice of anti-malware and one's ability to play it safe. Am I right or am I missing something? Of course, the units they call "enterprise firewalls" have a bunch of gizmos that let you make exceptions based on your need. But, from what I'm reading, they don't have a super duper powerful capability. They're just made with more flexibility. So, I'm back to the question of "is one firewall any better than the next?"

As Jud mentioned a network firewall looks at where something is coming from and what protocol it is using.

 

There are two common philosophies in use in network firewalls:

1) let everything through by default, block specific things known to be bad

2) block everything by default, let through specific things you want

 

The second is much more secure, but it takes effort to figure out what you want to let through. One approach with this is to let through a few things you know you want and then start using it. When something gets blocked, decide whether you really want it. For example, if you never play any games over the internet, you can block the game protocols; you can never get hacked through a game. But if you do play games, you need to open up the game protocols.

 

Because of the difficulty of implementing strategy #2, almost all home routers use #1. Most give you some way to block specific locations/protocols, but very few people ever do that.

 

I personally use pfSense on a small dedicated industrial computer as my router, I get to set it up exactly the way I want, but I'm a network nerd and like to deal with that sort of stuff.

 

John S.

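The two philosophies John S. describes, written out as an actual ruleset. This is an added example, not John's pfSense configuration or anything posted in the thread: it applies strategy #2 (block everything by default, allow what you need) to the Windows Defender Firewall using the NetSecurity cmdlets, and turns on logging of dropped packets so the "when something gets blocked, decide whether you really want it" loop has something to read. The ports and the Steam path are assumptions; a router running pfSense would express the same policy in its own rule table. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): strategy 2, block by default and allow
# what you need, on the Windows Defender Firewall. Run from an elevated prompt.
# Ports and the program path are assumptions; adjust them to what you actually use.

$profiles = 'Domain', 'Private', 'Public'

# 1. Default-deny in both directions. Inbound is already Block on a stock
#    install; outbound is normally Allow, which is what strategy 1 looks like.
Set-NetFirewallProfile -Profile $profiles -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Log dropped packets so each block can be judged: live with it, or add a rule.
Set-NetFirewallProfile -Profile $profiles -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# 3. Allow only the traffic you know you want: port-based rules for the basics,
#    a program-based rule for an application (here, a game) you actually use.
$allow = @(
    @{ DisplayName = 'Allow DHCP out';  Protocol = 'UDP'; LocalPort = 68; RemotePort = 67 }
    @{ DisplayName = 'Allow DNS out';   Protocol = 'UDP'; RemotePort = 53 }
    @{ DisplayName = 'Allow NTP out';   Protocol = 'UDP'; RemotePort = 123 }
    @{ DisplayName = 'Allow web out';   Protocol = 'TCP'; RemotePort = 80, 443 }
    @{ DisplayName = 'Allow Steam out'; Program = 'C:\Program Files (x86)\Steam\steam.exe' }  # assumed path
)
foreach ($rule in $allow) {
    New-NetFirewallRule -Direction Outbound -Action Allow -Profile Any @rule | Out-Null
}

# 4. Review what got dropped. A log line looks like this (constructed sample):
#    2024-03-01 20:15:02 DROP TCP 192.168.1.20 203.0.113.7 51234 8080 52 S ...
#    Fields: date time action protocol src-ip dst-ip src-port dst-port ...
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 500 |
    Where-Object { $_ -match '\sDROP\s' } |
    ForEach-Object {
        $f = $_ -split '\s+'
        [pscustomobject]@{
            Time  = "$($f[0]) $($f[1])"
            Proto = $f[3]
            Src   = "$($f[4]):$($f[6])"
            Dst   = "$($f[5]):$($f[7])"
        }
    } |
    Group-Object Proto, Dst | Sort-Object Count -Descending | Select-Object Count, Name -First 20
```

Expect the first days to be noisy: with outbound set to Block, Windows Update, license checks and anything else not listed above stop working until you add a rule for them, which is exactly the effort John says strategy #2 costs. The inbound side is the easy half: a stock Windows install already blocks unsolicited inbound, and a home router's NAT does the same, so the only inbound exposure on a typical home network is whatever you deliberately forward or expose.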
Thanks, John, for the further education. Now, when I'm shopping and comparing "Asus" vs "Linksys" vs "TPLink" vs "whatever", how do I know if one is using strategy 1 or 2? How do I know if one did a pretty shabby job at implementing their choice of strategy? That's where I (and possibly all of us) am flying blind. Again, you can read paragraph after paragraph about how fast and far reaching the thing is, but you can't find one sentence about how secure the thing is. What to do?

You can assume that anything marketed for "home use" or "small office use" is going to use #1, and will be essentially the same as far as the firewall itself is concerned.

 

The big difference is going to be the GUI for modifying the rules if you want to do so. Some are easy to use, but not very flexible, some are flexible but horrible to use, and once in a great while you can find one that is both flexible and easy to use. But this is only necessary if you are going to dive in and modify things for your own needs.

 

If you are not going to be modifying things then pretty much any of the "home" routers are going to be essentially the same from a firewall perspective, i.e., pretty much wide open so the people in the house can do whatever they want on the internet without worrying about whether the firewall is going to block them.

 

There are a few things that every firewall blocks by default, that nobody has a legitimate need for using, but that is pretty much standard.

 

John S.


One more important aspect to this is the reliability of the code.

 

Some routers need to be rebooted every month and others can go for years on end. Many routers will start getting slower and slower as the time from the last reboot increases. For me this is a very important aspect of a router.

 

Unfortunately there is no way to know from looking at marketing material which is good and which is bad. The best place to find out about this is either the amazon reviews or internet network forums. If there are significant issues with a router they will be reported somewhere on the net.

 

Price has little bearing on this, some inexpensive routers are rock solid, but most of the really reliable ones tend to be on the more expensive side.

 

John S.

Thanks again John S. Though that is, of course, not good news. No wonder there is such a problem with malware. We are all sitting ducks. Oh well, you just saved me a couple hundred dollars. I guess I'll just spend 20 bucks and focus on other forms of protection.

 

No, we're not sitting ducks. Get a router to do *its* job (fast, reliable, the usual/typical firewall capability), and use malware/anti-virus protection to do *its* job. Bitdefender, which you mentioned, is a good choice.


You need to layer your protection. Firewalls minimize ingress, to services that your computer runs, from the outside world and also inspect traffic for common attack vectors. IP Spoofing, malformed packets/payloads, etc...

 

I like Zyxel for an affordable and still very much business class solution.

 

Next is Anti-Virus

 

Next is Managed DNS (OpenDNS)

 

Next is using a managed email service.

 

Next is using your computer with a Standard user, and not Administrator, account.

 

Next is having a backup plan in place.

 

A firewall will not protect you from doing something unfortunate though.

No, we're not sitting ducks. Get a router to do *its* job (fast, reliable, the usual/typical firewall capability), and use malware/anti-virus protection to do *its* job. Bitdefender, which you mentioned, is a good choice.
Not to mention a good free software firewall as well, e.g. Privatefirewall: https://www.privacyware.com/personal_firewall.html

"Relax, it's only hi-fi. There's never been a hi-fi emergency." - Roy Hall

"Not everything that can be counted counts, and not everything that counts can be counted." - William Bruce Cameron

 

You need to layer your protection. Firewalls minimize ingress, to services that your computer runs, from the outside world and also inspect traffic for common attack vectors. IP Spoofing, malformed packets/payloads, etc...

 

I like Zyxel for an affordable and still very much business class solution.

 

Next is Anti-Virus

 

Next is Managed DNS (OpenDNS)

 

Next is using a managed email service.

 

 

I like Fastmail.

What I'm concerned about is security from the unknown. I know I have to look out for sources of malware, but we're all bound to hit something on accident. But, based on reviews I've read, the firewall provides no security improvement if one moves from a $20.00 TP-Link N300 TL-WR841N up to a $300.00 Asus RT-AC88U. You get more whip-zammy speed and the reach will let you watch video from the next county, but nothing is said about whether one will block a malware attack any better than the next. Now, you look at malware prevention stuff like Bitdefender or whatever, and everybody performs tests right and left, throwing a stack of malware files at them. But this is never done with the firewall in a router. That's where I am puzzled.

 

Because what routers and firewalls deal with is mostly where bad things come from (e.g., whitelists and blacklists) and possibly some fairly general content monitoring (This is executable code, do you want to let it in?). Antivirus and malware prevention software deals in a very sophisticated and constantly changing way with content (please download today's updated virus definition file). I suppose they could be combined in a single user interface, but I'm not familiar with anyone who's done that.

 

Actually the future is here, albeit in the top-end routers for now:

Virus Protection, Zone Alarm, for Consumer and Home | Check Point Software

 

Security Appliances and Services | ZyXEL


 

The first link, if I understand correctly, appears to be for a combination *software* firewall and AV, which have existed for a very long time. I happen to dislike software firewalls as a matter of personal preference, as at least at the consumer level I've never yet run into one that didn't start off too intrusive and wind up too permissive, because the algorithms weren't good enough to distinguish truly harmful content from ordinary at a very specific level in the way that good AV software does.

 

I don't know enough about the ZyXEL enterprise-level stuff to comment, though my assumption would be that the price range isn't what our OP is looking for.


Oh, one other comment to the OP: Google the programs and services that launch on startup to see whether there's anything running on your machine that sends bad stuff to other computers and/or invites bad stuff to yours. You may also find programs that aren't harmful but aren't necessary and load your machine down.

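A way to list those startup locations without guessing, as an added example (this is not code from the post): it walks the Run/RunOnce registry keys for the machine and the current user, the per-user and common Startup folders, scheduled tasks with logon or boot triggers, and auto-start services whose binary lives outside the Windows directory. It only reads; look each entry up before you remove anything.

```powershell
# Added example (not from the thread): enumerate the common places a Windows
# program registers itself to start automatically. Read-only; no changes are made.

function Get-StartupEntries {
    # Registry Run/RunOnce keys, machine-wide (including the 32-bit view) and per-user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip PowerShell's own PSPath/PSParentPath... members
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    # Startup folders: anything dropped here runs at logon
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }

    # Scheduled tasks that fire at logon or boot, with the command each action runs
    Get-ScheduledTask | Where-Object {
        $_.Triggers | Where-Object { $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger' }
    } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Source  = "Task $($task.TaskPath)"
                Name    = $task.TaskName
                Command = "$($a.Execute) $($a.Arguments)".Trim()
            }
        }
    }

    # Auto-start services whose executable is not under the Windows directory
    # (third-party software; the path may or may not be quoted in PathName)
    Get-CimInstance Win32_Service | Where-Object {
        $_.StartMode -eq 'Auto' -and
        $_.PathName -notlike "$env:SystemRoot\*" -and
        $_.PathName -notlike "`"$env:SystemRoot\*"
    } | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
}

Get-StartupEntries | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

The Command column is what to search for: a binary running from a user-writable location (AppData, Temp, Downloads) or a service whose path has no quotes around a directory with spaces is worth a closer look, while a vendor updater that you simply don't need is the "not harmful but not necessary" case Jud mentions.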

 

I don't know enough about the ZyXEL enterprise-level stuff to comment, though my assumption would be that the price range isn't what our OP is looking for.

 

I've seen current Zyxels with wireless included for $40 after rebate (this happens occasionally).

 

A really awesome feature in Windows 8/10 Ultimate or Enterprise is AppLocker.

 

You can create a white list of programs that are allowed to run (by .exe and even for an .exe a particular release version).

 

That way if you errantly click on a link to deliver an exe to your machine it won't run.

 

Also Null Proxying your web browsers and using a proxy white list of sites you want to go to.

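One way to build the allow list described above, as an added example rather than code from the post: it inventories the executables already installed, generates publisher rules for signed files (so a later build of the same signed product still runs) and hash rules for unsigned ones, starts in audit mode, and shows how to dry-run a downloaded file against the policy before anything is enforced. The directories and the output path are assumptions. It needs an elevated prompt on a Windows edition that includes AppLocker, and the Application Identity service must be running for the rules to take effect.

```powershell
# Added example (not from the thread): an AppLocker allow list for .exe files,
# built from what is already installed and rolled out in audit mode first.
# Directories and the output path are assumptions; run elevated.

$policyPath = "$env:TEMP\applocker-allowlist.xml"

# 1. Inventory the executables you intend to allow. These directories are not
#    writable by standard users, which is what makes them a sane baseline.
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# 2. Publisher rules where a file is signed, hash rules where it is not.
#    -Optimize merges rules that share a publisher; -Xml returns the policy as text.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Allowlist' -Optimize -Xml

# 3. Start in AuditOnly: nothing is blocked, but every exe that *would* have been
#    blocked is logged (Microsoft-Windows-AppLocker/EXE and DLL, event ID 8003).
[xml]$policy = $policyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection.Type -eq 'Exe') { $collection.EnforcementMode = 'AuditOnly' }
}
$policy.Save($policyPath)

# 4. Dry run: would the files sitting in Downloads be allowed under this policy?
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone

# 5. Apply it to the local machine, merging with any existing AppLocker rules.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 6. After a week of audit events that show only expected blocks, flip the Exe
#    collection to EnforcementMode="Enabled" in the XML and run step 5 again.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Path rules are deliberately not used here: C:\Windows contains subdirectories that standard users can write to (C:\Windows\Tasks and C:\Windows\Temp, among others), so a path rule allowing C:\Windows\* would let anything dropped there run. Publisher and hash rules do not have that hole; the price is that an unsigned program that updates itself needs a fresh hash rule, which the audit log will tell you about before enforcement does.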
I've seen current Zyxel's with wireless included for $40 after rebate (this happens occasionally).

 

The enterprise level stuff in Iain's link?

 

A really awesome feature in Windows 8/10 Ultimate or Enterprise is AppLocker.

 

You can create a white list of programs that are allowed to run (by .exe and even for an .exe a particular release version).

 

That way if you errantly click on a link to deliver an exe to your machine it won't run.

 

Yeah, or you can run Linux or FreeBSD and get a system set up from the start not to give admin privileges to most executable code without your permission.

 

Also Null Proxying your web browsers and using a proxy white list of sites you want to go to.

 

OpenDNS can be used for whitelists, blacklists, or a combination. I personally am too lazy to set this up.
