atcomsystems.ca/forum Forums VOIP Phones & IP PBX Networking Hub, Routers, Switches

I would state an opinion but Junkman might pick on me.

Aw, come on, I'm not that bad. (chomp! snarl! growl!) Just trying to sort out some confusion and misunderstanding.

How is your client getting his internet access....if DSL, Westell makes a nice combo router/wireless AP....add one or two routers daisychained downstream & you are good to go....

I would avoid cascading routers running NAT. Use one router at the edge of your network, and switches and wireless access points inside the network.

Please, NO! Not this topic again!

There are a few times when cascading routers is useful, such as using the same internet connection for guest rooms and office computers in a hotel, put the offices behind a second router so the guests can't get to them. Normally, you only need one router.

Definitely don't chain the LAN ports of 2 different routers together unless you turn off DHCP on all but one router.

Why would a router be classified as a firewall? A router main function is to "route a routed protocol using a routing protocol."
Some routers have some basic "firewall" capabailities. NAT is actually an invention to limit the addressing shortage of IPv4 (2^32 address available.) A side benifit of NAT is a bit of security. However NAT can be cracked using a TCP seq attack of example.
A firewall on the other hand does not Route traffic, and is specifically for security. It deep scans packets and rejects or allows access through it based on predetermined policies. An example is if a packet has been altered it will be dropped.

Anyway I AGGREE with what you are saying a Router with NAT functionalty is good enough for home use, but it isnt a firewall.

Gentlemen,

First let me thank you for keeping things (mostly) civil. We're all professionals here, and with the rising popularity of this site it is important that we keep that in mind.

My own opinion is that Linksys routers (which do contain limited firewall capabilities) are adequate for home use, primarily because they are usually coupled with software-based A/V and firewalls.

However, when we're talking about a home office or a large family with 5-6 PCs running around the clock, then a hardware-based firewall should always be a consideration. The higher initial costs are offset by not having to outfit each PC with A/V & firewall software.

I see far too much consumer-grade Linksys gear being used in office environments, with typically poor results. Linksys also offers a reasonably-priced product line aimed squarely at the SOHO market. The originally posted scenario might be a good fit for the RV016, which is a 16 port router (with VPN and some firewall capability, plus redundancy and backup connection features typically found on much more expensive units).

Since this thread keeps resurrecting itself - here are my 2.5 cents. :nono:

The decision as whether to use a true Firewall really comes down to what you are doing with your Internet connection. If you will only be making "outbound" connections (surfing, mail etc.) then a NAT router or low-end firewall (linksys, etc.) will more than suffice.

Even if you had the most expensive Firewall on the market installed, it would not do you any good if it were not configured correctly (which the avg user can not do). Furthermore, in my experience, most people have any-any-any rules set for outbound connections. Therefore, the firewall is doing squat on outbound. Since most well written Malware utilize standard ports (like 80/www) a perimeter firewall (even properly configured) would happily pass these packets anyway, unless the firewall was equiped with Application Layer inspection (which is far from perfect).

A personal firewall (ass-uming that the user does not arbitrarily keep punching allow) would afford much greater protection against Trojans and other Malware as it informs you that an app or process is trying to establish an outbound connection (regardless of port or destination).

Network based antivirus (like on sonicwalls etc) Only afford a limited amount of protection and are not a substitute for a PC based product. They scan the datastream, which has a tendancy to slow things down, and poorly handle compressed files. They are a great supplement (if implemented correctly) for corporate networks but have little value in the home environment (considering the additional subscription costs).

Dave

This is default for ALL PIX firewalls, (high security level passes traffic to a lower security level) are you saying that the mighty pix is not a good firewall? To be honest in a corp enviroment, a firewall is to keep people out not to keep malware in. As you said it is preferable to have desktop applications to detect and destroy malware, i dont think this is a job of the firewall.

My 2.6 eurocents

Well, I won't even go there with PIX. Let's just say that they should stick with Routing and switching.

I disagree with what you say a firewall's job is. It should be configured to cut both ways. I have saved many a disaster by limiting outbound ports. For example, if you limit port 25 to only your legit mail hosts then you can stop worm propagation cold. You can also control many other bad places that users tend to go (like personal pop-mail hosts, usenet, etc.)