Re: Cost of cheap but decent hardware firewall

From: jealous xmp (jealousxmp_at_aol.commonplace)
Date: 03/10/04


Date: 10 Mar 2004 18:56:50 GMT


>A Linksys, or other brand of home broadband router running NAT seems
>to be a quite adequate firewall if you are just browsing and doing email.
>It closes all ports to port probes, and NAT adds a little security.
>
>I'm open to suggestions as to how this is inadequate as a FW.

It's a side benefit of NAPT, or many-to-one NAT with private address space.
It's my understanding that SPI will tend to look further up in the protocol
layers to determine the authenticity of a packet. However, I'd tend to think
there is a difference between the SPI of an $8000 Sidewinder firewall and $50
Linksys combo units. Various companies will throw around terms like DPF, SPF,
SPI, etc., but the implementations vary somewhat.

Certainly in a few years, most all home appliances will have SPI and perhaps
many do already. But if you have an existing router and it would take a $100
upgrade to get equal features plus SPI, I'd have to question whether it's worth
it. Someone who uses Kazaa a lot would probably be better off grabbing a
couple of copies of TDS 3 (trojan defense suite) instead.

Michael


