Re: [Newbie alert!] Is the Linksys BEFSX41 hardware Firewall/router a "real" firewall?

From: Leythos (void_at_nowhere.lan)
Date: 03/27/05


Date: Sun, 27 Mar 2005 15:59:51 GMT

On Sun, 27 Mar 2005 00:39:21 -0800, Melissa wrote:
>
> While I do believe in "overkill in moderation" for certain things, it
> might be nice if I could depend on a hardware firewall to the point that
> I can toss the software "Personal Firewall" altogether (one less thing
> to run in the background, constantly tweak, etc.).

For a home user, there is very little that a real firewall appliance will
do that a NAT Router won't (provided you get one with extra features)
already do, at least for a home user.

As I see it, and I used to run a BEFSR41 in the early days before I started
my own business and needed more security around the home office, you're
not going to get comfortable without a PFW unless you start learning about
networking and traffic.

If you get a BEFSX41 or even the lowly BEFSR41 and set up a small PC,
something with Win 98 will even work, and run WallWatcher, you can monitor
ALL inbound and outbound traffic in real time - a simple KVM switch will
even let you share a single monitor/keyboard/mouse so that you don't have
to purchase those for the monitoring PC (an off-brand KVM for 2 stations is
about $20 most places).

With the advent of browsing the web as a Windows XP User, not an
Administrator, Firefox 1.01+, quality AV products, and not using Outlook
(any version) you should easily be able to do away with the PFW as long as
you have at least a NAT Router.

You don't really need outbound protection, think about it, once your
machine is compromised, if it uses port 80 to attack/update there is
little your firewall will do, same with SMTP, if you have unrestricted
outbound SMTP then it can spam all it wants. The only real place a
firewall appliance helps the home users is when the home user takes the
time to understand the threats and paths in-depth. Take our SMTP example,
the NAT router can't limit SMTP outbound to the ISP only, it's an all or
nothing type thing. A firewall appliance could limit outbound SMTP to just
the ISP's SMTP servers, this would render any virus with its own SMTP
engine about useless in spamming other SMTP servers - that doesn't mean
you can't get one that learns your password and sends through the ISP's
SMTP server, but, without an account/password your ISP should not allow
SMTP sending from any client.

If you want to secure your network from easily spreading viruses/worms via
typical MS File Sharing and other ports, you can set what Linksys called
Private Ports in some versions - where you can list port ranges to block
to destination ports - meaning you could block ports 135~139,445... going
to the destination port end (not your local outbound port, the port on the
receiving end). This means that your network can use typical MS ports to
attach to OTHER computers OUTSIDE your network (no impact inside the
network).

The SOHO Firewall Appliances are very nice, and they block outbound by
default (some vendors have typical use outbound ports open), and also
detect various types of attacks and block the attacker, but, a typical NAT
router will also keep your internal network from being compromised by
unsolicited traffic, it won't help much on outbound (except as noted).

Save your money, get a BEFSX41, BEFVP41, BEFSR41 or a D-Link or Netgear
and set up your network on 192.168.10.0/24, use a STRONG PASSWORD, disable
all UPNP, disable port forwarding, disable remote management, disable
remote upgrade, enable LOGGING, etc... This will keep unsolicited inbound
OUT.

Now, get a quality browser, or lock IE down as MS suggests (high-security
mode), get a non-MS email client, get quality AV software (I swear by
Symantec Corporate Edition - never been compromised yet), and get some
means to monitor the router in real time (WallWatcher) and learn how to
read it.

Also, if you only have one computer, disable file/printer sharing.

-- 
spam999free@rrohio.com
remove 999 in order to email me
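
Added example, not part of the original post: a small checker for the two outbound policies the post describes (SMTP allowed only to the ISP's mail server, and destination ports 135~139 and 445 kept from leaving the LAN), run over router-style connection logs. The log format, the ISP relay address 203.0.113.25 and the function names are assumptions made for this example; this is not WallWatcher's or Linksys's own format.

```python
import ipaddress

# Assumptions (constructed for this example, not taken from the post):
LAN = ipaddress.ip_network("192.168.10.0/24")       # LAN range suggested in the post
ISP_SMTP = {ipaddress.ip_address("203.0.113.25")}   # placeholder ISP mail relay
BLOCKED_DST_PORTS = set(range(135, 140)) | {445}    # MS ports named in the post

# Constructed sample log: "src_ip src_port dst_ip dst_port proto", one per line.
SAMPLE_LOG = """\
192.168.10.20 1045 203.0.113.25 25 tcp
192.168.10.20 1046 198.51.100.7 25 tcp
192.168.10.21 1100 198.51.100.9 445 tcp
192.168.10.21 1101 198.51.100.9 80 tcp
192.168.10.20 137 192.168.10.21 137 udp
not a log line
"""

def classify(line):
    """Return (verdict, reason) for one log line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[2])
        dport = int(parts[3])
    except ValueError:
        return None
    # Only LAN-to-WAN traffic is in scope; LAN-to-LAN sharing is unaffected.
    if src not in LAN or dst in LAN:
        return ("ignore", "not LAN-to-WAN traffic")
    # Rule on the DESTINATION port, as the post stresses, not the local source port.
    if dport == 25 and dst not in ISP_SMTP:
        return ("alert", "direct SMTP to non-ISP server")
    if dport in BLOCKED_DST_PORTS:
        return ("alert", "MS file-sharing port leaving the LAN")
    return ("allow", "permitted outbound")

def review(log_text):
    """Classify every parseable line; return a list of (line, verdict, reason)."""
    results = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict is not None:
            results.append((line, *verdict))
    return results

if __name__ == "__main__":
    for line, verdict, reason in review(SAMPLE_LOG):
        print(f"{verdict:6} {reason:38} {line}")
```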

