Do I Need A Physical Firewall On A Direct Connection?


dusf

I use Xubuntu 11.04, and although I have Gufw installed with incoming connections blocked by default apart from torrents, I have no physical router; instead my LAN NIC is connected to what I think is a repeater, which takes the cable up to the roof, where it receives a signal from my ISP. Am I secure, firewall-wise?

What is on the roof is, or looks very similar to http://cgi.ebay.com/ALVARION-3-5Ghz-ANTENNA-AN1704-SU-RA-OF-3-5b-OFDM-/230509999385

It should be noted, sometimes I boot into Windows 7/Windows XP which I have installed Bitdefender on.

Oh, and Darren mentioned home firewalls not usually being adequate, so if you maintain I should buy one, please recommend some models. I have some Cisco 2600s here that are just missing WAN NICs; perhaps I could adapt one with a LAN NIC somehow?

Edited by dusf

Google NAT on a stick for 2600 using NAT with a single ethernet interface if you want to use the router for an extra hop. Using a SOHO or consumer firewall is advisable and will not alleviate all risk (nothing usable can do that). The issue that Darren is alluding to is that defense must occur in layers. You can have nothing allowed in, only port 80 outbound, and can still get whacked by an attachment through web-based email, local infiltration (USB or similar), or something to that effect. While many feel that a software based firewall is sufficient, if you can stop the packets before they even hit your machine you will be at least as secure, but likely more secure. Most SOHO firewalls are not configurable OOTB for egress filtering so they filter what can come in, but it is free range for outbound (read exploit) traffic. Reality - you are probably not much of a target either way. Protect yourself from script-kiddies and most of the problems will go away for you in most cases.


I have set up a similar internet connection for a client and have to say it does not come with any standard firewall protection. Another thing you can do, to really determine if it comes with a built-in firewall, is to find out what the default gateway IP address is, by going to a console and typing ifconfig, and then from your web browser typing the IP address of the default gateway.

It should take you straight into the configuration page of your internet box. If it does not have any reference to security or a firewall then your question is already answered: you will need a firewall, either installed on your computer or built from a box. Some decent firewall distributions worth checking out are Untangle, pfSense and Smoothwall.

If you need assistance let me know.
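The gateway check described in the post above, written out as a shell script. This is an added example, not the poster's own procedure or code. One detail worth knowing before trying it: ifconfig only lists interface addresses (inet, bcast, mask); the default gateway lives in the routing table, which `ip route` or the older `route -n` prints. The sample routing table and the 192.0.2.x addresses are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: find the default gateway and probe it
# for a management page. ifconfig only lists interface addresses; the
# gateway is in the routing table, so read `ip route` (or `route -n`).

# Gateway address from `ip route` output on stdin. Prints nothing for a
# point-to-point default route such as "default dev ppp0" (no "via").
gateway_from_routes() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Fallback for older systems: in `route -n` output the row whose destination
# is 0.0.0.0 carries the gateway in the second column.
gateway_from_route_n() {
    awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; exit }'
}

# URLs to try against a gateway address: plain HTTP first, then HTTPS.
probe_urls() {
    printf 'http://%s/\nhttps://%s/\n' "$1" "$1"
}

# Live check on this host. -k accepts the self-signed certificate such boxes
# usually present, -m 5 bounds the wait; "000" means nothing answered at all.
check_gateway() {
    gw=$(ip route 2>/dev/null | gateway_from_routes)
    [ -n "$gw" ] || gw=$(route -n 2>/dev/null | gateway_from_route_n)
    if [ -z "$gw" ]; then
        echo "no default gateway found: the link may be point-to-point with no router hop"
        return 1
    fi
    echo "default gateway: $gw"
    probe_urls "$gw" | while read -r url; do
        code=$(curl -k -s -o /dev/null -m 5 -w '%{http_code}' "$url") || true
        echo "$url -> HTTP $code"
    done
}

# Constructed sample routing table (documentation addresses) for offline use.
SAMPLE_IP_ROUTE='default via 192.0.2.1 dev eth0 proto static
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# Run with --live to query the real routing table and probe the gateway.
if [ "${1:-}" = "--live" ]; then
    check_gateway
fi
```

A 200 or a redirect to a login page means there is a box with a management interface in front of you, and its configuration pages will show whether it does any filtering. A 000 on both URLs, or no gateway at all, points to the link being a plain bridge to the provider, in which case nothing upstream is filtering for you.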


Google NAT on a stick for 2600 using NAT with a single Ethernet interface if you want to use the router for an extra hop.

I had a look at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml which looks good, albeit complicated :) Although I studied three of the semesters 4/5 years ago, I need to study the entirety of the new curriculum, which has been updated, before going to the exam. I have never installed an IOS etc., but I'm sure if I run into difficulty I would be able to get help on these forums?

Also, if I want to use more than Packet Tracer for the CCNA labs, the modules I will need for the three 2600s are http://cgi.ebay.ie/Cisco-WIC-2T-2600-Series-2-port-Serial-Interface-Module-/300554368392?pt=UK_Computing_Networking_SM&hash=item45fa6fb588. Do I need a similar module for the spare module slot but with an extra Ethernet port to set one up as my home router, or am I somehow going to convert the console or auxiliary port to take the connection from the roof in, with the connection from my PC coming from the regular Ethernet interface on the 2600? If a module is required, do you know the name of it so I can price it?

Using a SOHO or consumer firewall is advisable and will not alleviate all risk (nothing usable can do that). The issue that Darren is alluding to is that defense must occur in layers. You can have nothing allowed in, only port 80 outbound, and can still get whacked by an attachment through web-based email, local infiltration (USB or similar), or something to that effect.

Well, I rely a lot on BitTorrent (only when using Xubuntu with Ufw up, but) so for my needs I have to leave certain ports listening. Is there any way I can minimize any security risk they may pose? Is it easy for a potential threat to discover what ports are listening once they have my IP, and even then, what can they do with that listening port?

While many feel that a software based firewall is sufficient, if you can stop the packets before they even hit your machine you will be at least as secure, but likely more secure. Most SOHO firewalls are not configurable OOTB for egress filtering so they filter what can come in, but it is free range for outbound (read exploit) traffic.

From my understanding of egress filtering this would entail configuring not just inbound ports, but outbound ports, which although would take effort every time I want to do something new, I think after I get the hang of opening and closing ports on the 2600 I would quite enjoy it, and learn from it! :)

Reality - you are probably not much of a target either way. Protect yourself from script-kiddies and most of the problems will go away for you in most cases.

And the risk is very much decreased by using peer-reviewed software on Linux, yes? That said, it would be nice when playing games on Windows 7/XP if I was able to check my email and browse without worry of my passwords etc. being compromised... would you suggest any software instead of, or to complement, Firefox and Bitdefender? I'm already using NoScript with the former.

I have set up a similar internet connection for a client and have to say it does not come with any standard firewall protection.

Are you familiar with Ufw? Or in my case the frontend for Ufw, Gufw. Neither were turned on by default and I had to install and set them to block incoming ports other than specific torrent ones.

Another thing you can do, to really determine if it comes with a built-in firewall, is to find out what the default gateway IP address is, by going to a console and typing ifconfig, and then from your web browser typing the IP address of the default gateway.

I'm all but certain there's no built-in firewall; I'm just not sure if repeater is the correct term for the device, it's possibly an 'IDU'. To confirm, I executed ifconfig, which I am familiar with, and I expected to see the default gateway I configured, but instead I see my inet, bcast, and mask addresses and not my DG? Using the address I have configured in the GUI, Firefox reports 'Firefox can't establish a connection to the server at xxx.xxx.xxx.xxx.'. I tried http and https, and both with the bcast; perhaps it requires a port to respond? If the default gateway is, as I suspect, a high site transmitting and receiving off a local hotel here, would it respond to me, a regular customer?

It should take you straight into the configuration page of your internet box. If it does not have any reference to security or a firewall then your question is already answered: you will need a firewall, either installed on your computer or built from a box. Some decent firewall distributions worth checking out are Untangle, pfSense and Smoothwall.

So my software firewall Ufw is insufficient then? I will have a look at Untangle, pfSense and Smoothwall; building a physical firewall running one of those distros would be a nice little project!
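Since the reply above mentions both egress filtering and Ufw, here is what that policy looks like on ufw itself, with the permissive default beside the restricted version. This is an added example, not from the thread: the torrent port 51413 and the list of outbound ports are assumptions; adjust them to the client and services actually in use.

```shell
#!/bin/sh
# Added example, not from the thread: an egress-filtering policy for ufw,
# printed beside the permissive default. Port numbers are assumptions;
# 51413 is a constructed BitTorrent listening port.

TORRENT_PORT=51413

# The usual default: inbound blocked, everything outbound allowed. Anything
# that does get onto the machine can talk out freely.
permissive_policy() {
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow in $TORRENT_PORT"
}

# Egress filtering: deny outbound by default and open only what is needed.
# BitTorrent peers listen on arbitrary high ports, so the client needs a wide
# outbound range; everything else stays closed and blocked packets are logged.
egress_policy() {
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default deny outgoing" \
        "ufw allow out 53" \
        "ufw allow out 123/udp" \
        "ufw allow out 80/tcp" \
        "ufw allow out 443/tcp" \
        "ufw allow in $TORRENT_PORT" \
        "ufw allow out proto tcp to any port 1024:65535" \
        "ufw allow out proto udp to any port 1024:65535" \
        "ufw logging on"
}

# Print a policy, or with --apply run it as root. The reset first makes the
# result independent of whatever rules were there before.
apply_policy() {
    policy="$1"; mode="${2:-print}"
    if [ "$mode" = "--apply" ]; then
        ufw --force reset
        "$policy" | sh -e
        ufw --force enable
        ufw status verbose
    else
        "$policy"
    fi
}

# Number of commands in a policy, for a quick sanity check.
policy_rule_count() { "$1" | wc -l | tr -d ' '; }

# Usage: apply_policy egress_policy            (print it)
#        sudo sh this.sh && apply_policy egress_policy --apply
```

The two wide outbound rules are the cost of running BitTorrent behind an egress filter: remove them and torrents stop, keep them and most outbound traffic is still permitted. That trade-off is why the router-based egress filtering discussed above tends to be per-host, with the torrent box treated differently from the rest.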


It's not about the firewall, as much as you don't want your machine sitting on the direct IP exposed to the internet. A simple router with NAT is sufficient to give you an extra layer of protection, but you should always have a software firewall, whether directly connected to the internet or behind a router. The router will block anonymous internet requests, stealth your ports, and keep any vulnerable Windows ports inaccessible from the internet. Be sure to disable UPnP on the router, and if it has SPI, leave it enabled. Some systems may have issues when SPI is enabled, depending on the configuration of the machine, but it's generally a good idea to have it on when possible to prevent spoofing of packets and anonymous connections initiated from the internet.


Sorry for the late reply, I have been "away."

I had a look at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml which looks good, albeit complicated :) Although I studied three of the semesters 4/5 years ago, I need to study the entirety of the new curriculum, which has been updated, before going to the exam. I have never installed an IOS etc., but I'm sure if I run into difficulty I would be able to get help on these forums?

My CCNA expired several years ago, but I will help as much as I can.

Also, if I want to use more than Packet Tracer for the CCNA labs, the modules I will need for the three 2600s are http://cgi.ebay.ie/Cisco-WIC-2T-2600-Series-2-port-Serial-Interface-Module-/300554368392?pt=UK_Computing_Networking_SM&hash=item45fa6fb588. Do I need a similar module for the spare module slot but with an extra Ethernet port to set one up as my home router, or am I somehow going to convert the console or auxiliary port to take the connection from the roof in, with the connection from my PC coming from the regular Ethernet interface on the 2600? If a module is required, do you know the name of it so I can price it?

For labs, I would just use GNS3 with valid IOS images. It is far easier and cheaper. It is basically an emulated IOS environment.

Well, I rely a lot on BitTorrent (only when using Xubuntu with Ufw up, but) so for my needs I have to leave certain ports listening. Is there any way I can minimize any security risk they may pose? Is it easy for a potential threat to discover what ports are listening once they have my IP, and even then, what can they do with that listening port?

Yes, it is easy to determine which ports are open. If the ports that are open are secured/not vulnerable/patched, then you should not have too much of a problem.

From my understanding of egress filtering this would entail configuring not just inbound ports, but outbound ports, which although would take effort every time I want to do something new, I think after I get the hang of opening and closing ports on the 2600 I would quite enjoy it, and learn from it! :)

And the risk is very much decreased by using peer-reviewed software on Linux, yes? That said, it would be nice when playing games on Windows 7/XP if I was able to check my email and browse without worry of my passwords etc. being compromised... would you suggest any software instead of, or to complement, Firefox and Bitdefender? I'm already using NoScript with the former.

Most AV vendors will be similar, catching 90%+ of the common viruses. I use a common AV product and complement it with Malwarebytes for occasional scanning. Most of my more questionable scanning is done in a non-persistent Linux VM, but my everyday environment for productivity is Windows 7.
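The answer above is that open ports are easy to find and that what matters is whether the services behind them are patched and intended. The practical follow-up for the host owner is to audit what is actually listening and compare it with what was meant to be exposed. This added example, not from the thread, does that with the Linux `ss -tulpn` output; the sample output, the process names and the allowlist (the torrent port 51413) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list this host's listening sockets from
# `ss -tulpn` and flag any reachable from other hosts that are not on the
# allowlist. Sample output and the allowlist are constructed assumptions.

ALLOWED_PORTS="51413"   # constructed: the BitTorrent port deliberately left open

# "proto port addr process" for each listening socket in `ss -tulpn` output on
# stdin. Column 5 is the local address ("0.0.0.0:22", "[::]:51413", "*:53");
# the port is whatever follows the last colon, the process sits in users:(("name",...)).
listening_ports() {
    awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, addr, proc
    }' | sort -u
}

# Keep only listeners that are not bound to loopback and whose port is not in
# the space-separated allowlist given as $1. Prints "proto port process".
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 !~ /^(127\.|\[::1\])/ && !($2 in ok) { print $1, $2, $4 }'
}

# Live audit of this host; exits 1 if anything unexpected is listening.
audit_host() {
    found=0
    for line in $(ss -tulpn 2>/dev/null | listening_ports | unexpected_listeners "$ALLOWED_PORTS" | tr ' ' '|'); do
        found=1
        echo "unexpected listener: $(echo "$line" | tr '|' ' ') (not on the allowlist: stop it or add a rule knowingly)"
    done
    return $found
}

# Constructed sample `ss -tulpn` output for offline use.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:51413     0.0.0.0:*     users:(("transmission-gt",pid=1201,fd=18))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0      50     0.0.0.0:51413     0.0.0.0:*     users:(("transmission-gt",pid=1201,fd=20))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=540,fd=7))'

# Offline demonstration: only sshd on tcp/22 should be reported.
printf '%s\n' "$SAMPLE_SS" | listening_ports | unexpected_listeners "$ALLOWED_PORTS"
```

On the sample data the torrent listeners are allowed and cupsd is bound to loopback, so only sshd on tcp/22 is reported. Anything that shows up here is a service reachable from outside whether or not a firewall rule exists for it, which is exactly the list to keep patched or shut down.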

