NAT vs. firewall (software)

Camman NEW! England Icrontian
edited September 2004 in Science & Tech
I have a Netgear RT314 "Gateway Router" and I used to run Zone Alarm. I'm not a newb when it comes to security or anything but I'm just wondering what people's educated opinion is when it comes to this. Recently Zone Alarm has been causing problems with me trying to print to the printer on the other side of the house so I got rid of it. Am I safe behind just the NAT protection built into my Netgear or should I also run some kind of firewall software?

Comments

  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited September 2004
    I'd run Sygate or Tiny Firewall unless your router can do this:

    NAT PLUS
    SPI PLUS
    Port blocks of any unused ports (the easier to configure this, the better).

    THAT, together with AV, and a weekly spyware\adware\other malware combined scan series should minimize what you "acquire" unintentionally.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited September 2004
    Camman wrote:
    I have a Netgear RT314 "Gateway Router" and I used to run Zone Alarm. I'm not a newb when it comes to security or anything but I'm just wondering what people's educated opinion is when it comes to this. Recently Zone Alarm has been causing problems with me trying to print to the printer on the other side of the house so I got rid of it. Am I safe behind just the NAT protection built into my Netgear or should I also run some kind of firewall software?

    Look up Port +Scan on Google. To validate a router for base security I run it against GRC's site, used to use PCFlank, and I run Sygate's and Symantec's Security scan against the router. My little router, with port blocks in place, passes ALL those sites' scans-- even full NMAPs. MONTHLY! OH, by the way, they all get the Comcast-Spoofed WAN IP on the router. They do not even get the router's programmed WAN IP or a computer ID valid for anything on my LAN. They get an ID AND IP supplied by Comcast as a customer ID that deliberately cannot connect to my LAN if used (SPI and WAN routing programming will NOT pass that IP into LAN, and in fact the router will not even respond to ICMP Echo requests-- Comcast cannot even get through the router, and I asked THEM to try). Out of the 64K possible TCP ports, and the 64K possible UDP ports, about 20 are open at router (Telnet is NOT open). Boxes are also firewalled with soft firewalls, ShoreWall is used (just updated today) on the Linux box I mostly surf on, and Sygate Pro runs on the XP SP2 box.
  • Camman NEW! England Icrontian
    edited September 2004
    Thanks for the feedback guys! I'm thinking that when I get a little bit of extra money kicking around I'm going to buy this router.

    http://www.zipzoomfly.com/jsp/ProductDetail.jsp?ProductCode=251644&ps=hw1


    I want security but I don't want to have to set up and maintain firewall software on all the PCs in the house, that router looks to have some great security features at a reasonable price.


    Firewall: Stateful Packet Inspection (SPI) to prevent Denial of Service (DoS) attacks (syn flood, ICMP flood, UDP flood, "ping of death", IP spoofing, land attack, tear drop attack, IP address sweep attack, Win Nuke attack). Intrusion Detection System (IDS) including logging, reporting and e-mail alerts, address service and protocol), Web URL content filtering.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Y'know, the firewall that comes with Windows XP SP2 ain't half bad. If you want a quick and easy (cheap) solution, I would just use NAT with SP2's firewall. That's what I do.

    For general security (security by obscurity) NAT alone is pretty much okay.
  • mmonnin Centreville, VA
    edited September 2004
    Are you trying to hide something? Heck, why would a hacker want in your computer anyway? There are loads of people out there that don't have any kind of firewall. Modem plugged straight into NIC with no SW Firewall.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2004
    Well that's just not safe. Having an unprotected computer is sort of irresponsible. A script kiddie will scan a whole city's worth of IPs in a few minutes and any open computers will be scanned for exploits. Any exploitable computers will become zombies and then you have a spam server on your computer without your knowledge.

    Why would you NOT have a firewall or at least be behind NAT? That would be nuts!
  • mmonnin Centreville, VA
    edited September 2004
    People don't know it's a must.
  • Camman NEW! England Icrontian
    edited September 2004
    mmonnin wrote:
    Are you trying to hide something? Heck, why would a hacker want in your computer anyway? There are loads of people out there that don't have any kind of firewall. Modem plugged straight into NIC with no SW Firewall.

    Yeah, and those people are called stupid. No, I have nothing to hide, it's more a case of I'd like to protect the computers on my network from becoming zombies for spam or DDoS attacks. The only computer I can keep a close eye on in the house is my own, and the other people in my house don't know enough about malicious software to know what to avoid. I'd just like to be protected....
  • Clutch North Carolina New
    edited September 2004

    For general security (security by obscurity) NAT alone is pretty much okay.

    Took the words right out of my mouth, spoken by a smart man.