Please explain routers, firewalls, etc.
October 12, 2005 4:08 PM

Need nerd help: Is it better to use a software firewall or a router to protect oneself while connected to the internet? Pardon my ignorance, but I really am quite stupid.

I will be setting up new DSL service soon, and will be getting a wireless router. I have heard that routers are good at protecting "ports" or some such thing, but I don't know how that works. I've used ZoneAlarm in the past and it seems to stop worms and whatnot from "infiltrating" my "computer," but I could really use some help in understanding how I should best be protecting myself. I figured others might find this information useful, too.
posted by _sirmissalot_ to Computers & Internet (18 answers total)
 
a hardware or software firewall can be equally effective when properly configured. the only real difference to the home user between the two is that a software firewall has to be running on your computer and as such consumes some processing resources that might slow you down. if maximum performance is your goal, then a hardware firewall will take the heat off your PC, no pun intended, if you don't mind learning how to configure it.
posted by mcsweetie at 4:14 PM on October 12, 2005


I rarely call on outside tech support but when setting up a router between two machines here, I bought the equipment from a local computer store and had them install it and check the firewall. It was more expensive but the peace of mind was worth it I think.
posted by ceri richard at 4:28 PM on October 12, 2005


You can think of your router as a phone system in a large company and ports as telephone extensions.

You tell the router that if it gets data directed to, say, port 2915, that you want the router to allow it through and forward it to your laptop, while data for port 1800 should go to your PC. And maybe you want to tell it that all the other ports should just be put on hold and forced to listen to Cher--that would be how you stop those pesky worms.

Here's a list of common ports that various programs prefer to use--you don't really need to know much about them unless you are planning on using those particular services on your new network.

There's also something called a "DMZ" host in router parlance--it means "demilitarized zone" and basically it's like saying "Make my laptop the DMZ--anything that hasn't been routed someplace else, just pass right through to my laptop."

That's the best layman's explanation I can make. Others will have more details I'm sure!
posted by bcwinters at 4:31 PM on October 12, 2005


The router is superior, but both is the best.

The router hides your address via Network Address Translation, so nothing can touch you unless it passes the packet through. NAT also allows multiple computers off a single IP address. Routers are always operational so a worm or trojan you pick up through browsing can't disable it.

A software solution's main advantage is controlling the outbound traffic side, so you decide which applications can talk to the internet. If you do get infected or simply want to stop some application from "phoning home", you'll have the ability to stop that software from talking. Unfortunately, much malicious stuff these days talks through an application like iexplore that you have already allowed.

If your WiFi network is cracked, software helps protect the computer. Typical wireless routers are only designed to protect traffic between the inside and outside, not between local hosts (including wireless).
posted by SpookyFish at 4:31 PM on October 12, 2005


If you're running a software firewall, it will generally alert you whenever a new program tries to access the internet. This means that if you, in your ignorance, fall prey to a worm or a trojan horse, you're instantly notified, and the threat is nullified. Note that this can be annoying or confusing if you're not sure what's going on, or don't care.

Your router-firewall will protect you from incoming attacks, but not from things that you install yourself, or things that exploit vulnerabilities in your web browser and email client.

Most people get by with a router. The paranoid use a router and a software firewall.
posted by agropyron at 4:32 PM on October 12, 2005


I'd recommend the router, for a few reasons. First off, it works all the time - if you hook up a new PC, you need to connect to the Internet to get the firewall and software updates, and it will keep you safe during that time. Secondly, you may one day get more computers and want to share files or printers between them - this is much easier with a router than with a software firewall. Lastly, a router comes properly set up* and is difficult to screw up, whereas a software firewall is far too easy (hit allow or deny at the wrong time and you're up the creek.)

Software firewalls do have one major benefit: they can protect you from software that's already on your computer sneaking out to use the Internet. If you're not a pretty hardcore power user, this isn't a major bonus, since you won't be able to tell whether it's good or bad software doing the sneaking.

* Wireless routers excepted - they are generally set up to allow wireless access from anyone and must be disciplined prior to use.
posted by pocams at 4:35 PM on October 12, 2005


The router for all the reasons above. If you keep your system tight, you probably don't need a software firewall.

Software firewalls tend to put a heavy drain on your resources. It's seriously a pain in the ass.

WIPFW, which is a port of FreeBSD's ipfw firewall, is the best local firewall I've found for Windows.
posted by devilsbrigade at 4:42 PM on October 12, 2005


I may get too technical so I apologize in advance.

Firewalls and routers are completely different technologies. Most commercial routers provide firewall capabilities, but not vice-versa.

Most WiFi routers provide port forwarding and port blocking capabilities. This would be the Firewall portion of your router. Normally all incoming ports are blocked. All outgoing ports are allowed through. Most commercial routers also provide Network Address Translation. NAT allows multiple machines behind the router to look like one machine in front of the router. In front of the router being the big bad internet.

Port forwarding is needed when you are going to allow other computers to come in to your machine on a service. Services use ports. Remember when I said most routers block all incoming ports? In order to provide incoming services (torrent, hosting ftp, hosting www), you need to poke a hole (open a port) in your router and forward traffic on that port to the machine with the hosted service.

If using WiFi, you'll want to utilize the WEP/WPA encryption which most commercial WiFi routers use. This is the easiest commercial option for commercial users to protect the network behind the firewall and keep out those you don't want to use your DSL line.
posted by mnology at 4:43 PM on October 12, 2005


Best answer: Sorry, I misread; I see the "I could really use some help in understanding" now.

A separate router is a tiny computer. It sees each request that you make to the Internet and keeps track of it. When some data comes from the Internet, the router checks to see if it's the response to a request you made, and if so, it allows it through. Otherwise, it throws it away.

If you have a bunch of computers, it also keeps track of which computer made each request. It then passes the request through to the Internet. When a response comes back, it looks up who made the request and sends the response to the appropriate computer. This is the "NAT" trick that SpookyFish mentioned. It lets you use a bunch of computers with only one real Internet address - the one belonging to the router.

This is easy on your computer, since it doesn't have to be monitoring the traffic. It's also simple, because the router doesn't need any special knowledge about your computer or your programs. The tradeoff is that it allows any request coming from your computer, even ones you may not know about or like.

A software firewall works a little differently. It keeps track of the programs on your computer, and you specify what programs get to use the Internet. Some programs (like a Web browser) only need to make requests to the Internet. Others (like an instant messenger client) may listen for requests from the Internet. When a program that the firewall doesn't know about tries to send out or listen for a request, it will prompt you to permit or deny it.

The nice thing about that is that you can see when programs try to "phone home" back to the vendor or when spyware tries to send data back to its masters. It can be a load on your computer, though, and it can also be a load on you - saying "permit" or "deny" to the wrong program can leave you open to attacks, or block your Internet access entirely.

Anyway, my earlier suggestions still stand, but I hope this makes things a little clearer.
posted by pocams at 4:51 PM on October 12, 2005
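As an added illustration (not code from the thread), the toy model below walks through what pocams describes: the router remembers every outbound request, lets a reply back in only if it matches one, and otherwise drops the packet unless a port-forwarding rule (mnology) or a DMZ host (bcwinters) says where it should go. Every address, port and rule is constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.

```python
from dataclasses import dataclass, field

# Router's single "real" Internet address; constructed from a documentation range.
PUBLIC_IP = "203.0.113.5"

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class NatRouter:
    # public port -> (inside ip, inside port): holes poked for hosted services
    port_forwards: dict = field(default_factory=dict)
    dmz_host: str = ""        # inside host that receives everything not matched above
    # public port -> (inside ip, inside port, remote ip, remote port): tracked requests
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt):
        """Any inside request is allowed; remember it and rewrite its source."""
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.table[public_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if the router drops it."""
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):   # reply to a tracked request
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if pkt.dst_port in self.port_forwards:                  # explicitly forwarded port
            ip, port = self.port_forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        if self.dmz_host:                                       # DMZ host gets the rest
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None                                             # unsolicited: thrown away

def demo():
    r = NatRouter(port_forwards={8080: ("192.168.1.20", 80)})
    out = r.outbound(Packet("192.168.1.10", 51234, "198.51.100.7", 443))   # laptop browses
    reply = r.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.src_port))  # its response
    probe = r.inbound(Packet("198.51.100.9", 1337, PUBLIC_IP, 445))          # unsolicited probe
    hosted = r.inbound(Packet("198.51.100.9", 1337, PUBLIC_IP, 8080))        # forwarded service
    return out, reply, probe, hosted
```

Note that nothing in this model inspects traffic between two inside hosts, which is the gap SpookyFish points out about local (including wireless) machines.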


Response by poster: Is there a particularly good brand for WIFI routers (for the home user)? "Good" meaning "secure" and "not terribly difficult to learn how to configure and use." Oh, "inexpensive" would be good, too.
posted by _sirmissalot_ at 4:53 PM on October 12, 2005


Pardon the liberal use of 'commercial'. I wanted to make a distinction between average home users, powerusers and enterprise level networking. I just didn't want to stray in to the Cisco, Unix land stuff.
posted by mnology at 4:53 PM on October 12, 2005


Response by poster: Thanks pocams, that was indeed a good explanation for the layman.
posted by _sirmissalot_ at 4:55 PM on October 12, 2005


The Linksys WRT54G is very popular, pretty powerful, and usually pretty cheap.
posted by smackfu at 4:56 PM on October 12, 2005


Linksys and 3com are what I recommend to home users.
posted by mnology at 4:56 PM on October 12, 2005


If you want a basic software firewall, if you have XP the one that's built-in is just fine, especially if you're going to be behind a NAT router. Just make sure it's actually turned on.
posted by zsazsa at 6:44 PM on October 12, 2005


What Spookyfish said. You want both. The router for inbound, the software firewall (free zonealarm works) for outbound.
posted by Manjusri at 8:04 PM on October 12, 2005


You want a software firewall as well as a router for all the reasons mentioned above but also, because you cannot trust your own network either. I.e. if your kids' computer gets infected, it can infect your home office computer, router-or-no-router. A firewall is not optional these days, it's like locking your car at night even though it's parked in your driveway. The driveway doesn't provide real extra security, just the illusion thereof.

Sygate gives away a very powerful XP-SP2-compatible personal firewall. For older Win2000 systems, Kerio is better (although you probably want to check oldversion.com for an older, more lightweight version than what they have currently).
posted by costas at 8:55 AM on October 13, 2005


I would recommend a hardware router.

However, that being said I would also recommend that you carefully read the instructions and immediately change its "default" name and password as soon as you set it up.

While most routers have options that turn off remote control of their configuration over the internet - that is not always the case. As well, if you buy a WiFi router, one of the most common attacks is simply to use the well known "default" passwords over the air...
posted by jkaczor at 6:24 PM on October 17, 2005

