What firewall protection do I need with my Linksys WRT54G?
September 27, 2005 3:17 PM

Home PC WAN-filter: Setting up a home broadband network with a cable modem, PC, & Linksys WRT54G...

I already have Norton Internet Security on the PC. Do I need additional firewall protection, or is the WRT54G default enough with the Norton sub? What works for you? Any gotchas in the standard setup?

Also - I'm curious about the Linksys A/G Media Center Extender or Wireless-B Media Adapter. Anyone out there tried one of these? Are they worthwhile?

posted by It's Raining Florence Henderson to Computers & Internet (13 answers total)

Usually the Linksys hardware is going to be doing the lion's share of the security for your network, due to the IP address obfuscation. The only way you'd really need the additional security precautions is if you're setting your machine up as the DMZ machine.

Either that, or you're surfing massive amounts of Porn and Warez sites with a non-patched version of IE and Windows.
posted by thanotopsis at 3:23 PM on September 27, 2005

What he said. Unless you're practicing incredibly promiscuous and unsafe Internet, the Linksys is all you need (and depending on your surfing/email habits, I'd even say that literally--don't even bother with the Norton, it can actually f*ck your machine up good itself!).
posted by cyrusdogstar at 3:30 PM on September 27, 2005

If you really feel that you need a software firewall, I'd go with something like Kerio V 2 (still available if you search, always free) or the Sygate personal firewall, which is a bit more user-friendly. Your Linksys will do a fine job of stopping incoming attacks, but a software firewall can let you know that a nasty has gotten onto your machine and is trying to connect outwards.

I've fixed too many computers that NIS messed up to recommend it to anybody.
posted by Dipsomaniac at 3:39 PM on September 27, 2005

One thing to look out for is to update the router's firmware to the latest version. That model has had security problems.
posted by Mr T at 4:20 PM on September 27, 2005

a more obvious thing (which you may have already done) is to change your default administrator password on the WRT54G and possibly enable WEP and turn off the id transmission.

agree with the above posters regarding additional firewalls.

do make sure your windows is patched to the latest version, however, and it's helpful to have a password on your account (even if you permit it to auto-login from a local boot).
posted by fishfucker at 4:27 PM on September 27, 2005

Response by poster: Thanks, y'all! This has been very helpful. I'll be sure to update the firmware and I'll definitely rethink the NIS. The basic Norton Anti-virus is still a good idea, though, no?

I haven't picked up the hardware yet, fishfucker, but I'll definitely be setting it up as you suggest.

Oh, and thanotopsis: Define "massive." /grin
posted by It's Raining Florence Henderson at 4:38 PM on September 27, 2005

yes, you absolutely need a virus scanner, unless you do not use POP email at all and never download anything from the internet.
posted by Hackworth at 5:03 PM on September 27, 2005

Ditto the sentiment that the WRT54G's firewall, while worthwhile, doesn't render a software firewall redundant.

The standard litany:

Keep your OS patches up to date.

Run a Kerio firewall (if only to keep an eye on what's initiating out-bound communications, and what processes are starting other processes.)

Run StartupMonitor to keep track of what's trying to set itself to run at start time.

Use IE only for windows update; use Opera or Firefox for web browsing. In your Internet Options, disable ActiveX controls from anyone but Microsoft.

Scan all freshly-downloaded executables (or packages including executables) for viruses before opening them. Yeah, Norton Anti-Virus should be fine (but I use Grisoft's AVG.) And keep your virus definitions up to date.

If you do all this, you probably won't have much problem with spyware (other than tracking cookies), but run a spyware check every so often anyway (Hitman Pro takes the over-the-top approach of downloading and running seemingly every free spyware checker.)
posted by Zed_Lopez at 5:16 PM on September 27, 2005

I haven't run a real-time virus scanner EVER. Number of viruses I've had? 1 in fourteen years of internet use. And that was due to attempting to use a very sketchy 0-day crack for the first Warcraft.

i have got nailed by some annoying spyware (largely ceased after switching to firefox), and succumbed to the occasional worm (on a few boxes connected directly to the internet with no attempt at firewalling whatsoever), but I've been fairly virus-free. I've NEVER got a virus from an executable that was offered up from a reputable source.

that isn't to say that viruses don't exist, or that I'll never get them, just that while virus scanners might be useful for some people's peace of mind, I find them a waste of time and system resources.

Something much more useful, IMHO, is to set up a regular and automated (because otherwise you won't do it) backup plan that will allow you to quickly and easily revert if you do happen to get a virus, or, more likely, your files decide to suicide (either due to a hard drive crash or user error).

This isn't to say that posters suggesting virus scanning downloads, or installing a realtime virus monitor are making a bad suggestion, it's just that ime virus scanners aren't necessary (the only time i run a virus scanner is if my computer is behaving weirdly and I get suspicious. and even then it's always come up clean, excepting, perhaps, a couple bits of spyware).
posted by fishfucker at 6:26 PM on September 27, 2005

"The basic Norton Anti-virus is still a good idea, though, no?"

General security advice follows:

I haven't run a real-time virus scanner in about ten years. Number of viruses I've gotten? One nine years ago. How do I know? I format every three to six months to keep things 'clean' (and to keep me responsible about backups) and each time just before I format I hit an online virus scanner. My favorite these days is TrendMicro's Housecall.

Don't be an idiot, always keep your computer behind the router, turn on Kerio if you're going to use a friend's possibly-infected LAN, and run a Housecall sweep every couple weeks. Where possible use non-mainstream software. Trillian instead of AIM, Thunderbird instead of Outlook express (Gmail is even better), Firefox instead of IE, etc.

If you're going to warez take the time to find out which release groups are currently reputable or talk to someone 'in the scene' (if you know any) who would know. If you can't be bothered at least limit yourself to stuff already used by someone you know who keeps a relatively clean setup.

I also take the precautions of formatting frequently and shutting down all non-essential Windows services (when I've finished shutting down services just after a clean format XP typically boots using only 35-38MB of RAM as opposed to the default 100-110MB). The less shit you have running, the fewer potential infection vectors you're exposed to.

Never had a worm or a trojan, between the Firefox Adblock extension and keeping Flash uninstalled from Firefox (I only use IE when I *need* Flash) I never see a single non-text advertisement when hitting CNN/MSNBC/Slashdot/Metafilter.
posted by Ryvar at 11:10 PM on September 27, 2005

One good reason to set up a WiFi network is to be able to offer visitors with laptops Internet access, or to bring home company laptops or other devices that are exposed to other networks routinely, including the Internet. Visitors (or visiting devices) get their familiar interface and applications, you don't have to put them on your private machine(s), and it's pretty easy to do by configuring your Linksys router's DHCP server, and enabling WEP (128 bit) or better yet, WPA. You want to keep a sensible number of DHCP addresses as a "sanity check" limit to keeping other passersby off your network (put only 2 or 3 addresses in the WiFi DHCP range), and you want to use a fairly long passphrase, which you give out only to visitors (and change from time to time), and you may want to inhibit network SID broadcasts, but most folks that are looking for WiFi access in your home will probably be familiar with setting up a new wireless connection on their laptops, if you give them the passphrase, and your WiFi is secured by the usual reasonable practices. It's not rocket science, and it's not supposed to be :-)

But, if you do this, your visitors are going to be on your LAN, and if their machine is toting malware, your Linksys firewall is going to be little help in keeping your machines protected. So, if you plan to give visitors net access, take precautions to keep your own machines from getting exposed to malware from visiting machines on your own network. This might be as simple as turning off your machines whenever a visitor is logged in, or using local software firewalls and anti-virus programs on all your Windows boxes all the time.

That's a good strategy if you want to leave a Windows box up for your visitors as a printer sharing machine, so that they can print stuff from your printer, or if you want to publish a local file share via Windows, to facilitate file exchanges on your LAN.
posted by paulsc at 10:12 AM on September 28, 2005

Response by poster: Y'all rawk! Thanks so very much!
posted by It's Raining Florence Henderson at 10:51 AM on September 28, 2005

To adapt a cliche, I'll note that virus scanners get you through times of no viruses better than viruses get you through times of no virus scanners. I scan before executing anything I've downloaded, as I recommended. I haven't yet had anything turn up in the years I've been doing this. In 2000, I wasn't doing this and my system got wiped out by a virus. That was a far worse outcome than spending a few seconds to check new executables a few times a month.

"If you're going to warez take the time to find out which release groups are currently reputable or talk to someone 'in the scene' (if you know any) who would know. If you can't be bothered at least limit yourself to stuff already used by someone you know who keeps a relatively clean setup."

This is like a guy foregoing condoms 'cause he only has sex with nice girls. It's both easier and more effective to just use the virus scanner and not worry so much about investigating the source.
posted by Zed_Lopez at 5:02 PM on September 28, 2005
