I think there is some confusion.

A cable/DSL router is not a real "hardware security solution".

Truths:
- Network Address Translation DOES hide the private network to some extent
- Stateful Packet Inspection DOES stop outside connections that did not
originate from your system
- Filters DO stop outgoing connections on specific ports or ranges of ports
IF used

Misunderstandings:
- NAT CAN be tricked into giving private network details
- Routers don't stop Trojans or malware or spyware from coming in from
sources like malicious web pages, email, or the floppy or zip disk your
buddy gave you
- Port filtering only works if used, if set up properly, and then only if
the connection is using ports you don't allow through. If the connection
uses ports such as 80 or 25 or 110 or 443, it will get through if you use
these ports (http, send mail, pop, ssl https)
- Session hijacking DOES work through a NAT
- If you allow port forwarding, anything using that port can start a
connection on that port

A hardware solution such as a Cisco PIX 501 does more than NAT. An easy
example: a NAT forwarding all port 80 traffic will direct it to your web
server, but a 501 will identify the connection as being CodeRed and stop it.
(Well, should stop it. Let's not get too detailed.)

Never forget that cost also includes YOUR man-hours.

The router == set it up and forget it. It's not granular. It lets stuff
through. It can't tell CodeRed from a legit web hit.

A PIX == Configuration takes some time. Updates are more time. Stops quite a
bit of stuff, though likely not cutting-edge exploits/worms (until the new
update to combat it is developed and available).

A Linux, etc. box firewall == building this is lots of man-hours depending on
OS and other factors (like whether the default already has all ports shut).
Finding safe sources is a bit difficult. Stops even more stuff. More
granular than a PIX (you can even build your own trap triggers), but still
doesn't stop cutting edge.

Software firewall == Annoyance level is high. Configuration is a drill in
patience. Stops everything you tell it to. The first time you tell it to let
anything through (all POP connections, for example), anyone connecting on 110
has you.


The cheapest protection from hacking and DoS is a router AND a firewall. But
the true savior is a protected, good backup of a well-patched system. When
CodeRed first came out, the fast fix was to restore from a backup. Granted,
an hour into CodeRed's deployment, so many boxes were hunting for unpatched
boxes, you were toast, but at least when the patch came out, you had a clean
backup to start the rebuild and patching process, rather than starting with
an OS install CD.

Backups, especially things like a Ghost image, are the most cost-efficient
thing a user can have. 90% of hacks are because of something the user
installed, read, or somewhere the user went to. Then it's on the system.

D. Weiss

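The three "Truths" and the port-forwarding caveat above can be made concrete with a toy stateful filter. This is an added illustration, not code from the thread or from any router product; the packet fields, the session-tracking rule and the sample port numbers (e.g. the outside source port 31337) are simplified assumptions constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # "inside" (your LAN) or "outside" (the Internet)
    src_port: int
    dst_port: int
    new_conn: bool  # True for a connection attempt (TCP SYN), False for follow-up traffic


class StatefulFilter:
    """Toy model: stateful inbound policy + outbound port filter + port forwarding."""

    def __init__(self, forwarded_ports=(), blocked_outbound_ports=()):
        self.forwarded = set(forwarded_ports)
        self.blocked_out = set(blocked_outbound_ports)
        self.sessions = set()   # (inside_port, outside_port) pairs opened from inside

    def handle(self, pkt):
        if pkt.src == "inside":
            if pkt.dst_port in self.blocked_out:
                return ("DROP", "outbound port is filtered")
            self.sessions.add((pkt.src_port, pkt.dst_port))
            return ("ALLOW", "outbound; session recorded")
        # outside -> inside: only replies to our own sessions, or forwarded ports
        if not pkt.new_conn and (pkt.dst_port, pkt.src_port) in self.sessions:
            return ("ALLOW", "reply to a session opened from inside")
        if pkt.dst_port in self.forwarded:
            # Port forwarding admits any source; the filter never looks at payload,
            # so it cannot tell CodeRed from a legitimate web hit.
            return ("ALLOW", "forwarded port: any source, any payload, no content check")
        return ("DROP", "unsolicited inbound connection")


def walkthrough():
    """Replays the thread's scenarios on a constructed filter; returns each verdict."""
    fw = StatefulFilter(forwarded_ports={80}, blocked_outbound_ports={25})
    steps = [
        ("unsolicited SSH scan from outside", Packet("outside", 40000, 22, True)),
        ("user fetches mail from a POP server", Packet("inside", 51000, 110, True)),
        ("POP server's reply comes back", Packet("outside", 110, 51000, False)),
        ("forged 'reply' to a port we never opened", Packet("outside", 110, 51001, False)),
        ("CodeRed-style hit on forwarded port 80", Packet("outside", 31337, 80, True)),
        ("malware tries outbound SMTP on port 25", Packet("inside", 51002, 25, True)),
    ]
    return {label: fw.handle(pkt)[0] for label, pkt in steps}


if __name__ == "__main__":
    for label, verdict in walkthrough().items():
        print(f"{verdict:5} {label}")
```

The forwarded-port case is the one the reply warns about: the router passes it exactly as it passes a real visitor, which is why the PIX's content inspection, or a clean backup, is the next layer.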

-----Original Message-----
From: Jim Clark [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 20, 2002 12:39 AM
To: [EMAIL PROTECTED]
Subject: Hardware/Software Solution for Standalone DSL User


I understand from reading these posts that a hardware solution is
recommended over a software solution.  However, for a single DSL home user,
is a hardware solution cost-beneficial?  Or is a software solution, e.g.
Zone Alarm, Agnitum, Kerio, etc., best?

One could say that for $70.00 a hardware solution (assuming something like a
Linksys BEFSR41 Etherfast 4-Port Cable/DSL Router) is beneficial compared to
the damage that could be done, but convincing a user to spend the money when
there are free software solutions is difficult.  Are there hardware
solutions for single users that are more cost-effective?

Lastly, I appreciate all the replies regarding my DSL vs Dial-up firewall
post.

Thanks.

Jim
