A traditional firewall vs port forwarding household stuff

1

What is the actual difference between port forwarding and a firewall?

So do these so-called firewalls built into household ADSL routers actually do anything to protect your network?

ageis23

Posted 2010-12-25T01:43:08.857

Reputation: 599

Questions about home networking belong on SuperUser. If you're considering using a SOHO router for a business and don't know the difference, you probably shouldn't be the person making the decision.

– Chris S – 2010-12-25T03:11:03.520

@Chris S of course if he is a fledgling sysadmin advising an otherwise clueless boss about the differences, then Server Fault is THE place to get educated from wiser, more experienced folk that are willing to shepherd those that are young and eager to learn with the hopes of one day becoming great sysadmins like many of the good folk here, without fear of being ridiculed because they asked a "basic", "simple", or "beginner" question. Every sysadmin started somewhere, and many start with "you can spell IP, so here, you run things", as opposed to a more formal "education" of questionable value. – Jed Daniels – 2010-12-25T04:14:58.173

Answers

0

To touch on your 2nd question. The only thing that the consumer routers do is provide a NAT layer to your network. Most of them use what's called Stateful Packet Inspection to do this. Which is just a fancy way of saying that they keep track of all the connections that have been initiated from the LAN until they are destroyed by normal TCP/IP means or time out after a period of no activity. This does offer a network some level of security as the only traffic that is let through is traffic that is initiated from inside the network. There are a few exceptions to this with UPnP and port forwarding which allow unsolicited traffic to be forwarded through.

What consumer devices don't offer that an enterprise firewall does at a basic level is the ability to have rules on incoming and outgoing traffic. For instance if you wanted to block traffic from or to a certain port or host. You can also have schedules that define when the rules are enforced. But as others have mentioned in some cases the enterprise hardware can also have additional functionality beyond a firewall but that's really beyond the scope of the question you're asking here.

3dinfluence

Posted 2010-12-25T01:43:08.857

Reputation: 543
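The connection tracking described in the answer above can be modelled in a few lines. This is an added illustration, not part of the original answer; the `HomeRouter` class, the 300-second idle timeout, the forwarded port and the documentation-range addresses are all assumptions made for the sketch.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300  # seconds of inactivity before state is dropped (assumed value)


@dataclass
class HomeRouter:
    """Toy model of a consumer NAT router doing stateful packet inspection."""
    wan_ip: str
    port_forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    conntrack: dict = field(default_factory=dict)      # flow key -> (lan endpoint, last_seen)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, dst_ip, dst_port, now):
        """A LAN host opens a connection: allocate a WAN port and record the flow."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[(proto, wan_port, dst_ip, dst_port)] = ((lan_ip, lan_port), now)
        return wan_port

    def inbound(self, proto, src_ip, src_port, wan_port, now):
        """Decide what happens to a packet arriving on the WAN interface."""
        key = (proto, wan_port, src_ip, src_port)
        entry = self.conntrack.get(key)
        if entry:
            lan, last_seen = entry
            if now - last_seen <= IDLE_TIMEOUT:
                self.conntrack[key] = (lan, now)      # refresh the idle timer
                return ("ACCEPT-established", lan)
            del self.conntrack[key]                   # state timed out
        forward = self.port_forwards.get((proto, wan_port))
        if forward:
            return ("ACCEPT-forwarded", forward)      # unsolicited, but explicitly allowed
        return ("DROP", None)


def demo():
    # Constructed sample traffic; all addresses are RFC 5737 / RFC 1918 examples.
    r = HomeRouter("203.0.113.10", port_forwards={("tcp", 8080): ("192.168.1.20", 80)})
    p = r.outbound("tcp", "192.168.1.50", 51000, "198.51.100.7", 443, now=0)
    return [
        r.inbound("tcp", "198.51.100.7", 443, p, now=10),     # reply to a LAN-initiated flow
        r.inbound("tcp", "192.0.2.99", 443, p, now=11),       # different host, same WAN port
        r.inbound("tcp", "192.0.2.99", 40123, 8080, now=12),  # unsolicited, forwarded port
        r.inbound("tcp", "198.51.100.7", 443, p, now=1000),   # same flow after idle timeout
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the forwarded port accepts traffic from a host the LAN never contacted; every other unsolicited packet is dropped because no matching state exists.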

0

Port Forwarding is one of many things a firewall is capable of doing. As to your second question, it depends on the modem. Your question sets the bar pretty low, i.e. are they better than nothing. I would say that yes, most do offer protection. Are they going to be as robust and feature rich as a Cisco ASA 5505? No. Does that mean you need to go out and spend $400 on an ASA 5505? That also depends. If you are a home user, the built-in firewall in the ADSL router/modem is probably good enough assuming it is turned on and properly configured. If you have a home office and want a robust set of security features plus support plus reliability, then by all means spend $400. Otherwise just make sure that the firewall is indeed turned on and not wide open.

As an aside, I just used Cisco as an example. There are other options that you could consider like Watchguard, Fortinet, etc. if you were interested in a true soho firewall.

sdanelson

Posted 2010-12-25T01:43:08.857

Reputation: 326

I'd go and spend 400 Universal Currency Units on an ASA5505 for my home. In fact, I will in a few weeks. – Tom O'Connor – 2010-12-25T08:59:27.403

As would I. Currently have an old pix, but will eventually migrate to an ASA for kicks and giggles. But I would say we are atypical. – sdanelson – 2010-12-25T15:01:22.033

0

In my experience home routers lack the capacity, logging, accountability (RADIUS or TACACS support), complexity of ruleset, redundancy, reliability of hardware, number of physical networks supported, VLANs, VPN concentrators, intrusion detection sensors and a whole lot of other stuff you don't need in a home network.

Home routers are difficult to misconfigure, and complexity is the enemy of security... so I'd say that they're generally better than the big stuff... unless you need some of those features I listed.

mgjk

Posted 2010-12-25T01:43:08.857

Reputation: 1 337

On the other hand, I recently put in a Juniper SRX router to replace my NetGear and I forgot all the nice things that a consumer grade router does for you that you take for granted. 15 NAT rules later, Xbox Live and PlayStation were working again. Consumer grade routers aren't all that bad! – SpacemanSpiff – 2010-12-25T04:14:07.187

I hate hardware that does things for me. It adds one more layer of unpredictability, and in a business setting, that's the last thing you want. – Tom O'Connor – 2010-12-25T08:58:24.237

0

Without getting in an argument about firewalls and protection, your single best protection is regular security patching and a firewall. The firewalls built into home routers do work as firewalls but cannot stop many of the self-inflicted viruses/exploits/trojans that can infect a computer from simple web browsing. The same is true for anti-virus software; most is next to useless for newer exploits or user-inflicted (i.e. you clicking or visiting where you should not) exploits. In a home setup a port forward will expose the computer that is the receiver of that port forward to any potential attacks on that port.

Vootie

Posted 2010-12-25T01:43:08.857

Reputation: