
Router firewalls NAT or SPI - Mac Networking

  1. #1

    Router firewalls NAT or SPI

    Hope this is the correct newsgroup for this post on network security.

    Interested in opinions on "best" and most practical firewall approach.

    Currently have a LAN with a Netgear RT314 providing NAT connecting my
    wife's and my Mac and to the DSL modem. I gather this provides some
    level of protection/firewall.

    I need to get another router for another location. I'm wondering if I
    should continue with a router with NAT or buy one that uses SPI
    (stateful packet inspection) as well? And also if I should change my
    current router for something with more protection? Have no clue what SPI
    is.

    I do not run any software firewalls.

    Are there any good articles on options for SOHO security in terms of
    hardware or software firewalls?

    Thanks.

    --
    Please send email to: nwhiii at yahoo dot com
    Norm Guest

  2. #2

    Re: Router firewalls NAT or SPI

    Norm wrote:
     

    It provides security through obscurity (e.g., hiding devices behind a
    public IP).
     

    What is your end goal? A NAT'ing device will work fine for most
    purposes, since it hides your internal machines from the outside
    world. A SPI firewall provides much more granular access.

    And also if I should change my 

    A SPI firewall maintains state on inbound/outbound connections. For
    example, when a new TCP connection is initiated, a stateful packet
    filter detects the SYN bit set in the TCP header, and adds an entry
    to the state table. Traffic can then flow between two endpoints as
    long as the sequence numbers/ACKs match up correctly.

     

    Sure thing. Check out the "IP filter" website.
     

    Matty Guest
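A toy stateful packet filter that does what Matty describes (a SYN creates the state-table entry, later packets pass only if they match it and their sequence/ACK numbers line up), as an added example that is not code from the thread. The addresses, ports and sequence numbers are constructed; the fixed window bound and the rule that an ACK may not cover bytes the peer never sent are my simplifying assumptions, and connection teardown is left out.

```python
from dataclasses import dataclass

WINDOW = 65535  # assumption: how far a sequence number may jump in one packet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK"}
    seq: int           # sequence number from the TCP header
    ack: int = 0       # acknowledgement number, meaningful when "ACK" is set
    length: int = 0    # payload bytes; a SYN also consumes one sequence number


class StatefulFilter:
    """State table keyed by the initiator's 4-tuple (src, sport, dst, dport)."""

    def __init__(self):
        # key -> next expected seq per direction; rev_next is None until the SYN-ACK
        self.table = {}

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # A bare SYN opens a new connection and creates the state entry.
            self.table[fwd] = {"fwd_next": pkt.seq + 1, "rev_next": None}
            return "ALLOW"
        if fwd in self.table:
            entry, mine, theirs = self.table[fwd], "fwd_next", "rev_next"
        elif rev in self.table:
            entry, mine, theirs = self.table[rev], "rev_next", "fwd_next"
        else:
            return "DROP"  # no state for this 4-tuple: not part of any connection
        if entry[mine] is None:
            # First packet back from the responder must be the SYN-ACK
            # acknowledging exactly the initiator's SYN.
            if pkt.flags != frozenset({"SYN", "ACK"}) or pkt.ack != entry[theirs]:
                return "DROP"
            entry[mine] = pkt.seq + 1
            return "ALLOW"
        # Established direction: seq must sit inside the window, and the ACK
        # may not cover bytes the peer has never sent.
        if not entry[mine] <= pkt.seq <= entry[mine] + WINDOW:
            return "DROP"
        if "ACK" in pkt.flags and entry[theirs] is not None and pkt.ack > entry[theirs]:
            return "DROP"
        entry[mine] = pkt.seq + pkt.length + (1 if "SYN" in pkt.flags else 0)
        return "ALLOW"


def run_scenario():
    """Constructed packets: LAN host 192.168.0.2 fetches a page from 203.0.113.5."""
    client, server, stranger = "192.168.0.2", "203.0.113.5", "198.51.100.9"
    S, SA, A = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    f = StatefulFilter()
    packets = [
        Packet(client, 40000, server, 80, S, seq=1000),                # handshake 1
        Packet(stranger, 4444, client, 22, A, seq=7, ack=9),           # no state: dropped
        Packet(server, 80, client, 40000, SA, seq=5000, ack=1001),     # handshake 2
        Packet(client, 40000, server, 80, A, seq=1001, ack=5001),      # handshake 3
        Packet(client, 40000, server, 80, A, seq=1001, ack=5001, length=100),
        Packet(client, 40000, server, 80, A, seq=999999, ack=5001),    # seq out of window
        Packet(server, 80, client, 40000, A, seq=5001, ack=2000),      # acks unsent bytes
    ]
    return [f.inspect(p) for p in packets]
```

The verdicts come out ALLOW, DROP, ALLOW, ALLOW, ALLOW, DROP, DROP: only the handshake and in-window data pass, while the unsolicited packet and the two out-of-sequence ones are dropped.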

  3. #3

    Re: Router firewalls NAT or SPI

    In article <Liwxc.447$bellsouth.net>,
    Matty <net> wrote:
     
    >
    > It provides security through obscurity (e.g., hiding devices behind a
    > public IP).

    It's better than that. If all the internal IPs are being translated to
    a single public IP (as opposed to a configuration with multiple public
    IP's being statically translated one-to-one to internal IPs), the router
    must maintain a dynamic port translation table. Then, inbound packets
    will only be permitted if they match up with previous outbound packets,
    except for specific port mappings that you might have enabled
    intentionally (because you want to allow public access to a server).

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  4. #4

    Re: Router firewalls NAT or SPI

    On 2004-06-09, Matty <net> wrote: 

    This is not "security through obscurity". LAN addresses cannot be
    reached directly at all from the outside. That offers real security,
    of a significant kind, compared to having the machine directly on the
    internet. In addition, the Netgear RT314 runs its own firewall --
    more genuine security, though, admittedly, the configuration
    interface for the RT314 firewall is pretty daunting for the average
    user.



    If you use a non-standard port for some service in the hopes that
    hackers won't find it, that would be an example of "security by
    obscurity", which is to say, hardly counts as security at all.


    noman Guest

  5. #5

    Re: Router firewalls NAT or SPI

    OP responding below.

    In article <Liwxc.447$bellsouth.net>,
    Matty <net> wrote:
     
    >
    > It provides security through obscurity (e.g., hiding devices behind a
    > public IP).

    >
    > What is your end goal? A NAT'ing device will work fine for most
    > purposes, since it hides your internal machines from the outside
    > world. A SPI firewall provides much more granular access.


    Reasonable question. ;)

    Simply put, make sure no one can access our computers. That is probably
    a beginner or naive response but not sure how else to describe my
    concern after reading, but not understanding, the types of potential
    risks.

     
    >
    > A SPI firewall maintains state on inbound/outbound connections. For
    > example, when a new TCP connection is initiated, a stateful packet
    > filter detects the SYN bit set in the TCP header, and adds an entry
    > to the state table. Traffic can then flow between two endpoints as
    > long as the sequence numbers/ACKs match up correctly.

    Hmmm...you lost this old, older, rookie at networking. I guess my reply
    is whether I need that?

    Thanks for the help. I'll look for the IP filter website.


     
    >
    > Sure thing. Check out the "IP filter" website.

    --
    Please send email to: nwhiii at yahoo dot com
    Norm Guest

  6. #6

    Re: Router firewalls NAT or SPI

    OP responding.

    In article <dca.giganews.com>,
    Barry Margolin <mit.edu> wrote:
     
    > >
    > > It provides security through obscurity (e.g., hiding devices behind a
    > > public IP).
    >
    > It's better than that. If all the internal IPs are being translated to
    > a single public IP (as opposed to a configuration with multiple public
    > IP's being statically translated one-to-one to internal IPs), the router
    > must maintain a dynamic port translation table. Then, inbound packets
    > will only be permitted if they match up with previous outbound packets,
    > except for specific port mappings that you might have enabled
    > intentionally (because you want to allow public access to a server).


    Following up on your input.....

    I have a static IP with my ISP.

    As I understand it, the Netgear RT314 then assigns (permanently I
    believe) IPs to each Mac on the network. The IPs assigned don't appear
    to me to "hide" those Macs because it looks to be an IP number just
    based on the Netgear router address and not randomized. But not knowing
    how this works, maybe that is not necessary.

    Does this setup mean no one can send packets inbound that I haven't
    requested? That question is probably not correctly worded but hopefully
    understandable as to my concern as to the risks.

    Thanks.

    --
    Please send email to: nwhiii at yahoo dot com
    Norm Guest

  7. #7

    Re: Router firewalls NAT or SPI

    In article <net>,
    Norm <invalid> wrote:
     

    Yes, that's what it means.

    Suppose you have three machines inside. Someone sends a packet to your
    public IP, so it arrives at the outside interface of the router. But
    it's not in response to anything you sent out, so which inside machine
    should it be sent to? Since there's nothing in the translation table
    for the port, it will just be dropped.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  8. #8

    Re: Router firewalls NAT or SPI

    On 2004-06-09, Norm <invalid> wrote: 

    If you're using the Netgear in its default configuration, the
    addresses it assigns should be in the 192.168.0.* network, where only
    the last digit varies. Addresses of this sort are specifically for LANs
    -- it's impossible to reach, or even find, a host with an address like
    this except from another host on the same LAN (including the router,
    of course).

    For a packet from the outside world to get through, it has to pass
    through the router, and for the router to know what to do with it, one
    of two things has to be true: either it's part of an existing
    conversation that's already been established, or it's a request for a
    new connection and you've _explicitly_ told the router that you want
    those requests to be forwarded to one of the machines on the LAN.


     

    By default, yes. The one exception is if you configure the router to
    forward all requests for new connections on some specific port to some
    specific host in your LAN. As an example of the latter, you might
    want one of your LAN hosts, say Host1, to be reachable via ssh. In
    this case you would tell the router that any connection requests on
    port 22 (ssh) should be forwarded to Host1.

    In its standard configuration, the RT314 doesn't forward any
    requests.

    noman Guest
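A simulation of the dynamic port translation table Barry describes in #3 and #7, together with the explicit port forward (port 22 to Host1) noman describes here, as an added example that is not code from the thread. The addresses, the public port range starting at 49152 and the rule that a reply must also come from the remote endpoint the request went to are constructed assumptions.

```python
PUBLIC_IP = "203.0.113.10"  # constructed: the router's single public address


class NatRouter:
    """Many-to-one NAT with a dynamic port translation table."""

    def __init__(self, public_ip, port_forwards=None, first_port=49152):
        self.public_ip = public_ip
        self.forwards = dict(port_forwards or {})  # public port -> (lan_ip, lan_port)
        self.table = {}   # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.next_port = first_port   # assumption: allocate public ports upward

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN -> Internet: pick a public port and remember who is talking to whom."""
        wanted = (lan_ip, lan_port, remote_ip, remote_port)
        for pub, entry in self.table.items():
            if entry == wanted:
                return (self.public_ip, pub)   # reuse the mapping for this flow
        pub = self.next_port
        self.next_port += 1
        self.table[pub] = wanted
        return (self.public_ip, pub)

    def inbound(self, remote_ip, remote_port, public_port):
        """Internet -> LAN: deliver only where the table or an explicit forward says."""
        entry = self.table.get(public_port)
        if entry is not None:
            lan_ip, lan_port, exp_ip, exp_port = entry
            if (remote_ip, remote_port) == (exp_ip, exp_port):
                return ("DELIVER", lan_ip, lan_port)   # reply to something we sent
            return ("DROP", None, None)   # right port, wrong peer: not our reply
        if public_port in self.forwards:
            lan_ip, lan_port = self.forwards[public_port]
            return ("DELIVER", lan_ip, lan_port)   # explicitly opened, e.g. ssh
        return ("DROP", None, None)   # nothing in the table: which inside host? none


def run_scenario():
    """Constructed traffic: Macs on 192.168.0.* behind one public IP."""
    default = NatRouter(PUBLIC_IP)                             # RT314 default: no forwards
    opened = NatRouter(PUBLIC_IP, {22: ("192.168.0.3", 22)})   # Host1 reachable via ssh
    web = ("198.51.100.20", 80)
    _, pub_port = default.outbound("192.168.0.2", 50000, *web)
    return {
        "public_port": pub_port,
        "reply_to_request": default.inbound(*web, pub_port),
        "same_port_other_peer": default.inbound("198.51.100.77", 1234, pub_port),
        "unsolicited_default": default.inbound("198.51.100.77", 1234, 22),
        "unsolicited_forwarded": opened.inbound("198.51.100.77", 1234, 22),
    }
```

With the router in its default configuration only the reply to the request made from inside is delivered; the same inbound packet reaches 192.168.0.3:22 only on the router where port 22 was explicitly forwarded.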

  9. #9

    Airport Base firewall ? (was Re: Router firewalls NAT or SPI)

    OP back.

    Thanks very much to all respondents for the help/education on NAT,
    etc..

    On a related topic....

    For another location, I'm considering an Airport Extreme Base to go with
    a PB G4 15 Al. (I need to look again as to whether this Base has an
    ethernet port as well as wireless connection since I'd like to connect
    by both methods.)

    At any rate, if I go with an Airport Extreme Base, does it provide the
    same level of NAT or other protection from hackers as my Netgear router?
    I'm not talking about the risks inherent in using wireless connections
    but rather the risks from the internet connection (DSL or cable) itself.
    By that I'm also asking are there "better" levels of hardware firewall
    protection that one should consider for SOHO environments?

    Thanks for any advice.

    --
    Please send email to: nwhiii at yahoo dot com
    Norm Guest

  10. #10

    Re: Airport Base firewall ? (was Re: Router firewalls NAT or SPI)

    In article <net>,
    Norm <invalid> wrote:
     

    An Airport base station is just a Cable/DSL router and WiFi access point
    that performs NAT and DHCP services just like D-Link, Netgear, Linksys,
    etc... The difference between an Apple Airport base station and 3rd
    party base stations is the bells and whistles, such as how you manage
    the base station, if it has a print server, internal modem, routes
    AppleTalk (only of interest if you are using Mac OS 9, or have an old
    AppleTalk based printer), etc...

    The one thing I will point out. If you attach an Airport base station
    to an existing home network that is already being serviced by another
    Cable/DSL router, then you want to setup the Airport base station to
    just "Bridge" WiFi to ethernet. What you do not want to do is setup a
    situation where you have 2 routers on your network (at least not without
    meaning to do it :-) Mostly this means setting up the Airport base
    station to _NOT_ distribute IP addresses, and to _NOT_ plug anything
    into the WAN port (icon looks like a circle of tiny dashed lines). You
    only use the LAN port (icon looks like <-->).

    Bob Harris
    Bob Guest

  11. #11

    Re: Airport Base firewall ?

    Bob Harris <dec.com> wrote:
     

    Actually, you can use either of the Extreme Base Station's ports. If you
    want the base station to have its own subnet (nested within the existing
    local network), just connect it via its WAN port while leaving it in its
    default configuration as a router (NAT and DHCP server enabled). If you
    set the base station to bridge-only mode (NAT and DHCP disabled), you
    can use either its LAN or WAN ports to connect it to the local network.
    In fact, there's a small advantage in using the WAN port, as it will
    prevent the base station from gumming up the wired network in case the
    base station accidentally gets reset to act as a router.

    Neill Guest

  12. #12

    Re: Router firewalls NAT or SPI

     

    although I thought iChat did some clever stuff with NAT routers since I
    know that you can connect between two machines behind NAT routers
    WITHOUT port forwarding or DMZ's etc. at least in some cases.

    Could someone please tell me how wrong I am?

    m
    moll Guest

  13. #13

    Re: Router firewalls NAT or SPI


    "moll" <com> wrote in message
    news:btopenworld.com... 


    iChat AV makes use of SIP - Session Initiation Protocol. This encodes the
    private LAN ip address along with the public ip - compatible routers will
    receive SIP packets and understand which machine to forward them along to.

    You need a SIP compatible router, but most are these days.


    Cheers,
    Ian


    Ian Guest

  14. #14

    Re: Router firewalls NAT or SPI

    In article <de>,
    "Ian McCall" <org> wrote:
     
    >
    >
    > iChat AV makes use of SIP - Session Initiation Protocol. This encodes the
    > private LAN ip address along with the public ip - compatible routers will
    > receive SIP packets and understand which machine to forward them along to.
    >
    > You need a SIP compatible router, but most are these days.
    >
    >
    > Cheers,
    > Ian

    aha ... that was it... thanks.

    m
    moll Guest

  15. #15

    Re: Router firewalls NAT or SPI

    In article <de>,
    "Ian McCall" <org> wrote:
     
    >
    >
    > iChat AV makes use of SIP - Session Initiation Protocol. This encodes the
    > private LAN ip address along with the public ip - compatible routers will
    > receive SIP packets and understand which machine to forward them along to.
    >
    > You need a SIP compatible router, but most are these days.
    >
    >
    > Cheers,
    > Ian

    ....and are you the person who can explain to me what the other NAT ALGs
    on my router are, i.e.
    - H.223
    - IPsec
    - PPTP
    - ICQ (audio) which is pretty obvious i suppose

    I've tried all combinations but only seem to be able to iChat every time
    when one of the ends has a DMZ.

    m
    moll Guest

  16. #16

    Re: Router firewalls NAT or SPI

    moll <com> wrote:
     

    Have you tried enabling UPnP on your router? It should work then.

    --
    Regards,

    Antonio (For email, remove the X)
    AnToNio Guest

  17. #17

    Re: Router firewalls NAT or SPI

    In article <btopenworld.com>,
    moll <com> wrote:
     

    I assume you mean H.323. That's used for Voice over IP.
     

    IP security, used for secure IP tunnels.
     

    Point-to-Point Tunneling Protocol, an earlier form of secure IP tunnels.
     

    Sounds like audio for ICQ conferencing.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  18. #18

    Re: Router firewalls NAT or SPI

    In article <dca.giganews.com>,
    Barry Margolin <mit.edu> wrote:
     
    >
    > I assume you mean H.323. That's used for Voice over IP.

    >
    > IP security, used for secure IP tunnels.

    >
    > Point-to-Point Tunneling Protocol, an earlier form of secure IP tunnels.

    >
    > Sounds like audio for ICQ conferencing.

    aha ... it's all beginning to make sense.

    One final question... what is the IP masquerade business? I presume it's
    something to do with your IP number when you've tunneled with IPsec or PPTP?

    Oh... I lied. The final final question (for now). How does UPnP tie in
    with SIP? I think I've worked out what UPnP is... a way for a computer
    on the network to reconfigure the router on the fly to pass through
    traffic when it initiates a connection??? But isn't that what SIP is for?

    Maybe I'll just leave my dad with his DMZ!

    regards

    m
    moll Guest

  19. #19

    Re: Router firewalls NAT or SPI

    In article <btopenworld.com>,
    moll <com> wrote:
     

    IP Masquerading is an old term for many-to-one NAT, back when most NAT
    was many-to-many (an organization would get a bunch of public IP's, and
    the router would dynamically assign different ones to internal IP's as
    needed).
     

    I think UPnP is Universal Plug'n'Play. I'm not very familiar with it, I
    think it's mostly used for finding devices on your local LAN.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest
