Stoneskin left a note on my windscreen which said:
> > > Just about to add a Linksys router (BEFSR41). What protection does the
> > > router provide?
> > > How should it be set up for maximum security?
> > >
> > > Should I continue to run ZoneAlarm on the PCs, or would something else be
> > > better?
> > >
> > I had a quick look at the instructions for this router and couldn't see
> > any mention of a built-in firewall, so it looks like you will need to run
> > ZoneAlarm or similar. My own router has a firewall but I run Kerio
> > Personal Firewall on top of that on all but the least powerful M$ PCs.
> >
> > I run Kerio because it is solid and very easy to set up and maintain,
> > even when running servers behind the firewall.
>
> That model router does have a built-in NAT router. I'm not too hot on
> routers and firewalls but as far as I know, because your PCs will have
> local addresses they are not directly exposed to the internet. Common
> security risks such as RPC hacks won't be able to get past it because
> they are trying to take over the router - not your PCs.
>
> To allow such things as FTP servers you implement port forwarding on
> the router to direct any traffic for a certain port (i.e. port 21 for
> FTP) to a particular IP address on your local LAN.
>
> As I said above - I'm not an expert on routing or firewalls but I
> imagine a NAT router such as this would be adequate for most people's
> needs.
As a follow-up I'd like to quote this text from the following link:
http://www.dslreports.com/forum/rema...ty,1~mode=flat
Routers run a single-purpose OS and cannot easily be compromised by a
third party. However, you should take the following precautions:
(1) If upgrading the firmware, always download the firmware directly
from the website of the company that made your router. There is a
theoretical possibility that somebody would post a hacked version that
allows some kind of covert remote administration of the router.
(2) Ensure that remote configuration is turned off, i.e. the router
cannot be configured via the WAN port. For additional protection, change
the default router password to something less obvious.
(3) Don't forward any ports unless absolutely necessary. Some use "DMZ"
as a quick fix for everything, fully exposing one computer to the
outside. Since this "DMZ" computer is not isolated from the rest of the
LAN in the classic DMZ sense, a compromise of this computer is a direct
compromise of the entire LAN and the router. (The classic DMZ definition
is a firewall topology. Unfortunately, some router brands incorrectly
use DMZ as a NAT term, diluting the correct meaning!).
--
Stoneskin
[Insert sig here]
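
The thread's points about NAT, port forwarding and the "DMZ" setting can be seen in a small model of the router's inbound decision. This is an added example, not code from the posts or from any router firmware; the class, the lookup order and all addresses (documentation ranges) are constructed assumptions, and real devices differ in how strictly they match replies.

```python
# Simplified model of how a consumer NAT router decides what to do with
# a packet arriving on its WAN port. Constructed for illustration only.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatRouter:
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # WAN port -> (LAN ip, LAN port)
    dmz_host: Optional[str] = None                # LAN ip that receives everything else
    sessions: dict = field(default_factory=dict)  # WAN port -> (LAN ip, LAN port, remote ip, remote port)
    next_port: int = 40000                        # next WAN port to hand out

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router records the mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[wan_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return (verdict, LAN destination) for a packet from the internet."""
        session = self.sessions.get(wan_port)
        # 1. Reply to a connection a LAN host started: translate it back.
        if session and session[2:] == (remote_ip, remote_port):
            return ("reply", session[:2])
        # 2. Explicit port forward: only this one port reaches one host.
        if wan_port in self.forwards:
            return ("forwarded", self.forwards[wan_port])
        # 3. "DMZ" host: every remaining port is passed to that PC.
        if self.dmz_host:
            return ("dmz", (self.dmz_host, wan_port))
        # 4. No mapping exists, so there is no PC to deliver it to.
        return ("dropped", None)


if __name__ == "__main__":
    router = NatRouter("203.0.113.10")
    port = router.outbound("192.168.1.100", 51000, "198.51.100.7", 80)
    print(router.inbound("198.51.100.7", 80, port))     # web reply
    print(router.inbound("198.51.100.99", 4444, 135))   # unsolicited RPC probe
    router.forwards[21] = ("192.168.1.50", 21)          # FTP port forward
    print(router.inbound("198.51.100.99", 4444, 21))
    router.dmz_host = "192.168.1.50"                    # "DMZ" enabled
    print(router.inbound("198.51.100.99", 4444, 135))
```

With the "DMZ" host set, the same unsolicited packet on port 135 that was dropped before is delivered to a PC that still sits on the ordinary LAN, which is the exposure the quoted text warns about in point (3).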