Networking Forums

Stateful stealth firewall, router, modem all-in-one

 
 
James Harris, 02-20-2004, 08:24 PM

I know similar questions have been asked so my apologies for another what's-the-best
question. I'm wanting to replace my current broadband connection via my main PC with an
all-in-one box. Primary wants are

1) stateful firewall with packet inspection, rejection of common attacks, non-responsive
to unauthorised access attempts ("stealth" mode)
2) router working with DHCP client (for WAN) and server (for LAN)
3) NAT to present the outside world with one IP address and many TCP and UDP ports
representing the many internal IP addresses
4) Four or more LAN ports at 10/100
5) Compatible with UK ADSL

Despite searching I cannot find any single box that clearly does all of the above - and
it's not a long list! Ones I have looked at include the Netgear DG834 which does stateful
inspection but I can't see that it has a stealth mode. Also I'm not sure that its NAT will
assign TCP and UDP ports as described. It says it has NAT many-to-one. Is this the same?

The other one I've looked at is the Trust 445A but I'm not sure its firewall engine is
truly stateful and "stealthy"

Much appreciate any guidance. As you can see the firewall functionality is key.
--
Cheers,
James


 
Alexander Mann, 02-20-2004, 08:34 PM
James Harris wrote:

> I know similar questions have been asked so my apologies for another what's-the-best
> question. I'm wanting to replace my current broadband connection via my main PC with an
> all-in-one box. Primary wants are
>
> 1) stateful firewall with packet inspection, rejection of common attacks, non-responsive
> to unauthorised access attempts ("stealth" mode)
> 2) router working with DHCP client (for WAN) and server (for LAN)
> 3) NAT to present the outside world with one IP address and many TCP and UDP ports
> representing the many internal IP addresses
> 4) Four or more LAN ports at 10/100
> 5) Compatible with UK ADSL
>
> Despite searching I cannot find any single box that clearly does all of the above - and
> it's not a long list! Ones I have looked at include the Netgear DG834 which does stateful
> inspection but I can't see that it has a stealth mode. Also I'm not sure that its NAT will
> assign TCP and UDP ports as described. It says it has NAT many-to-one. Is this the same?
>
> The other one I've looked at is the Trust 445A but I'm not sure its firewall engine is
> truly stateful and "stealthy"
>
> Much appreciate any guidance. As you can see the firewall functionality is key.


Stealth mode isn't everything. A closed port is just that - closed.

Anyways, I think the SAR715 from Solwise would do what you want and the
Vigor 2600 from Draytek seems to do everything.

It might be more sensible to go for separate boxes, though.

--
Alexander Mann
 
James Harris, 02-20-2004, 09:34 PM
> Stealth mode isn't everything. A closed port is just that - closed.

Ah, but doesn't a closed port report back to the sender that the IP exists but that the
port is not available - perhaps an ICMP port or protocol unreachable? Am currently using
Zone Alarm. It does a great job on one PC but tells me how many times I am hit with a ping
or a NetBIOS connect from another computer. Presumably if my PC were to respond to these I
would then be hit with a flurry of port scans.

I have been using Vsocks Light to proxy other machines and I have twice caught what look
like hack attempts working through that software, one from Australia and the other from
Israel. The first was transferring a lot of data when I caught it. Hence my desire for the
IP to remain hidden.

Thanks for your recommendations.
--
Cheers,
James


 
John Mason, 02-20-2004, 09:55 PM

"James Harris" <no.email.please> wrote in message
news:40368b56$0$24593$(E-Mail Removed)...
> > Stealth mode isn't everything. A closed port is just that - closed.
>
> Ah, but doesn't a closed port report back to the sender that the IP exists but that the
> port is not available - perhaps an ICMP port or protocol unreachable? Am currently using
> Zone Alarm. It does a great job on one PC but tells me how many times I am hit with a ping
> or a NetBIOS connect from another computer. Presumably if my PC were to respond to these I
> would then be hit with a flurry of port scans.
>
> I have been using Vsocks Light to proxy other machines and I have twice caught what look
> like hack attempts working through that software, one from Australia and the other from
> Israel. The first was transferring a lot of data when I caught it. Hence my desire for the
> IP to remain hidden.
>
> Thanks for your recommendations.
> --
> Cheers,
> James
Yep Draytek is the way to go. Any unauthorised inbound packets are just
dropped. Nothing sent back.


 
Josey, 02-20-2004, 09:58 PM

"James Harris" <no.email.please> wrote in message

> The other one I've looked at is the Trust 445A but I'm not sure its
> firewall engine is truly stateful and "stealthy"

Solwise SAR130 (and the similar, but older SAR110) have stateful
inspection, and a couple of IP rules later you have a system that attains
"TruStealth" from ShieldsUP.

In fact I think (do check the specs) the only thing it doesn't have is the 4
ports, but a 10/100 4 port switch can be purchased for less than £20.

Check out www.solwise.co.uk and http://www.chrismarsh.co.uk/sar110/ for the
rules to stealth the router.

Jc.


 
Alexander Mann, 02-20-2004, 10:09 PM
James Harris wrote:

> > Stealth mode isn't everything. A closed port is just that - closed.
>
> Ah, but doesn't a closed port report back to the sender that the IP exists but that the
> port is not available - perhaps an ICMP port or protocol unreachable? Am currently using
> Zone Alarm. It does a great job on one PC but tells me how many times I am hit with a ping
> or a NetBIOS connect from another computer. Presumably if my PC were to respond to these I
> would then be hit with a flurry of port scans.

No, not really. These scans are automated - most are from viruses.
Closed is the "correct" response but sites like GRC.com recommend
"stealthing" your ports - previously referred to as "filtering". Pings
aren't dangerous and most systems on the net reply to ping requests.
There's not a lot in it, though.

I'm using a SAR-130 which does the job well. My only gripe is that it
insists on "stealthing" ports rather than responding with closed but
that wouldn't bother you :-) It only has one LAN port, though, so you'd
need a separate hub/switch.

Alex
--
Alexander Mann
 
Graham Tavener, 02-20-2004, 10:15 PM
James,
If you have any closed ports visible, you can find out using
http://scan.sygate.com/probe.html
The ones that are seen as closed can be made stealthy by forwarding them to
a bogus internal IP and port.

For example you have an external 'closed' port 80, you forward this to
internal IP 192.168.0.254 Port 49151, you can forward a number of external
ports to the same internal IP and port, that way from an external source it
looks as if there is no reply and the traffic disappears into a black hole.
Just make sure you have your DHCP server set to only give out addresses up
to .253 and nothing will be on the other end, also port 49151 or similar
will reduce the chance of there being an application using the same.

So you just need a router that allows you to do port forwarding and a decent
configuration interface.

Works for me.

Graham



"James Harris" <no.email.please> wrote in message
news:40368b56$0$24593$(E-Mail Removed)...
> > Stealth mode isn't everything. A closed port is just that - closed.
>
> Ah, but doesn't a closed port report back to the sender that the IP exists but that the
> port is not available - perhaps an ICMP port or protocol unreachable? Am currently using
> Zone Alarm. It does a great job on one PC but tells me how many times I am hit with a ping
> or a NetBIOS connect from another computer. Presumably if my PC were to respond to these I
> would then be hit with a flurry of port scans.
>
> I have been using Vsocks Light to proxy other machines and I have twice caught what look
> like hack attempts working through that software, one from Australia and the other from
> Israel. The first was transferring a lot of data when I caught it. Hence my desire for the
> IP to remain hidden.
>
> Thanks for your recommendations.
> --
> Cheers,
> James

 
James Harris, 02-20-2004, 10:36 PM

"Josey" <(E-Mail Removed)> wrote in message
news:xkwZb.8965$Y%(E-Mail Removed)...

> Solwise SAR130 (and the similar, but older SAR110) have statefull
> inspection, and a couple of IP rules later you have a system that attains
> "truestealth" from shieldsup.


> Checkout www.solwise.co.uk and http://www.chrismarsh.co.uk/sar110/ for the
> rules to stealth the router.


I'm indebted for this info. From the Solwise advertising I didn't see any reference to a
stateful engine but it's there in the info on the second URL. Hiding a light under a
measuring basket?

The link to Shieldsup was excellent too. For the record, when running against my PC I got,
Your system has achieved a perfect "TruStealth" rating. Not a single packet - solicited or
otherwise - was received from your system as a result of our security probing tests. Your
system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the
standpoint of the passing probes of any hacker, this machine does not exist on the
Internet. Some questionable personal security systems expose their users by attempting to
"counter-probe the prober", thus revealing themselves. But your system wisely remained
silent in every way. Very nice.
which is exactly what I want to see when the router is in place!
--
Thanks again,
James


 
Greg Hennessy, 02-20-2004, 10:50 PM
On Fri, 20 Feb 2004 21:24:15 -0000, "James Harris" <no.email.please> wrote:

> 1) stateful firewall with packet inspection, rejection of common attacks, non-responsive
> to unauthorised access attempts ("stealth" mode)

Stealth is overrated, and for some operations like delivering smtp mail,
logging into some ftp sites etc, 100% stealth causes severe problems.

> 2) router working with DHCP client (for WAN) and server (for LAN)

Most do that.

> 3) NAT to present the outside world with one IP address and many TCP and UDP ports
> representing the many internal IP addresses

I've yet to see one which didn't support some form of hide mode nat/PAT.

> 4) Four or more LAN ports at 10/100
> 5) Compatible with UK ADSL
>
> Despite searching I cannot find any single box that clearly does all of the above - and
> it's not a long list!

A cisco 827 with Firewall feature set will most definitely do it. As will
the Speedtouch 510V4 I have here.

> Much appreciate any guidance. As you can see the firewall functionality is key.

If it's firewall functionality you're after, it doesn't get much tighter
than a crisco.



greg.
--
You do a lot less thundering in the pulpit against the Harlot
after she marches right down the aisle and kicks you in the nuts.
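The two things this thread keeps circling, shown as an added worked example rather than anything posted by James, Alexander, John, Josey or Greg: a stateful ruleset that stays silent to unsolicited probes (what ShieldsUP reports as "stealth", and what the Draytek is said to do by dropping inbound packets with nothing sent back), and the one exception Greg's caveat calls for. The usual reason 100% stealth slows SMTP delivery and some FTP logins is ident (TCP/113): the remote server probes your address before accepting the session, and a silently dropped probe costs it a connect timeout, whereas a TCP RST is an instant "closed" and the session proceeds. The script below is for Linux iptables, which none of the recommended boxes necessarily exposes; the interface names ppp0 (the ADSL PPP link) and eth0 (the LAN), and the decision to answer ident with a reset, are this example's assumptions. It also shows the many-to-one NAT (hide-mode NAT/PAT) James asked about in point 3, which on Linux is MASQUERADE.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: a stateful "stealth"
# ruleset for a Linux box routing a LAN onto an ADSL PPP link with iptables.
# Assumed interface names: WAN is ppp0, LAN is eth0 (override via environment).
# Run with IPT=echo to print the rules instead of applying them.
IPT=${IPT:-iptables}
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}

stealth_rules() {
    # Default policies: drop unsolicited inbound and transit traffic, allow outbound.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Loopback and the LAN side are trusted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT

    # Stateful inspection: only packets belonging to connections opened from
    # inside (or related to them, e.g. FTP data) are allowed back in from the WAN.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Malformed TCP flag combinations used by scanners: drop silently.
    $IPT -A INPUT -i "$WAN" -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -i "$WAN" -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -i "$WAN" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # The one deliberately "closed" port: ident (TCP/113). Mail and some FTP
    # servers probe it before accepting a session; a silent DROP makes them wait
    # for a timeout, while a TCP RST answers "closed" at once. Must precede the
    # catch-all DROP below or it is shadowed.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Everything else unsolicited from the WAN, ICMP echo included, is dropped
    # with no reply: this is what ShieldsUP reports as "TruStealth".
    $IPT -A INPUT -i "$WAN" -j DROP

    # Many-to-one NAT (PAT): every LAN host appears as the PPP link's address.
    # MASQUERADE rather than SNAT because a DHCP/PPP-assigned WAN address can change.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Usage (as root):  sh stealth.sh apply
# Dry run:          IPT=echo sh stealth.sh apply
if [ "${1:-}" = apply ]; then
    stealth_rules
    # The router function needs IP forwarding switched on.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
fi
```

Run it with IPT=echo first to read the rule list; once applied, a ShieldsUP or Sygate probe of the WAN address should get no reply on any port except 113, which reports closed, and an outbound mail or FTP session no longer stalls on the remote side's ident lookup.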
 
tHatDudeUK, 02-21-2004, 02:26 AM

"Greg Hennessy" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> If it's firewall functionality you're after, it doesn't get much tighter
> than a crisco.


Or expensive :-)


 