Adding a router? additonal firewall?

Have two pcs connected by ICS with Zonealarm firewall.

Just about to add a linksys router (BEFSR41)? What protection does the
router provide.
How should it be setup for maximum security.

Should I continue to run Zonealarm on the pcs, or would something else be
better?




Clie

Clie wrote:
> Have two pcs connected by ICS with Zonealarm firewall.
>
> Just about to add a linksys router (BEFSR41)? What protection does the
> router provide.
> How should it be setup for maximum security.
>
> Should I continue to run Zonealarm on the pcs, or would something else be
> better?
>
>
I had a quick look at the instructions for this router and couldn't see
any mention of a built in firewall so it looks like you will need to run
Zone alarm or similar, my own router has a firewalll but I run Kerio
Personal Firewall on to of that on all but the least powerfull M$ PCs.

I run Kerio because it is solid and very easy to set up and maintain
even when running servers behind the firewall
..

bonzo left a note on my windscreen which said:

> > Have two pcs connected by ICS with Zonealarm firewall.
> >
> > Just about to add a linksys router (BEFSR41)? What protection does the
> > router provide.
> > How should it be setup for maximum security.
> >
> > Should I continue to run Zonealarm on the pcs, or would something else be
> > better?
> >
> >
> I had a quick look at the instructions for this router and couldn't see
> any mention of a built in firewall so it looks like you will need to run
> Zone alarm or similar, my own router has a firewalll but I run Kerio
> Personal Firewall on to of that on all but the least powerfull M$ PCs.
>
> I run Kerio because it is solid and very easy to set up and maintain
> even when running servers behind the firewall

That model router does have a built in NAT router. I'm not too hot on
routers and firewalls but as far as I know because your PCs will have
local adresses they are not directly exposed to the internet. Common
security risks such as RPC hacks won't be able to get past it because
they are trying to take over the router - not your PCs.

To allow such things like FTP servers you implement port forwarding on
the router to direct any traffic for a certain port (i.e. port 21 for
FTP) to a particular IP address on your local LAN.

As I said above - I'm not an expert on routing or firewalls but I
imagine a NAT router such as this would be adeqaute for most people's
needs.
--

Stoneskin

[Insert sig here]

Stoneskin left a note on my windscreen which said:

> > > Just about to add a linksys router (BEFSR41)? What protection does the
> > > router provide.
> > > How should it be setup for maximum security.
> > >
> > > Should I continue to run Zonealarm on the pcs, or would something else be
> > > better?
> > >
> > I had a quick look at the instructions for this router and couldn't see
> > any mention of a built in firewall so it looks like you will need to run
> > Zone alarm or similar, my own router has a firewalll but I run Kerio
> > Personal Firewall on to of that on all but the least powerfull M$ PCs.
> >
> > I run Kerio because it is solid and very easy to set up and maintain
> > even when running servers behind the firewall
>
> That model router does have a built in NAT router. I'm not too hot on
> routers and firewalls but as far as I know because your PCs will have
> local adresses they are not directly exposed to the internet. Common
> security risks such as RPC hacks won't be able to get past it because
> they are trying to take over the router - not your PCs.
>
> To allow such things like FTP servers you implement port forwarding on
> the router to direct any traffic for a certain port (i.e. port 21 for
> FTP) to a particular IP address on your local LAN.
>
> As I said above - I'm not an expert on routing or firewalls but I
> imagine a NAT router such as this would be adeqaute for most people's
> needs.

As a follow up I'd like to quote this text from the following link;

http://www.dslreports.com/forum/rema...ty,1~mode=flat

Routers run a single-purpose OS and cannot easily be compromised by a
third party. However, you should take the following precautions:

(1) If upgrading the firmware, always download the firmware directly
from the website of the company that made your router. There is a
theoretical possibility that somebody would post a hacked version that
allows some kind of covert remote administration of the router.

(2) Ensure that remote configuration is turned off, .i.e. the router
cannot be configured via the WAN port. For additional protection, change
the default router password to something less obvious.

(3) Don't forward any ports unless absolutely necessary. Some use "DMZ"
as a quick fix for everything, fully exposing one computer to the
outside. Since this "DMZ" computer is not isolated from the rest of the
LAN in the classic DMZ sense, a compromise of this computer is a direct
compromise of the entire LAN and the router. (The classic DMZ definition
is a firewall topology. Unfortunately, some router brands incorrectly
use DMZ as a NAT term, diluting the correct meaning!).
--

Stoneskin

[Insert sig here]

Stoneskin said this...

>> As I said above - I'm not an expert on routing or firewalls but I
>> imagine a NAT router such as this would be adeqaute for most people's
>> needs.

Agreed to a point.
However, my feeling is that you still need to add a software firewall. This
will add control and awareness of outgoing traffic.

--
º~ dªv¡d ~º