|
|
|
Hi there,
As I understand things the NAT in my Zyxel P660HW-t1 router/modem will prevent any outside intrusions to my home network. No-one from "outside" can "see" either of my home computers, NAS drive, xbox (all on wired ethernet) or iphone (wifi).
In this case, do I need to run my zyxel's built in firewall? If I disable it will I become vulnerable in some way?
In case its relevant, I use a NAS drive which I have set up to be a local back-up for my computers and an FTP server. I use the FTP side to transfer files to/from work colleagues. I have obviously had to forward ports in my router to achieve this. AFAICT its all pretty secure and safe, password protected.
The router's firewall just seems to complicate my set-up and I'm not sure if its necessary anyway. Am I right in saying the firewall is only really useful when dealing with larger or more complex LANs - eg for blocking certain activities of those users on your LAN? I am happy for every and any user inside my LAN to do anything they want.
I am not a complete beginner to home networking but I'm still learning!
If its relevant we're all using macs here (except the xbox and NAS!)
|
|
|
|
NAT is a good first defence for security. However, a firewall is still handy to bolster that defence.
However, I'm not sure what the zyxel firewall actually does. Generally you want to stop all incoming packets that are not a response to an outbound request. You don't really need to block outbound unless you want to stop someone on your network from doing something (ie you might block P2P if you have kids).
When talking between things on the internal lan the router firewall wouldn't normally be involved (it normally sits between LAN and internet, not between devices in the LAN).
All comes down to what exactly the zyxel is firewalling. If it is internal LAN stuff then I would disable it. If it is blocking incoming connections I would leave it enabled. It blocking outbound connections then I would only enable if I needed it for something specific.
|
|
|
|
Thanks for the response, Ian72
The firewall can affect all directions. wan to lan, lan to wan, lan to lan, wan to wan. Its default state is to block WAN to LAN and WAN to WAN but allow activity within the LAN, and LAN to WAN.
When things are blocked you can set up rules to allow certain traffic eg "block WAN to LAN but allow port x"
When things are allowed (eg LAN to WAN) you can set up individual rules to block certain things (eg FTP port 20).
You can also set alarms to be raised or logged when traffic does a particular thing (eg x tried to access y)
Its a regular firewall I guess.
With NAT switched on though the outside world still wont see my FTP server for example, no matter what the firewall is allowing/forwarding. It it only if I set the NAT server table to forward certain ports to particular LAN addresses that the firewall has any effect.
My feeling is that the firewall is there in case you need it. Perhaps you don't want to use NAT for some reason but want to be able to block certain activity for eg.
It seems to me that in my case I don't need this firewall as I have NAT switched on. I want to keep things simple. "just switch everything on" doesn't necessarily lead to better security. I am far from a network expert though and I wouldn't be surprised if I'm "missing something" here.
I welcome thoughts and comments
cheers
|
|
Register (or login) on our website and you will not see this ad.
|
|
|
|
I'm not sure I fully get where you are coming from.
With NAT enabled a single port can only ever be forwarded to a single IP - you can't just open the FTP port and expect to be able to get at all machines. If you want that then it is NAT you would have to disable and you would need public IPs for all the PCs to be addressed externally.
|
|
|
I'm not sure I fully get where you are coming from.
With my NAT enabled, I am simply wondering if disabling my firewall will make my LAN vulnerable or less secure in any way. If so I'd like to know in what way. I don't want to switch on my firewall "just for good measure" without knowing how its helping me.
My previous ramble was in response to the last paragraph of your first response.
I can see reasons for maybe using both NAT and the firewall for office/corporate style networks, say with guest laptops connecting to wifi etc but for more meagre home set-ups like mine, I wonder if the firewall is just complicating matters.
In summary, is NAT alone (no firewall) safe enough?
|
|
|
|
I suspect that with NAT adding the firewall will make a pretty small difference to security. The firewall may even be there primarily for those who drop NAT and go for public static IPs in which case a firewall would be essential.
I'm not going to say you will be bullet-proof if you don't implement the firewall but the chance of getting a security issue because you hadn't is small.
|
|
|
|
Cheers for you time and thoughts Ian72.
Good to have confirmation in such matters
|
|
|
|
Just to add (if it helps) that I've had no firewall other than NAT for many, many years now without incident.
But it is important to understand that NAT's firewalling effect is strictly one way, you are protected from the outside world, but there is absolutely nothing that NAT can do to prevent a compromised device on your network spamming the rest of the internet. (Which is, incidentally, where a lot of Spam comes from).
Maintain a tight ship and that risk is low, and you save yourself the hassle of maintaining an outgoing firewall which can often seem more of a hindrance than a help.
|
|
|
Just to add (if it helps) that I've had no firewall other than NAT for many, many years now without incident.
What incident were you expecting ?
Surely if someone is hacking into your network, the last thing he/she would want would be to make you aware of it ?
|
|
|
|
Thanks medwayman,
That does help.
I totally concur about keeping a tight ship. Firewalls are only one part of keeping your system secure and, it seems to me, their usefulness "depends". It would be foolish for anyone to to think they are fully insulated from internet nastiness just by switching a firewall on and running virus checkers. Indeed I am of the opinion that keeping things simple and "being aware", is far more likely to result in a reliable, safe system.
cheers
|
|
|
As you say, the firewall rules can be pretty complicated. If you want to be able to validate whether you've configured your outbound rules correctly, you can use www.firebind.com. It has a simple web client you can plug TCP port ranges into to see if any firewall is blocking TCP connections from your machine to the Internet.
It's pretty handy whether you're trying to validate your own firewall rules or whether you're on the road and trying to figure out whether some other broadband provider (hotel, airport, coffee shop) is blocking ports you need.
ProtocolGeek
|
|
|
|
On the home routers I've seen the firewall is switched "on" but doesn't do anything unless you set up rules for it.
|
|
|
|
They sound like pretty pointless firewalls then!
Unless I mis-understand you.
|
|
|
Switched On, as in the NAT part is running, i.e. for simplicity many routers call the NAT part of the firewall.
Given NAT drops unsolicited incoming packets it does a pretty good job.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
What rules would you like setting up out of the box?
NAT stops any incoming traffic unless you set up port forwarding.
|
|
|
What rules would you like setting up out of the box?
I'm not sure why you are asking me that question. I was simply questioning why a firewall would be switched on when it doesn't do anything.
--
My zyxel router has a separate NAT and firewall. In my original post i was asking if there was any reason why I might use both my NAT and the firewall together. I currently believe the firewall has its uses but in my case and in my home network, it is unnecessary. My original question was to check my belief was correct. I currently run NAT with a couple of ports forwarded for outside access to my NAS and the firewall is disabled.
|