«

The above question is not for a business per-se but for home use..
I've got an 1841 router that I'll have running and was curious about
whether or not it will suffice to work both as a router and also a
firewall of sorts.. I see lots of information on the PIX firewall/VPN
devices and while I have no current need for VPN services now, I'm
curious if the firewall features on these devices are that much better
than what a plain router is capable of.. Ultimately, I'd like
something that will provide for more protection than what I'd normally
get with a consumer based product (e.g. netgear,linksys,etc).. Thanks!

Hi Rick,

Goodness, I can see a multitude of replies to this, so I will start at
the basics and let you work up from there....

> The above question is not for a business per-se but for home use..

It all comes down to what you are doing with your internet access.

If its just for regular home browsing use with perhaps some PRIVATE
(see below) Server operations, etc... then a decent Router that is
doing NAT and has the IOS Firewall S/W should provide most of what you
need, and this is exactly what I use at home. Of course past the
Network environment, you will also need application protection, such
as Email Anti-spam S/W (perhaps ISP implemented).

If you are doing more SERVING from your home site, then you may be
better off with something like a PIX.

My home Cisco has the F/W and full VPN IOS, however one thing to
remember is that VPN S/W in a Network device can often be configured
to serve ALL devices on one interface, or just a single device. The
best (IE most secure) VPN tunnel terminates at the actual VPN
end-points, and nowhere else, but it really all comes down to what you
wish to use the VPN for. I bought my Cisco 7 years ago, and while I
used the F/W from day one, I have never yet needed to use the SITE VPN
in the Router at all, as all my VPN's terminate on the actual HOST,
and the Router transparently passes them on.

In the context of this reply, PRIVATE Servers are Servers that you
operate from Home behind your Routers NAT environment, and the target
PORT for that Server is not one of the "Well Known addresses". IE a
standard WEB Server (IE HTTP) normally uses port 80. You can relocate
your server to a higher "unused" port number that is not normally used
(IE ports 1 - 512 are Well Known ports, 513 - 65535 are not Well Known
ports), however other people can still REACH your server as long as
they know which PORT to use. To do this YOU have to tell them which it
is first..... Your security needs for IOS are to block all incoming
requests EXCEPT those that -
1. Are replies to requests that ORIGINATE from you private LAN,
2. YOU specifically tell it to allow all EXTERNALLY initiated
requests through.
in this case IOS with the F/W feature set is usually enough (IMHO).

So there is no real one answer to the question without a lot of other
considerations being entered into the calculation, however for general
Home use I would not bother with a specific Firewall Appliance unless
I was offering Services on Well Known ports, but doing that is often
frowned on by ISP's.

I hope this helps..................pk.

--
Peter from Auckland.

On Jan 8, 4:57 pm, "Peter" <SOME...@orcon.net.nz> wrote:
> Hi Rick,
>
> Goodness, I can see a multitude of replies to this, so I will start at
> the basics and let you work up from there....
>
> > The above question is not for a business per-se but for home use..
>
> It all comes down to what you are doing with your internet access.

[ ... ]

> So there is no real one answer to the question without a lot of other
> considerations being entered into the calculation, however for general
> Home use I would not bother with a specific Firewall Appliance unless
> I was offering Services on Well Known ports, but doing that is often
> frowned on by ISP's.

Thanks much Peter.. After I posted this question I ended up doing
more
research on PIX, ASA's and whatnot and I think I've decided that my
1841
is more than capable of dealing with what I need to do today -- it's
got the
advanced IP services IOS version which I gather has the F/W portions
among other things.. Supposedly I believe I'm supposed to have the IPS
stuff as well, but in reading up on that, there's supposed to be some
sort
of SDF file sitting somewhere on the router but I can't find it so I'm
not sure
I can use that feature at this point until I get it under a new
support contract
and sort that out with Cisco TAC.. In the meantime, I do have a single
application server in use that I'm planning on expanding and running
from
home due to it being very expensive to host-off site. Anyway, I'll
keep all
of what you've said in mind..

Personally if I had the $$, I'd buy one of the ASA devices that has
all of
the anti-spam, anti-virus, content filtering, etc.. It sounds real
nice but the
annual costs to keep those database updated is prohibitive for the
average
home (cisco) user.. Anyway, thanks again..