Which Router for VPN and Webhosting

Discussion in 'Computer Security' started by wendy, Sep 12, 2003.

  1. wendy Guest

    Hi,

    I need help on which wireless router to get. It's for home use, so the
    802.11b standard is good enough. My requirements are...

    1. VPN pass-through (I use a VPN box to connect to work. I'm not trying to
    setup a VPN at home.)
    2. Webhosting (I'm hosting my own website at home. So, some hardware
    security/firewall would be nice).
    3. Print server (Nice to have).

    These are the ones I found; I'm leaning towards 1 and 2. Some guy told me that
    Belkins use cheap transformers in their routers!?! If I do get a Belkin,
    I'll make sure that I use a UPS for it.

    1. Linksys BEFSR41 4-port wireless
    http://www.buy.com/retail/product.asp?sku=10273558&loc=101&PageFormat=1

    2. Netgear FM114P
    http://www.buy.com/retail/product.asp?sku=10325914&loc=101&queryType=comp

    3. Netgear MR814
    http://www.buy.com/retail/product.asp?sku=10328497&hdwt=30704&loc=101&sp=1

    4. Belkin
    http://www.buy.com/retail/product.asp?sku=10314370&loc=101&PageFormat=7

    TIA
    -wen
     
    wendy, Sep 12, 2003
    #1
  3. Duane Arnold Guest

    I use a Linksys BEFW11S4 router and it has VPN and I VPN to work.

    I also used it for port forwarding the WEB and FTP ports to the WEB
    server Win 2k machine, until the ISP told me to close the ports, because
    a WEB server was not allowed on their network; otherwise, service would
    be dropped.

    The router doesn't have a firewall and most routers in the class don't
    have FW(s). They have NAT and maybe SPI, but most are good at protecting
    the device behind them.

    It's good until you start port forwarding, opening the ports to the
    Internet; then you will need a host-based FW on the machine.

    At least that's how it works on that 11S4 router.

    http://www.homenethelp.com/web/explain/about-NAT.asp

    Duane :)
     
    Duane Arnold, Sep 13, 2003
    #3
  4. wendy Guest

    Hi Duane,

    Thx for your input. Since I'll be hosting my own website, I really have no
    choice but to use port-forwarding. I'm not sure what you meant by
    "host-based" firewall. Do you have a reference? The Netgear [1] that I
    mentioned provides DoS and SPI. I thought those would be secure enough?
    Even those can be replaced by a software firewall if the router does not
    support it?

    TIA
    -wen

    [1] Netgear FM114P
    http://www.buy.com/retail/product.asp?sku=10325914&loc=101&queryType=comp
     
    wendy, Sep 13, 2003
    #4
  5. Jim Watt Guest

    There are a lot of good reasons for not hosting your own website;
    it's pretty cheap to outsource it these days, and the cost is less than
    running a dedicated PC.

    You also really need a static IP and an ISP that does not prohibit
    people running servers.

    Transformers are more reliable than switched mode power
    supplies, just heavier to move around.

    Don't neglect to enable the encryption on the wireless segment.
     
    Jim Watt, Sep 13, 2003
    #5
  6. Duane Arnold Guest

    Yes, the Netgear router seems to be very good. However, the protection of
    the router that is port forwarding ports to an IP/machine disappears and
    you will be allowing all IP(s) *opening the ports to the public Internet*
    to reach the machine; at least that's how the Linksys router I have
    works. And I would think it would be the same for any router in this class
    of routers.

    You port forward the ports, then the machine needs a host-based FW such as
    BlackIce, Outpost, Sygate, ZA, Norton to protect it.

    I suggest that you use BlackIce, because of the IDS/FW that will close
    the ports to an attack if someone decides to launch an attack coming down
    port 80 with the machine accepting all IPs to your Website; that's
    assuming you'll be accepting all IP(s).

    I assume that you're using an NT based O/S. If it's not an NT based
    Workstation O/S, then it can only allow one user at a time to access your
    Website. You'll need an NT based Server O/S if you want more than one
    user to access your Website at a time.

    I'll assume you're using an NT based O/S with IIS. If this is true, then
    you'll need to lock down IIS and *harden* the O/S. The link provides the
    how-to on all the MS O/S(s).

    http://www.uksecurityonline.com/husdg/windows2000.php

    Basic wireless security link:

    http://netsecurity.about.com/library/weekly/aa022703a.htm

    I'll say that unless your ISP has given you *clear* indication that you
    can run a Web server, then most likely you cannot. The ISPs do scan for
    the machines on their network and they will send that email to close the
    ports, or service to you will be dropped.

    I only open the ports for the Web server and FTP sites when I need to have
    them open; otherwise, they are closed.

    If you're in the US, then www.britsys.com (nationwide) will allow a
    machine running Web services on their network.

    Duane :)
     
    Duane Arnold, Sep 13, 2003
    #6
  7. Jim Watt Guest

    No, you can run a webserver on /98 if you like.

    See: http://www.xitami.com

    for a nice alternative to IIS.
     
    Jim Watt, Sep 13, 2003
    #7
  8. Leythos Guest

    [snip]
    This is how all of the home based NAT routers work, at least the ones
    under $200. From within IIS you can deny access to specific IP addresses
    by adding them to the site's configuration.
    Since you are only forwarding a SPECIFIC PORT or PORTS, not all of them,
    you need to protect your OS/Application by having NIGHTLY UPDATES if
    it's a Windows computer. You also need a good antivirus program. In most
    cases, the router is your best line of defense - get a good router, av
    software, and PATCH THE OS NIGHTLY.

    Last, really it should be first, you need to read about how to secure
    your internet application (such as reading about how to secure IIS from
    Microsoft's web site). IIS Lockdown tool from MS and the Security
    Scanner (looks for updates installed on your computer) are great ways to
    ensure that you are secure.
    And just how will BID stop normal access of port 80?
    Actually, if it's not Windows NT Server or Windows 2000 Server or
    Windows 2003 Server it will allow up to 10 connections at a time -
    provided you're running a Windows OS (Win XP Prof, 2000 Prof).
    In most cases you can run an HTTP server on the ISP's networks as long as
    you require authentication to the server - meaning that you cannot
    allow anonymous access to it (easy to change in IIS).
     
    Leythos, Sep 13, 2003
    #8
  9. Duane Arnold Guest

    If someone is going to run a Web server on Win 98, then more power to
    them. :)

    Duane :)
     
    Duane Arnold, Sep 13, 2003
    #9
  10. Jim Watt Guest

    I think you are confusing a file server with a web server.
     
    Jim Watt, Sep 13, 2003
    #10
  11. Duane Arnold Guest

    Well, I was accepting all IP(s) on ports 20, 21 and 80, and any IP doing
    normal things in contacting my IIS machine, BlackIce let through.
    Any IP that was doing TCP or UDP port scans, O/S fingerprints, SQL
    Slammer probes or scans, things of this nature, BI would close the port to
    that IP, although I never exposed SQL Server, except for putting the
    machine into the DMZ. And that was just to see what BI would do with
    accepting all IP(s) on the above ports. And this was being done for hours
    and days at a time just to see what would happen, and nothing came past
    BI. Like I said before, the machines do not have anything of importance
    to me and I can rebuild and have rebuilt them at the drop of a hat.

    That's not what I was told about the Workstation versions of those O/S's,
    when I asked about connectivity by multiple users coming at IIS on a
    Workstation O/S as opposed to IIS on the Server O/S. The information
    could have been wrong. I'll take your word on it.
    Again, I'll take your word on it. I never use anonymous login on
    anything. What my ISP came at me on was the FTP ports. Also, I would
    think that by the ISP doing HTTP://ip and it popping a page or a login
    screen, that would be proof enough that something was there, an easy
    program to write, in addition to other scanning the ISP may be doing.

    Duane :)
     
    Duane Arnold, Sep 13, 2003
    #11
  12. Leythos Guest

    The Slammer and Port Scans on anything but forwarded ports would never
    make it to BI - that's the great thing about a router - nothing makes it
    into the LAN unless you forward it there.

    If you put a machine in the DMZ you may as well not have a router - the
    DMZ IP is for a machine that gets ALL Ports not identified by specific
    forwarding rules.
    If you use the DMZ on one of those routers you may as well not use the
    router - DO NOT USE THE DMZ.
    I can assure you that Windows 2000 Professional and Windows XP
    Professional support 10 connections. Windows Server supports many
    connections, and with a CPU license they can support unlimited anonymous
    connections from FTP, IIS, etc...
    Duane, I was on Road Runner using a router and running two web servers
    and an exchange 2000 server at the same time. I use a simple Linksys
    BEFSR41 and never had anyone get in. I called the local ISP and asked
    them about the TOS and was told that as long as I was not running a
    business, or that as long as I was not allowing anonymous access, that
    it was permitted - YMMV.
     
    Leythos, Sep 13, 2003
    #12
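    Duane's point in #6 (once a port is forwarded, every source address reaches the LAN machine on it) and Leythos's point in #12 (nothing else gets in unless forwarded, and a DMZ host gets everything not covered by a rule) describe the same inbound decision. The following is an added illustration of that decision as a small Python model; it is not code from Linksys, Netgear or any other vendor, and the LAN addresses, rules and sample probes in it are constructed for the example.

```python
"""Toy model of the inbound decision a consumer NAT router makes.

Added illustration of the thread's discussion of port forwarding and the
DMZ host; not vendor code.  Hosts, rules and probes are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Decision = Tuple[str, Optional[str], Optional[int]]


@dataclass
class HomeRouter:
    # port-forward rules: (proto, public_port) -> (lan_host, lan_port)
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # the "DMZ host", if configured, receives every port not covered by a rule
    dmz_host: Optional[str] = None

    def forward(self, proto: str, public_port: int, lan_host: str,
                lan_port: Optional[int] = None) -> None:
        """Open one public port to one LAN host (lan_port defaults to public_port)."""
        self.forwards[(proto.lower(), public_port)] = (lan_host, lan_port or public_port)

    def close(self, proto: str, public_port: int) -> None:
        """Remove a forward rule; the port is dropped at the router again."""
        self.forwards.pop((proto.lower(), public_port), None)

    def inbound(self, proto: str, dst_port: int) -> Decision:
        """Decide what happens to an unsolicited inbound packet.

        Returns ("forward", host, port) when a rule matches,
        ("dmz", host, port) when no rule matches but a DMZ host is set,
        and ("drop", None, None) otherwise.  Replies to outbound connections
        are handled by the NAT table and are not modelled here.
        """
        rule = self.forwards.get((proto.lower(), dst_port))
        if rule is not None:
            return ("forward", rule[0], rule[1])
        if self.dmz_host is not None:
            return ("dmz", self.dmz_host, dst_port)
        return ("drop", None, None)

    def exposure(self, proto: str = "tcp") -> Dict[str, Set[int]]:
        """Map each LAN host to the set of public ports that reach it."""
        exposed: Dict[str, Set[int]] = {}
        for port in range(1, 65536):
            action, host, _ = self.inbound(proto, port)
            if action != "drop":
                exposed.setdefault(host, set()).add(port)
        return exposed


# Constructed sample probes of the kinds mentioned in the thread: a normal web
# visitor on tcp/80, an FTP client on tcp/21, a SQL Slammer-style probe on udp/1434.
SAMPLE_PROBES = [("tcp", 80), ("tcp", 21), ("udp", 1434)]


def compare_setups() -> Dict[str, Dict[Tuple[str, int], str]]:
    """Run the sample probes against a forward-only router and a DMZ router."""
    web_host = "192.168.1.10"  # constructed LAN address of the IIS box

    forward_only = HomeRouter()
    forward_only.forward("tcp", 80, web_host)
    forward_only.forward("tcp", 21, web_host)

    dmz = HomeRouter(dmz_host=web_host)
    dmz.forward("tcp", 80, web_host)

    results = {}
    for name, router in (("forward-only", forward_only), ("dmz", dmz)):
        results[name] = {probe: router.inbound(*probe)[0] for probe in SAMPLE_PROBES}
    return results


if __name__ == "__main__":
    for setup, outcome in compare_setups().items():
        print(setup, outcome)
    r = HomeRouter(dmz_host="192.168.1.10")
    print("public ports reaching the DMZ host:", len(r.exposure()["192.168.1.10"]))
```

    Running it shows the difference the thread argues over: with forwarding only, the Slammer-style udp/1434 probe is dropped at the router and only the two forwarded ports reach the web host, while the DMZ setup delivers every non-forwarded port to the DMZ host, which is why Leythos advises against it. `close()` models Duane's habit of removing the forwards when the services are not needed.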
  13. Duane Arnold Guest

    I am not confusing anything.

    I'll put it to you this way. The day will never come again for me that I
    use a Win 9x or ME machine to do anything. They are still viable
    solutions, just not for me.

    Duane :)
     
    Duane Arnold, Sep 13, 2003
    #13
  14. Duane Arnold Guest

    I understand that. But the fact that I was port forwarding the ports on
    the router to an IP/machine and BI was ACCEPTING ALL IP(S), but closing
    the ports when it detected something out of the norm from an IP, has
    meaning to me. The only other host-based FW solution that I know of for
    home use, and affordable, that can do what BI can do is Sygate. But Sygate
    is not there with BI, because Sygate only uses a signature based IDS
    engine while BI uses signature and protocol analysis IDS engines and BI
    can see what's coming in the HTTP traffic. Sygate cannot do this at this
    time.
    I guess you're saying this for the benefit of others that are reading
    this and don't know.
    Leythos - that may be true for RR. But I know for a fact that Insightbb,
    which uses AT&T as its network backbone, and AT&T are not going to allow
    any customer to run a WEB/FTP server on their network. I got that email
    to close the ports.

    Duane :)
     
    Duane Arnold, Sep 14, 2003
    #14
  15. wendy Guest

    This is how all of the home based NAT routers work, at least the ones
    Are you saying that there's no difference between getting the Linksys ($60) and the
    Netgear ($120) with DoS and SPI support???
    It seems that the host-based (software) FW can do what the Netgear router
    (DoS and SPI) can do. As a matter of fact, what is the advantage of using
    a hardware FW? Is speed the only reason?
    NIGHTLY updates/patches!?! You mean FW vendors actually release patches on
    a daily basis?

    thx,
    -wen
     
    wendy, Sep 14, 2003
    #15
  16. wendy Guest

    I guess it's a matter of how much speed that extra $60 can buy me. My
    webserver (IIS on W2K server) is not going to be running on a very fast
    machine (Celeron 1.4 with 512M of RAM).

    I'm still leaning towards the Linksys... Just because that's what most
    people (SOHO) use. And, the flexibility of using whatever S/W FW I want
    instead of whatever Netgear has built in to its box.

    thx,
    -wen
     
    wendy, Sep 14, 2003
    #16
  17. Jim Watt Guest

    Your personal tastes have nothing to do with what is possible and what
    is not. As I stated in the beginning, the best solution for most
    webhosting is not to do it yourself at all but to outsource it, because
    it's cost-effective and provides a robust solution. I calculated that
    it cost me less to pay for hosting than the electricity involved in
    running one machine here. Web servers on intranets are another
    matter. However, I would rather have a totally separate public web
    presence with its own connectivity, power backup, intrusion detection
    and backup than have it on my network as a gateway for trouble.

    That's an opinion, but that Xitami runs on Win/98 is a fact. It also
    runs on NT, Win2000, Linux etc. and is easier to use than IIS.
     
    Jim Watt, Sep 14, 2003
    #17
  18. Leythos Guest

    No, I don't think I said anything like that - get the most bang for the
    buck and make sure it's installed. I have no issues with DLink, Linksys,
    NetGear, etc... Anything that blocks uninvited INBOUND is what most
    people need.
    Hardware and software comparisons have been posted many times in this
    group - here are a couple items:

    Hardware
    1) hardware means they stop BEFORE they hit your computer
    2) hardware means users have LESS chance to misconfigure their
    protection
    3) hardware means they can share their connection with more than one
    computer and all are protected

    Software
    1) Users will be Alerted and asked to make a choice to Allow, Deny -
    hope they make the right choice every time.
    2) Users must rely on their computers to be stable before installation
    3) Users' OS may be impacted (broken) by installation (slim, but
    possible)
    4) Users' CPU and memory are used; machine may crawl during a large
    attack.
    5) Users may have to configure subnet exceptions if already running a
    small network - hope they get this right
    6) Users may have to open outbound DNS in the firewall (manually) to get to
    the internet (latest version of free ZA did this to 8 people I know).

    For technical users I don't have a problem with software firewalls
    (personal firewalls), but for the cost of registering the product they
    could install a router with NAT and be protected from INBOUND also.
    Some release patches every couple of days - but I was talking about
    Microsoft - if you are port forwarding to a machine running an MS OS, and
    you are not an IT person with a real firewall (not just a personal one),
    then you should set Windows Update to run at least nightly around 2AM
    and then reboot the computer. Most home users forget to do the update -
    that's why the last wave of worms was able to propagate so quickly.
     
    Leythos, Sep 14, 2003
    #18
  19. johnny Guest

    I'm using the Netgear MR814v2. Works great. But, I should've spent more for
    a router with more configuration options. If you buy the older MR814, be
    sure to get the firmware upgrade that fixes the NTP problem as well as the
    added configuration options.
     
    johnny, Sep 14, 2003
    #19
  20. NARColepsy Guest

    Is Microshaft even supporting 98 anymore? ;-)
     
    NARColepsy, Sep 14, 2003
    #20