[X4U] Router/Firewall selection

Neil Laubenthal neil at laubenthal.net
Mon Jun 23 06:16:58 PDT 2008


Hi folks . . . wanted to get some info/discussion about the relative  
merits of the various flavors of firewalls available for my new FIOS  
coming Friday.

I'm upgrading from SpeakEasy DSL and have been using a Netgear FWG114p  
with an Airport Extreme behind it for WPA2 wireless access.

With the FIOS . . . Verizon may or may not force me to use their  
Actiontec router which is advertised as being both NAT and SPI. In  
addition, Verizon may or may not (depending on who you talk to at  
Verizon) have a back door into the Actiontec even with WAN management  
disabled and the userid/password changed.

I'm not overly concerned about Verizon having a back door since from a  
corporate standpoint they're unlikely to have much interest in  
snooping . . . but if they've got a back door then all it takes is a  
disgruntled employee or smart router/firewall guy to figure out what  
it is and post it on the net for all to use.

The options I'm considering are:

1. Actiontec alone for firewall and my Airport Extreme in bridge mode  
for wireless.

2. Actiontec in non NAT mode with my existing Netgear FWG114p  
downstream of it for firewall, wired connections downstream of the  
Netgear, and my Airport in bridge mode downstream of the Netgear for  
wireless.

3. Actiontec in non NAT mode with my Airport Extreme in NAT/firewall  
mode and both wireless and wired connections downstream of the Airport.

4. Skip the Actiontec entirely and either use the Airport alone with  
everything downstream of it or the Airport in bridge mode downstream of my  
Netgear as with my current DSL connection.

We've been having a discussion about this on the local user group  
forums; the general consensus there is that the 4 year old NAT/SPI  
FWG114p is not as capable as the year or so old Airport Extreme since  
newer devices have more capabilities built into their NAT firewall. In  
addition, the consensus is that NAT firewalls are sufficient for home  
users. I'm not running any servers at home but will be doing port  
forwarding for SSH connections to a single inside system.

The local recommendation is to try to get a standard ethernet  
connection run from the Verizon ONT to my network closet then

1. Connect it directly to the Airport Extreme and use that alone.

2. Connect it to the Actiontec and use that alone including wireless.

3. Connect it to the Actiontec, use the Actiontec for firewall/router,  
and use the Airport in bridge mode for wireless clients.

I don't know much about the internal workings of either the combined  
NAT/SPI in the 4-year-old Netgear or the NAT/firewall in the Airport (it  
doesn't say SPI) . . . it seemed to me that NAT + SPI has to be  
better than NAT alone, but the much-more-technically-savvy-than-me  
folks on our local forums have convinced me that this is not true  
because the NAT in the Airport is better implemented than the NAT in  
the older Netgear and includes a lot of the security provided by the  
SPI in the Netgear.

Anyway . . . I figured I would toss this out for discussion . . . it  
never hurts to get smart people's ideas . . . and I decided that since  
I have only Macs in my home LAN it's kinda/sorta on topic if you  
stretch it only a little.

Thanks for any thoughts you might have.



-- 

There are only three kinds of stress . . .your basic nuclear stress, cooking
stress, and A$$ho1e stress. The key to relating them is . . . Jello.

neil


