- Use of router
- Posted by Charlie on August 20th, 2004
This may be a stupid question, but I am new to cable modems and being
connected all the time.
Is it safer to use a router with NAT between the modem and the computer
rather than just go from the modem direct to the computer using a
firewall? I know the advantages of the router regarding additional
computers having access.
Thanks to the experts.
--
To respond by Email remove never- from address
- Posted by Jbob on August 20th, 2004
100% YES. A router blocks unsolicited inbound traffic to your system.
Recent news releases show that unprotected systems can be infected in as
little as 20 minutes (some reported even less time). Any broadband
connection at a minimum should have a NAT device between the modem and
computer.
- Posted by David H. Lipman on August 21st, 2004
It doesn't hurt to go into the Router and specifically block TCP/UDP ports 135~139 and 445.
Dave
"Jbob" <nobody@SpamCox.net> wrote in message news:mrmdnahDMaYS5rvcRVn-rA@comcast.com...
| 100% YES. A router blocks unsolicited inbound traffic to your system.
| Recent news releases show that unprotected systems can be infected in as
| little as 20 minutes (some reported even less time). Any broadband
| connection at a minimum should have a NAT device between the modem and
| computer.
|
|
- Posted by Charlie on August 21st, 2004
Bill M. wrote:
Thank you all.
--
To respond by Email remove never- from address
- Posted by David H. Lipman on August 21st, 2004
On Linksys BEFSR41 and BEFSR81 v1 and v2 Routers the URL is --
http://192.168.1.1/Filters.htm
Linksys BEFSR41 and BEFSR81 v3 Routers use a different URL but utilize the same construct.
I have also done it on other routers such as Asante. I have also received feedback that it
can be done on many other vendor's Routers.
The Routers don't default to block any ports. They are analogous to a closed door. Using
the right request, an Internet node (I-worm or hacker) can open the port's door.
Specifically blocking the port is analogous to locking the port's door. You can't go
out that blocked port from the LAN side nor can you get in that port via the WAN side.
Dave
"Bill M." <wbillups@hotmail.com> wrote in message
news:h9idi0hijivkc5ig1g1pn8ni2sr5hnajp4@4ax.com...
| On Sat, 21 Aug 2004 00:25:57 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:
|
| >"Jbob" <nobody@SpamCox.net> wrote in message news:mrmdnahDMaYS5rvcRVn-rA@comcast.com...
| >| 100% YES. A router blocks unsolicited inbound traffic to your system.
| >| Recent news releases show that unprotected systems can be infected in as
| >| little as 20 minutes (some reported even less time). Any broadband
| >| connection at a minimum should have a NAT device between the modem and
| >| computer.
|
| >It doesn't hurt to go into the Router and specifically block TCP/UDP ports 135~139 and 445.
|
| I've never seen a consumer router that allows you to specifically
| block ports since all ports are generally blocked by default, except
| for the ones that are specifically opened.
|
| --
| Bill
- Posted by Chip Orange on August 21st, 2004
ok, but why doesn't your software firewall do the same thing just as well?
"Jbob" <nobody@SpamCox.net> wrote in message
news:mrmdnahDMaYS5rvcRVn-rA@comcast.com...
- Posted by Ron Hunter on August 21st, 2004
Chip Orange wrote:
it harder to FIND you.
- Posted by Warren on August 21st, 2004
Chip Orange wrote:
A software firewall on the same machine it is trying to protect can't be
as effective as a firewall prior to the machine it's trying to protect.
The difference is like placing a guard outside the door to protect the
door vs. placing a guard inside an unlocked door to keep the intruders
already in the room from doing any damage.
Additionally, the software firewall needs to integrate itself into the
TCP/IP stack which can result in an unstable stack. While the software
designers have gotten better, and the OS's have gotten tougher, this is
still a problem.
NAT routers with SPI are inexpensive and effective. They don't let the
intruder into the protected machine, and they don't add instability to
the network stack. What they don't do is prevent user errors.
By user error I mean the user letting in a trojan that opens the machine
to attack from the inside. To the router, it appears that the incoming
attack was invited. This is also the case for software firewalls that
only look at incoming communications, such as the built-in firewall of
Windows XP. The advantage of a firewall that looks at outgoing
communication is that it can stop these trojans -- assuming the user
understands the messages it displays, and does not grant permission to
the trojans to initiate the communication. So in the hands of an
uninformed or careless user, even those software firewalls have little
or no benefit.
--
Warren H.
==========
Disclaimer: My views reflect those of myself, and not my
employer, my friends, nor (as she often tells me) my wife.
Any resemblance to the views of anybody living or dead is
coincidental. No animals were hurt in the writing of this
response -- unless you count my dog who desperately wants
to go outside now.
Blatant Plug: "The Simpsons" 2005 Calendars and Books:
http://www.holzemville.com/mall/simpsons/books.html
- Posted by James Knott on August 21st, 2004
Charlie wrote:
Yes. The more layers, the more secure you are. Also, it's harder to tamper
with one of those boxes and address translation also adds some security.
--
(This space intentionally left blank)
- Posted by James Knott on August 21st, 2004
Chip Orange wrote:
It's a lot easier to compromise a computer that someone might run a virus or
trojan on. One of them might open an entry point into the computer.
--
(This space intentionally left blank)
- Posted by NormanM on August 21st, 2004
In article <h9idi0hijivkc5ig1g1pn8ni2sr5hnajp4@4ax.com>, Bill M. says...
I can do it with an antique SMC Barricade 7004BR. Not that I would waste two
of only eight SPI fields on ports already effectively blocked by the native
NAT feature.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
- Posted by NormanM on August 21st, 2004
In article <_zHVc.4394$Nn2.643@trndny05>, David H. Lipman says...
All the SOHO routers that I am aware of use NAT/PAT for sharing a single WAN
IP address with multiple computers on the LAN. Such routers need a
forwarding table to process incoming packets. No entry in the table for the
unsolicited packet, and it gets dropped. There is no request that can make a
router forward an unsolicited packet; if the router does not know where to
forward the packet, the router drops it.
As for "opening doors"; real world analogies to the Internet rarely work.
The port is not at all like a "closed door"; it is just a part of the memory
address block, which can accept data, if it is enabled, or not. To access a
port, there must be an application listening on that port. If there is no
application listening, there is no place for the packet addressed to that
port to go. WRT the router, the only ports available on the LAN side,
depending upon make and model, are usually IdentD and Remote Administration.
Turn them off, and there are no ports answering to remote connections.
You are trying to describe an electrical "latch" (a memory register) using a
physical barrier between spaces as an analogy. It doesn't work like that.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
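To make the mechanics the thread argues about concrete (Norman's point that an inbound packet with no entry in the translation table is simply dropped; Dave's suggestion of explicitly blocking TCP/UDP 135~139 and 445 in both directions; and Warren's point that a trojan calling out from the LAN looks "invited" to the router), here is a small Python model of a stateful NAT/PAT gateway. It is an added example, not code from any poster or router vendor; the addresses, port numbers and the "trojan" flow are constructed for illustration.

```python
"""Toy model of the NAT/PAT behaviour discussed in the thread (added example).

A SOHO router keeps a translation table of outbound flows. Inbound packets that
match no entry are dropped; that is the whole "NAT blocks unsolicited traffic"
effect. An explicit block on TCP/UDP 135-139 and 445 is a separate rule that is
checked in both directions. All addresses below are constructed documentation
addresses, not real hosts.
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.7"                              # constructed: router's public side
MS_NET_PORTS = frozenset(range(135, 140)) | {445}   # the 135~139 and 445 block list


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Stateful NAT/PAT with an optional bidirectional port block list."""

    def __init__(self, block_ports=frozenset()):
        self.block_ports = frozenset(block_ports)
        self.next_wan_port = 40000
        self.outbound = {}   # (proto, lan_ip, lan_port, dst_ip, dst_port) -> wan_port
        self.inbound = {}    # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)

    def _blocked(self, pkt):
        return pkt.src_port in self.block_ports or pkt.dst_port in self.block_ports

    def lan_to_wan(self, pkt):
        """Return (verdict, wan_port). Creates a translation entry on first use."""
        if self._blocked(pkt):
            return "DROP: explicitly blocked port", None
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.outbound:
            wan_port = self.next_wan_port
            self.next_wan_port += 1
            self.outbound[flow] = wan_port
            self.inbound[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return "FORWARD", self.outbound[flow]

    def wan_to_lan(self, pkt):
        """Return (verdict, lan_target). Only packets matching a table entry pass."""
        if self._blocked(pkt):
            return "DROP: explicitly blocked port", None
        target = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return "DROP: no translation entry (unsolicited)", None
        return "FORWARD", target


def run_scenario(block_ports=frozenset()):
    """Replay the cases argued in the thread; returns a verdict per case."""
    gw = NatGateway(block_ports)
    pc, web, attacker, worm = "192.168.1.10", "198.51.100.5", "198.51.100.9", "198.51.100.77"
    out = {}

    # 1. Internet worm probes the router's WAN address on 445: nothing in the table.
    out["worm_probe_445"] = gw.wan_to_lan(Packet("tcp", worm, 3333, WAN_IP, 445))[0]

    # 2. Ordinary browsing: outbound creates an entry, the reply is matched and forwarded.
    verdict, wan_port = gw.lan_to_wan(Packet("tcp", pc, 3000, web, 80))
    out["web_request"] = verdict
    out["web_reply"] = gw.wan_to_lan(Packet("tcp", web, 80, WAN_IP, wan_port))[0]

    # 3. Trojan the user let in calls out to its controller; to the router this is "invited".
    verdict, wan_port = gw.lan_to_wan(Packet("tcp", pc, 3001, attacker, 6667))
    out["trojan_callout"] = verdict
    out["controller_reply"] = gw.wan_to_lan(Packet("tcp", attacker, 6667, WAN_IP, wan_port))[0]

    # 4. MS Networking traffic leaving the LAN toward a WAN host (SMB on 445).
    out["lan_smb_to_wan"] = gw.lan_to_wan(Packet("tcp", pc, 3002, attacker, 445))[0]
    return out


if __name__ == "__main__":
    for label, cfg in (("NAT only", frozenset()), ("NAT + block 135-139,445", MS_NET_PORTS)):
        print(label)
        for case, verdict in run_scenario(cfg).items():
            print(f"  {case:18} {verdict}")
```

Running it with and without the block list shows the three outcomes the thread circles around: the worm's probe is dropped either way (NAT alone already has no entry for it), the explicit block additionally stops MS Networking traffic leaving the LAN, and the trojan's outbound call and its controller's replies are forwarded in both configurations, because a stateful NAT only judges whether a flow was started from inside, not whether the user meant it.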
- Posted by NormanM on August 21st, 2004
In article <DMqdnZWCfZG247rcRVn-rg@comcast.com>, Chip Orange says...
I have watched my computer boot. The computer is already making
TCP/IP broadcasts over the LAN before the software firewall is loaded. If my
computer was connected directly to the Internet, instead of behind a router,
that is a window of opportunity for Sasser/Blaster, and the like.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
- Posted by NormanM on August 22nd, 2004
In article <10if2mbauspru12@corp.supernews.com>, Ron Hunter says...
{Looking around the outfield, trying to see where that came from...}
Most routers are fairly easy to find, if set up out of the box. Every one
I've ever worked with leaves port 113 in a "closed" state; and the Linksys
BEFSR11 (Firmware Version: 1.46.00, Jun 24 2004) I have only shows as
"stealth" those ports blocked by my ISP (TCP 135, 139, 445, and 1025). All
else show as closed; it is a very responsive device, and you would have no
trouble finding it on the Internet.
I don't know all the "ring 0, ring 1" stuff happening at the lowest machine
level, but I know that the TCP/IP stack is active long (in terms of computer
cycles) before the Windows registry Run keys start the firewall. That is a
window of opportunity for Sasser/Blaster, and the like.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
- Posted by David H. Lipman on August 22nd, 2004
I beg to differ. I have been through these discussions before and ports 135~139 and 445 are
open on the LAN side with MS Networking.
An ounce of prevention is worth a pound of cure but, it is not worth arguing over (again !).
I will state that I have seen WAN addresses on a LAN side Win2K platform's NetBIOS cache
(Linksys BEFSR41 forget the FirmWare version of that time). If a node can appear in the
NetBIOS cache then packets have crossed the WAN/LAN NAT Router barrier. This behaviour was
stopped by explicitly blocking the above stated ports.
Dave
"NormanM" <spammail@blackhole.invalid> wrote in message
news:MPG.1b91801f8c4a4ca98971e@news.sf.sbcglobal.net...
| In article <_zHVc.4394$Nn2.643@trndny05>, David H. Lipman says...
|
| > The Routers don't default to block any ports. They are analogous to a closed door. Using
| > the right request, an Internet node (I-worm or hacker) can open the port's door.
| > Specifically blocking the port is analogous to locking the port's door. You can't go
| > out that blocked port from the LAN side nor can you get in that port via the WAN side.
|
| All the SOHO routers that I am aware of use NAT/PAT for sharing a single WAN
| IP address with multiple computers on the LAN. Such routers need a
| forwarding table to process incoming packets. No entry in the table for the
| unsolicited packet, and it gets dropped. There is no request that can make a
| router forward an unsolicited packet; if the router does not know where to
| forward the packet, the router drops it.
|
| As for "opening doors"; real world analogies to the Internet rarely work.
| The port is not at all like a "closed door"; it is just a part of the memory
| address block, which can accept data, if it is enabled, or not. To access a
| port, there must be an application listening on that port. If there is no
| application listening, there is no place for the packet addressed to that
| port to go. WRT the router, the only ports available on the LAN side,
| depending upon make and model, are usually IdentD and Remote Administration.
| Turn them off, and there are no ports answering to remote connections.
|
| You are trying to describe an electrical "latch" (a memory register) using a
| physical barrier between spaces as an analogy. It doesn't work like that.
|
| --
| Norman
| ~Win dain a lotica, En vai tu ri, Si lo ta
| ~Fin dein a loluca, En dragu a sei lain
| ~Vi fa-ru les shutai am, En riga-lint
- Posted by Tim Smith on August 26th, 2004
On 2004-08-20, Jbob <nobody@SpamCox.net> wrote:
Yup.
I installed XP Pro on a system that was logically outside my firewall (on
purpose--this was an experiment). It took approximately three minutes from
the time it got to the desktop to it being infected and scanning to find
other systems to spread the infection to.
--
--Tim Smith