Solved

Recommend Home office Firewall

Posted on 2003-03-17
10
Medium Priority
1,491 Views
Last Modified: 2013-11-16
I am looking for a firewall for my home PC (Windows XP Pro). I use a cable modem to access the net, and I also connect to a VPN for my work. Please advise on what is my best option for a firewall.
0
Question by:CUTTHEMUSIC
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8153085
G'day, CUTTHEMUSIC
If you are connecting by VPN, you need to select something that will permit VPN passthrough options. Unfortunately, the best firewall (IMHO, the Cisco PIX) will not support that function. However, a lower-cost SOHO broadband router such as the Linksys BEFSR41 (http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=20) has stateful packet inspection, supports VPN passthrough, uses NAT as another basic firewall function, and can enforce ZoneAlarm Pro firewall features as well as anti-virus. Unless you have other people's financial information or other people's personal medical information, you will be relatively safe. Add an intrusion detection/firewall product such as BlackICE Defender on your workstation, and you will be good to go.

Cheers!
0
 
LVL 2

Author Comment

by:CUTTHEMUSIC
ID: 8153139
Thanks for your comment. I had some bad experiences with Linksys, so I think I want to stay away from them. One product that I had looked at was the Checkpoint Safe@ product line, since I have a Checkpoint firewall at my office. Their products are also stateful inspection (although I'm not sure what stateful inspection is and what other types there are). Here is a link for review: http://www.checkpoint.com/products/solutions/safe.html
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 400 total points)
ID: 8153246
Since you're using the VPN, you need to find out from Checkpoint if this product supports NAT transparency or IPSEC/PPTP passthrough. Otherwise, it looks like a pretty solid product. Checkpoint has a good reputation.

What kind of bad experience did you have with Linksys? I've had mine running over two years with no problems (nothing that a firmware upgrade didn't fix, anyway). Tech support is non-existent, but the products are generally solid.

I've heard good things about the DLink firewall:
http://www.dlink.com/products/broadband/dfl300/
0
 
LVL 2

Author Comment

by:CUTTHEMUSIC
ID: 8153283
I bought 2 different cable modems from 2 different stores. Both of them were dead out of the box. Maybe it was just a quirk, but I wound up going with a Motorola.

Could you explain more about the NAT transparency or IPSEC/PPTP passthrough?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8153423
Standard NAT/PAT features of the firewall would break the IPSEC negotiation, so the concept of NAT transparency came about because so many remote users are now using VPNs from behind SOHO/broadband routers/firewalls. Here's Cisco's explanation:
Before the introduction of this feature, a standard IPSec VPN tunnel would not work if there were one or more NAT or PAT points in the delivery path of the IPSec packet. This feature makes NAT IPSec aware, thereby, allowing remote access users to build IPSec tunnels to home gateways.

Feature Design of IPSec NAT Transparency
The IPSec NAT Transparency feature introduces support for IPSec traffic to travel through NAT or PAT points in the network by encapsulating IPSec packets in a User Datagram Protocol (UDP) wrapper, which allows the packets to travel across NAT devices.

IPSEC/PPTP passthrough is a feature long used in the SOHO devices, but it is normally limited to only one VPN client at a time from behind the firewall. New processes are being sought to permit multiple clients:
http://quickstart.clari.net/qs_se/webnews/wed/cm/Bfl-nexland.R0Pn_DJ7.html

More info:
Microsoft's story on why it is necessary:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable.

From Cisco documentation on why VPNs don't work from inside a PIX firewall:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.
0
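The Microsoft and Cisco excerpts above make one point in two ways: PAT keys its translation table on TCP/UDP port numbers, and GRE (PPTP data) and ESP (IPsec data) carry no ports, while one-to-one NAT needs no ports and IPsec NAT-T sidesteps the problem by wrapping ESP in UDP. The following toy model is an added illustration, not code from this thread or from any vendor; the packet layout, the translation tables and the sample addresses are simplified assumptions, but the protocol numbers (TCP 6, UDP 17, GRE 47, ESP 50) and the NAT-T port (UDP 4500) are the real values.

```python
"""Toy model of why PAT breaks PPTP (GRE) and bare IPsec (ESP), while
one-to-one NAT and IPsec NAT-Traversal (UDP encapsulation) pass through.
Constructed illustration for the thread above; not vendor code."""

from dataclasses import dataclass, replace
from typing import Optional, Tuple, Union

# Real IP protocol numbers for the carriers discussed in the thread.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT = 1723   # PPTP tunnel maintenance runs over TCP/1723
NAT_T_PORT = 4500          # IPsec NAT-T encapsulates ESP in UDP/4500 (RFC 3948)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None   # only TCP and UDP carry port fields
    dst_port: Optional[int] = None
    payload: str = ""


class OneToOneNat:
    """Static NAT: every inside host has its own public IP, so the device
    rewrites only the address. Port-less protocols (GRE, ESP) survive."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)  # inside_ip -> public_ip

    def outbound(self, p: Packet) -> Packet:
        if p.src_ip not in self.mapping:
            raise ValueError("no static mapping for %s" % p.src_ip)
        return replace(p, src_ip=self.mapping[p.src_ip])


class Pat:
    """Port Address Translation: many inside hosts share one public IP and
    are told apart by rewritten source ports. With no port field in the
    header there is nothing to key the translation entry on."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}   # (inside_ip, inside_port, proto) -> public_port

    def outbound(self, p: Packet) -> Packet:
        if p.proto not in (PROTO_TCP, PROTO_UDP):
            raise ValueError(
                "PAT cannot translate IP protocol %d: no port field" % p.proto)
        key = (p.src_ip, p.src_port, p.proto)
        if key not in self.table:          # allocate a fresh public port
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(p, src_ip=self.public_ip, src_port=self.table[key])


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap an ESP packet in UDP/4500 the way IPsec NAT-T does, giving the
    PAT device a port field to work with. The inner ESP payload is untouched."""
    if esp.proto != PROTO_ESP:
        raise ValueError("only ESP is encapsulated by NAT-T")
    return Packet(esp.src_ip, esp.dst_ip, PROTO_UDP,
                  NAT_T_PORT, NAT_T_PORT, payload="ESP:" + esp.payload)


def try_translate(device, p: Packet) -> Tuple[str, Union[Packet, str]]:
    """Return ('ok', translated_packet) or ('fail', reason)."""
    try:
        return "ok", device.outbound(p)
    except ValueError as e:
        return "fail", str(e)


def demo():
    """Run the four cases the thread describes; returns {case: status}."""
    inside, gateway = "192.168.1.10", "198.51.100.5"   # constructed sample addresses
    pat = Pat("203.0.113.1")
    nat = OneToOneNat({inside: "203.0.113.1"})
    pptp_ctrl = Packet(inside, gateway, PROTO_TCP, 1025, PPTP_CONTROL_PORT)
    pptp_data = Packet(inside, gateway, PROTO_GRE)
    ipsec_data = Packet(inside, gateway, PROTO_ESP, payload="encrypted")
    return {
        "pptp control (TCP) through PAT": try_translate(pat, pptp_ctrl)[0],
        "pptp data (GRE) through PAT": try_translate(pat, pptp_data)[0],
        "bare ESP through PAT": try_translate(pat, ipsec_data)[0],
        "ESP with NAT-T through PAT": try_translate(pat, nat_t_encapsulate(ipsec_data))[0],
        "pptp data (GRE) through 1:1 NAT": try_translate(nat, pptp_data)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print("%-36s %s" % (case, status))
```

The model deliberately ignores the return path and the PIX ACL detail from the Cisco quote; it only shows the forward translation decision, which is where "no concept of ports in GRE" bites. A SOHO device advertising "PPTP/IPSEC passthrough" is essentially special-casing the port-less GRE and ESP flows that this plain PAT table rejects, which is also why such devices typically track only one such client at a time.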
 
LVL 3

Expert Comment

by:nouellette
ID: 8154405
I have no idea why LMOORE is directing you to purchase PIX or Checkpoint for your home computer...

You are a HOME user with a cable modem; you don't need CHECKPOINT or PIX... those are expensive enterprise solutions for LARGE business office solutions. They do have small office solutions, but they start at $400 at the very LEAST... Unless you're making tons of money and are paranoid about security and store all kinds of financials and secure information on your PC, to even suggest those firewalls for a home user is a little absurd.

Software-based firewalls are just fine; you don't need a hardware-based firewall for this scenario. Zone Alarm is a great solution and starts at $39 (www.zonelabs.com). Just be smart about the kinds of data you have on your PC... have an active and up-to-date anti-virus and anti-malware system going on your PC... don't give out personal info... keep a handy firewall running like Zone Alarm... and keep up on Windows updates... you'll be fine. Not to mention you'll save hundreds of dollars over LMOORE's ridiculous suggestions.

:)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8154459
nouellette,
I appreciate your contributions, but I was NOT trying to sway CUTTHEMUSIC to buy either a PIX or Checkpoint firewall. I have been merely answering detailed questions posed by this asker. If you read carefully, I have stated in a couple of places why a PIX would NOT be an ideal solution, but perhaps a SOHO firewall such as the Netgear would be, and the Checkpoint was the asker's own idea.

So please, do not jump into the middle of a thread accusing me of posting "ridiculous suggestions" until you have read the entire conversation. We would appreciate it if you keep your comments on a more professional level.
0
 
LVL 2

Author Comment

by:CUTTHEMUSIC
ID: 8154594
I am looking at the Checkpoint because of the known reliability. Here is why:

My home PC has a VPN connection to my work LAN.
I have admin privs.
A hacker compromises my home PC.
The hacker uses my PC/VPN to access my LAN.
The hacker now has FULL access to my work LAN.

Also, the price for the Safe@ line starts around $229 if you look hard.

I looked into ZoneLabs and many other software-based firewalls, but I was unsure of their reliability and, to be quite honest, some of them looked 'cheesy', so I doubted their performance.

BTW: I work for a mid-sized bank, so I am very paranoid about security, but thanks for looking out! :)
0
 
LVL 1

Expert Comment

by:Beerman
ID: 8156324
Checkpoint, SonicWall, and Cisco are the 3 I recommend, depending on the situation. I would first ask what kind of firewall you have at the bank, and if you can do a box-to-box VPN tunnel. Checkpoint and the SonicWall TELE3 are extremely simple to set up, and the logs are easy on the eyes. If you are familiar with the Cisco CLI, the Cisco PIX 501 is also relatively easy to set up.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8187862
G'day, CUTTHEMUSIC
There has not been any activity on this question in 5 days.
Do you still need assistance, need more information, or have you solved your problem?
Can you close out this question?

Ways to close your questions:
http://www.apollois.com/EE/Help/Closing_Questions.htm

0