Recommend Home office Firewall

I am looking for a firewall for my home PC (Windows XP Pro). I use a cable modem to access the net and I also connect to a VPN for my work. Please advise on what my best option for a firewall is.
1 Solution
If you are connecting by VPN, you need to select something that will permit VPN passthrough options. Unfortunately, the best firewall (IMHO, the Cisco PIX) will not support that function. However, the lower-cost soho broadband router such as a Linksys BEFSR41 http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=20
has stateful packet inspection, supports VPN passthrough, uses NAT as another basic firewall function, and can enforce ZoneAlarm Pro firewall features as well as anti-virus. Unless you have other people's financial information or other people's personal medical information, you will be relatively safe. Add an Intrusion Detection/firewall such as Black Ice Defender on your workstation, and you will be good to go.

CUTTHEMUSIC (Author) commented:
Thanks for your comment. I had some bad experiences with Linksys so I think I want to stay away from them. One product that I had looked at was the Checkpoint Safe@ product line since I have a Checkpoint firewall at my office. Their products are also stateful inspection (although I'm not sure what stateful inspection is and what other types there are). Here is a link for review. http://www.checkpoint.com/products/solutions/safe.html
Since you're using the VPN, you need to find out from checkpoint if this product supports nat-transparency or IPSEC/PPTP passthrough. Otherwise, it looks like a pretty solid product. Checkpoint has a good reputation.

What kind of bad experience did you have with Linksys? I've had mine running over two years with no problems (nothing that a firmware upgrade didn't fix, anyway). Tech support is non-existent, but the products are generally solid.

I've heard good things about the DLink firewall:
CUTTHEMUSIC (Author) commented:
I bought 2 different cable modems from 2 different stores. Both of them were dead out of the box. Maybe it was just a quirk but I wound up going with a Motorola.

Could you explain more about the nat-transparency or IPSEC/PPTP passthrough?
Standard NAT/PAT features of the firewall would break the IPSEC negotiation, so the concept of NAT transparency came about because so many remote users are now using VPNs from behind soho/broadband routers/firewalls. Here's Cisco's explanation:
Before the introduction of this feature, a standard IPSec VPN tunnel would not work if there were one or more NAT or PAT points in the delivery path of the IPSec packet. This feature makes NAT IPSec aware, thereby, allowing remote access users to build IPSec tunnels to home gateways.

Feature Design of IPSec NAT Transparency
The IPSec NAT Transparency feature introduces support for IPSec traffic to travel through NAT or PAT points in the network by encapsulating IPSec packets in a User Datagram Protocol (UDP) wrapper, which allows the packets to travel across NAT devices.

IPSEC/PPTP passthrough is a feature long used in the soho devices, but it is normally limited to only one VPN client at a time from behind the firewall. New processes are being sought to permit multiple clients:

More info:
Microsoft's story on why it is necessary:
PPTP traffic consists of a TCP connection for tunnel maintenance and GRE encapsulation for tunneled data. The TCP connection is NAT-translatable because the source TCP port numbers can be transparently translated. However, the GRE-encapsulated data is not NAT-translatable.

From Cisco documentation on why VPNs don't work from inside a PIX firewall:
Because the connection is initiated as TCP on one port and the response is GRE protocol, it is necessary to configure ACLs to allow the return traffic into the PIX, as the PIX Adaptive Security Algorithm (ASA) does not know the traffic flows are related. PPTP through the PIX with NAT (one-to-one address mapping) works because the PIX uses the port information in the TCP or User Datagram Protocol (UDP) header to keep track of translation. PPTP through the PIX with Port Address Translation (PAT) does not work because there is no concept of ports in GRE.
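To make the NAT/PAT point above concrete, here is an added toy model (not code from this thread, nor from Cisco or Microsoft) of a PAT router that keys its translation table on (protocol, port). Raw ESP and GRE carry no port, so the router cannot translate them; NAT-T's UDP wrapper gives it one. The protocol numbers and UDP 4500 are the standard values; the addresses and the router's port range are constructed for the example.

```python
from dataclasses import dataclass
PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50  # IANA protocol numbers
NAT_T_PORT = 4500  # UDP port IPsec NAT traversal uses (RFC 3948)

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # 0 marks a port-less protocol (GRE, ESP)
    dport: int = 0
    payload: bytes = b""

class PatRouter:
    """Toy PAT: many inside hosts share one public IP; flows keyed by (proto, port)."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.table = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        if not pkt.sport:
            # Nothing to rewrite and nothing to key replies on: the "no concept of
            # ports in GRE" problem quoted above, and raw ESP behaves the same way.
            raise ValueError(f"protocol {pkt.proto} has no port to translate")
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, pub_port, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Packet:
        inside = self.table.get((pkt.proto, pkt.dport))
        if inside is None:
            raise ValueError("no translation state for this flow; dropped")
        return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1], pkt.payload)

def nat_t_encapsulate(esp: Packet) -> Packet:
    """NAT-T: wrap the ESP packet in UDP so the PAT router has ports to track."""
    return Packet(PROTO_UDP, esp.src, esp.dst, NAT_T_PORT, NAT_T_PORT, b"ESP|" + esp.payload)

def demo() -> dict:
    """Raw ESP is dropped by the PAT router; the NAT-T wrapped copy goes out and back."""
    nat = PatRouter("203.0.113.5")  # constructed addresses from documentation ranges
    esp = Packet(PROTO_ESP, "192.168.1.10", "198.51.100.1", payload=b"ciphertext")
    try:
        nat.outbound(esp)
        raw = "translated"
    except ValueError:
        raw = "dropped"
    out = nat.outbound(nat_t_encapsulate(esp))
    reply = Packet(PROTO_UDP, out.dst, out.src, out.dport, out.sport, b"ESP|reply")
    return {"raw_esp": raw, "public_port": out.sport, "reply_to": nat.inbound(reply).dst}
```

The same failure applies to PPTP's GRE data channel, which is why a one-to-one NAT works for it but PAT does not.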

I have no idea why LMOORE is directing you to purchase Pix or Checkpoint for your home computer...

You are a HOME user with a cable modem, you don't need CHECKPOINT or PIX...those are expensive enterprise solutions for LARGE business office solutions. They do have small office solutions but they start at $400 at the very LEAST...Unless you're making tons of money and are paranoid about security and store all kinds of financials and secure information on your PC, to even suggest those firewalls for a home user is a little absurd.

Software based firewalls are just fine, you don't need a hardware based firewall for this scenario. Zone Alarm is a great solution and starts at $39 (www.zonelabs.com). Just be smart about the kinds of data you have on your PC...have an active and up to date anti-virus and anti-malware system going on your PC...don't give out personal info...keep a handy firewall running like Zone Alarm...and keep up on Windows updates...you'll be fine. Not to mention you'll save hundreds of dollars over LMOORE's ridiculous suggestions.


I appreciate your contributions, but I was NOT trying to sway CUTTHEMUSIC to buy either a PIX or Checkpoint firewall. I have been merely answering detailed questions posed by this asker. If you read carefully, I have stated in a couple of places why a PIX would NOT be an ideal solution, but perhaps a soho firewall such as the Netgear, and the Checkpoint was the asker's own idea.

So please, do not jump into the middle of a thread accusing me of posting "ridiculous suggestions" until you have read the entire conversation. We would appreciate it if you keep your comments on a more professional level.
CUTTHEMUSIC (Author) commented:
I am looking at the Checkpoint because of the known reliability. Here is why:

My home pc has a vpn connection to my work LAN.
I have admin privs.
A hacker compromises my home pc.
The hacker uses my pc/vpn to access my LAN.
The hacker now has FULL access to my work LAN.

Also, the price for the Safe@ line starts around $229 if you look hard.

I looked into ZoneLabs and many other software based firewalls but I was unsure of their reliability and to be quite honest some of them looked 'cheesy' so I doubted their performance.

BTW: I work for a mid sized bank so I am very paranoid about security but thanks for looking out! :)
Checkpoint, SonicWALL, and Cisco are the 3 I recommend, depending on the situation. I would first ask what kind of firewall you have at the bank, and if you can do a box to box VPN tunnel. Checkpoint and SonicWALL TELE3 are extremely simple to set up, and the logs are easy on the eyes. If you are familiar with Cisco CLI, the Cisco PIX 501 is also relatively easy to set up.
There has not been any activity on this question in 5 days.
Do you still need assistance, need more information, or have you solved your problem?
Can you close out this question?