Need Advice on Routers

Technomage technomage.hawke at gmail.com
Mon Apr 27 15:44:29 MST 2009


Lisa,

not to knock your extensive experience with commercial equipment, but I've often found such to be more trouble than they are worth. Now, I am not an "ordinary computer user" like most. I tend to go with what works with a minimum of overhead on a powerful machine (900MHz CPU, OpenBSD 4.2 and pf firewall and 3 NICs <one as DMZ>).

1 rule of thumb I have: if a service doesn't need to be on the firewall, THEN DON'T INSTALL IT THERE! VPN, DNS, TOR, any of these should never go on a firewall (it's one of the reasons why a home or commercial device will fail; it's a security risk). I don't even like webservers on firewalls. I like having an internally facing ssh or telnet server (I did say internally facing) and pf is very nice on rulesets (it's easier to learn than iptables/ipchains).

Now, I know I don't have the level of experience you do, but from my point of view, I find that unless I am rich, I simply cannot afford the expensive equipment (corporate level stuff), nor can I afford the cheapo off-the-shelf crapola at Best Buy. Given the choices, I'd rather build my own.

anyway, that's my 2 cents worth on this subject. :)


Lisa Kachold wrote:
> Hi Mark,
>
> As a technical professional, I have weighed the benefits and costs of SOHO
> "routers" against what can be expected in production equipment.
>
> I find that the stability, functions and maintenance of most of these
> LinkSys and Netgear devices are not worth the cost; generally they must be
> tinkered with extensively, rebuilt and upgraded to even partially work.
>
> I have had a couple of Netgear and LinkSys firewalls, including VPN so
> called "Small Business" firewalls.  I have built my own firmware, added
> second party firmware, WRT and studied extensively the image and
> configuration when the devices fail.  I find there are extensive security
> issues inherent in most of these devices that allow them to fail over under
> distributed packet assault and allow one of three things to happen:  remote
> access, firmware upgrade or management via http on wan side.  NOTE: I have
> not evaluated dlink or other manufacturers' offerings.
>
> Here's an at a glance comparison of home broadband "routers":
> http://compnetworking.about.com/od/broadband/tp/dslcablerouters.htm
>
> While I strongly liked OpenWRT, because I essentially had a sweet little
> linux system, I did not find that the security features were robust enough;
> no IDS function was available for real time packet inspection (like in a
> ProSafe LinkSys Business Router); no VLAN or IPS features.  Configuring the
> firewall, while easy for me might not have been so easy for another since
> extensive inbound and outbound rules needed to be set via IPTABLES.  And
> when I was done, the OpenWRT ssh and distributed networking STILL was not
> able to withstand a distributed DoS with low level fuzzing attack - again
> falling over and allowing escalated privs.
>
> With that said, I strongly suggest that you completely sidestep "home"
> versions and look at small business products.
>
> Cisco has some new offerings that should perform better and include some
> suite functions:
> http://www.infoworld.com/d/storage/cisco-delivers-security-storage-uc-small-business-624
>
> Also, you do realize you can just get yourself a used Cisco 877 ADSL or ASA
> 5500 (do you already have an ADSL modem too) and have a VPN via Cisco VPN
> client that works with Linux well:
>
> http://www.pcmall.com/pcmall/shop/detail.asp?dpno=562971&Redir=1&description=Cisco-877%20ADSL%20Security%20Router%20Wireless%20802.11g%20FCC%20compliant%20+%204-port%20Switch-WAN%20Routers,%20Gateways,%20etc
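The "nothing on the firewall that doesn't need to be there, ssh only on the inside" layout described in the reply above, written out as an added pf.conf example. This is not the poster's actual ruleset: the interface names, the LAN/DMZ address ranges and the DMZ web host are assumptions, and the nat/rdr rule form is the OpenBSD 4.2-era syntax the poster mentions (later releases moved translation into match rules).

```pf
# /etc/pf.conf - three-interface firewall, minimal services on the box itself.
# Hypothetical example, not the poster's configuration. Interface names,
# networks and the DMZ host below are assumptions.
ext_if  = "fxp0"              # WAN
int_if  = "fxp1"              # trusted LAN
dmz_if  = "fxp2"              # DMZ
lan_net = "192.168.1.0/24"    # assumed LAN range
dmz_net = "192.168.2.0/24"    # assumed DMZ range
dmz_www = "192.168.2.10"      # the web server lives in the DMZ, not on the firewall

set skip on lo0
set block-policy drop

# Normalize fragments and bogus flag combinations before filtering (4.2 syntax)
scrub in all

# Translation: LAN and DMZ share the WAN address on the way out;
# only the DMZ web server is published, on port 80 alone
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $dmz_www port 80

# Default deny in both directions, logged so probes against the box show up
block log all

# Drop packets arriving on the wrong interface for their source address
antispoof quick for { $int_if, $dmz_if }

# Management: ssh to the firewall only from the LAN and only on the LAN
# interface. Nothing below ever opens port 22 on $ext_if or $dmz_if.
pass in quick on $int_if proto tcp from $lan_net to ($int_if) port 22 \
    flags S/SA keep state

# Trusted LAN may go anywhere; replies ride the state table
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Published web service: traffic already redirected to $dmz_www is let in on
# the WAN side and out on the DMZ side; the firewall itself serves nothing
pass in  on $ext_if proto tcp from any to $dmz_www port 80 flags S/SA keep state
pass out on $dmz_if proto tcp from any to $dmz_www port 80 keep state

# DMZ hosts get DNS and NTP out, and never reach the trusted LAN
pass in on $dmz_if proto { tcp, udp } from $dmz_net to any port { 53, 123 } keep state
block in quick on $dmz_if from $dmz_net to $lan_net
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The point the ruleset makes is the one in the reply: the only listener on the firewall is ssh, and the only rule admitting it is bound to the internal interface and the LAN source range, so a remote packet flood or fuzzing run against the WAN side has no daemon on the firewall to reach; `pfctl -sr` and `pfctl -ss` show the loaded rules and current states when checking that nothing else got through.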

