funsec mailing list archives
Re: Router speeds...
From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Sat, 26 Nov 2005 09:57:33 -0700 (MST)
On Fri Nov 25 15:14:33 2005, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:

> Can I piggyback on that?

Sure!

> Now that I've got high-speed Internet (yes, I know, I'm a dinosaur), I'm in the market for a decent, cheap, firewall router. NAT, possibly, since I want to use it to farm out the connection to a few machines behind it if that isn't too hard. Nothing terribly fancy, but tuneable so that I can start getting a bit of a handle on firewall ACLs, but nothing that I need to spend enormous amounts of time on. Preferably something common enough that I can get it at London Drugs, but I'd go for an oddball if there was sufficient reason. Suggestions?
So far, I have played with Netgear, Linksys, SMC, D-Link, Belkin, and Cisco. (The "Cisco" brand as opposed to the Cisco-owned Linksys brand.)

NOTE: All of these support:
- NAT
- Discard ping from WAN
- Logging (and emailing logs!)
- Virtual servers
- Disable UPnP (I hate this protocol)
- One pseudo-DMZ host
- Port triggers (usually for games or FTP -- traffic on one port opens a second port. I use it for knock-knock protocols.)

My impression:

- SMC: Very fast and reliable (until the unexpected and untimely death at the age of 5). But I still recommend these to people. SMC makes for a good home/SOHO NAT system.
  + Fast. Their wired routers can get over 6Mb throughput. Newer ones can get nearly 10Mb. I don't know about wireless speeds.
  + Reliable -- handles outgoing nmap and scanrand without a problem. Handles external DoS/scans without a problem. (I went under a 72 hour DoS once -- never portscan organized crime -- and the little firewall had no problem.)
  + Virtual servers can be on different ports! E.g., WAN port 9992 translates to LAN host:22. Very cool feature.
  + Allows assigning static DHCP addresses to specific MAC addresses.
  - Limited port triggers.
  + Easy web GUI. (The best of the bunch.)
  - Not sold in stores. (When you absolutely need one *now*, you need to wait a week for the package to be delivered.)

- Netgear: Poor quality, poor performance. I cannot recommend these.
  - Slow. I only tried their wireless routers, but I could never get more than 2Mb -- even when only using the wired ports.
  - Unreliable. Outbound nmap and scanrand slow the router. Do not try more than one nmap at a time, or it crashes!!! After a few nmap scans, be sure to reboot the router.
  + Allows assigning static DHCP addresses to specific MAC addresses.
  + GUI is nice, but doesn't make up for speed/reliability.

- Linksys: OK, but buggy.
  - A "reset to factory default" does not clear the IP/gateway settings for the wireless connection. (Wired/DHCP becomes 192.168.1.1, but the wireless/DHCP remained at 192.168.100.1 (I had moved it there before the factory reset). This caused over 2 hours of debugging.)
  + Wired routers are fast.
  - Wireless routers are slow, even if the wireless network is disabled. Expect 2-3 Mb max.
  - Poor web GUI. Non-intuitive layout, cannot
  - Does not allow assigning static DHCP addresses to specific MACs. (If it does allow this, I haven't found it yet.)
  - Way too many stickers. "Do not plug in cables until you read the CD-ROM". WTF!
  + The box is open source, and there are some cool open source projects that turn this $40 router into a $1000 gateway/firewall. (This is a huge plus. But I haven't played with this yet.)
  + Supports disabling admin from the WiFi. (A feature missing from Netgear.)
  - Inconsistent. Different routers are better than others. The WRT56G is supposed to be one of the better ones. The WRT56GX is supposed to suck. Avoid it like the plague.

- D-Link: Surprisingly good. 5 years ago, I wouldn't recommend D-Link to anyone. They've become much better. (Opinion based on the DI-604.)
  + Fast. My wired router benchmarks at 8Mb. (I suspect it could go faster, but my cable modem is only doing 10Mb on its network connector.)
  + Reliable. So far, nmap and scanrand do not crash it.
  + Great logging! It doesn't just reject, but tells which rule caused the rejection!
  + Supports firewall rules, not just virtual server. The rules can be LAN-WAN, WAN-LAN, or LAN-LAN!
  - Rules are a little buggy. I think the GUI doesn't display them correctly. I've needed to delete/re-add rules a few times in order to make changes.
  + Supports VPN tunnels.
  - Configuring is not for the noobie. GUI sucks.
  + Built-in support for Zone Alarm (if you're into that sort of thing).
  - GUI sucks. (Did I say that already?) Every change requires a separate "apply". Every apply brings up a confirmation page rather than just doing it. Non-intuitive layout. (Have they ever heard of a "usability study"?)
  - Help sucks. Many of the GUI items are not mentioned in the "Help button" menus, or not described well.

- Cisco: Good product, bad support. (PIX and other true gateways.)
  + A true gateway, not just a NAT with special additions.
  + "Name brand"
  - Expensive. (How many D-Links can I buy for the same price as a PIX?)
  + Fast, reliable.
  - Non-intuitive configuration. Unless you know networking and Cisco rulesets, this is a reason to avoid them.
  - Unless you pay for the $10,000/yr support, don't expect anyone to help you with any problems.

Since I don't know you, I cannot make a recommendation for you. But I can suggest that you look at D-Link or SMC. I'm very fond of the SMC Barricade series, and so far, the D-Link DI-604 seems very good. (Give me a week and I'll let you know if my opinion changes for the D-Link.)

As for wireless... I suggest you buy three routers: two wired and one wireless. (In the US, the cost is less than $70 at Circuit Shitty and Office Max. Office Max has the DI-604 for $10 after rebate.)

  Internet -> wired #1 -> wired #2 -> LAN
  Internet -> wired #1 -> wireless -> WiFi network

Basically, this gives you a DMZ. Wired connections keep their high throughput, without being slowed by the wireless router. Any wireless compromises do not get into the LAN. Ideally, you want different brands for wired #1 and #2. This way, a compromise to one does not get through the other.

I'm right now seeing if the D-Link's "LAN-LAN" ruleset can keep the wireless out of the LAN without needing "wired #2". This is looking very good. (I lose the DMZ, but keep the security from the WiFi. I want to move the wireless router out of the cage next week, so it reaches the whole house.)

If your max throughput is 3Mb or less (dialup, DSL, etc.) then you can get away with:

  Internet -> wireless -> wired -> LAN

You won't notice the slowness from the wireless router.

-Neal

--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/

Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
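The post describes three separable mechanisms on these boxes: a virtual server that rewrites a WAN-side port to a LAN host and port (the "WAN 9992 -> LAN host:22" example), zone-to-zone firewall rules (LAN-WAN, WAN-LAN, LAN-LAN) used to keep a WiFi segment out of the wired LAN, and logging that names the rule behind each rejection. The following is an added example, not code from the post or from any of the vendors discussed: a small Python model of a zone-based, first-match packet filter with a destination-NAT step in front of it. The subnets (192.168.1.0/24 for the LAN, 192.168.100.0/24 for the WiFi router's subnet), the router's WAN address and the sample traffic are all constructed for the illustration; they follow the topology in the post but are assumptions, not anything the post specifies.

```python
"""Zone-based first-match packet filter with a virtual-server (DNAT) step.

Added example modelling the behaviour described in the post; the addressing,
rule names and sample traffic below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed addressing: the wired LAN behind "wired #2" and the WiFi router's own subnet.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "WLAN": ip_network("192.168.100.0/24"),
}
ROUTER_WAN_IP = "203.0.113.5"  # documentation address standing in for the cable-modem side

# Virtual server table: WAN-facing port -> (LAN host, LAN port), as in "WAN 9992 -> LAN host:22".
VIRTUAL_SERVERS = {9992: ("192.168.1.10", 22)}


def zone_of(addr: str) -> str:
    """Anything not in a known internal subnet is treated as WAN."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str            # "LAN", "WLAN", "WAN" or "*" for any
    dst_zone: str
    proto: Optional[str]     # None = any protocol
    dport: Optional[int]     # None = any port
    action: str              # "allow" or "deny"
    dnat_only: bool = False  # match only traffic that arrived through a virtual server

    def matches(self, pkt: Packet, sz: str, dz: str, dnatted: bool) -> bool:
        return (self.src_zone in ("*", sz)
                and self.dst_zone in ("*", dz)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (dnatted or not self.dnat_only))


# Ordered; the first matching rule decides. The catch-all deny must stay last.
RULES: List[Rule] = [
    Rule("discard-wan-ping", "WAN", "*", "icmp", None, "deny"),
    Rule("allow-lan-out", "LAN", "WAN", None, None, "allow"),
    Rule("allow-wlan-out", "WLAN", "WAN", None, None, "allow"),
    Rule("deny-wlan-to-lan", "WLAN", "LAN", None, None, "deny"),   # the LAN-LAN isolation rule
    Rule("allow-ssh-virtual-server", "WAN", "LAN", "tcp", 22, "allow", dnat_only=True),
    Rule("default-deny", "*", "*", None, None, "deny"),
]


def translate(pkt: Packet) -> Tuple[Packet, bool]:
    """Destination NAT: rewrite a WAN-side virtual-server port before filtering."""
    if pkt.proto == "tcp" and pkt.dst == ROUTER_WAN_IP and pkt.dport in VIRTUAL_SERVERS:
        host, port = VIRTUAL_SERVERS[pkt.dport]
        return Packet(pkt.src, host, port, pkt.proto), True
    return pkt, False


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, log line); the log names the rule that decided the packet."""
    nat, dnatted = translate(pkt)
    sz, dz = zone_of(nat.src), zone_of(nat.dst)
    for rule in rules:
        if rule.matches(nat, sz, dz, dnatted):
            log = f"{rule.action.upper()} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}"
            if dnatted:
                log += f" (DNAT {nat.dst}:{nat.dport})"
            log += f" zones={sz}->{dz} rule={rule.name}"
            return rule.action, log
    raise RuntimeError("no rule matched; keep a catch-all deny as the last rule")


if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("192.168.1.20", "198.51.100.7", 443),             # LAN host browsing out
        Packet("192.168.100.8", "198.51.100.7", 443),            # WiFi client browsing out
        Packet("192.168.100.8", "192.168.1.10", 445),            # WiFi client probing the LAN
        Packet("198.51.100.9", ROUTER_WAN_IP, 9992),             # SSH in through the virtual server
        Packet("198.51.100.9", ROUTER_WAN_IP, 22),               # SSH to the router's own port 22
        Packet("198.51.100.9", ROUTER_WAN_IP, 0, proto="icmp"),  # ping from the WAN
    ]
    for p in samples:
        print(filter_packet(p)[1])
```

The `dnat_only` flag is the detail worth noticing: the WAN-to-LAN allow for port 22 only fires for packets that came through the virtual-server rewrite, so the filter never opens the LAN host's real port 22 to anything that merely names it, and a rule that forgets the flag would silently widen the exposure.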
Current thread:
- Re: Router speeds..., (continued)
- Re: Router speeds... Nick FitzGerald (Nov 25)
- Re: Router speeds... Dude VanWinkle (Nov 25)
- Re: Router speeds... Dr. Neal Krawetz (Nov 26)
- Re: Router speeds... Chris Buechler (Nov 28)
- Re: Router speeds... Chris Buechler (Nov 25)
- Re: Router speeds... Roland Dobbins (Nov 25)
- Re: Router speeds... Valdis . Kletnieks (Nov 25)
- Re: Router speeds... Chris Buechler (Nov 28)
- Re: Router speeds... Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 25)
- Re[2]: Router speeds... Ilfak Guilfanov (Nov 25)
- Re: Router speeds... Dr. Neal Krawetz (Nov 26)
- Re: Router speeds... Martin Wehlou (Nov 26)
- Routers Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 27)
- Re: Routers Martin Wehlou (Nov 27)
- Re: Routers Dr. Neal Krawetz (Nov 27)
- Re: Routers Blue Boar (Nov 27)
- Re: Routers Martin Wehlou (Nov 27)
- Re: Routers James Eaton-Lee (Nov 27)
- Re: Routers Dude VanWinkle (Nov 27)
- Re: Router speeds... Nick FitzGerald (Nov 25)
- Re: Routers Valdis . Kletnieks (Nov 27)
- Re[2]: Routers Pierre Vandevenne (Nov 27)