Okay, thanks. I use a Linksys N router and settings that I can see offhand are
router username:*****
router password: ******
network name (SSID): ********
network security type: Higher Security (WPA / WPA2)
network security key: *********
connection type: Keep Alive
Does that tell you if it's safe to not use a software firewall? What is the NAT
you mention? I don't see it on any of the tabs in the software for the router. I
set it up when I bought it 3 years ago using the wizard. There is a box "SPI
Firewall Protection" checked disabled. I didn't set it like that. Is it a
problem?
http://en.wikipedia.org/wiki/Network_address_translation
192.168.1.2 Port 80 ---> NAT ---> 203.128.17.64 Port 1234
192.168.1.3 Port 80 ---> NAT ---> 203.128.17.64 Port 4567
192.168.x.x is a "private" address, and isn't intended to be "seen"
on the Internet. The Network Address Translation step achieves that
goal. It's done inside your router. The source IP and port are translated
in such a way that the NAT knows where to send a returning response from
some server on the Internet.
If you want to run a web server on your home computer, you can
override NAT in the incoming direction. That's called "Port Forwarding".
Without Port Forwarding, depending on the type of NAT, an external
computer can't really talk to the home computer unless it has some
connection already in place. So your typical home router is set up
by default to enable "web surfing", rather than running "servers"
from your basement.
SPI is "Stateful Packet Inspection". It's possible for an external
agent to spoof communications with your home gear. What they
can't know, though, is what the "sequence number" is of the most
recent connection going through the NAT. When you enable SPI,
it checks sequence numbers on the packets. If your normal web
surfing sent packets 1,2,3,4... and the sequence number coming
back was way out of sequence, like 3489, then the SPI would know
someone was trying to break in. Without SPI, it would presumably
be a bit easier to do.
http://en.wikipedia.org/wiki/Stateful_packet_inspection
Anyway, without getting all the details right, those
are some basic ideas. You get a small measure of security
as soon as there's at least one router box in your home setup,
and you haven't done your utmost to defeat it. For
example, if you enable DMZ on your home router, then
the script kiddies go wild.
http://en.wikipedia.org/wiki/DMZ_(computing)
"The DMZ host provides none of the security advantages that a
subnet provides and is often used as an easy method of forwarding
all ports to another firewall / NAT device"
Some people use DMZ on their router when they want a single
machine in the home to function as a "game server" and need
a whole bunch of ports open. At one time, home routers didn't
support the insertion of very many port forwarding rules, and
DMZ was a quick and easy way to "bust a hole" in NAT. But it's also
a dangerous thing to do. Someone could send a "ping of death"
to your game server and knock it over.
Suffice it to say, with all the stuff we have access to now, there
can be some overlap in the protections provided. The "ship" we
float in still leaks, but the holes aren't as large.
Paul
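To make the NAT, port-forwarding, DMZ and SPI ideas in Paul's reply concrete, here is an added toy model in Python. It is not code from the original thread, from Linksys, or from any router firmware; the public IP, the LAN and remote addresses, the port numbers and the sequence-number tolerance are all constructed values, and the SPI part follows the post's simplified description (a reply whose sequence number is far from the last one seen is dropped) rather than a real TCP state machine.

```python
# Added example, not part of the original thread: a toy model of a home
# router's NAT table, port forwarding, DMZ host and a simplified SPI check.
# All addresses, ports and the SPI_WINDOW value are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.128.17.64"   # constructed; same value as the diagram in the post
SPI_WINDOW = 100              # constructed tolerance for "way out of sequence"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int = 0


@dataclass
class Mapping:
    """One row of the NAT table: who inside talked to whom outside, and the last seq seen."""
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int
    last_seq: int


class HomeRouter:
    def __init__(self, spi: bool = True, dmz_host: Optional[str] = None) -> None:
        self.spi = spi                      # "SPI Firewall Protection" enabled or disabled
        self.dmz_host = dmz_host            # if set, every unmatched inbound packet goes here
        self.forwards: Dict[int, Tuple[str, int]] = {}   # public port -> (LAN ip, LAN port)
        self.table: Dict[int, Mapping] = {}              # public port -> NAT mapping
        self.by_flow: Dict[Tuple[str, int, str, int], int] = {}  # LAN flow -> public port
        self.next_port = 1234
        self.log: List[str] = []

    def forward_port(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """A manual port-forwarding rule: 'override NAT in the incoming direction'."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and a per-flow public port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.table[port] = Mapping(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.seq)
        self.table[port].last_seq = pkt.seq
        return Packet(PUBLIC_IP, port, pkt.dst_ip, pkt.dst_port, pkt.seq)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only via an existing mapping, a forward rule, or the DMZ host."""
        m = self.table.get(pkt.dst_port)
        if m and (m.remote_ip, m.remote_port) == (pkt.src_ip, pkt.src_port):
            # Matching flow. With SPI on, a sequence number far from the last one is dropped.
            if self.spi and abs(pkt.seq - m.last_seq) > SPI_WINDOW:
                self.log.append(f"SPI drop: seq {pkt.seq} far from expected ~{m.last_seq}")
                return None
            m.last_seq = pkt.seq
            return Packet(pkt.src_ip, pkt.src_port, m.inside_ip, m.inside_port, pkt.seq)
        if pkt.dst_port in self.forwards:
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.seq)
        if self.dmz_host:
            # DMZ: every port is exposed to the chosen machine, no questions asked.
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port, pkt.seq)
        self.log.append(f"NAT drop: unsolicited {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}")
        return None


def demo() -> dict:
    """Run the scenarios from the post and return who (if anyone) each inbound packet reached."""
    def dest(p: Optional[Packet]) -> Optional[Tuple[str, int]]:
        return None if p is None else (p.dst_ip, p.dst_port)

    r = HomeRouter(spi=True)
    out = r.outbound(Packet("192.168.1.2", 80, "198.51.100.7", 443, seq=4))
    reply = r.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.src_port, seq=5))
    stray = r.inbound(Packet("203.0.113.9", 5555, PUBLIC_IP, out.src_port, seq=5))
    forged = r.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.src_port, seq=3489))

    no_spi = HomeRouter(spi=False)
    out2 = no_spi.outbound(Packet("192.168.1.2", 80, "198.51.100.7", 443, seq=4))
    forged2 = no_spi.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out2.src_port, seq=3489))

    pf = HomeRouter()
    pf.forward_port(8080, "192.168.1.5", 80)
    fwd = pf.inbound(Packet("203.0.113.9", 40000, PUBLIC_IP, 8080))

    dmz = HomeRouter(dmz_host="192.168.1.9")
    any_port = dmz.inbound(Packet("203.0.113.9", 40000, PUBLIC_IP, 31337))

    return {
        "public_port": out.src_port,
        "reply": dest(reply),            # legitimate reply reaches the LAN host
        "stray": dest(stray),            # unsolicited packet to the same port is dropped
        "forged_spi": dest(forged),      # out-of-sequence packet dropped with SPI on
        "forged_no_spi": dest(forged2),  # same packet gets through with SPI off
        "forwarded": dest(fwd),          # port-forward rule lets it in to one host:port
        "dmz": dest(any_port),           # DMZ host receives traffic on any port
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

Running it shows the three layers the post walks through: plain NAT already drops the unsolicited packet, port forwarding punches exactly one hole, and DMZ removes the protection altogether; the SPI toggle only changes the outcome for the spoofed, out-of-sequence reply.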