LinuxQuestions.org

Mr. Alex 06-09-2010 07:40 AM

What is more secure - PC-router with Linux or hardware router?
 
What gives you more security - if you connect your PC to Internet via hardware router (like this one: http://www.ctfootscray.com.au/store/...k/DI-804HV.jpg ) or if you use a PC with firewall distro as a router?

pixellany 06-09-2010 07:42 AM

Why would it not simply be a function of the firewall rules and other settings?

Mr. Alex 06-09-2010 07:44 AM

I am not that experienced to configure a firewall. Maybe just some basic configurations... So I have to use it mostly by default.

never say never 06-09-2010 09:20 AM

This is a hard question to answer without knowing a great deal about your setup and your goals.

If you are just needing to do basic NAT (Network Address Translation) to allow more than one computer to share your internet connection, then most of the routers on the market today would be up to that task, assuming you take the time to change passwords, and choose the correct settings.

On the other hand if you are going to want to set up a tunnel, do port forwarding or traffic shaping (for games or VOIP) then you might be better off using a software appliance such as PFSense or IPCop (not sure if it has traffic shaping).

Software appliances will have a look and feel very much like a hardware router. However, they often offer more flexibility than a hardware router as well.

Hope this helps.

Mr. Alex 06-09-2010 10:56 AM

But all the security things in SmoothWall are configured professionally, right? So I doubt a regular user can configure iptables better than "SmoothWall Limited" did...

salasi 06-09-2010 11:25 AM

Quote:

Originally Posted by Mr. Alex (Post 3997768)
What gives you more security

Probably, both give you excellent security...until you make the modifications that you need to make them usable in your situation. Then, if you have expertise, the security could still be very good, but there is still the potential to make it really quite bad.

Quote:

But all the security things in SmoothWall are configured professionally, right? So I doubt a regular user can configure iptables better than "SmoothWall Limited" did...

You are comparing the results of what we will take as a professional outfit, but who knew nothing about your use case (and then you went and modified things, without fully understanding the considerations that they had when they did their bit, which has, at least, the potential to go badly) with a 'regular user' who does not really know enough, but at least understands their use case. And who could do a lot better, if they only went to the trouble of reading and understanding a few tutorials.

I'm not going to call that one - my suspicions are that the SmoothWall case may end up better, but it could go either way, depending on a number of variables - but I have to guess that security will not be optimal, in either case.

fruttenboel 06-09-2010 11:35 AM

Quote:

Originally Posted by Mr. Alex (Post 3997768)
What gives you more security - if you connect your PC to Internet via hardware router (like this one: http://www.ctfootscray.com.au/store/...k/DI-804HV.jpg ) or if you use a PC with firewall distro as a router?

Hardware router.

never say never 06-09-2010 12:49 PM

Most appliance software has an easy-to-use interface to adjust settings such as adding a port forward. It is not done 'professionally'. The advantage is there are far more options than what is offered by a consumer grade hardware router. For instance, you can set a port forward to be from a specific IP or range of IPs.

You don't have to be a professional to set up a software appliance such as PFSense or IPCop. In all cases (hardware router or software) you need to understand the changes you are making. If you don't, then you are likely to end up with an insecure setup. Now, it is true that because there are more options with a software router you could end up making things more insecure, but used properly that is not the case.
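An added example, not part of any poster's message: the post above mentions limiting a port forward to a specific IP or range of IPs, and this sketch audits a saved iptables ruleset for forwards that lack such a limit. The rule text, addresses and interface name are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format; the addresses are documentation
# ranges and the interface name is an assumption, none of it from the thread.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.20:3389
-A PREROUTING -s 0.0.0.0/0 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.30:80
-A PREROUTING ! -s 198.51.100.7/32 -i eth0 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.40:5060
COMMIT
"""


def parse_forward(line):
    """Return the fields of a DNAT (port forward) rule, or None for other lines."""
    tokens = shlex.split(line)
    if tokens[:1] != ["-A"] or "DNAT" not in tokens:
        return None
    rule = {"source": None, "negated": False, "dport": None, "target": None}
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-s", "--source"):
            rule["source"] = tokens[i + 1]
            rule["negated"] = tokens[i - 1] == "!"
        elif tok == "--dport":
            rule["dport"] = tokens[i + 1]
        elif tok == "--to-destination":
            rule["target"] = tokens[i + 1]
    return rule


def open_to_any_source(rule):
    """True when the forward is not limited to a specific IP or range."""
    if rule["source"] is None or rule["negated"]:
        return True  # no -s at all, or "everyone except X"
    return ipaddress.ip_network(rule["source"], strict=False).prefixlen == 0


def audit(rules_text):
    """List (dport, target) for every port forward reachable from any address."""
    rules = (parse_forward(line) for line in rules_text.splitlines())
    return [(r["dport"], r["target"]) for r in rules if r and open_to_any_source(r)]


if __name__ == "__main__":
    for dport, target in audit(SAMPLE_RULES):
        print(f"port {dport} -> {target}: forwarded from any source")
```

On a Linux-based router, the same functions can be run over the text produced by `iptables-save -t nat`.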

catkin 06-09-2010 10:55 PM

Isn't it harder for an attacker to alter code which is in hardware's firmware rather than code which is in files on a writeable file system? That being the case a hardware solution would, in general, be more secure.

never say never 06-10-2010 07:24 AM

@catkin:

First of all, one does not need to alter the firmware (code) in order to compromise security. All one needs to do is successfully gain admin access to the device in order to change the settings.

However, most hardware routers do provide an easy way to upload and install firmware upgrades. So just like any router or firewall appliance, once access has been achieved anything is possible. Many of these devices are based on Linux as well.

I would make the argument that a software router is more secure because it is possible to run it from a "Live CD" which of course would make it impossible for any changes made by a hacker to survive a reboot (without physical access to the device). It is also easy with software appliances like PFSense to save settings to a USB Flash Drive or Floppy.

One could also make the argument that since a hardware router is mass produced, comes with a default password and often an insecure setup (in order to lessen support calls) that hardware routers are inherently less secure than their software appliance counterparts.

Software appliances on the other hand are normally used by people with a greater understanding of computing in general and are rarely left with "default settings" which are normally much stricter than default settings found on a hardware router. The developers are not concerned with support calls and can therefore make the software more secure without fear of having to add staff to the help desk (and the associated costs).

The most important thing to always remember is to use strong passwords (at least 8 characters long and using capitalization and special characters), and to lock out access from the internet . . . and always install updates, be they firmware for a hardware router, or software for a software appliance, as soon as they are available.

I have been using software appliances for a very long time and I have never had one compromised. I have managed as many as a hundred of these devices at one time.


All times are GMT -5.