LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-21-2005, 07:42 AM   #1
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Secure? I don't really know...


I have a network like this:

Code:
  Internet
      |
(212.xxx.xxx.xxx)
Modem/Router
(192.168.1.1)
|   |      |
2 ETH    1 WiFi

The Modem/Router is Linux-based, and is structured like this:

wan0 => Internet
br0 (binding of Eth, Usb, WiFi) => Local network (2 Eth and 1 Wifi)


I am often connected to the internet, so I run a firewall on my PCs to "feel" more secure. However, I wonder whether I really need them.

The integrated router (192.168.1.1 from the LAN side) is the gateway for the local-network PCs, hence the router's routing table looks like this:
192.168.1.* -> br0
default -> wan0

The router has port 80 opened on the LAN side, and no ports opened on the WAN side (I can open them if I need but I didn't).

With this configuration, I feel that I don't need the firewalls because nothing should ever get past the router from the WAN side to the LAN side.

Am I right?


Yves.

[edit:]"wlan0" was to be understood as "wan0" of course... I spent too much time with WiFi lately [/edit]

Last edited by theYinYeti; 11-22-2005 at 02:38 AM.
 
Old 11-22-2005, 07:13 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Look at it this way, the firewalls on your individual computers certainly aren't hurting anything by being there and should someone get past your router, it is another layer they would have to deal with. Your network set-up is similar to mine and I've got firewalls on everything that can run one (by the way, I'm not a security expert by any means, but I am more paranoid than your average user).

In my opinion, the weak part of your network is the WiFi bit. If someone does manage to crack your WEP or WPA encryption (you are encrypting your wireless traffic, aren't you?), then they are behind your router and you're gonna need those firewalls.
 
Old 11-22-2005, 08:27 AM   #3
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Original Poster
I still welcome any view on the original question.

Thank you though, Hangdog42. You've indeed pointed at an interesting issue. As a matter of fact, I don't encrypt WiFi traffic, because "plug-n-play" is much easier without encryption. I use MAC-address filtering instead.

Do you think that WEP, or WPA, would be better than MAC filtering?

Now that makes two questions to answer.

Yves.

Last edited by theYinYeti; 11-22-2005 at 08:28 AM.
 
Old 11-22-2005, 08:48 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

I'd definitely add WEP or WPA encryption to the mix as MAC addresses are pretty trivial to spoof. On my network I do both WEP and MAC filtering. I've also seen suggestions here about putting the wireless network on a different subnet, but I'm not sure if you can do this with a single router. You'd probably need to set up a second DHCP server.
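
A check that follows from Hangdog42's advice above, added here as an example and not code from the thread or from any poster: before deciding between WEP and WPA, confirm what your access point actually advertises, because the beacon tells any passer-by the same thing. The script parses the text that `iw dev <iface> scan` prints (the `BSS`, `capability:`, `SSID:`, `WPA:` and `RSN:` lines) and classifies each network: privacy bit set with no WPA/RSN element means WEP, a `WPA:` element means WPA (TKIP era), an `RSN:` element means WPA2. The scan text below is constructed sample output with made-up MAC addresses and SSIDs, and the exact line layout is an assumption about iw's format, so compare with what your own iw version prints.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Classifies each BSS in `iw dev <iface> scan` output as OPEN, WEP, WPA or WPA2/RSN.
# Assumption: iw prints one unindented "BSS <mac>(on <iface>)" header per network,
# followed by indented "capability:", "SSID:" and "WPA:" / "RSN:" element lines.

# Constructed sample of iw scan output (made-up MACs and SSIDs, not a real capture).
SAMPLE_SCAN='BSS 02:00:00:00:00:01(on wlan0)
	freq: 2437
	capability: ESS ShortSlotTime (0x0401)
	SSID: cafe-open
BSS 02:00:00:00:00:02(on wlan0)
	freq: 2412
	capability: ESS Privacy ShortSlotTime (0x0411)
	SSID: old-wep-box
BSS 02:00:00:00:00:03(on wlan0)
	freq: 2462
	capability: ESS Privacy ShortSlotTime (0x0411)
	SSID: wpa1 only
	WPA:	 * Version: 1
		 * Group cipher: TKIP
		 * Pairwise ciphers: TKIP
		 * Authentication suites: PSK
BSS 02:00:00:00:00:04(on wlan0)
	freq: 2437
	capability: ESS Privacy ShortSlotTime (0x0411)
	SSID: home-wpa2
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: PSK
		 * Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
'

# classify_scan: read iw scan text on stdin, print "CLASS SSID" per network.
# The 802.11 Privacy capability bit with neither a WPA nor an RSN element
# present can only mean WEP; the two newer elements identify WPA and WPA2.
classify_scan() {
  awk '
    function flush() {
      if (!seen) return
      if (rsn)       cls = "WPA2/RSN"
      else if (wpa)  cls = "WPA"
      else if (priv) cls = "WEP"
      else           cls = "OPEN"
      printf "%s %s\n", cls, ssid
    }
    /^BSS /              { flush(); seen = 1; ssid = ""; priv = 0; wpa = 0; rsn = 0; next }
    $1 == "capability:"  { if ($0 ~ / Privacy( |$)/) priv = 1; next }
    $1 == "SSID:"        { ssid = substr($0, index($0, "SSID:") + 6); next }
    $1 == "RSN:"         { rsn = 1; next }
    $1 == "WPA:"         { wpa = 1; next }
    END                  { flush() }
  '
}

# Live use (needs root and a wireless interface): audit_wifi wlan0
audit_wifi() {
  iw dev "$1" scan | classify_scan
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_SCAN" | classify_scan
```

Run `audit_wifi wlan0` as root on a client near the router; a MAC-filter-only network shows up as OPEN, which is exactly what the street sees too. `iw` is the nl80211 tool; older wireless stacks only offer `iwlist wlan0 scanning`, whose output is laid out differently and would need its own parser.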
 
Old 11-22-2005, 11:18 AM   #5
doublejoon
Member
 
Registered: Oct 2003
Location: King George, VA
Distribution: RHEL/CentOS/Scientific/Fedora, LinuxMint
Posts: 370

Personally I would get rid of the DHCP server on the Linux router if you have it enabled. That would make me feel a little better.

Also if you can, try and use WPA and MAC filtering together. I wouldn't mess with WEP.

Nothing is totally secure these days. Just do the best you can.
 
Old 11-22-2005, 11:32 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,635
Blog Entries: 4

Is your WiFi box also a router? Does it also have a firewall? If not, you may have locked the front door but you left a window wide open.

At this point there are two ways to get into the inner network from the "outside": through the router, and through WiFi. People do drive down neighborhood streets!

I think that it is a very sound investment to procure either a WiFi router that supports VPN, or a VPN-enabled router that you can put 'downstream' of the existing router and WiFi. That is the only way that you can really expect to secure your communications. Put WEP and anything else that you can think of on top of that.
 
Old 11-23-2005, 03:18 AM   #7
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Original Poster
Yes I hadn't thought about it...

My device is indeed all-in-one: it's a Toshiba modem with one access to the WAN (to my ISP actually) through ADSL, and one (interfaces binding) access to the LAN, through Eth and WiFi (I don't use USB). The firmware is Linux-based (I even had a printed copy of the GPL in the box).

If I understand correctly, you all consider this device as intrusion-proof enough, were it not for the WiFi. Unfortunately, the WiFi makes the LAN sort-of part of the WAN by enabling people from outside my house to connect directly on the LAN side.

So it seems the consensus is to consider the door well locked, but the WiFindow wide open.

And if I still understand correctly, I should enable both MAC filter and WPA, and then the "window" will seem to be closed "viewed from the street", but will not be quite so closed if someone is bold enough to come "next to it in the garden".

Conclusion:
- I should add WPA.
- I should still keep my firewalls.

Thanks for all the answers. Did I understand correctly?

Yves.
 
Old 11-23-2005, 06:58 AM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Conclusion:
- I should add WPA.
- I should still keep my firewalls.
I think those are both very appropriate things to do. It will keep the casual interloper off of your LAN.
 
Old 11-23-2005, 05:14 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,635
Blog Entries: 4

"WiFindow" .. I like that.

Your WiFi box can function as a router and it might have a firewall capability ... the only problem is that it can receive signals both from trusted machines (the ones you own) and untrusted ones (the evildoer at the street-corner). And what you need to do is to beef-up the mechanisms that will allow you to distinguish one from the other.

Realistically, the most probable "threat" will come from someone on the outside who simply wants to tap your network, probably to "borrow" your Internet connection, but who probably isn't going to go to a tremendous amount of effort to do so. That's what WEP is for, and it basically works okay. There are stronger encryption-schemes available in some WiFi boxes, and you ought to use all the ones that you have available, simultaneously. (Remember to use completely random keys, and change them from time to time...)

This is probably "good 'nuff" for an ordinary home-neighborhood network. You can get into more advanced things like VPN, even using the equipment you can buy at an office supply store, but there is such a thing as practical overkill.

Look thoroughly at the "advanced" options in the firewall capabilities of your router. Some boxes have the ability to regulate what "port #1" can say to "port #2." If the purpose of the WiFi boxes is primarily to talk to the Internet, and not to the hard-wired computers, then you can block them. A second router, downstream from the first, could be used to put the WiFi into a sort of "demilitarized zone" status... WiFi traffic could reach the Internet but would have a second hurdle to cross to get all the way "inside."

Most OSes these days have built-in firewalls, but I prefer to do the basic access-control schlep in hardware because, if I have to change something, I only have to change one box. Naturally, the "inside" machines do run firewalls, but mostly generic ones.

Last edited by sundialsvcs; 11-23-2005 at 05:15 PM.
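
Putting the thread's advice into one ruleset, as an added example (not the OP's Toshiba firmware, whose firewall he cannot reach, and not code from any poster): the router's forwarding policy is what keeps the WAN out, which is the answer to post #1, and the WiFi is moved onto its own subnet behind a second hurdle, which is what Hangdog42 suggested in post #4 and sundialsvcs in post #9. Interface names wan0 and br0, the 192.168.1.0/24 LAN and the web UI on port 80 are from the thread. Everything else is assumed: wlan0 has been taken out of br0 and configured as 192.168.2.1/24 (how depends on the firmware), the router runs iptables with the conntrack match, and it serves DHCP and DNS on both inside interfaces (post #5 mentions DHCP; drop those rules if it does not).

```shell
#!/bin/sh
# Added example for this thread, not the OP's router firmware or anyone's posted config.
# From the thread: wan0 (ISP side), br0 (wired LAN, 192.168.1.0/24), web UI on port 80.
# Assumed here: wlan0 removed from br0 and addressed 192.168.2.1/24, iptables with
# the conntrack match, DHCP/DNS served by the router on both inside interfaces.
WAN=wan0
LAN=br0
WIFI=wlan0

# write_router_rules FILE: write an iptables-restore ruleset to FILE.
write_router_rules() {
  cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the router itself. Replies to its own connections are allowed;
# a packet arriving on $WAN that starts a new connection falls through to DROP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Web UI on port 80 from the wired LAN only (not from WiFi).
-A INPUT -i $LAN -p tcp --dport 80 -j ACCEPT
# DHCP and DNS from both inside networks (delete if the router does not serve them).
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $WIFI -p udp --dport 67 -j ACCEPT
-A INPUT -i $WIFI -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p icmp -j ACCEPT
# Traffic through the router. Nothing new comes in from $WAN: only replies to
# connections the inside opened, which is the NAT property post #1 relies on.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# WiFi as a DMZ: it may reach the Internet and answer the wired LAN,
# but may not open connections to the wired LAN.
-A FORWARD -i $WIFI -o $WAN -j ACCEPT
-A FORWARD -i $WIFI -o $LAN -j DROP
-A FORWARD -i $LAN -o $WIFI -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# check_no_wan_accept FILE: succeed only if no filter rule accepts traffic that
# enters on the WAN by interface match. The stateful rule has no -i and is the
# only path by which a packet from the WAN may be accepted.
check_no_wan_accept() {
  ! grep -E -- "^-A (INPUT|FORWARD) -i $WAN .*-j ACCEPT" "$1"
}

# apply_router_rules FILE: load on the router as root. Not run here.
apply_router_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  iptables-restore < "$1"
}

# Stand-alone: write the ruleset to a temp file and run the check on it.
RULES=$(mktemp)
write_router_rules "$RULES"
check_no_wan_accept "$RULES" && echo "ruleset written to $RULES; review it, then: iptables-restore < $RULES"
```

On firmware older than the conntrack match, `-m state --state` spells the same thing. After loading, test from both sides: a port scan of the 212.x address from a host on the Internet should show everything filtered, and a laptop on the WiFi should reach the Internet but get no answer from 192.168.1.x. The host firewalls stay on regardless, which was the thread's conclusion.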
 
Old 11-24-2005, 03:16 AM   #10
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Original Poster
Thanks for this good explanation

My modem/router doesn't have a firewall (well, it's Linux inside, so probably I just don't have access to it via the web interface -on port 80 of br0-).

Anyway, this access to Internet is through my ISP, and I am legally responsible for anything that happens coming from it. So a DMZ between my LAN and the modem/router won't do. I have to be as sure as possible of this WiFi access somehow.

So you're one more vote for encryption, as I see it.

Yves.
 
Old 11-25-2005, 01:53 AM   #11
seagley
LQ Newbie
 
Registered: Nov 2005
Location: China
Distribution: Redhat,SuSE.FreeBSD
Posts: 13

I learned a lot when went through this post again....thanks to all the posters ^_^

I'm a newbie here...add some comment(s) here, hope it helps:

For running Wi-Fi, NICs must be operated in promiscuous mode (a broadcast network), and WEP is a weak form of encryption that can be cracked using standard desktop or laptop PCs, for it is RC4-based with a 64- to 128-bit key --- not as strong as we expect.

I'm in China, and I also find that many WLAN administrators do not even enable WEP encryption here...:-P

Anyway, enabling the WEP does work in this scenario. And I prefer to have a firewall configured on your Linux router.
 
  

