What is more secure - PC-router with Linux or hardware router?
This is a hard question to answer without knowing a great deal about your setup and your goals.
If you are just needing to do basic NAT (Network Address Translation) to allow more than one computer to share your internet connection, then most of the routers on the market today would be up to that task, assuming you take the time to change passwords, and choose the correct settings.
On the other hand if you are going to want to set up a tunnel, do port forwarding or traffic shaping (for games or VOIP) then you might be better off using a software appliance such as PFSense or IPCop (not sure if it has traffic shaping).
A software appliance will have a look and feel very much like a hardware router. However, they often offer more flexibility than a hardware router as well.
But all the security things in SmoothWall are configured professionally, right? So I doubt a regular user can configure iptables better than "SmoothWall Limited" did...
Probably, both give you excellent security...until you make the modifications that you need to make them usable in your situation. Then, if you have expertise, the security could still be very good, but there is still the potential to make it really quite bad.
Quote:
But all the security things in SmoothWall are configured professionally, right? So I doubt a regular user can configure iptables better than "SmoothWall Limited" did...
You are comparing the results of what we will take as a professional outfit, but who knew nothing about your use case (and then you went and modified things, without fully understanding the considerations that they had when they did their bit, which has, at least, the potential to go badly) with a 'regular user' who does not really know enough, but at least understands their use case. And who could do a lot better, if they only went to the trouble of reading and understanding a few tutorials.
I'm not going to call that one - my suspicions are that the smoothwall case may end up better, but it could go either way, depending on a number of variables - but I have to guess that security will not be optimal, in either case.
Most appliance software has an easy to use interface to adjust settings such as adding a port forward. It is not done 'professionally'. The advantage is there are far more options than what is offered by a consumer grade hardware router. For instance you can set a port forward to be from a specific IP or range of IPs.
You don't have to be a professional to set up a software appliance such as PFSense or IPCop. In all cases (hardware router or software) you need to understand the changes you are making. If you don't then you are likely to end up with an insecure setup. Now it is true because there are more options with a software router you could end up making things more insecure, but used properly that is not the case.
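An added example, not part of any post in this thread: a small audit of the source-restricted port forward mentioned above. It assumes the router's rules are exported in `iptables-save` format; the sample rules, interface name and addresses are constructed for illustration, and `audit_port_forwards` is a hypothetical helper name.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format (nat table). Addresses are
# documentation ranges, not values from the thread.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.20:3389
-A PREROUTING -s 0.0.0.0/0 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.30:80
-A PREROUTING ! -s 198.51.100.7/32 -i eth0 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.40:5060
COMMIT
"""


def audit_port_forwards(rules_text):
    """Return one dict per DNAT rule, noting whether its source is restricted."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A"):
            continue  # skip table headers, chain policies and COMMIT
        tok = shlex.split(line)
        if "DNAT" not in tok:
            continue

        def value(flag):
            return tok[tok.index(flag) + 1] if flag in tok else None

        source = value("-s")
        negated = source is not None and tok[tok.index("-s") - 1] == "!"
        if source is None:
            restricted = False  # no -s at all: reachable from any address
        else:
            net = ipaddress.ip_network(source, strict=False)
            # A /0 source matches everyone; "! -s X" matches everyone but X.
            restricted = net.prefixlen > 0 and not negated
        findings.append({
            "dport": value("--dport"),
            "forward_to": value("--to-destination"),
            "source": ("! " if negated else "") + (source or "any"),
            "restricted": restricted,
        })
    return findings


if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE_RULES):
        status = "ok" if f["restricted"] else "OPEN TO INTERNET"
        print(f"{f['dport']:>5} -> {f['forward_to']:<20} from {f['source']:<20} {status}")
```

Only the second sample rule, limited to a /24 source range, counts as restricted; the other three forwards accept connections from essentially any address.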
Isn't it harder for an attacker to alter code which is in hardware's firmware rather than code which is in files on a writeable file system? That being the case a hardware solution would, in general, be more secure.
First of all, one does not need to alter the firmware (code) in order to compromise security. All one needs to do is successfully gain admin access to the device in order to change the settings.
However, most hardware routers do provide an easy way to upload and install firmware upgrades. So just like any router or firewall appliance, once access has been achieved anything is possible. Many of these devices are based on Linux as well.
I would make the argument that a software router is more secure because it is possible to run it from a "Live CD" which of course would make it impossible for any changes made by a hacker to survive a reboot (without physical access to the device). It is also easy with software appliances like PFSense to save settings to a USB Flash Drive or Floppy.
One could also make the argument that since a hardware router is mass produced, comes with a default password and often an insecure setup (in order to lessen support calls) that hardware routers are inherently less secure than their software appliance counterparts.
Software appliances on the other hand are normally used by people with a greater understanding of computing in general and are rarely left with "default settings" which are normally much stricter than default settings found on a hardware router. The developers are not concerned with support calls and can therefore make the software more secure without fear of having to add staff to the help desk (and the associated costs).
The most important thing to always remember is to use strong passwords (at least 8 characters long and using capitalization and special characters), and to lock out access from the internet . . . and always install updates, be they firmware for a hardware router, or software for a software appliance, as soon as they are available.
I have been using software appliances for a very long time and I have never had one compromised. I have managed as many as a hundred of these devices at one time.