LinuxQuestions.org
Old 06-09-2010, 07:40 AM   #1
Mr. Alex
Senior Member
 
Registered: May 2010
Distribution: Arch + X.org + IceWM
Posts: 1,193

Rep: Reputation: Disabled
Question What is more secure - PC-router with Linux or hardware router?


What gives you more security - if you connect your PC to Internet via hardware router (like this one: http://www.ctfootscray.com.au/store/...k/DI-804HV.jpg ) or if you use a PC with firewall distro as a router?

Last edited by Mr. Alex; 06-09-2010 at 07:43 AM.
 
Old 06-09-2010, 07:42 AM   #2
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 728
Why would it not simply be a function of the firewall rules and other settings?
 
Old 06-09-2010, 07:44 AM   #3
Mr. Alex
Senior Member
 
Registered: May 2010
Distribution: Arch + X.org + IceWM
Posts: 1,193

Original Poster
Rep: Reputation: Disabled
I am not experienced enough to configure a firewall. Maybe just some basic configurations... So I have to use it mostly by default.
 
Old 06-09-2010, 09:20 AM   #4
never say never
Member
 
Registered: Sep 2009
Location: Indiana, USA
Distribution: SLES, SLED, OpenSuse, CentOS, ubuntu 10.10, OpenBSD, FreeBSD
Posts: 195

Rep: Reputation: 37
This is a hard question to answer without knowing a great deal about your setup and your goals.

If you are just needing to do basic NAT (Network Address Translation) to allow more than one computer to share your internet connection, then most of the routers on the market today would be up to that task, assuming you take the time to change passwords, and choose the correct settings.

On the other hand if you are going to want to set up a tunnel, do port forwarding or traffic shaping (for games or VOIP) then you might be better off using a software appliance such as PFSense or IPCop (not sure if it has traffic shaping).

Software appliances will have a look and feel very much like a hardware router. However, they often offer more flexibility than a hardware router as well.

Hope this helps.
 
Old 06-09-2010, 10:56 AM   #5
Mr. Alex
Senior Member
 
Registered: May 2010
Distribution: Arch + X.org + IceWM
Posts: 1,193

Original Poster
Rep: Reputation: Disabled
But all the security things in SmoothWall are configured professionally, right? So I doubt a regular user can configure iptables better than "SmoothWall Limited" did...
 
Old 06-09-2010, 11:25 AM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,885

Rep: Reputation: 774
Quote:
Originally Posted by Mr. Alex
What gives you more security
Probably, both give you excellent security...until you make the modifications that you need to make them usable in your situation. Then, if you have expertise, the security could still be very good, but there is still the potential to make it really quite bad.

Quote:
But all the security things in SmoothWall are configured professionally, right? So I doubt a regular user can configure iptables better than "SmoothWall Limited" did...
You are comparing the results of what we will take as a professional outfit, but who knew nothing about your use case (and then you went and modified things, without fully understanding the considerations that they had when they did their bit, which has, at least, the potential to go badly) with a 'regular user' who does not really know enough, but at least understands their use case. And who could do a lot better, if they only went to the trouble of reading and understanding a few tutorials.

I'm not going to call that one - my suspicions are that the SmoothWall case may end up better, but it could go either way, depending on a number of variables - but I have to guess that security will not be optimal, in either case.
 
Old 06-09-2010, 11:35 AM   #7
fruttenboel
Member
 
Registered: Jul 2008
Posts: 270

Rep: Reputation: 48
Quote:
Originally Posted by Mr. Alex
What gives you more security - if you connect your PC to Internet via hardware router (like this one: http://www.ctfootscray.com.au/store/...k/DI-804HV.jpg ) or if you use a PC with firewall distro as a router?
Hardware router.
 
0 members found this post helpful.
Old 06-09-2010, 12:49 PM   #8
never say never
Member
 
Registered: Sep 2009
Location: Indiana, USA
Distribution: SLES, SLED, OpenSuse, CentOS, ubuntu 10.10, OpenBSD, FreeBSD
Posts: 195

Rep: Reputation: 37
Most appliance software has an easy-to-use interface to adjust settings such as adding a port forward. It is not done 'professionally'. The advantage is there are far more options than what is offered by a consumer-grade hardware router. For instance, you can set a port forward to be from a specific IP or range of IPs.

You don't have to be a professional to set up a software appliance such as PFSense or IPCop. In all cases (hardware router or software) you need to understand the changes you are making. If you don't, then you are likely to end up with an insecure setup. Now it is true that, because there are more options with a software router, you could end up making things more insecure, but used properly that is not the case.
 
Old 06-09-2010, 10:55 PM   #9
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Servers: Debian Squeeze and Wheezy. Desktop: Slackware64 14.0. Netbook: Slackware 13.37
Posts: 8,524
Blog Entries: 27

Rep: Reputation: 1175
Isn't it harder for an attacker to alter code which is in hardware's firmware rather than code which is in files on a writeable file system? That being the case a hardware solution would, in general, be more secure.
 
Old 06-10-2010, 07:24 AM   #10
never say never
Member
 
Registered: Sep 2009
Location: Indiana, USA
Distribution: SLES, SLED, OpenSuse, CentOS, ubuntu 10.10, OpenBSD, FreeBSD
Posts: 195

Rep: Reputation: 37
@catkin:

First of all, one does not need to alter the firmware (code) in order to compromise security. All one needs to do is successfully gain admin access to the device in order to change the settings.

However, most hardware routers do provide an easy way to upload and install firmware upgrades. So just like any router or firewall appliance, once access has been achieved anything is possible. Many of these devices are based on Linux as well.

I would make the argument that a software router is more secure because it is possible to run it from a "Live CD" which of course would make it impossible for any changes made by a hacker to survive a reboot (without physical access to the device). It is also easy with software appliances like PFSense to save settings to a USB Flash Drive or Floppy.

One could also make the argument that since a hardware router is mass produced, comes with a default password and often an insecure setup (in order to lessen support calls) that hardware routers are inherently less secure than their software appliance counterparts.

Software appliances, on the other hand, are normally used by people with a greater understanding of computing in general and are rarely left with "default settings", which are normally much stricter than default settings found on a hardware router. The developers are not concerned with support calls and can therefore make the software more secure without fear of having to add staff to the help desk (and the associated costs).

The most important thing to always remember is to use strong passwords (at least 8 characters long and using capitalization and special characters), and to lock out access from the internet . . . and always install updates, be they firmware for a hardware router, or software for a software appliance, as soon as they are available.

I have been using software appliances for a very long time and I have never had one compromised. I have managed as many as a hundred of these devices at one time.
 
3 members found this post helpful.
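
An added example, not part of any poster's message: posts #8 and #10 recommend limiting port forwards to specific source addresses and locking out admin access from the Internet. The code below audits `iptables-save` output from a Linux-based router for rules that break either recommendation. The WAN interface name `eth0`, the admin port set and the sample ruleset are assumptions constructed for illustration.

```python
import shlex

WAN_IF = "eth0"                    # assumption: Internet-facing interface
ADMIN_PORTS = {"22", "80", "443"}  # assumption: SSH and web admin UI ports
# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.20:22
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, options) for every appended (-A) rule."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts, i = {}, 2
            while i < len(tok):
                has_value = i + 1 < len(tok) and not tok[i + 1].startswith("-")
                opts[tok[i]] = tok[i + 1] if has_value else True
                i += 2 if has_value else 1
            yield table, tok[1], opts

def audit(text, wan_if=WAN_IF, admin_ports=ADMIN_PORTS):
    """Flag rules open to any Internet source ('!' negation is not interpreted)."""
    findings = []
    for table, chain, o in parse_rules(text):
        if o.get("-i") not in (None, wan_if) or o.get("-s") not in (None, "0.0.0.0/0"):
            continue  # bound to another interface or to a specific source
        dport = o.get("--dport") or o.get("--dports") or ""
        if (table, chain, o.get("-j")) == ("nat", "PREROUTING", "DNAT"):
            findings.append(("open-forward", dport or "any", o.get("--to-destination")))
        elif (table, chain, o.get("-j")) == ("filter", "INPUT", "ACCEPT"):
            for port in sorted(admin_ports & set(dport.split(","))):
                findings.append(("admin-from-wan", port, wan_if))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Only rules that name a destination port are checked for admin exposure; a blanket `ACCEPT` on the WAN interface needs a separate review.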