New to routers, please advise.
TetraNitroCubane | Not Angry...Just VERY Disappointed... | Registered User, regular
Hi all. I've recently realized that it's about time that I broke down and got myself a quality router for my computer equipment and the like, both for security and ease of getting multiple devices online. Unfortunately, I'm a total idiot when it comes to routers, and not only do I have no idea which one to buy, I'm also clueless as to how it will impact my online habits. Currently I'm just using an old Linksys switch, which I assume is a terrible idea now that I think about it. I've heard that a good router can serve as a firewall, or at least make a firewall unnecessary, and the security benefits are appealing to me - though I assume that means that the router must be configured and used properly, which I have no idea how to accomplish.
I currently have one desktop and several gaming consoles that I take online (Four total devices, though only two ever go online at any given time). I've heard that using routers can lead to significant difficulties for online gaming, both on the PC end and with XBL, etc. I don't need, nor do I even want, wireless support on the router. Can anyone please advise me on where to start, or what router might serve the purpose I need? Thanks very much.
If you have 2 online at the same time I'm pretty sure that you have to have a router already. A standard switch isn't good enough to take 2 computers online at the same time unless one of them is acting as the router already. What model of Linksys device are you using right now?
Crap, I guess you're right. I was told a long while ago that it was only a switch, but I guess it's a router I've just never configured properly. It's a Linksys BEFSR41.
Oh yeah, that's a router. It can do everything you want, except wireless. So think of it this way: if it's been doing all the work so well without you even touching it, how hard can it be?
TetraNitroCubane | Not Angry...Just VERY Disappointed... | Registered User, regular
edited February 2009
True enough, though I think my monstrous stupidity indicates that it's not exactly doing a great job of securing my desktop at this point! I think the router's rather transparent to my connection right now. But at least I don't have to go buy anything, I just have to read up and learn how to use it as a hardware firewall.
Thanks for the help - though sorry for the ignorant question.
Essentially a router is anything that talks to two or more different interfaces, which forwards traffic between them. A packet comes in on one interface, and the router has to decide:
Is this packet addressed to a machine on one of my other interfaces?
Should I forward the packet, or drop it?
Should I change the packet before I forward it?
In the Bad Old Days, you'd buy a Cisco 1600 router and its job would be to route IP between your two properties. IP was strange and exotic back then. The device would be nearly as large as a blade server is now, and it would have only two Ethernet ports, one for each network. Or it'd have one Ethernet port and one CSU/DSU for a T1 or DS1. Or Ethernet/Token Ring, or whatever you needed.
Now you can spend $40 on a device that performs seven separate functions:
It has packet radio hardware for an 802.11b/g wireless network interface
It has wired Ethernet hardware for two 802.3 (or whatever they call the 100/1000mbit stuff) wired Ethernet network interfaces
It has a built-in four port Ethernet switch, so you can connect up to four devices without having to buy a separate Ethernet switch and run a cable to it
It performs routing logic between each interface, listening for traffic addressed to its own Ethernet MAC address, comparing the traffic to its internal routing table, and where appropriate copying the traffic to the interface the traffic needs to be on.
It performs Network Address Translation or NAT, changing forwarded packets so one interface ("WAN") sees traffic all going to and coming from one IP as if it's one computer, and the other interface ("LAN") sees only "fake" non-routable IP addresses with traffic correctly distributed among the different machines on the network.
It performs packet filtering (like a simple firewall), comparing all forwarded packets against a set of allow or drop rules, and allowing or dropping packets accordingly
Finally it offers other network services, like dynamic host configuration protocol (DHCP), making it easier to organize an otherwise-uncoordinated group of peer machines into an IP network.
If you're curious just about the firewall part, there are a couple of things to understand about security.
Computer security problems basically arise because computers can be tricked. They are gullible. In the worst case, your computer can be tricked into following someone else's instructions instead of your own, and these instructions can be very damaging.
A modern computer has lots of programs which talk to the network. These network-aware programs generally fall into two categories:
1) interactive clients: these work with the user to perform network tasks according to the user's instructions. These serve the user.
2) network services: these work with other machines on the network to offer computer resources to these other machines. These serve the network.
Network services generally work by receiving incoming connections from other computers and doing something with the request. When network services have bugs and flaws which make them gullible, this can create opportunities for people to do bad things to your computer by just talking to the computer -- not tricking the user in any way.
Interactive clients are usually only vulnerable when the user directs the client to talk to a malicious network host. The user didn't mean to tell their computer to let itself be tricked, but the computer is unfortunately tricked into doing something the user didn't want.
A basic router offers only two basic built-in security features:
Network address translation (NAT) will not allow random incoming traffic from the public Internet to reach your machine, unless you have left Universal Plug and Play (UPNP) enabled, or you have used port-forwarding or "DMZ" (ugh) features to manually direct incoming traffic to your computer. So network services can only be exploited from computers who don't need to traverse the router to reach your computer: anyone else connected to the "LAN" side of your computer.
Packet filtering can only differentiate between traffic which talks to different types of servers, because Internet convention is to have different types of servers use different port numbers for their services. You COULD run a web server that listens on port 21, for example, but that would be weird and users would have a little bit more trouble telling their computer to connect to you.
Unfortunately, because of this, you can use packet filtering to block unknown services by blocking port numbers which haven't been expressly allowed; and you can use packet filtering to block specific services you know that you don't want to use. Or you can block services in general, while allowing communication with those services only to specific hosts.
That's really pretty limited -- it does nearly nothing to prevent you from accidentally directing your computer to a site that tricks your computer. There are other methods you can use to protect yourself, and I recommend you also apply some of these if you want to be sure your computer stays secure.
You can make your computer more secure against attacks -- in the same way bullet-resistant armor makes you more "secure" against small arms fire -- by using antivirus and anti-malware software on your computer. This type of protection is not perfect: it operates by assuming that any threat your computer sees will already have been analyzed and defeated by your security product vendor. Eventually you will encounter a threat for which this is not true. You will eventually catch a bullet in the face, as it were, and modern malware is very good at making itself nearly impossible to remove from a running system.
So a good "security suite" helps protect you, but it isn't perfect.
Second, you can protect yourself by changing your browsing behavior, making it less likely that you will direct your computer to visit malicious sites. Use browser software and settings which strengthen it against attack. Be conscious of which types of content and subject matter will be financed by more legitimate or less legitimate sources, and avoid content that seems likely to be offered only by criminals. Reduce your chances of visiting "typo" sites by using bookmarks and favorites for common sites, and when you must occasionally use the address bar, check the hostname part of the URL VERY CAREFULLY before submitting the URL. Stop installing adware-supported software.
Third, you can protect yourself by reducing the impact of a successful compromise. Buy spare hard disks and make backups, and keep the backups disconnected from your computer, so you can restore from a full system backup if your computer is compromised. Create and use multiple user accounts on your computer, using fast user switching if possible, and only do "unsafe" things using a low-privilege user account.
Finally -- only do this if you're technical and you have computing resources to spare -- use a free version of VMware, or use Microsoft Virtual PC, and install multiple virtual machines. Anything that's known to be secure (nearly all Microsoft software, enterprise software, non-ad-supported games from legitimate sources, or anything that requires 3D acceleration) goes on the host OS like normal. Communication tools like email, your main web browser, instant messaging, etc. go in one VM. Any other work domains (work for your employer, school, etc. where sudden system instability or data loss would be bad for your career) go in their own VMs. Finally any unsafe software, or software used for contact with unsafe network hosts (p2p, a web browser for unsafe sites, anonymizing software if you use it, etc.) goes in a VM that will NEVER be used to process any data you care about, especially anything personally identifiable.
Security is a bigger [strike]program[/strike] problem than you can expect to be solved by a fancy, expensive router. If nothing else, security is an arms race -- attackers and defenders constantly defeating what the other does -- and any router you buy will only be able to protect you until someone finds a way to defeat its defenses. You need defense in depth.
Nothing wrong with your question.
mspencer on
MEMBER OF THE PARANOIA GM GUILD
XBL Michael Spencer || Wii 6007 6812 1605 7315 || PSN MichaelSpencerJr || Steam Michael_Spencer || Ham NOØK QRZ || My last known GPS coordinates: FindU or APRS.fi (Car antenna feed line busted -- no ham radio for me X__X )
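The NAT and packet-filtering behaviour described in the post above, as a small model you can run. This is an added example, not part of the original thread and not any router's firmware: the `Router` class, all addresses (documentation ranges), and the port numbers are constructed, and the NAT is simplified to match replies on exact remote address and port.

```python
"""Toy model of a home router's NAT table and port filter (constructed example)."""
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"  # constructed public address (documentation range)


@dataclass
class Router:
    blocked_out_ports: set = field(default_factory=set)  # packet-filter drop rules
    port_forwards: dict = field(default_factory=dict)    # wan_port -> (lan_ip, lan_port)
    dmz_host: str = ""                                    # "DMZ": catch-all LAN host
    nat: dict = field(default_factory=dict)               # wan_port -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection. Returns the rewritten (WAN) source,
        or None if the packet filter drops it."""
        if remote_port in self.blocked_out_ports:
            return None
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[wan_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return (WAN_IP, wan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """A packet arrives on the WAN side. Returns the LAN destination,
        or None if the router drops it."""
        entry = self.nat.get(wan_port)
        if entry and entry[2] == (remote_ip, remote_port):
            return entry[:2]                      # reply to a connection the LAN started
        if wan_port in self.port_forwards:
            return self.port_forwards[wan_port]   # manual forward or UPnP mapping
        if self.dmz_host:
            return (self.dmz_host, wan_port)      # DMZ: everything else goes to one host
        return None                               # unsolicited: dropped


def demo():
    r = Router(blocked_out_ports={25})            # filter rule: no outbound SMTP
    pc, console = "192.168.1.100", "192.168.1.101"
    src = r.outbound(pc, 51000, "198.51.100.7", 443)
    out = {
        "reply": r.inbound("198.51.100.7", 443, src[1]),
        "unsolicited": r.inbound("192.0.2.66", 4444, 3074),
        "filtered_out": r.outbound(pc, 51001, "198.51.100.9", 25),
    }
    r.port_forwards[3074] = (console, 3074)       # e.g. a forward added for a console
    out["after_forward"] = r.inbound("192.0.2.66", 4444, 3074)
    r.dmz_host = pc                               # DMZ exposes every remaining port
    out["after_dmz"] = r.inbound("192.0.2.66", 4444, 445)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} -> {result}")
```

The last two cases are the ones to audit on a real router: every port forward, UPnP mapping, or DMZ setting turns a dropped packet into one delivered to a LAN host.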