Hardware Router vs Linux Router security

exphiles · #1 10th February 2005, 04:06 PM

If you have a hardware router like a Linksys or D-Link Broadband router, is that more secure to use compared to using a Linux box as a router?

A broadband router has DHCP and uses an internal IP, blocks most ports unless you enable it. How would using a Linux box as a router compare?

awdac · #2 10th February 2005, 04:38 PM

if you're using the Linux box just as a router, it would do the same thing, but generally allow for finer tuning and the installation of other software such as IDSes and whatnot on it. It could NAT (your internal IP addressing scheme, DHCP or otherwise), block all unecessary ports, etc.

The thing that really generally makes a "hardware router" more secure for home users is that it is a separate dedicated piece of hardware that's simple (which is always better in security terms) and expendable. If it gets compromised, there are no files to steal or anything, though the intruder likely has access to the internal network at that point, if they didn't just cause a DOS. Even if that were the case at my house, for instance, my internal machines are then protected by iptables themselves. Though I guess the intruder could print to my printer and such or exploit weaknesses in it to attempt to gain access otherwise.

It's never a good idea to have your border routing/firewalling done by a box that you use all the time. It should be as simple as possible with as few things exposed as possible, whether it's a stripped-down, cheap Dlink, a dedicated Linux machine, or a Cisco PIX.

Does that answer your question?

exphiles · #3 10th February 2005, 05:00 PM

awdac,

Yes, that certainly clarified a lot of things for me.

Now all I have to figure out is what iptables is.

awdac · #4 10th February 2005, 05:50 PM

iptables is the packet filter software that comes with Linux. It allows you to inspect and control the packets that come across the wire on your network connection. It does this based on rulesets that you can configure directly through the iptables tool or you can use various interfaces to do it, the simplest of which is probably 'lokkit', which is installed by default on your system I think. I've heard good things about Firestarter as well, though I've never messed with it myself.

As usual, 'man iptables' will give you a qick description of its functions.

kosmosik · #5 10th February 2005, 06:01 PM

Quote:

Originally Posted by exphiles

If you have a hardware router like a Linksys or D-Link Broadband router, is that more secure to use compared to using a Linux box as a router?

HW router is more secure since it runs less code == less potential flaws. but also (such home HW router) is less configurable/capable... but to be honest you could run HW router and after it Linux router and after it your LAN

exphiles · #6 11th February 2005, 08:30 AM

Thanks for the info adwac

exphiles · #7 11th February 2005, 08:37 AM

kosmosik,

Wouldn't that be overkill?