desktop routers v. consumer routers

imported_itr

Senior member
Mar 2, 2005
900
0
0
obviously if you build your own router with clarkconnect, smoothwall, etc., it is much more powerful and full featured than any consumer router (eg. linksys, netgear, etc). that is of course excluding the enterprise routers (eg. cisco).

i am wondering at about what level or price range these desktop routers are comparable to commercial products.

also, what are the advantages/disadvantages of these 2 products.
 

amdskip

Lifer
Jan 6, 2001
22,530
13
81
Before the experts come in here ( I am not one ), what do you plan on using this router for?
 

imported_itr

Senior member
Mar 2, 2005
900
0
0
Originally posted by: amdskip
Before the experts come in here ( I am not one ), what do you plan on using this router for?

as a router. my main concern is security. i'd like to get the most secure router that is affordable.
 

networkman

Lifer
Apr 23, 2000
10,436
1
0
"Affordable" is a relative term, especially with an audience as large as that of the Anandtech forums. ;)
 

Haden

Senior member
Nov 21, 2001
578
0
0
I think it depends on what features you require.
On low end, cheap "boxes" do pretty well (PCs lose on price, size, noise and heat), my favorite solution here is probably linksys.
On rather high end, it's impossible to assemble PC which matches routing performance (and features) offered by say Juniper/Cisco core routers (not that I ever touched one)
However, somewhere in the middle range, where speeds are sub 200mbps, good PC with say Linux will beat the crap on both features and price (from my experience).

 

halfadder

Golden Member
Dec 5, 2004
1,190
0
0
If you don't know what you're doing with a Cisco router and/or don't have a SmartNet account to download the latest Cisco IOS updates, a cheap consumer D-Link router will be far more secure than an expensive Cisco!

However, if you know what you're doing, and have access to the latest Cisco software, you can do some amazing things with a high end router. The configuration combinations are endless.
 

Kelemvor

Lifer
May 23, 2002
16,928
8
81
Can get the LinkSys WRT54G and use the 3rd party firmware to increase its abilities quite a bit.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,546
422
126
itr, you use the word Router as a language Idea connector and Not as a technology connector.

It is like saying I need a Vehicle. I heard that Bulldozers are stronger/safer than SUVs. Shall I get a Bulldozer to take my kids to school?

Maybe if you tell us what you are afraid of we can tell you how to secure it.

:sun:
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,484
8,345
126
Unless you feel the need to tinker, or need to make a modem router, I really see no significant advantage that a desktop running a *nix client provides over a boxed product provided by Linksys, Netgear, etc.

They are smaller, quieter, cheap, require less power, and more easily configured.

I used FREESCO and Coyote linux for years and they worked great for what they were. But, for a vast majority of people out there, an out of the box product will be better for them.

The only significant downfall of the consumer products is that they have limited flexibility when it comes to port forwarding and rule structure. But, as I said, for most people that's a non issue. It's not a fault of the product, it's a marketing tool leveraged by the manufacturers to encourage the purchase of more feature laden products if that is what you require.
 

Tazanator

Senior member
Oct 11, 2004
318
0
0
Looking at the replies in the forum, it really depends on what you are trying to route. For basic, low traffic applications, any of the routers listed, including the home-brew, will work. If you want performance under load, then you are into a commercial router like ImageStream. Most low-end (17xx/26xx/37xx) Ciscos will not run wirespeed if you ask the router to do more than terminate the circuit.
 

imported_itr

Senior member
Mar 2, 2005
900
0
0
from what i've read so far, consumer and home-brew routers have basically the same security features? SPI, NAT, etc. so if i wanted more enhanced security features, i'm better off looking at cisco products? the reason i am inquiring about router security is because, i am currently running a web, mail, ftp server, thus increasing the chance of being attacked.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
As others are getting at, your conception of routers and router security is a bit unclear. There are two basic concepts here that I don't think you've separated:

1) Security of the router itself - For a typical small home installation, this is pretty much a non-issue. Consumer-level routers don't have many features that leave them open to attack - they just route packets to wherever they're supposed to go. All you generally need to do here is set the router's admin password to something unobvious. Maybe also limit admin access so that only a particular IP address in your network can use the admin pages. I haven't checked out any of these units recently, but I think that most now deny any kind of remote access on the external interface, so you don't even need to worry about that. Using a high-end router (e.g. Cisco) or a custom *nix box is actually worse in this area because they contain lots more features for you to be aware of and secure properly.

2) Security of the services behind the router - This seems to be what you're thinking of. This part is really the job of a firewall program, which may or may not be part of the physical router itself. And this is where high-end or custom built routers have a lot more features, but I'd ask whether you really need them. Most consumer-level routers will let you forward specific ports to specific hosts, and unless you're a particularly high-value target, that along with keeping your servers up to date may be all you need. Just forward whatever ports you need (80 for HTTP, etc.) to the appropriate server. If you really want to geek out on security, a *nix box is the cheapest way to get a serious firewall program that will let you inspect packets, keep logs, and do other fancy tricks. But if you're going that route, you need to understand TCP/IP as well as the firewall's OS pretty well to make sure that you don't in fact make things less secure by leaving services unsecured.

Only you can decide what level of security you need, but given your statements so far, I'd suggest that a decent consumer router would be simple and secure enough for what you're protecting.
 

imported_itr

Senior member
Mar 2, 2005
900
0
0
cleverhandle thank you for the clarification. when you're talking about high-end firewall programs, microsoft ISA (internet security accelerator) would be one of them, am i correct?
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,484
8,345
126
Originally posted by: itr
cleverhandle thank you for the clarification. when you're talking about high-end firewall programs, microsoft ISA (internet security accelerator) would be one of them, am i correct?

I think he's more talking about hardware based firewalls - Cisco PIX, Sonicwall, Watchguard, etc. Those devices do SPI and provide far more flexibility in allowing/denying access to the devices and services on your lan side of things. There are some software packages that do it, but going with a hardware appliance is usually what most people opt for.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,546
422
126
In order to run the server the ports concerning the server need to be open to begin with.

So the protecting involved the actual Server Software and the Web pages, email etc. rather than the appliances around it.

Web server should have only those services running that are absolutely needed to run it and nothing else. I.e. use a dedicated computer that runs the Servers and not a general computer that does other things as well.

The OS and the applications should all have the most recent security patches.

All the ports that are not necessary for the Servers operation must be totally closed.

Use minimal Form inputs. Forms let the outsider legally input info into your system. Form input can be used for running "Junk" through your own software.

There is also a simple Hardware trick that can be employed.

Put your regular Network behind one Cable/DSL Router. Plug into the first Router a second Router and put the Computer with the Web Servers on the second Router by itself.

Doing so enables you to open more ports for other applications on the first Router, and only the ports of the Web Server on the second Router. It also creates a more secure separation between what is exposed to the Internet and your LAN.

:sun:
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,484
8,345
126
Originally posted by: JackMDS
Put your regular Network behind one Cable/DSL Router. Plug into the first Router a second Router and put the Computer with the Web Servers on the second Router by itself.

Doing so enables you to open more ports for other applications on the first Router, and only the ports of the Web Server on the second Router. It also creates a more secure separation between what is exposed to the Internet and your LAN.

Or buy a firewall that has a DMZ port. :p
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,546
422
126
Originally posted by: vi_edit


Or buy a firewall that has a DMZ port. :p

Doing so will totally expose the server and will achieve the opposite of what we are looking for.

I might understand your desire to be oppositional to most of my posts, but not at the expense of others.

:sun:
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: itr
cleverhandle thank you for the clarification. when you're talking about high-end firewall programs, microsoft ISA (internet security accelerator) would be one of them, am i correct?

Like vi_edit said, I was thinking of hardware like a PIX, but ISA looks like it can do a lot of similar things (I don't have any experience with it personally).

But you've never answered the very first respondent's question - what are you doing? It sounds to me like you're getting way, way beyond what's necessary. If you're just hosting a couple of services for your household and your friends, get a simple router, forward the required ports, and concentrate on application-level security - keep things patched, study up on secure web and mail server configuration, and so forth. Which is what JackMDS said (hint: he's real good at this stuff - listen to him).
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: JackMDS
Doing so will totally expose the server and will achieve the opposite of what we are looking for.

Yup. A DMZ port is the shotgun solution. And since it sounds like all these services run off a single machine which is probably running internal-only services as well, opening up every port is the last thing you want. I'll keep my Windows file sharing ports off the Internet, thank you very much.

 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,484
8,345
126
Originally posted by: JackMDS
Originally posted by: vi_edit


Or buy a firewall that has a DMZ port. :p

Doing so will totally expose the server and will achieve the opposite of what we are looking for.

I might understand your desire to be oppositional to most of my posts, but not at the expense of others.

:sun:

The DMZ ports on the Sonicwall equipment I'm used to give me every bit as much control over what goes in or out of that port as the normal LAN/WAN ports.

I can deny everything I want with the bonus of not having to stick the box on my lan. The same thing as you proposed. Sorry if I sounded disrespectful, as that was not my intent.

It's just that with the hardware I'm used to using you can accomplish the same goal without the extra equipment.
 

Tazanator

Senior member
Oct 11, 2004
318
0
0
well I have the DSL line in to the commercial router, at this point I run a DMZ on one IP block and the internal network is on a different block. (think internal 192.xx.xx.xx and the servers on 10.x.x.x) Like JackMDS said the two networks are separated and the servers are not allowed access to the internal network or even each other (I pulled all other services and protocols I could off the servers). this gives one layer of protection. a further is that neither network shares any connections (separate switches and all, they only come together at the router and the router has separate eth ports for each network and they are firewalled from each other to a degree (harsher rules for server to internal..)). the nix route is strong if you know nix, I spent a while learning nix to run my Imagestream box and then have D-links for the third net (wireless). But to run servers and other service requires several different approaches and appliances. The commercial router helps me keep the networks divided and does some firewalling for each network, further down some networks have additional routers to firewall them and limit services in either direction (I have a lan party network where people bring all kinds of machines to play, it's VERY unsecured to itself (DHCP and all services open for the games) it is blocked from the house network (the house network uses the MAC address to allow systems onto its net - with 48 guests that would take too long to put each MAC address into the table) each network has its own needs). weigh what you want and look hard at how much you know in that area and how much you are willing to learn. Realize that commercial routers have lots of tools to go with the cost, homebrew depends on your skill to build, and the home based are for the simple and cheap. Balance your needs to your skill and cash flow.

Good luck.
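
The separated layout discussed in this thread (servers on their own segment, reachable from the Internet only on the published ports, and unable to open connections into the internal LAN) can be written as an nftables ruleset for a Linux box with three interfaces. This is an added example, not part of any poster's message; the interface names, addresses and admin host are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: adjust interfaces and addresses to your own network.
flush ruleset

define WAN    = "eth0"          # to the DSL/cable modem
define LAN    = "eth1"          # internal network, 192.168.1.0/24 (assumed)
define DMZ    = "eth2"          # server segment, 10.0.0.0/24 (assumed)
define SERVER = 10.0.0.10       # web/mail/ftp host (assumed)
define ADMIN  = 192.168.1.10    # only host allowed to manage the router

table inet filter {
    chain input {               # traffic addressed to the router itself
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname $LAN ip saddr $ADMIN tcp dport 22 accept
        # Nothing is accepted from WAN or DMZ: no remote admin.
    }
    chain forward {             # traffic passing through the router
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may reach the Internet and the servers.
        iifname $LAN oifname { $WAN, $DMZ } accept
        # Internet reaches the server only on the published ports.
        # (Passive FTP data connections need a conntrack helper, not shown.)
        iifname $WAN oifname $DMZ ip daddr $SERVER tcp dport { 21, 25, 80 } accept
        # Server may send mail, resolve names and fetch patches.
        iifname $DMZ oifname $WAN tcp dport { 25, 53, 80, 443 } accept
        iifname $DMZ oifname $WAN udp dport 53 accept
        # A compromised server must not reach the LAN: log, then drop.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Forward specific ports only, never "all ports to one host".
        iifname $WAN tcp dport { 21, 25, 80 } dnat to $SERVER
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

The default-drop forward policy is what distinguishes this from a consumer router's "DMZ host" setting, which forwards every unsolicited port to one machine.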
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,546
422
126
Good post Tazanator thanks.

I might add at this point that when it comes to Home/SOHO Hosting a strategic decision has to be made.

If in order to be secure I need to buy a sub $1000 security appliance.

I will rather go with a Hosting service.

For $5 a month you can get commercial security, a faster connection, and computers that are making Noise and Heat elsewhere. In most parts of the country the electricity of running a 24/7 server might be more expensive than an inexpensive hosting service.

The price of an Appliance will cover 10 years of humble Hosting services.

My post above was an example of relative security that might cost $30 (two wired Entry Level Routers), and a little "Neuroware" effort to set.

:sun:
 

Griffinhart

Golden Member
Dec 7, 2004
1,130
1
76
Originally posted by: FrankyJunior
Can get the LinkSys WRT54G and use the 3rd party firmware to increase its abilities quite a bit.


I agree. The WRT54G will do just about anything you'll need out of the box. It will do even more with 3rd Party Firmware.

PC based router vs Consumer Router:
The WRT54G:
Is only $60ish.
Gives you Wireless and Wired Access out of the box
Is much much much smaller and silent.
Uses very little power
Also fills the role of a Hub/Switch.
Pretty secure out of the box.

PCs:
Big and bulky.
Expensive (if you have to buy one)
Noisy, Use a lot of power and require mouse/keyboard/Monitor
Prone to all the problems inherent with PCs
Requires reasonable knowledge to set up and manage.
Requires you to have 2 Network Boards in the PC Plus a hub/switch for your network.

I'd definitely go with a consumer router like the linksys. It's less of a headache and much more economical.