Wireless Networking Hardware

A Comparison of 802.11g Firewalls?

peoria kid asks: "Does anybody know how to compare the firewall effectiveness between the different providers of 802.11g networking solutions? I am considering purchasing a base station for my parents and I do not know if the Apple Airport base station or others such as Linksys, or Lucent have better encryption and firewall protection."

  • by Anonymous Coward on Tuesday December 30, 2003 @12:17AM (#7832797)
    They do NAT, and it's a side effect. If you want a real firewall, you need a real firewall or a computer running a real software firewall.
  • Zyxel (Score:4, Informative)

    by astrashe ( 7452 ) on Tuesday December 30, 2003 @12:31AM (#7832845) Journal
    Take a look at Zyxel [zyxel.com].

    It's a NAT device, not a real firewall, but it's in the same category as the products you've mentioned, and it's more secure.

    I haven't used it, and can't vouch for it. But it's gotten some good press.

    As I understand it, if you can sniff enough packets that use the same key, you can crack the crypto. This thing uses a better (and standard) protocol that keeps changing the keys, so no one can sniff enough packets to recover the key.

    I'm not sure I understand why they've kept the weak algorithm and shored it up by changing keys. My guess is that the crypto is built into a lot of wireless card hardware, and you can still use the built-in hardware by rotating keys. A new algorithm would offload all of the crypto to the processor. That's just a guess, though.

    In any event, I think this is believed to be secure now. I think that recent patches to XP support the new protocol with most wireless net adapters -- if you run XP, you don't have to worry about vendor support on the client side.

  • by DA-MAN ( 17442 ) on Tuesday December 30, 2003 @12:38AM (#7832881) Homepage
    It just happens to be a side effect of doing network address translation. Nothing comes in that isn't requested or related to connections made.

    They also have a default DENY policy which means that they are all about as secure as the other. The only problem would be if they came out with a new teardrop-like exploit that crashes the tcp/ip stack of the little routers, and that wouldn't affect security internally and would probably be solved by a firmware update.

    Because most are black boxes, you have to take the manufacturer's word for it that they have a solid tcp/ip stack that won't be susceptible to this sort of attack.

    Main thing I would worry about is the speed, find out what wireless firewalls are rated as the fastest. Make sure WEP is enabled and you have MAC address filtering. It's still not going to be nearly as secure as a cable.

    If you want to be secure, get a software firewall as well (ZoneAlarm, Tiny Personal, Norton, etc.), run Spybot or Ad-Aware, run a Virus Scanner and keep your software up to date.
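
Added example (not part of the original thread or any vendor's firmware): a minimal Python model of the NAT behaviour described in the comment above, where an inbound packet is forwarded only if it matches a mapping created by an outbound connection. The addresses, the 120-second idle timeout and the strict peer matching are assumptions for illustration; real routers vary.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    wan_ip: str
    idle_timeout: int = 120   # seconds a mapping lives without traffic (assumed)
    next_port: int = 40000
    # (proto, wan_port) -> [lan_ip, lan_port, peer_ip, peer_port, last_seen]
    table: dict = field(default_factory=dict)

    def outbound(self, proto, lan_ip, lan_port, peer_ip, peer_port, now):
        """A LAN host starts a flow: allocate a WAN port and record the peer."""
        wan_port = self.next_port
        self.next_port += 1
        self.table[(proto, wan_port)] = [lan_ip, lan_port, peer_ip, peer_port, now]
        return self.wan_ip, wan_port

    def inbound(self, proto, src_ip, src_port, wan_port, now):
        """A packet arrives from the Internet. Return the LAN target, or None if dropped."""
        entry = self.table.get((proto, wan_port))
        if entry is None:
            return None                        # no mapping: default deny
        lan_ip, lan_port, peer_ip, peer_port, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.table[(proto, wan_port)]
            return None                        # mapping expired
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None                        # mapped port, but not the peer we contacted
        entry[4] = now                         # refresh the idle timer
        return lan_ip, lan_port


def demo():
    # All addresses are constructed, taken from documentation ranges.
    r = NatRouter(wan_ip="203.0.113.10")
    web = ("198.51.100.7", 443)
    stranger = ("192.0.2.99", 55555)
    _, port = r.outbound("tcp", "192.168.1.20", 51000, *web, now=0)
    return {
        "reply_from_server": r.inbound("tcp", *web, port, now=5),
        "unsolicited_to_closed_port": r.inbound("tcp", *stranger, 445, now=6),
        "stranger_to_mapped_port": r.inbound("tcp", *stranger, port, now=7),
        "reply_after_idle_timeout": r.inbound("tcp", *web, port, now=500),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:28} -> {target if target else 'DROPPED'}")
```

Only the reply from the contacted server reaches the LAN host; the filtering comes from the translation table, not from any inspection of packet contents.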
  • by DA-MAN ( 17442 ) on Tuesday December 30, 2003 @02:11AM (#7833269) Homepage
    WPA isn't all that great either. But you are right, WPA is better than WEP.

    Wireless is never going to be all that secure, so long as it is transmitted in the airwaves, someone will be able to pick it up. The best line of defense is knowing this and changing your habits accordingly. I always use encryption at the protocol level, when there is important data whizzing by.

    imaps, instead of imap
    pop3s, instead of pop3
    ssh, instead of telnet or ftp
    https, instead of http

    The list goes on and on. By using these protocols you are also not nearly as susceptible to man in the middle attacks.

    SIDE NOTE: The latest WPA patch from Microsoft (KB826942) broke my wireless capability severely. I could no longer connect to any wireless access point that had encryption disabled, like coffee shops or T-mobile. If anyone else is having problems connecting to unsecured access points, try uninstalling this. Just passin on the knowledge...
  • linksys... (Score:3, Informative)

    by josepha48 ( 13953 ) on Tuesday December 30, 2003 @02:19AM (#7833291) Journal
    I think that the linksys has ipsec, which is about as secure as you are gonna get when doing wireless.

    The real important thing is to change the ssid and add a password. That will force someone to be scanning for the wireless and also require them to spend 20 minutes cracking the wpa / wep encryption. But if you get the BEFW11P1 it has ipsec too. Not sure which ones of their products also have this. If you need wireless then try the WRV54G. Look for VPN capability as most vpn systems out are using ipsec.

  • Re:Zyxel (Score:3, Informative)

    by PapaZit ( 33585 ) on Tuesday December 30, 2003 @08:02AM (#7833986)
    Cisco (commercial) wireless APs do the same trick.

    Essentially, the WEP key that you type into the client is only used to get a new randomly-generated "session" key. It IS a part of the 802.11b/g spec, but many wireless cards don't expect the key changes, so you need to be careful about which products you buy (or, at least, you had to be careful when I looked at this stuff a year or so ago).
