Menu
Reply
  • 6
  • 0
  • 0
Arthur2Sheds
Joining in
429 Views
Message 1 of 8
Flag for a moderator

Can I trust the V6 firewall?

I'm new to Virgin media and have had their whole package installed a few e=weeks ago.

Colleagues of mine say that I should never trust the firewall settings on an ISP's ADSL home router and that I should have a self-managed internal firewall connected to a switch inside my home network for good security (to my personal wired and wireless devices). Or, replace the V6 device (if that's possible) with an alternate ADSL router.

Anyone got an opinion or, better still, experience of the configuration advised to me?

Answers appreciated in advance

Arthur 

0 Kudos
Reply
  • 16.07K
  • 1.33K
  • 3.25K
Superuser
Superuser
410 Views
Message 2 of 8
Flag for a moderator

Re: Can I trust the V6 firewall?

virginmedia dont use ADSL ran via cable, the firewall on the hub is very basic at filtering always best to have a software firewall, or could buy a hardware firewall these are around £300+ only really used on businesses.. a lot of customer use a 3rd party router to increase wifi range have additional features like port forwarding, QoS etc..
----------------------------------------------------------
If someone's helped you out say thanks by clicking on the thumbs up. If someone's solved your problem, why not mark their message as an Accepted Solution
0 Kudos
Reply
  • 6
  • 0
  • 0
Arthur2Sheds
Joining in
406 Views
Message 3 of 8
Flag for a moderator

Re: Can I trust the V6 firewall?

Hello paultechy, your swift response is much appreciated.  From your moniker your are very IT knowledgeable: can you answer this follow-on question?.

So, in order of Comms egress into my house does this set up sound right.  VM hub 3----> internal router/ (software firewall) ---> smart switch---> endpoint (Mac/Windows PCs), printer, iPad, NAS etc? Researching this provides several possible scenarios (clearly some confusing to baby techie level), and also some saying to buy and replace the VM hub!

0 Kudos
Reply
  • 21.6K
  • 771
  • 3.09K
Superuser
Superuser
400 Views
Message 4 of 8
Flag for a moderator

Re: Can I trust the V6 firewall?

unless ou have reason and knowledge of networks you are better leaving things as they are. leave the firewalls enabled on windows and mac devices and leave the SH as it is. it works as a NAT that gives a lot of security from inbound connections. If you do not know what you are doing its very possible for you to make thingd less secure trying to secure them.

What are you trying to secure/worried about?

i can tell you about £10,000 firewalls you can use but unless you are activally being targetted and have somehting worth people taking you dont need to worry
0 Kudos
Reply
  • 1.22K
  • 91
  • 228
stevedh2
Knows their stuff
397 Views
Message 5 of 8
Flag for a moderator

Re: Can I trust the V6 firewall?

1stly I assume you mean Hub3 as the V6 is a tivo tv cable box.

software firewall is what you'd usually have on your pc as part, or sometimes separate from your av software.

Unless you put your Hub3 in modem mode, then the hub3 is also your router.

For your average home use the protection software you have on your pc is probably more important then the firewall on the hub/router.

The router can protect you from some general hazards such as Dos Attacks etc, what probably provides more protection for your pc on the router side is that most of your internal devices will be accesed via nat so unless you've opened some ports (or have an easy router password etc), its very hard for someone on the outside to directly access your computer.

If however you manage to download a trojan or your computer is infected by some other form of virus then it can say hello to an external source but as far as your router firewall is concerned this just looks like normal legitimate traffic. Only your computer can determine that it isn't.

For a router to do this it would need to be constantly updated to know the source of all current threats..

0 Kudos
Reply
  • 6
  • 0
  • 0
Arthur2Sheds
Joining in
395 Views
Message 6 of 8
Flag for a moderator

Re: Can I trust the V6 firewall?

@apcyberax.  Thanks for the quick response.

I have bought a NAS drive to store photographs, films, Time Machine, backups, personal files/mail etc. They are very important to my family and was looking to ensure that I had the most appropriate (a moving feast  know) security wrapped around it/them.  Whilst doing research, there was some information on t'internet that indicated that ISP provided hub/routers weren't always the most secure (basic setup), suggesting replacing the VM hub or buying an internal router/firewall, and its often difficult to sort out the 'wheat from the chaff"... 

0 Kudos
Reply
  • 4
  • 0
  • 5
cannfoddr
Tuning in
381 Views
Message 7 of 8
Flag for a moderator

Re: Can I trust the V6 firewall?

Generally in my experience most ISPs will offer a firewall that provides the following capabilities:

  • NAT - this really does nothing for security (unless you count security through obscurity)
  • A stateful firewall - this is your first line of defence for security
  • Hopefully some level of their own security testing to ensure that the router itself has no inherent security vulnerabilities

By default most firewalls are setup to block ALL incoming traffic between the internet and anything connected to the LAN or WiFi networks on the router.  I simple firewall configured in this way would block all incoming traffic no matter what, this is where the stageful bit comes in.

A Stateful firewall looks at the traffic going from the machines on your home network, say a request to a web server for a page,  going out to the internet and will create a temporary rule that allows that web server to talk back to the machine on your local network that started the connection.  Your router spends most of its time handling these stageful rules that allow the local network to talk to the internet and get responses.

The problem with stateful firewalls is that by default they will allow anything on your local network to talk out to the internet and get a response back.  This might be fine for a browser talking to a web page but less fine for some Malware that you have just installed trying to send information out to its command and control server or establish a connection that can be used to take control of your computer.  This is where Windows Firewall, Mac Firewall and all the "Internet Security Suite" type programs from the Anti Virus guys come in.

These "Operating System" firewalls will as part of their operation look at the programs on a machine that are trying to talk to the internet and make a decision either automatically or based on user permissions whether they should allow that program to talk to the internet.  I personally use McAfee Internet Security Suite on all our windows machines to do this for me and a program called "Little Snitch" on the Macs which does a similar job.  These programs give me piece of mind that when I install new stuff I can see where they are talking back to on the internet and decide if that is a good thing or not.

I find the actual firewall piece of the "Operating System" firewalls less useful, more often than not McAfee (or Windows Firewall) is to blame for file sharing or printing or access to some online game not working.  My preference is to allow ALL incoming connections from these Operating system firewalls.

The other thing to be aware of is something called uPNP/NAT-PMP.  This is a capability on your router that allows a program running on a machine on your local network to "Punch" a hole (sometimes referred to as a "Pin Hole") in your router firewall which will allow something from the internet to talk directly to the program running on a machine, the program does not need to have talked first to the internet (stateful) but can instead start the communication from outside. There has been much controversy over UPNP over the years with some advising to turn it off and some saying to leave it on in some form or other.  Personally I do allow it but monitor it occasionally on the router just to be sure.

One last thing to think about is you can explicitly allow connections between the Internet and machines on your home network by setting up a "Port Mapping" this allows communication coming in to a specific port on your router to talk to a particular port running on a machine on your local network.

So to summarise, and this is my personal view:

  • I do trust the firewall on the router to handle all my incoming network security and the stateful bit
  • I do use "Operating System" firewall software but mainly to handle program connections to the internet
  • I use a combination of uPNP and Port Mappings to allow programs to receive incoming connections from the internet.

Hope that helps.

 

0 Kudos
Reply
  • 6
  • 0
  • 0
Arthur2Sheds
Joining in
365 Views
Message 8 of 8
Flag for a moderator

Re: Can I trust the V6 firewall?

@cannfoddr. Thank you for a very comprehensive reply. I'll study it tomorrow and will probably need to read through the detailed information a few times to get a real understanding of your response. Once again, I appreciate the time and effort you've taken in replying.

It does help :-)
0 Kudos
Reply