
File Sharing with Router

post #1 of 12
Thread Starter 
I am going to buy a firewall/router, but I think there will be some problems with a few apps that I use. I think NAT would not let my file sharing apps (specifically DC++) work in active mode. The software firewall I used (ZoneAlarm) gets around this by recognizing specific apps as server apps and opening up ports just for that app. However, I am not aware of any routers that do this, which means I would have to forward the ports or put the computer in DMZ. I really don't want to do that and wish the router could recognize specific apps and open ports for just those apps. Do any of you know of any routers that can do this? I've heard of something called triggered mappings and NAT-Traversal that may be just what I need, but not sure.

Also, what is the best SPI Firewall router with at least one VPN channel through IPSec in your opinion?
post #2 of 12
Quote:
Originally Posted by deltawalkerl
Also, what is the best SPI Firewall router with at least one VPN channel through IPSec in your opinion?
There lies the rub. If you want a SPI router that selectively permits apps access without DMZ or port forwarding rules, the basic (read inexpensive) routers are all out. I got around this problem by spending $$$ and purchasing a Sun Cobalt Qube3 (no longer in production) and using the Sun Adaptive Firewall to govern permissions. Unfortunately for me, the applications supported by my Qube were relatively limited but it is almost bulletproof for webmail, webserver and file access.

A number of companies sell deep scan SPI products, like Fortinet (www.fortient.com), Checkpoint Software (www.checkpoint.com). I would also recommend Sonicwall or Symantec's vpn appliance.

What kind of applications are you wishing to be scanned?
post #3 of 12
Thread Starter 
I think getting one of those really expensive enterprise routers will be overkill for what I wish to do. I only want to selectively allow some file sharing apps like DirectConnect and BitTorrent and multiplayer games to pass through. I just hope there are consumer level routers that can do this...
Thanks for the suggestions. I will check them out. But I really can't spend too much.
post #4 of 12
Oops. Didn't read your post completely. Actually, unless you are willing to spend $500+ on a router, it's best to use a software firewall (as you are now using) and couple it with a basic SPI router. If it is for home use only and VPN logging is for one computer at a time plus you have limited bandwidth, less than 3kbps, then stick with something like Linksys' routers. If you want dedicated bulletproof VPN access in compliance with VPN protocols for multiple platforms, Dlink's business router DFL-300 is a good buy, along with Sonicwall's 170TZ. Likewise, Linksys' RV082 is pretty good. I am considering the RV082 since my Qube is getting old...
post #5 of 12
Thread Starter 
Quote:
Originally Posted by [silentwind]
Oops. Didn't read your post completely. Actually, unless you are willing to spend $500+ on a router, it's best to use a software firewall (as you are now using) and couple it with a basic SPI router. If it is for home use only and VPN logging is for one computer at a time plus you have limited bandwidth, less than 3kbps, then stick with something like Linksys' routers. If you want dedicated bulletproof VPN access in compliance with VPN protocols for multiple platforms, Dlink's business router DFL-300 is a good buy, along with Sonicwall's 170TZ. Likewise, Linksys' RV082 is pretty good. I am considering the RV082 since my Qube is getting old...
I see. I suspected that it may be best to stick with a software firewall with my light use of router features. Thanks. However, even with a basic SPI/NAT router, it will still block inbound traffic for my apps unless I forward ports, wherein lies the problem. I suppose I am stuck with port mapping then? I guess it's not so bad. Actually I looked at the CheckPoint routers and they have some below $500. You mentioned that some of CheckPoint's routers have application recognition? Could you explain how this is accomplished and which ones do this? I fear only the really expensive ones can...
post #6 of 12
About Nat-Traversal, a good primer:
http://www.isp-planet.com/technology...ipsec_nat.html

Checkpoint Software is considered a leader in "deep scan" SPI technology (or at least that's what their press releases always claim). Deep scan really exists only at Enterprise level. Frankly, buying deep scan SPI for the software and gaming stuff described would be the equivalent of purchasing a tank because you live near a golf course... It's overkill, unnecessary and cost would defeat purpose. Deep scan products typically start around $2k which is why I bought my Sun server... However, I used it for business and home office links so it's worth it for me...

Deep scan SPI monitors applications as they communicate to the outside. From the outside, a deep scan SPI appears to be a firewall - from the inside it appears to be a communications client. It's sort of like a proxy that the firewall predefines for each application. It's not found in SOHO class products because of need to monitor applications as well as speed to track/approve data as well as shunt to proper IP address.

I don't know if this helps because (1) it's a complicated process involving the equivalent of proxies plus (2) I wound up purchasing intermediate solution because of the hardware costs (so didn't ever complete research) and (3) I gotta pee!
post #7 of 12
Thread Starter 
Thanks for the help. I guess I will use a basic SPI/NAT router. You mentioned that the Linksys ones are good for low bandwidth, 3kbps. What if you have a bigger bandwidth, say, 10mbps?
post #8 of 12
If you have 10mbps class worth of bandwidth, I expect you will run into problems with basic routers. Most basic routers use 50 MHz ARM processors that simply do not have throughput to analyze packets and redirect. I would suggest the RV082, DFL 300, Sonicwall, or any other small business class router because they tend to have fast processors 150 MHz+ plus expanded flash memory for upgrades and RAM for the processing. Of course, this stuff will cost between $300 - $500. I am currently unhappy with the Netgear stuff largely because of really limited warranty (90 days) plus they offloaded support to India and frankly the language issues outweigh the limited knowledge base/scripts tech support reads.

If you have cash, I recommend the Sonicwall products. I've used them and my wife's office uses one with great success. They also have excellent tech support. I like DLink though not so much for the product but because they provide good tech support and techs are based here in California...
post #9 of 12
Thread Starter 
Thanks for the recommendations. I didn't know basic routers will have trouble with the bandwidth...that was really important information for me. Thanks for the article on NAT traversal, too. I can rule it out for doing what I need, as it seems to only work with VPN pass through and UPnP software. There is still a bit of hope, though: do you know how dynamic (triggered) mapping works?
post #10 of 12
For your needs, I don't think triggered mapping will work. Triggered mapping works best when there are multiple computers or multiple requests communicating with the port for short bursts of data. A continuous stream will cause the application (LAN side) to continuously operate and will eat into your CPU cycle times (unless you are running a fast server with lots of memory AND managed switch/adapter card). Triggered mapping only allows one computer at a time within the LAN to use the port so if you have an internal LAN with a separate server, then only one system at a time can use the port. You are better off mapping a single port and directing it to a specific LAN address and simply operate a software firewall rather than application based triggered mapping.

A good primer:
http://www.smallnetbuilder.com/Secti...le18-page5.php
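
The two options weighed in this thread, static port forwarding and triggered mapping, as a simplified model added here for illustration (not posted by any participant and not any vendor's firmware). The port numbers, LAN addresses and the 60-second lease are constructed sample values, and the lease timeout is an assumption about how a trigger expires.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Decides where a NEW inbound connection goes; default is drop."""
    forwards: dict = field(default_factory=dict)  # inbound port -> LAN IP, always open
    triggers: dict = field(default_factory=dict)  # outbound dst port -> inbound port to open
    lease_secs: int = 60                          # assumed trigger lifetime
    leases: dict = field(default_factory=dict)    # inbound port -> (LAN IP, expiry time)

    def outbound(self, lan_ip, dst_port, now):
        """A LAN host connects out; a matching trigger may lease the inbound port."""
        in_port = self.triggers.get(dst_port)
        if in_port is None:
            return
        holder = self.leases.get(in_port)
        # Only one LAN host can hold the port: grant if free, expired, or a renewal.
        if holder is None or holder[1] <= now or holder[0] == lan_ip:
            self.leases[in_port] = (lan_ip, now + self.lease_secs)

    def inbound(self, dst_port, now):
        """Return the LAN IP that receives the connection, or None if dropped."""
        if dst_port in self.forwards:
            return self.forwards[dst_port]        # static rule: exposed permanently
        lease = self.leases.get(dst_port)
        if lease and lease[1] > now:
            return lease[0]                       # open only while the lease lasts
        return None

def demo():
    """Constructed scenario: two LAN hosts, hub on port 411, transfers on 4120."""
    trig = NatRouter(triggers={411: 4120})
    results = [trig.inbound(4120, now=0)]         # nothing triggered yet: dropped
    trig.outbound("192.168.1.10", 411, now=0)     # first host fires the trigger
    results.append(trig.inbound(4120, now=10))    # delivered to .10
    trig.outbound("192.168.1.11", 411, now=20)    # second host cannot take the port
    results.append(trig.inbound(4120, now=30))    # still delivered to .10
    results.append(trig.inbound(4120, now=61))    # lease expired: dropped again
    static = NatRouter(forwards={4120: "192.168.1.10"})
    results.append(static.inbound(4120, now=9999))  # open regardless of activity
    return results

if __name__ == "__main__":
    print(demo())
```

The static rule leaves the port reachable from the internet at all times, which is why the thread pairs it with a software firewall on the target machine.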
post #11 of 12
Thread Starter 
Thank you very much. Your help saved me a lot of time that would've been spent searching for this information myself. You also saved me a lot of money as well since I probably would've made the wrong choice! As per your suggestion, I will go with a not-so-expensive small business class router, open some ports, and use software firewall to block those ports. Again, thanks a lot!
post #12 of 12
No problem. Glad to be of help!