Would a hardware firewall be beneficial for this network?

Hi readers,

The image

Observe the image attached to this post first please. It displays a setup of the network I'm trying to protect from all evil harm that's possible.

The setup

The DSL modem + wireless + firewall is one of those all-in-one solutions including wireless connectivity, DSL modem, WiFi access, VoIP and a built-in firewall. One of those software thingies you can set up via your browser; it's configured to block the standard things, but not properly fine tuned.

The wireless setup uses WPA TKIP PSK on a fixed channel with a hidden SSID as protection schematic. Perhaps later on I'm going to change this to WEP PSK with hidden SSID to enable old wireless devices on this network, but I'm not convinced I should. At the moment two other devices use the wireless network to connect to the internet 24/7.

Both switches are simple autosensing 100 Mbit switches. No extra fancy stuff.

The majority of the devices (more computers and even more computers) are connected via a UTP LAN to said switches. A simple wired network, so to speak.

The question

I was wondering if it would be beneficial to further harden the security of this network setup with the aid of a hardware firewall. In my opinion it should then be placed between the DSL modem and UTP switch 1 (number 2).

The problem here is, how to protect the wireless devices as well?

Question: Would a hardware firewall give me any protection enhancement, and is there a hardware firewall that can also protect the wireless devices?

Personally I wouldn’t bother with an extra firewall for that setup since the firewall in the modem/router/ap protects you from most things that a firewall can protect you from anyway, and another firewall would only protect your wired computers but not the wireless computers.

The wireless devices can be protected with software “firewall” (same is true for the wired devices) but in order to protect them further with a hardware firewall, you would need to get a firewall as well as another access point.

BTW “hiding” the SSID is one of the common myths about wireless security; it doesn’t actually suppress all broadcasts of the SSID, so the SSID isn’t really hidden, and the security isn’t improved. It can make the wireless devices less likely to reconnect to the network if/when they are disconnected. So it decreases stability with no increase in security.

I agree with Drage… You don’t need another hardware firewall. I would get a software firewall on each pc. I use CA’s Internet security, but there are many others out there as good or better. They can be a little tricky at times, as they can block things you don’t want blocked, and it can be a bugger to get what you want back, but they work very well. Even simple things like Spybot Search and Destroy’s TEATIMER work well by not allowing anything to update your registry, without you giving an okay each and every time. There are lots of software options…

I’d recommend the following setup for a small office / home

DSL/Cable modem (without router/firewall capability) --> Router (Linksys WRT54GL or Asus WL-500G Premium) --> Switch --> Clients

Router acts as firewall (both wired and wireless, tightly secured for office network), DHCP server, fileserver (WL-500GP only), QoS and additional services if needed. If you want to protect users from each other I'd recommend you get a managed switch which can block ports etc. Since the router supports QoS it'll also prevent net congestion on the Internet link.

Software firewalls for Windows are just plain crap and cause more issues than they protect from…

If SSID broadcasts affect "stability" you really need to get new hardware that actually works…

With the Wireless client update, you can tune things, but that favours having the access point broadcasting, so the clients can be set for a broadcast network, so that they do not leak the SSID when out of range - you cannot totally hide an SSID, so at best, it stops accidental connection to an unsecured network - in fact, that is about the only worthwhile "security" that hidden SSID provides - as it is entirely useless against any deliberate attack.

WEP - WEP is WEAK - unless you have parts that support the nonstandard 256 bit extension, using WEP is a significant reduction in attack resistance.

Hardware firewall? The NAT router does pretty much what is needed in the "traditional firewall" sense… outside is outside, and incoming is by invitation (port forward/trigger/UPnP) only. Unless you would like to put the WEP equipment on an outer layer, consider the possibility that WEP may be compromised, and use another wireless router/firewall for WPA and to isolate the WEP, though that is perhaps a paranoid approach.

Software firewalls? A permanent battleground of protection versus annoyance level - many need far too much “nursing”, but if you have half an idea what may or may not be legitimate traffic, go for it. If you don’t get one as part of a bundle, then Comodo Personal Firewall (free) is probably as much as you need.
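The isolation idea in the reply above (a second router keeping any WEP-only gear off the trusted LAN while still letting it reach the Internet) can be expressed as a zone policy on a Linux-based router. This is an added example, not code from anyone in the thread; the interface names (eth0, eth1, wlan1) and the zone layout are assumptions.

```python
# Added example: zone-based forward policy for a router that sits between the
# modem (wan), the trusted wired LAN (lan) and a legacy WEP segment (legacy).
# Interface names are assumed; adjust them to the router's real ones.
from dataclasses import dataclass

ZONES = {"wan": "eth0", "lan": "eth1", "legacy": "wlan1"}  # assumed interfaces

@dataclass(frozen=True)
class Rule:
    src: str     # zone a new flow originates from
    dst: str     # zone the flow is going to
    action: str  # "accept" or "drop"

# First match wins; anything not matched falls through to the default drop.
POLICY = [
    Rule("lan", "wan", "accept"),     # trusted LAN may reach the Internet
    Rule("legacy", "wan", "accept"),  # legacy wifi may reach the Internet only
    Rule("legacy", "lan", "drop"),    # but never the trusted LAN
    Rule("wan", "lan", "drop"),       # no unsolicited inbound (port forwards aside)
    Rule("wan", "legacy", "drop"),
]

# Flows that must be dropped for the segmentation to mean anything.
REQUIRED = {("legacy", "lan"): "drop", ("wan", "lan"): "drop", ("wan", "legacy"): "drop"}

def decide(src: str, dst: str, established: bool = False) -> str:
    """Return accept/drop for a flow from zone src to zone dst.
    Replies belonging to an already accepted flow pass via the conntrack rule."""
    if established:
        return "accept"
    for r in POLICY:
        if r.src == src and r.dst == dst:
            return r.action
    return "drop"  # default policy of the chain

def violations() -> list:
    """Required isolation flows whose decision differs from what is required."""
    return [flow for flow, want in REQUIRED.items() if decide(*flow) != want]

def render_nft() -> str:
    """Emit an nftables forward chain implementing POLICY."""
    lines = ["table inet fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in POLICY:
        lines.append(f"    iifname {ZONES[r.src]} oifname {ZONES[r.dst]} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    assert not violations(), violations()
    print(render_nft())
```

Run `violations()` before loading the rendered ruleset; a non-empty list means a rule order change has opened a path from the legacy segment or the Internet into the LAN.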

Thank you for your time and effort.

I have decided not to enable WEP for the DSL modem, since it will cause more harm than good. If I want an old WEP device enabled for this network I will use my Asus WL 500G which I still have somewhere and connect that via one of the switches. The Asus router can be configured pretty tightly so I can make sure even if that remote connection is hacked the other systems could not be contacted.

For the rest of the network I will rely on the security settings I configured in the operating systems of the computers. These computers are not enabled to see each other via software (though it should be possible via IP access, I don't think potentially harmful software will find its way throughout the entire network easily).