0

Summary

My old home-router/switch has died recently and I decided to buy the real stuff: Cisco switch 3500 series XL in prevision of further needs later on.

Meanwhile, I have received my Cisco switch and connected my ISP modem onto port 1x and plugged my other computers onto the other ports of the switch.

Great! I now have access to the Internet on all of my home PCs and it works remarkably well! As an aside, I wonder: if this works, what are routers for?...

Questions

  1. Do I over-expose my computers to the Internet and make them vulnerable to assaults from the Internet?

  2. Shall I badly consider installing a router between my Internet connection and my switch before something hurts my equipment?

Thanks for your time answering this question. =)

HopelessN00b
Will Marcouiller
  • If I have a bit of time later (and nobody has beat me to it) I'll post a more in depth answer, but what's really happening here is two technologies being given the same name, which annoys me. Most people refer to a home ADSL-style device as a "router" which it isn't really, it's NAT, but a Cisco device really is a proper router, but it can ALSO be NAT. – Mark Henderson Feb 02 '11 at 19:58
  • I'm looking forward to having your thoughts then! Because I don't know the difference between those two. I'll be glad to upvote for sure! =) – Will Marcouiller Feb 02 '11 at 20:01
  • This is about a home network, which is out-of-scope per the FAQ. – sysadmin1138 Jan 19 '12 at 03:40

2 Answers

3

Some "modems" which are actually gateways have built-in firewalls that aren't full of features but get the job done. If this is the case the switch you've bought will simply extend the segment off the LAN port of the modem and your machines will receive private addresses.

If the modem is not a gateway, your ISP would need to allot you more than one public IP, as the LAN port and your switch along with it would now be publicly visible and each of your connected devices would need a static IP address. I do not remember if the 3500XL is a layer 3 capable switch, but if it is then it can certainly play "router" for your network and basic ACLs could logically permit or deny traffic. HOWEVER, this does not make it a stateful firewall.

My suggestion in either scenario is for you to purchase a router with a built-in firewall or a small dedicated firewall box like a Juniper SSG or SRX, or possibly an ASA or even a SOHO Linksys or Netgear box.

SpacemanSpiff
  • I agree. Since this is a home network I would suggest Tomato-USB on the ASUS WL-520GU. This will give you a powerful stateful packet firewall, bandwidth shaping and a great wireless unit for about $50. – Antonius Bloch Feb 02 '11 at 20:11
  • I have purchased (not yet received) a Cisco 3640 router. Will it address any supplemental security concerns for my network? As for my IP address, it seems that I have one obtained from my ISP. I type `ipconfig/all`, and my IPv4 IP Address is 24.xxx.yyy.zzz. The default gateway is set to one of my ISP: 24.xxx.yyy.aaa. I seem to have IP addresses given by my ISP for each of my systems. Sounds bad to my ears!... =S Is it bad? – Will Marcouiller Feb 02 '11 at 20:19
  • It's typical for an ISP to issue consumers only one address, and almost always via DHCP. Your router will "segment" your public IP and your private network, and provide you network address translation. A router's job by default is to FORWARD packets where a firewall's job is to filter them. The IOS on the device will determine what firewall capabilities it has. Typically a device like a Cisco router is used purely for routing. That's why we all suggest SOHO solutions or Juniper SSG/SRX, they are both a router and firewall in one device, and often, enough ports to negate the need for a switch. – SpacemanSpiff Feb 02 '11 at 22:07
  • I understand what you're saying, and thanks for your time. Besides, it seems that my equipment has an IP address per piece of equipment, so if I have three computers, I have three issued IP addresses from my ISP. That is what I was wondering whether it was bad. =) – Will Marcouiller Feb 02 '11 at 22:27
  • If the IPs you're getting are 10.x.x.x, 172.16.x.x, and 192.168.x.x then it is likely your modem is a gateway. If you're receiving addresses other than these like 24.14.10.5 or anything public then you'll want to firewall each individual host at the minimum, but everyone here is likely to agree you should implement a hardware firewall. – SpacemanSpiff Feb 04 '11 at 14:45
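
The address check discussed in the comments above, as an added example that is not part of the original thread: it reads `ipconfig /all` output and reports which adapters hold an address outside the private ranges, meaning the host sits directly on the ISP segment with no NAT gateway in front of it. The sample output is constructed, the function names are hypothetical, and the 203.0.113.x addresses are documentation values standing in for an ISP-assigned public address.

```python
import ipaddress
import re

# RFC 1918 private space. The middle block is 172.16.0.0/12 (172.16.x.x to 172.31.x.x).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space

# Constructed sample of `ipconfig /all` output (not taken from the thread).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 203.0.113.25(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1

Ethernet adapter Lab:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

def classify(addr):
    """Label an IPv4 address; anything outside the listed ranges counts as public."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "private"      # behind a NAT gateway
    if ip in CGNAT:
        return "cgnat"        # ISP-side NAT, still not a global address
    if ip.is_link_local:
        return "link-local"   # 169.254.x.x, DHCP failed
    return "public"

def host_addresses(ipconfig_text):
    """Return [(adapter, ip, label)] for every 'IPv4 Address' line."""
    results, adapter = [], None
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip().rstrip(":")   # unindented line = adapter header
        m = re.match(r"\s+IPv4 Address[ .]*:\s*([\d.]+)", line)
        if m:
            results.append((adapter, m.group(1), classify(m.group(1))))
    return results

def exposed_adapters(ipconfig_text):
    """Adapters holding a public address: these need a host firewall at minimum."""
    return [a for a, _, label in host_addresses(ipconfig_text) if label == "public"]

if __name__ == "__main__":
    for adapter, ip, label in host_addresses(SAMPLE):
        print(f"{adapter}: {ip} -> {label}")
```
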
0

Most ISP modems have a built in firewall which you can confirm by logging in to the modem's web interface, if it has one and if you know the username and password.

You might be better served by asking your ISP about the modem and its capabilities as a firewall and asking them for the modem login information.

joeqwerty
  • If I have an ISP obtained IP address for each of my pieces of equipment, does this mean that I'm running into troubles? I also have a Cisco 2514 router on my shelf, shall I install it meanwhile I receive my 3640 router or is it not worthy? – Will Marcouiller Feb 02 '11 at 20:22
  • Nah! Just thought that I own no transceiver! Bad luck! =P – Will Marcouiller Feb 02 '11 at 20:26