After many years of waiting, I finally got a laptop at work last week. One of the first things I tried out on it was bringing it home and seeing if I could VPN into work from home. I was unsuccessful at getting the VPN client to connect until I completely disabled the firewall on my wireless cable modem (Motorola SurfBoard SBG900). If I put it back to even the minimum level of firewall protection, the VPN client was unable to connect.
The IT folks at work have not been at all helpful about troubleshooting this. Their opinion is that if I can connect with the firewall down, then it’s not an issue with the laptop and therefore not their problem.
I’ve always been under the impression that having the firewall on the modem configured for maximum protection was a good idea, but I’m wondering if it’s overkill and if firewall software will provide sufficient protection?
Does your cable modem have a “VPN pass through” option that you can enable? I briefly glanced through some manuals for the SBG900 and they suggest the feature exists but don’t go into detail about how to enable it, sorry.
And to answer your question: There’s always a tradeoff between convenience and security. Every layer of security you add helps but potentially makes your setup more difficult to use (as you’re finding out).
My opinion is that you’re probably fine with a software firewall + a router, but I’m not sure if “wireless modem” qualifies as a router. On your laptop, do you get an internal IP address like 192.168.1.1 or an Internet-accessible address? If you’re not sure, go to www.whatismyip.com and remember what you see there. Then, if you’re on XP, go to Start -> Run and type in “winipcfg”. If you’re on Vista, go to Start -> Run and type in “cmd”, click OK, then type in “ipconfig” in the resulting window.
Compare the two IP addresses.
If they are different, you’re probably as safe as you need to be.
If they’re the same, however, that means you DON’T have the protection of a router – your cable modem is forwarding all inbound traffic directly to your laptop – and so a hardware firewall (i.e., on the cable modem) WOULD be helpful in case your laptop and its software firewall get compromised.
(To get technical, I think a hardware SPI firewall would grant questionable (minimal) protection over a standard router if you already have a software firewall. Basically, the only thing it’ll protect against is malware smart enough to make an outgoing request prior to listening for a response but dumb enough to route its traffic over nonstandard ports AND wait beyond standard timeout for a return signal. That particular combination of factors would be really odd.)
If you don’t have a router, I would definitely recommend getting one and making sure it is WEP enabled with the passkey. We have three computers (two desktops and one laptop) running on a wireless network that is WEP enabled. This basically means that unless you set up the computer’s wireless device with the passkey, you can’t get onto the router. Drive around your neighborhood with the laptop and open the network and sharing center (Vista) or similar for XP. You’ll probably be able to see dozens of networks broadcasting. Some will say they are security enabled, which means you need the WEP passkey, others will not and you could probably connect to them.
I really don’t think the router firewall is a big deal. A software firewall does what it does and considering you’re probably using NAT then incoming connections that you haven’t initiated are blocked by default.
Seconding checking for a VPN passthrough option or calling your ISP and seeing if they have a solution for you.
Two things: Apparently the SBG900 IS a hybrid modem + router, so you’re probably ok, but I’d check using the whatismyip.com method I described earlier to make sure it is operating in the correct mode (meaning non-passthrough/non-DMZ). What you’re primarily looking for is a different IP address on whatismyip.com than the 192.x.x.x that you should get from ipconfig.
Ideally, you should still leave firewall settings on high and turn on VPN passthrough if you can find it (I wasn’t able to with the manual). If you can’t, you’re probably ok even with the firewall on something lower because of the nature of the NAT (network address translation) that your router/modem performs behind the scenes.
Secondly, the SBG900 supports WPA-PSK using AES, which is safer than WEP, so if your laptop supports that I’d go with that. Instructions for configuring this are on printed page 66 (or PDF page 73/139) of the manual. Note that “WPA-PSK over AES” is just technobabble for “password protecting your wireless access using a safer technology” and isn’t as terrible as it sounds.
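The “compare whatismyip.com with ipconfig” check described above (and repeated in the follow-up about the 192.x.x.x address) can be written down as a small script. This is an added example, not code from anyone in the thread: it parses the IPv4 address out of constructed ipconfig output, then decides whether the laptop is behind the modem’s NAT, directly exposed, or behind a second NAT on the ISP side. It also goes a step beyond the thread by treating only 192.168.0.0/16 (not all of 192.x.x.x) as private and by recognising the carrier-grade NAT range.

```python
import ipaddress
import re

# Address blocks that are never routable on the public Internet. A host whose
# interface address falls in one of these is sitting behind some form of NAT.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 (only this slice of 192.x is private)
    ipaddress.ip_network("100.64.0.0/10"),    # RFC 6598 carrier-grade NAT (ISP-side NAT)
    ipaddress.ip_network("169.254.0.0/16"),   # link-local: no DHCP lease at all
]

# Matches both XP's "IP Address. . . :" and Vista's "IPv4 Address. . . :" lines,
# but not "IPv6 Address" lines.
IPV4_LINE = re.compile(r"IPv?4?\s*Address[^:]*:\s*(\d+\.\d+\.\d+\.\d+)")

def lan_address_from_ipconfig(output: str) -> ipaddress.IPv4Address:
    """Pull the first IPv4 address out of Windows ipconfig output."""
    match = IPV4_LINE.search(output)
    if not match:
        raise ValueError("no IPv4 address found in ipconfig output")
    return ipaddress.ip_address(match.group(1))

def is_private(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in block for block in PRIVATE_BLOCKS)

def nat_verdict(lan_ip: str, wan_ip: str) -> str:
    """Compare the laptop's own address with what whatismyip.com reported."""
    lan = ipaddress.ip_address(lan_ip)
    wan = ipaddress.ip_address(wan_ip)
    if lan == wan:
        return "exposed"      # modem hands the public address straight to the laptop
    if not is_private(lan):
        return "exposed"      # two public addresses: no address translation in between
    if is_private(wan):
        return "double-nat"   # the modem's WAN side is itself behind another NAT
    return "behind-nat"       # the normal modem/router case: inbound traffic is dropped

# Constructed sample: what Vista's ipconfig shows for a laptop on the modem's LAN.
SAMPLE_IPCONFIG = """Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : example.invalid
   IPv4 Address. . . . . . . . . . . : 192.168.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""
SAMPLE_WAN = "203.0.113.42"  # constructed stand-in for the whatismyip.com result

if __name__ == "__main__":
    lan = lan_address_from_ipconfig(SAMPLE_IPCONFIG)
    print(lan, SAMPLE_WAN, nat_verdict(str(lan), SAMPLE_WAN))
```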
I checked the IP addresses like you described, and I did get two different ones. The IP address from whatismyip matched what the Motorola settings show as the WAN address, and the IP address from ipconfig matched what the Motorola settings show as the LAN address.
I do currently have WEP enabled on the modem, but I’ll take a look at the WPA-PSK over AES.
I looked in the manual and on-line and yeah, there’s not a whole lot of information about the VPN passthrough. I will do some more digging around and see if I can come up with something.