A few questions on the Nexland ISB SOHO I just bought [Archive] - SpeedGuide.net Broadband Community



neo960
11-16-02, 12:05 AM
Hello folks,
I just bought a Nexland ISB SOHO router last week and I am very happy with it. I have a question about the robustness of the firewall, though.

Is it a very secure firewall? How does it compare against the $500 sonicwalls and other expensive hardware firewalls security-wise? Does the less money that I spent on the Nexland translate into less robust security?

I did the Shields Up test at Steve Gibson's grc.com site and got good results, though.

YeOldeStonecat
11-16-02, 07:42 AM
Well, Sonics, upper-model Ciscos, etc. do have higher-end firewalls. Even Linksys came out with a robust firewall model, the BEFSX41... note the "X" instead of the usual "R".

First, let's separate out what is considered a firewall in home NAT routers.

All of the home-market broadband and SOHO broadband routers share a single WAN IP address with an internal network on a private class C subnet using a method called NAT... Network Address Translation. NAT is NAT is NAT... a Linksys router is the same as a Nexland router is the same as a Netgear router is the same as an SMC router in this area. This in itself, by design, happens to hide your network completely... the router is the only device seen on the WAN side... it completely hides all of your computers on the network... unless you DMZ a box. This provides good "basic" network protection... and is the "hardware firewall" these routers claim to protect your network with. This is pretty much all a home network needs, and the smaller basic office setups too.

Now, larger networks, such as at a business, will often run servers from behind their routers... meaning ports are open... say for a website, or Citrix, or VPN, mail (SMTP), etc. The home router can deal with that by forwarding ports. So now those ports are open for attack... as a NAT router either blocks all ports or lets certain ports through. When you have certain ports open... a basic NAT router simply lets traffic through... "bad" traffic and good.

The higher-end routers that have more of a true firewall, such as those listed up top, will inspect that incoming traffic... and weed out the bad traffic, and also have many more logging features. Also, higher-end routers can inspect traffic going out... say a computer on the network picks up a trojan or something else. Sonics are fully ISA-certified firewalls. What does that mean? Well, I'm not as well versed in those, so I'll let TWWBA or Cyberskye take over in this department.

What you have to look at is... what are you doing? Hosting servers? Then yes, be more protective... keep your OS updated, keep good anti-virus protection, be smart with your downloads, and you're quite safe. I don't like software firewalls; some people prefer to use them as well as a NAT router... but I find they mess up your system, slow it down, get in the way of gaming and everything... I prefer to keep things simple and be smart in the way I do things. But really, to sum things up... for the home user, if you're not running servers and having computers in your router's DMZ or tons of ports open, then basic NAT does the job for you fine. Plus, if you're on DSL, you probably get a different IP now and then. Also, hackers look for easy fish to fry... a basic NAT router will be bypassed... there are tons of totally unprotected people to mess with, and more so, they love going after larger companies and offices with interesting things. Plus, no matter what you spend, if they want to get in, they can. Enterprise companies and government offices that spend hundreds of thousands or millions on protecting their networks get broken into.

neo960
11-16-02, 08:48 PM
Thanks YOSC. Very informative reply.

Thanks for taking the time to write up the long explanation. I appreciate it.

cyberskye
11-19-02, 03:29 PM
Ya, home NAT routers do packet filtering. This means they just check the headers of an incoming packet against rules for forwarding. Outbound traffic is not filtered.

SPI (stateful packet inspection) takes it to the next level by keeping 'state' of all communications. The significance here is that someone cannot send a packet with a phony header claiming it is a reply and get in - the SPI firewall knows about all outgoing connections and will drop the attack.

The weakness of home NAT routers really comes out when you do ANY kind of forwarding. That's why most manuals recommend that you only do this when it is in use and not leave holes open all the time.

If you're hosting public servers, you really do want something better than home NAT. With spoofed packets they aren't impossible to get into - especially if you do any port forwarding.

The key is not the perimeter. As YOSC said, updated AV, OS patches, and not downloading warez and the like are your best defense. Password-protect your shares (if you are sharing files on your LAN) and use GOOD passwords - something with special characters that isn't in any dictionary (@ # $ !, etc.).
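An added example, not part of the thread and not any router vendor's code, that models the two points made above: YOSC's observation that a basic NAT router lets "bad traffic and good" through any forwarded port, and cyberskye's point that an SPI firewall drops a packet with a phony header claiming to be a reply because it remembers which connections the LAN opened. The stateless filter below is a modeling assumption: a header-only filter that admits anything aimed at a forwarded port plus anything carrying the ACK bit (the old "established" heuristic for letting replies back in). The stateful filter keeps a connection table and assumes a port-preserving NAT so its state key is just (remote IP, remote port, WAN port). All addresses, ports and packets are constructed for the simulation; nothing touches a real socket.

```python
# Added example, not from the thread: a toy model of header-only filtering
# versus stateful packet inspection. No real sockets; packets are built inline.
from dataclasses import dataclass

WAN_IP = "203.0.113.10"      # constructed: the router's public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset         # TCP flags present, e.g. frozenset({"SYN"})


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


class StatelessFilter:
    """Header-only filtering, as on a basic home NAT router (assumed model).

    Inbound rules, evaluated per packet with no memory of earlier packets:
      1. anything aimed at a forwarded port is let through, good or bad;
      2. anything with ACK set is treated as a reply to an outbound
         connection (the classic 'established' heuristic) and let through.
    Outbound traffic is not filtered at all.
    """

    def __init__(self, forwards):
        self.forwards = dict(forwards)       # wan_port -> (lan_ip, lan_port)

    def outbound(self, pkt):
        return "ACCEPT"                      # nothing is inspected on the way out

    def inbound(self, pkt):
        if pkt.dst_port in self.forwards:
            return "ACCEPT"
        if "ACK" in pkt.flags:
            return "ACCEPT"                  # looks like a reply, so trusted
        return "DROP"


class StatefulFilter:
    """Stateful packet inspection: remembers who opened what.

    Assumes a port-preserving NAT (the LAN source port is reused on the WAN
    side), so the state key is simply (remote_ip, remote_port, wan_port).
    """

    def __init__(self, forwards):
        self.forwards = dict(forwards)
        self.conntrack = set()

    def outbound(self, pkt):
        # Record the connection the LAN host opened so its reply is admitted.
        self.conntrack.add((pkt.dst_ip, pkt.dst_port, pkt.src_port))
        return "ACCEPT"

    def inbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.conntrack:
            return "ACCEPT"                  # genuine reply to a tracked flow
        if pkt.dst_port in self.forwards and pkt.flags == SYN:
            self.conntrack.add(key)          # new client of a published server
            return "ACCEPT"
        return "DROP"                        # includes forged 'replies'


def simulate():
    """Run the same packets through both filters; return {scenario: (stateless, stateful)}."""
    forwards = {80: ("192.168.1.20", 80)}   # constructed: web server published on port 80
    basic, spi = StatelessFilter(forwards), StatefulFilter(forwards)
    results = {}

    # 1. A LAN host browses out; the server's SYN-ACK comes back.
    out = Packet("192.168.1.10", 40000, "198.51.100.5", 80, SYN)
    basic.outbound(out)
    spi.outbound(out)
    reply = Packet("198.51.100.5", 80, WAN_IP, 40000, SYN_ACK)
    results["genuine reply"] = (basic.inbound(reply), spi.inbound(reply))

    # 2. Attacker forges an ACK 'reply' at NetBIOS port 139 that nobody asked for.
    forged = Packet("192.0.2.99", 1234, WAN_IP, 139, ACK)
    results["forged reply to 139"] = (basic.inbound(forged), spi.inbound(forged))

    # 3. Plain SYN at a non-forwarded port: NAT alone stops this either way.
    scan = Packet("192.0.2.99", 1235, WAN_IP, 139, SYN)
    results["syn to 139"] = (basic.inbound(scan), spi.inbound(scan))

    # 4. A legitimate client opens a connection to the forwarded web server.
    client = Packet("198.51.100.77", 51000, WAN_IP, 80, SYN)
    results["syn to forwarded 80"] = (basic.inbound(client), spi.inbound(client))

    # 5. Attacker fires ACK-only packets at the forwarded port with no handshake.
    forged80 = Packet("192.0.2.99", 1236, WAN_IP, 80, ACK)
    results["forged reply to 80"] = (basic.inbound(forged80), spi.inbound(forged80))
    return results


if __name__ == "__main__":
    for name, (a, b) in simulate().items():
        print(f"{name:22s} stateless={a:6s} stateful={b}")
```

Scenario 3 is the "NAT is NAT is NAT" case: with no forwarded port and no state, both filters drop an unsolicited SYN. Scenarios 2 and 5 are the cases the thread warns about: a forged packet dressed up as a reply gets through the header-only filter, and a forwarded port admits whatever arrives, while the stateful filter drops both because it never saw the LAN host (or a completed SYN) open that connection.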