Re: [fw-wiz] insecurity in internet connection thro cable modems

From: Brian Ford (brford@cisco.com)
Date: 02/15/03

    To: firewall-wizards@honor.icsalabs.com
    From: Brian Ford <brford@cisco.com>
    Date: Sat, 15 Feb 2003 13:55:37 -0500
    

    Dave,

    >More than likely, NATting a home network behind a Linksys SOHO router would
    >be sufficient.

    Yet another security policy that begins with "more than likely". What
    happens in the "likely" case when someone figures out where you are and
    wants to get at your stuff?

    >Putting in PIX 501's at someone's home would be insane. If you have to
    >administer it, a small Netscreen is much easier than dealing with PIX.

    Gee Dave. Why would it be insane to use a PIX?

    To set up a PIX at home all you need is the PIX. You don't need a PC and
    the setup disk that NetScreen ships.

    The 501 ships with a default "plug and play" configuration that for many
    installs (including folks sitting behind a cable modem) requires no
    modification to get up and running.

    The PIX also supports Cisco AUS (Auto Update Server) so that security
    policy, operating system image, and configuration updates can be securely
    downloaded to the PIX from a central site without end user intervention.

    You said "a small Netscreen is much easier than dealing with PIX". Have
    you really tried both products? Could it be that you just don't like
    PIX? Or that you just don't know about the PIX?

    Liberty for All,

    Brian

    At 12:00 PM 2/15/2003 -0500, firewall-wizards-request@honor.icsalabs.com wrote:
    >Message: 5
    >Date: Fri, 14 Feb 2003 14:03:11 -0700
    >From: Dave Mitchell <dmitchell@viawest.net>
    >To: "Perrymon, Josh L." <PerrymonJ@bek.com>
    >Cc: "'Chapman, Justin T'" <JtChapma@bhi-erc.com>,
    > "'firewall-wizards@honor.icsalabs.com '"
    > <firewall-wizards@honor.icsalabs.com>
    >Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems
    >
    >For normal users I'd recommend some sort of appliance filter or firewall.
    >More than likely, NATting a home network behind a Linksys SOHO router would
    >be sufficient. If you want to do VPNing and what not, I think a Netscreen 5
    >would be the best for the home firewall. Putting in PIX 501's at someone's
    >home would be insane. If you have to administer it, a small Netscreen is
    >much easier than dealing with PIX.
    >
    >-dave
    >
    >On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
    > > Yeah... I ( Security Professional ) would implement IPChains or a PIX @
    > > home...
    > > But don't you think Linux is completely out of the question for a regular
    > > end user?????
    > >
    > > I'm looking for an application based firewall for my VPN users..
    > > So far ZONE ALARM is my choice.. I just wished I could integrate it with
    > > the PIX VPN client like the concentrator can.
    > >
    > >
    > >
    > > Any Ideas??
    > > -JP
    > >
    > > -----Original Message-----
    > > From: Chapman, Justin T [mailto:JtChapma@bhi-erc.com]
    > > Sent: Friday, February 07, 2003 11:29 AM
    > > To: 'firewall-wizards@honor.icsalabs.com '
    > > Subject: RE: [fw-wiz] insecurity in internet connection thro cable
    > > modems
    > >
    > >
    > > >
    > > >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
    > > >http://www.iptables.org would be a better choice.
    > >
    > > Agreed. If it's an option at all, choose iptables over ipchains. It's more
    > > flexible and it's a stateful packet filter, which makes for a "smarter"
    > > firewall. IPtables (and ipchains for that matter) can be a bit intimidating
    > > to work with, especially if you're new to the syntax. If you're going to
    > > "roll your own" firewall, I would suggest searching Google/Freshmeat.net
    > > for "iptables generator". There are plenty of scripts/web frontends/guis
    > > that make creating simple "consumer-grade" firewalls a snap. One that I
    > > particularly like is a cgi-based one at:
    > >
    > > http://morizot.net/firewall/gen/
    > >
    > > Good luck!
    > >
    > > --justin
    > >

    Brian Ford
    Consulting Engineer
    Corporate Consulting Engineering, Office of the Chief Technology Officer
    Cisco Systems, Inc.
    http://www.cisco.com
    e-mail: brford@cisco.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
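
    Editor's added example (not code from the thread, nor from any of the
    generator sites Justin mentions): what the "roll your own" iptables option
    looks like for the cable-modem case the thread is debating. A Linux box
    between the modem and the home LAN does the NAT that Dave would delegate to
    a Linksys, plus the default-deny and state tracking that Justin points out
    ipchains cannot do (ipchains has no connection tracking, so it cannot say
    "only let replies to flows we started back in"). Interface names eth0/eth1,
    the LAN prefix 192.168.1.0/24, and the function names gen_rules,
    count_rules and has_rule are all assumptions of this example.

    ```shell
    #!/bin/sh
    # Added example, not from the original thread: a minimal stateful NAT gateway
    # ruleset for a Linux box behind a cable modem, in iptables-restore format.
    # Assumptions: WAN on eth0, LAN on eth1, LAN prefix 192.168.1.0/24.
    # Override via environment, e.g.  WAN_IF=ppp0 ./fw.sh apply
    set -eu

    WAN_IF="${WAN_IF:-eth0}"
    LAN_IF="${LAN_IF:-eth1}"
    LAN_NET="${LAN_NET:-192.168.1.0/24}"

    # gen_rules: write the complete ruleset to stdout. Keeping the policy in one
    # function means it can be reviewed, or diffed against `iptables-save`
    # output, before it is ever loaded into the kernel.
    gen_rules() {
        cat <<EOF
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    # Hide every LAN host behind whatever address the cable modem hands out.
    -A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
    COMMIT
    *filter
    # Default deny for anything arriving from outside; the box itself may talk out.
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # Anti-spoofing: a packet from the cable side must never claim a LAN source.
    -A INPUT -i ${WAN_IF} -s ${LAN_NET} -j DROP
    -A FORWARD -i ${WAN_IF} -s ${LAN_NET} -j DROP
    # The stateful core ipchains could not express: only traffic belonging to a
    # flow the gateway already tracks gets in. RELATED covers ICMP errors and
    # helper-tracked secondary connections such as FTP data.
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot place in any flow (stray ACKs, scan probes) are dropped.
    -A INPUT -m state --state INVALID -j DROP
    -A FORWARD -m state --state INVALID -j DROP
    -A INPUT -i lo -j ACCEPT
    # The cable provider's DHCP server must be able to answer our lease requests.
    -A INPUT -i ${WAN_IF} -p udp --sport 67 --dport 68 -j ACCEPT
    # LAN hosts may reach the gateway itself and may initiate flows to the Internet.
    -A INPUT -i ${LAN_IF} -s ${LAN_NET} -j ACCEPT
    -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
    # Everything else from the WAN is logged (rate-limited) and falls to the DROP policy.
    -A INPUT -i ${WAN_IF} -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
    -A FORWARD -i ${WAN_IF} -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
    COMMIT
    EOF
    }

    # count_rules: number of rule lines (-A ...) in the generated set; a cheap
    # sanity check that the heredoc was not truncated by an edit.
    count_rules() {
        gen_rules | grep -c '^-A '
    }

    # has_rule PATTERN: succeed if some line of the generated set matches PATTERN.
    has_rule() {
        gen_rules | grep -q -- "$1"
    }

    case "${1:-show}" in
        show) gen_rules ;;
        # iptables-restore swaps the whole table set in one step, so there is
        # never a window with a half-built (and therefore permissive) ruleset.
        apply)
            sysctl -q -w net.ipv4.ip_forward=1
            gen_rules | iptables-restore
            ;;
        *) echo "usage: $0 [show|apply]" >&2; exit 2 ;;
    esac
    ```

    Run it with no argument to print the ruleset for review, and with `apply`
    (as root) to load it atomically. The order matters: the anti-spoof drops sit
    before the ESTABLISHED,RELATED accept so a forged LAN-source packet can
    never ride in on tracked state, and the LOG rules sit last so only traffic
    that is about to hit the DROP policy is logged. Note that `-m state` is the
    older spelling still accepted by current iptables; `-m conntrack --ctstate`
    is the equivalent on modern kernels.
    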


