RE: [fw-wiz] Home Environment Cisco

From: Ben Nagy (ben_at_iagu.net)
Date: 05/29/03

  • Next message: Chuck Swiger: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
    To: <salgak@speakeasy.net>, <nathan.grandbois@cerdant.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 29 May 2003 22:26:10 +0200
    

    Curmudgeon time.

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of salgak@speakeasy.net
    > Sent: Thursday, May 29, 2003 9:39 PM
    > To: nathan.grandbois@cerdant.com; firewall-wizards@honor.icsalabs.com
    >
    > > -----Original Message-----
    > > From: Nathan [mailto:nathan.grandbois@cerdant.com]
    [...]
    > > I seek your advice regarding which Cisco router to choose, if any. I know
    > > this is a firewall list, but [...]

    > > He has a Solaris ultra 60, and two win98 workstations at home he wants
    > > to be able to communicate, as well as have access to the internet (NAT).

    Win98?? C'mon. Let's try a real OS if we're going to ask questions on a
    security list, shall we? ;)

    > > I can worry about the details of the internal network, so my question
    > > is, which cisco router should I get for this purpose. I really know
    > > nothing about Cisco, and don't feel like searching through all the
    > > different models and prices if someone knows the "base" cisco router.
    > > Any suggestions would be nice, I can do the homework from there, I just
    > > need some model numbers to look at.

    How about letting us know the one important thing, which is what kind of WAN
    interface you want?

    > Pick up a used 1600 or 2500 series router on EBay or
    > whichever other online auction service you prefer.

    Or not.

    The 1600 was a nice box, given the single module support, but it's not going
    to do fancy VPN or voice stuff. I also don't know if even ADSL is supported
    as a module yet. The 2500 is...um... I love the 2500, the same way mechanics
    love classic cars. If all else fails you can use it as a weapon in a pinch.

    I would look at a 1720 / 1750 or its kin, unless you need cable, where my
    knowledge of the models gets hazy. The 17xx series will do pretty much
    anything with the right modules. Make sure you get one with more than the
    basic level of flash and RAM. This will be critical for running IOS versions
    that support Cool Stuff.

    Do not get a 6xx series - they don't run IOS, and they will probably give
    you SARS.

    > Coupla
    > hundred bucks, max. THEN get a support contract from Cisco,
    > so you can get the latest IOS, access to updates, etc.
    >
    > Caveat: learning one Cisco router is not enough. You also
    > need to learn switches, etc. I'd spend cash on Cisco
    > simulation software as a better way to learn Cisco. . .
    >
    > Reminder: a 50-dollar router from BestBuy also includes a
    > Firewall. A Cisco 1600 or 2500-series will not. And NAT is
    > NOT a firewall.

    We love it when people speak their mind. That's just peachy. It's even
    better when they say things that have some basis in reality, but I guess you
    can't have everything.

    If you seriously think that a 50 buck Bestbuy router can compare to the
    security features in even the absolute base model Cisco IOS box then you are
    insane. Not to mention that you can get the IOS firewall feature set which,
    although not amazing, is pretty good. Please read about ACLs, CBAC (in base
    IOS) and then IOS/FW.

    I'm not going to run over the NAT / FW discussion again, I think my opinion
    on the matter is pretty well documented in the archives, but I am more than
    happy to use _dynamic_ NAT as a pretty effective security mechanism for home
    users. I do normally back it up with ACLs anyway, but that's just out of
    general principle.

    ben

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
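As an added illustration of the dynamic-NAT point Ben makes above (not code from the thread or from Cisco): a toy Python model in which outbound flows create translation entries keyed on the remote peer, inbound packets are admitted only when they match such an entry, and a small inbound ACL is checked first, the "back it up with ACLs" habit. Addresses, ports and the ACL rule are constructed; the ACL handling is simplified relative to real IOS, where an inbound ACL carries an implicit deny and something like CBAC is needed to admit return traffic through it.

```python
# Constructed example: a toy PAT ("ip nat ... overload") table with an inbound ACL.
from dataclasses import dataclass, field

INSIDE_NET = "192.168.1."   # constructed inside LAN prefix
OUTSIDE_IP = "203.0.113.7"  # constructed router WAN address
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NatRouter:
    # (outside_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)
    next_port: int = 1024
    # inbound ACL entries (action, dport), first match wins; unmatched packets
    # fall through to the translation lookup (simpler than real IOS ordering)
    inbound_acl: list = field(default_factory=list)

    def outbound(self, pkt):
        """Inside -> outside: reuse or create a translation, rewrite the source."""
        for (oport, rip, rport), inside in self.table.items():
            if inside == (pkt.src, pkt.sport) and (rip, rport) == (pkt.dst, pkt.dport):
                return Packet(OUTSIDE_IP, oport, pkt.dst, pkt.dport)
        oport, self.next_port = self.next_port, self.next_port + 1
        self.table[(oport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(OUTSIDE_IP, oport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: ACL first, then require a matching translation."""
        for action, dport in self.inbound_acl:
            if dport is None or dport == pkt.dport:
                if action == "deny":
                    return None
                break
        inside = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None  # no inside host ever talked to this peer: dropped
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])

def demo():
    r = NatRouter(inbound_acl=[("deny", 23)])  # constructed: drop inbound telnet
    out = r.outbound(Packet("192.168.1.10", 40000, "198.51.100.5", 80))
    reply = r.inbound(Packet("198.51.100.5", 80, OUTSIDE_IP, out.sport))
    unsolicited = r.inbound(Packet("198.51.100.9", 5555, OUTSIDE_IP, out.sport))
    telnet = r.inbound(Packet("198.51.100.5", 80, OUTSIDE_IP, 23))
    return reply, unsolicited, telnet
```

The unsolicited packet is dropped even though it hits the allocated outside port, because the entry is keyed on the peer that the inside host actually contacted; the telnet packet never reaches the table because the ACL rejects it first.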

