Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Randy Grimshaw (rgrimsha_at_syr.edu)
Date: 05/30/03
- Previous message: hermit921: "RE: [fw-wiz] Home Environment Cisco"
- Maybe in reply to: Hugh Blandford: "[fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <hugh@island.net.au>, <proberts@patriot.net>, <Bill@royds.net>
Date: Fri, 30 May 2003 13:33:02 -0400
I did this at home also (using DI-604 firewall rules) but need to add these cautions: you are only allowed about 9 rules (including the lowest-priority deny-all, due to memory limits), and you cannot also use internal MAC filtering at the same time. (It was still allowing AIM traffic to defined hosts, which only last night's correction seems to have stopped, so I cannot completely vouch for the unit pending further results.) But it does allow firewall rules by timer, so I have outbound DNS, SMTP, POP3 and NTP defined with ACLs and HTTP, HTTPS, SSH and AIM scheduled... period.
<><Randall
<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY 13244
315-443-5779
rgrimsha@syr.edu
>>> "Bill Royds" <Bill@royds.net> 05/29/03 07:24PM >>>
I use a D-Link cable modem switch at home. I have looked at it fairly
carefully as a firewall and it seems to be reasonable for an outbound-only
network.
It has a default "deny all incoming, allow all outgoing" rule set, but does
allow one to tighten that by switching to deny all out with exceptions in a
table. It logs attempts to connect from outside (but only to a ring buffer
that overwrites the earliest entries). It handles FTP properly and can act as a
DHCP client to the ISP and DHCP server to the LAN.
For $90 CAN, it is a heck of a lot safer than connecting directly to the
Internet or even a box that just does NAT.
Of course, you should also be running other security like host-based NIDS
and virus scanners on the hosts behind the box. I was running Snort behind
it but only found one or two alerts a day and then only on traffic that was
allowed through (IRC).
----- Original Message -----
From: "Paul Robertson" <proberts@patriot.net>
To: "Hugh Blandford" <hugh@island.net.au>
Cc: <firewall-wizards@honor.icsalabs.com>
Sent: Wednesday, May 28, 2003 9:31 AM
Subject: Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
: On Wed, 28 May 2003, Hugh Blandford wrote:
:
: > Hi Paul et al.,
: >
: > I recognise what you are saying, but what I was trying to understand was,
: > are the low-end appliance 'firewalls' really providing much more security
: > than NAT? In a small office/home situation if people are going to use IRC,
:
: My point was that they're able to provide more security- but if you're
: going to align a security policy with a NAT device, then you're giving up
: a large part of the point of having a firewall. If we, as a community can
: get people to use *firewalls* for *firewalling* then we'll have done both
: ourselves and everyone else a better service than to say "oh, just use
: anything that'll let you connect."
:
: > they would just reconfigure their firewall to do so, after all they own it.
: > I was just trying to get all the 'block xyz outbound' issues out of the way.
: >
: > Can NAT sessions be hijacked or somehow abused to give access to the
: > internal network? There is the case of visiting a hostile website and
: > "inviting in" some problematic programs, but apart from that are the
: > appliance based firewalls doing more than that?
:
: In general, NAT-based things aren't written for security, they're written
: for network re-mapping, so there can be things that escape the author that
: a firewall author shouldn't miss (or may have tested by a 3rd party for some
: level of assurance.[1])
:
: Firewalls should handle things like source routed packets, overlapping
: fragments, etc. They also may handle things like VPNs, authentication,
: "enterprise" policy enforcement, etc.
:
:
: Paul
: [1.] Obviously, I'm highly biased about which certification program a
: firewall should pass to be on the market. My employer owns ICSA Labs,
: this list is hosted from there, etc.
: -----------------------------------------------------------------------------
: Paul D. Robertson          "My statements in this message are personal opinions
: proberts@patriot.net        which may have no basis whatsoever in fact."
: probertson@trusecure.com    Director of Risk Assessment, TruSecure Corporation
:
: _______________________________________________
: firewall-wizards mailing list
: firewall-wizards@honor.icsalabs.com
: http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
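Paul's remark above, that a firewall (unlike a NAT box written only for address re-mapping) should handle source-routed packets and overlapping fragments, as an added example that is not part of the thread and not code from any of the products mentioned: a minimal Python packet filter that rejects IPv4 datagrams carrying a loose or strict source-route option (LSRR 0x83 / SSRR 0x89) and drops a fragment whose byte range overlaps data already seen for the same datagram. The addresses, packets and verdict strings are constructed for the demonstration; IP checksums are left zero and not validated.

```python
import struct
from collections import defaultdict

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89          # loose / strict source route
IP_MF = 0x2000                               # "more fragments" flag bit


def build_ipv4(src, dst, ident, offset, mf, payload, options=b"", proto=17):
    """Build a raw IPv4 packet for the demo (checksum left zero; not validated)."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    flags_frag = (IP_MF if mf else 0) | (offset // 8)
    total = 20 + len(opts) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + opts + payload


def parse_ipv4(pkt):
    """Parse the fixed header and option bytes of a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _total, ident, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return {
        "id": ident, "proto": proto, "src": src, "dst": dst,
        "mf": bool(frag & IP_MF),
        "offset": (frag & 0x1FFF) * 8,        # fragment offset is in 8-byte units
        "options": pkt[20:ihl],
        "payload_len": len(pkt) - ihl,        # bytes actually present, not Total Length
    }


def has_source_route(options):
    """Walk the IP option list; True if an LSRR or SSRR option is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        i += length
    return False


class FragmentTracker:
    """Remembers the byte ranges seen per datagram and flags overlaps."""

    def __init__(self):
        self.seen = defaultdict(list)         # (src, dst, id, proto) -> [(start, end)]

    def check(self, hdr):
        if not hdr["mf"] and hdr["offset"] == 0:
            return "ok"                       # not a fragment at all
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        start, end = hdr["offset"], hdr["offset"] + hdr["payload_len"]
        for s, e in self.seen[key]:
            if start < e and s < end:         # byte ranges intersect
                return "overlap"
        self.seen[key].append((start, end))
        return "ok"


def filter_packet(pkt, tracker):
    """Return a verdict for one packet: 'pass' or 'drop:<reason>'."""
    try:
        hdr = parse_ipv4(pkt)
        if has_source_route(hdr["options"]):
            return "drop:source-route"
    except ValueError:
        return "drop:malformed"
    if tracker.check(hdr) == "overlap":
        return "drop:overlapping-fragment"
    return "pass"


# Constructed sample traffic (documentation addresses, not captured packets).
SRC, DST = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])
LSRR_OPT = bytes([IPOPT_LSRR, 7, 4]) + bytes([10, 0, 0, 1])   # type, len, ptr, one hop
SAMPLE = [
    build_ipv4(SRC, DST, 1, 0, False, b"A" * 16),                    # plain datagram
    build_ipv4(SRC, DST, 2, 0, False, b"B" * 16, options=LSRR_OPT),  # source-routed
    build_ipv4(SRC, DST, 3, 0, True, b"C" * 16),                     # fragment, bytes 0-15
    build_ipv4(SRC, DST, 3, 8, False, b"D" * 16),                    # bytes 8-23: overlaps
    build_ipv4(SRC, DST, 3, 16, False, b"E" * 16),                   # bytes 16-31: clean
]


def demo():
    """Run the sample through the filter and return the verdict per packet."""
    tracker = FragmentTracker()
    return [filter_packet(p, tracker) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, demo()):
        h = parse_ipv4(pkt)
        print(f"id={h['id']:<2} offset={h['offset']:<3} {verdict}")
```

The overlap check is the part a NAT-only box has no reason to implement: it rewrites addresses and ports on the first fragment and forwards the rest by ID, so an overlapping fragment that the end host's stack reassembles differently from any inspection device passes straight through. Dropping on overlap (rather than picking "first wins" or "last wins") avoids having to guess which reassembly policy the host behind the box uses.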