RE: [fw-wiz] Home Environment Cisco

From: Noonan, Wesley (Wesley_Noonan_at_bmc.com)
Date: 05/30/03

  • Next message: R. DuFresne: "RE: [fw-wiz] Home Environment Cisco"
    To: "'hermit921'" <hermit921@yahoo.com>, firewall-wizards@honor.icsalabs.com
    Date: Fri, 30 May 2003 16:23:54 -0500
    

    Filtering outbound... stateful inspection... DoS controls in place... proxy
    filtering... SMURF, Flood, Teardrop, Land and exploit prevention, most of
    the ICSA labs requirements... other than that, it sounds great!! :-(

    Sometimes I think that GRC, NMap and Nessus are the worst security tools out
    there. People run them, get negatives and think "wow, I must really be doing
    great". Unfortunately it seems that a lot of folks seem to think that as
    long as GRC "Shields UP" says everything looks good, it is.

    I really wish the NAT proponents would read the RFC where the authors
    themselves condemn NAT as a security solution in and of itself. It is a
    great component of a security solution, but it is not alone a solution. If
    the folks that authored it realize this, no offense but I doubt any of us
    here are bright enough to find a flaw in that logic.

    Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    Senior QA Rep.
    BMC Software, Inc.
    (713) 918-2412
    wnoonan@bmc.com
    http://www.bmc.com

    > -----Original Message-----
    > From: hermit921 [mailto:hermit921@yahoo.com]
    > Sent: Friday, May 30, 2003 12:29
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] Home Environment Cisco
    >
    > Given all this discussion, I have to ask about NAT. I have a small Netgear
    > DSL router (using NAT) at home. I consider it a great firewall because it
    > doesn't let in any packets at all when I run nmap scans from the
    > outside. It syslogs to my unix machine. What more could I want in a
    > firewall for a home environment?
    >
    > hermit921
    >
    > At 10:26 PM 5/29/2003 +0200, Ben Nagy wrote:
    > > > -----Original Message-----
    > > > From: firewall-wizards-admin@honor.icsalabs.com
    > > > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > > > Of salgak@speakeasy.net
    > > > Sent: Thursday, May 29, 2003 9:39 PM
    > > > To: nathan.grandbois@cerdant.com; firewall-wizards@honor.icsalabs.com
    > > >
    > > > > -----Original Message-----
    > > > > From: Nathan [mailto:nathan.grandbois@cerdant.com]
    > > > > He has a Solaris ultra 60, and two win98 workstations at
    > > > > home he wants to be able to communicate, as well as have access to the
    > > > > internet (NAT).
    > >[deleted]
    > > >
    > > > Reminder: a 50-dollar router from BestBuy also includes a
    > > > Firewall. A Cisco 1600 or 2500-series will not. And NAT is
    > > > NOT a firewall.
    > >
    > >[deleted]
    > >
    > >I'm not going to run over the NAT / FW discussion again, I think my opinion
    > >on the matter is pretty well documented in the archives, but I am more than
    > >happy to use _dynamic_ NAT as a pretty effective security mechanism for home
    > >users. I do normally back it up with ACLs anyway, but that's just out of
    > >general principle.
    > >
    > >ben
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards