RE: [fw-wiz] Home Environment Cisco
From: Noonan, Wesley (Wesley_Noonan_at_bmc.com)
To: "'hermit921'" <email@example.com>, firstname.lastname@example.org
Date: Fri, 30 May 2003 16:23:54 -0500

Filtering outbound... stateful inspection... DoS controls in place... proxy
filtering... SMURF, Flood, Teardrop, Land and exploit prevention, most of
the ICSA labs requirements... other than that, it sounds great!! :-(

Sometimes I think that GRC, NMap and Nessus are the worst security tools out
there. People run them, get negatives and think "wow, I must really be doing
great". Unfortunately it seems that a lot of folks seem to think that as
long as GRC "Shields UP" says everything looks good, it is.

I really wish the NAT proponents would read the RFC where the authors
themselves condemn NAT as a security solution in and of itself. It is a
great component of a security solution, but it is not alone a solution. If
the folks that authored it realize this, no offense but I doubt any of us
here are bright enough to find a flaw in that logic.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.

> -----Original Message-----
> From: hermit921 [mailto:email@example.com]
> Sent: Friday, May 30, 2003 12:29
> To: firstname.lastname@example.org
> Subject: RE: [fw-wiz] Home Environment Cisco
> Given all this discussion, I have to ask about NAT. I have a small
> DSL router (using NAT) at home. I consider it a great firewall because it
> doesn't let in any packets at all when I run nmap scans from the
> outside. It syslogs to my unix machine. What more could I want in a
> firewall for a home environment?
> At 10:26 PM 5/29/2003 +0200, Ben Nagy wrote:
> > > -----Original Message-----
> > > From: email@example.com
> > > [mailto:firstname.lastname@example.org] On Behalf
> > > Of email@example.com
> > > Sent: Thursday, May 29, 2003 9:39 PM
> > > To: firstname.lastname@example.org; email@example.com
> > >
> > > > -----Original Message-----
> > > > From: Nathan [mailto:firstname.lastname@example.org]
> > > > He has a Solaris ultra 60, and two win98 workstations at
> > > > home he wants to be able to communicate, as well as have access to
> > > > internet (NAT).
> > >
> > > Reminder: a 50-dollar router from BestBuy also includes a
> > > Firewall. A Cisco 1600 or 2500-series will not. And NAT is
> > > NOT a firewall.
> > I'm not going to run over the NAT / FW discussion again, I think my
> > on the matter is pretty well documented in the archives, but I am more
> > happy to use _dynamic_ NAT as a pretty effective security mechanism for
> > users. I do normally back it up with ACLs anyway, but that's just out of
> > general principle.
> firewall-wizards mailing list