FW: [fw-wiz] Home Environment Cisco
From: Noonan, Wesley (Wesley_Noonan_at_bmc.com)
Date: 05/31/03
- Previous message: Douglas J Hunley: "Re: [fw-wiz] checkpoint port-redirection question"
- Maybe in reply to: Nathan: "[fw-wiz] Home Environment Cisco"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Sat, 31 May 2003 09:28:33 -0500
This occurred offlist, but I thought it was a good conversation and hermit
agreed to posting it back onlist.
In regards to your statement about running OSX at home and not being too
worried about your systems being compromised, I will just say "famous last
words". Also, in the context of the "normal" home user, this is not the
case, which puts us squarely back at the reasons that NAT does not replace a
firewall as a security device.
Thanks.
Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com
-----Original Message-----
From: hermit921 [mailto:hermit921@yahoo.com]
Sent: Friday, May 30, 2003 18:28
To: Noonan, Wesley
Subject: RE: [fw-wiz] Home Environment Cisco
Go ahead and put it on the list if you like. Since I have Macs - OSX - at
home and none of them offer services and I don't open attachments, etc,
etc, I am not too worried about my systems being compromised. For the
firewall I manage at work, I do block outbound because who knows
what **those** bozos might do.
hermit921
At 05:57 PM 5/30/2003 -0500, Noonan, Wesley wrote:
>If anything goes out, and your system gets compromised, you are correct, you
>only have yourself to blame. With that being said, if your system is compromised,
>and because anything goes it is able to be used to attack something else,
>then that is just not cool to put it bluntly. We all have an obligation to
>not only protect ourselves from the outside, but to protect the outside from
>us. Security is not simply a question of protecting ourselves; with the
>world's networks interconnected the way that they are, we have an obligation
>to protect others from us as well. Simply put, you need to care about
>outgoing connections as well. I think that is what you are missing.
>
>I would like to put this back on list if you don't mind. You raise a valid
>question which I think is worth sharing with the group. Let me know so I can
>forward the email accordingly.
>
>Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
>Senior QA Rep.
>BMC Software, Inc.
>(713) 918-2412
>wnoonan@bmc.com
>http://www.bmc.com
>
>
> > -----Original Message-----
> > From: hermit921 [mailto:hermit921@yahoo.com]
> > Sent: Friday, May 30, 2003 17:02
> > To: Noonan, Wesley
> > Subject: RE: [fw-wiz] Home Environment Cisco
> >
> > Question off list. I was quite serious - as long as my little Netgear
> > doesn't accept any incoming connections, how much better can I be
> > protected? Since I am the only person behind the box, I don't care about
> > outgoing connections - anything goes wrong and I can only blame
> > myself. You imply there is a significant gap in my understanding, and
> > there may be, but could you tell me what I am missing?
> >
> > Thanks,
> > hermit921
> >
> > At 04:23 PM 5/30/2003 -0500, Noonan, Wesley wrote:
> > >Filtering outbound... stateful inspection... DoS controls in place... proxy
> > >filtering... SMURF, Flood, Teardrop, Land and exploit prevention, most of
> > >the ICSA labs requirements... other than that, it sounds great!! :-(
> > >
> > >Sometimes I think that GRC, NMap and Nessus are the worst security tools out
> > >there. People run them, get negatives and think "wow, I must really be doing
> > >great". Unfortunately it seems that a lot of folks seem to think that as
> > >long as GRC "Shields UP" says everything looks good, it is.
> > >
> > >I really wish the NAT proponents would read the RFC where the authors
> > >themselves condemn NAT as a security solution in and of itself. It is a
> > >great component of a security solution, but it is not alone a solution. If
> > >the folks that authored it realize this, no offense but I doubt any of us
> > >here are bright enough to find a flaw in that logic.
> > >
> > >Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
> > >Senior QA Rep.
> > >BMC Software, Inc.
> > >(713) 918-2412
> > >wnoonan@bmc.com
> > >http://www.bmc.com
> > >
> > >
> > > > -----Original Message-----
> > > > From: hermit921 [mailto:hermit921@yahoo.com]
> > > > Sent: Friday, May 30, 2003 12:29
> > > > To: firewall-wizards@honor.icsalabs.com
> > > > Subject: RE: [fw-wiz] Home Environment Cisco
> > > >
> > > > Given all this discussion, I have to ask about NAT. I have a small Netgear
> > > > DSL router (using NAT) at home. I consider it a great firewall because it
> > > > doesn't let in any packets at all when I run nmap scans from the
> > > > outside. It syslogs to my unix machine. What more could I want in a
> > > > firewall for a home environment?
> > > >
> > > > hermit921
> > > >
> > > > At 10:26 PM 5/29/2003 +0200, Ben Nagy wrote:
> > > > > > -----Original Message-----
> > > > > > From: firewall-wizards-admin@honor.icsalabs.com
> > > > > > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> > > > > > Of salgak@speakeasy.net
> > > > > > Sent: Thursday, May 29, 2003 9:39 PM
> > > > > > To: nathan.grandbois@cerdant.com; firewall-wizards@honor.icsalabs.com
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Nathan [mailto:nathan.grandbois@cerdant.com]
> > > > > > > He has a Solaris ultra 60, and two win98 workstations at
> > > > > > > home he wants to be able to communicate, as well as have access to the
> > > > > > > internet (NAT).
> > > > >[deleted]
> > > > > >
> > > > > > Reminder: a 50-dollar router from BestBuy also includes a
> > > > > > Firewall. A Cisco 1600 or 2500-series will not. And NAT is
> > > > > > NOT a firewall.
> > > > >
> > > > >[deleted]
> > > > >
> > > > >I'm not going to run over the NAT / FW discussion again, I think my opinion
> > > > >on the matter is pretty well documented in the archives, but I am more than
> > > > >happy to use _dynamic_ NAT as a pretty effective security mechanism for home
> > > > >users. I do normally back it up with ACLs anyway, but that's just out of
> > > > >general principle.
> > > > >
> > > > >ben
> > > >
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
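The mechanism the thread is arguing about, as an added worked example (this is not code from the thread, and not the behaviour of any particular Netgear or Cisco product): a toy model of a dynamic, port-overloading NAT gateway. Outbound packets create translation state and unsolicited inbound packets match nothing, so an outside nmap scan gets no response, which is exactly what hermit921 observed. The same box, however, translates and forwards whatever an inside host sends out, which is Wes's point about a compromised host attacking someone else. A second instance puts an egress ACL in front of the translation step, the "back it up with ACLs" that Ben mentions. The addresses (RFC 5737 documentation ranges), port numbers, allowed-service list and host roles are all assumptions made for the example.

```python
"""Toy model of a dynamic (port-overloading) NAT gateway, with and without an
egress ACL.  Constructed illustration for the NAT-vs-firewall discussion; it
is not the behaviour of any real Netgear or Cisco device."""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."      # assumed home LAN prefix
OUTSIDE_ADDR = "203.0.113.10"  # assumed public address (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class DynamicNat:
    """Outbound packets create a translation; inbound packets are forwarded
    only if they hit an existing one.  Like a full-cone NAT, the model does
    not check who the inbound sender is, only the mapped port; a stateful
    firewall would also match the remote address and port."""

    def __init__(self, egress_acl=None):
        # Default policy: anything goes out (the NAT-only case in the thread)
        self.egress_acl = egress_acl or (lambda pkt: True)
        self.table = {}      # (inside_ip, inside_port, proto) -> public port
        self.reverse = {}    # (public port, proto) -> (inside_ip, inside_port)
        self.next_port = 1024

    def from_inside(self, pkt):
        """Translate an outbound packet; None if the egress ACL drops it."""
        if not self.egress_acl(pkt):
            return None
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.proto)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(OUTSIDE_ADDR, self.table[key], pkt.dst, pkt.dport, pkt.proto)

    def from_outside(self, pkt):
        """Un-translate an inbound packet; None if there is no matching state."""
        if pkt.dst != OUTSIDE_ADDR:
            return None
        inside = self.reverse.get((pkt.dport, pkt.proto))
        if inside is None:
            return None  # unsolicited: all an outside nmap scan ever sees
        return Packet(pkt.src, pkt.sport, inside[0], inside[1], pkt.proto)


def scan_from_outside(nat, ports):
    """Simulated outside SYN scan; returns the ports that reached an inside host."""
    return [p for p in ports
            if nat.from_outside(Packet("198.51.100.7", 40000 + p, OUTSIDE_ADDR, p))]


def home_egress_policy(pkt):
    """Assumed outbound ACL: inside clients may do DNS, HTTP(S) and SSH only.
    Direct SMTP and IRC from a desktop, classic relay/bot traffic, are denied."""
    allowed = {(53, "udp"), (53, "tcp"), (80, "tcp"), (443, "tcp"), (22, "tcp")}
    return pkt.src.startswith(INSIDE_NET) and (pkt.dport, pkt.proto) in allowed


def demo():
    nat_only = DynamicNat()
    nat_plus_acl = DynamicNat(egress_acl=home_egress_policy)
    ports = [21, 22, 25, 80, 135, 139, 443, 445, 3389]
    # A compromised inside host relaying spam over direct SMTP, versus a browser
    bot = Packet(INSIDE_NET + "20", 51000, "192.0.2.25", 25)
    browse = Packet(INSIDE_NET + "20", 51001, "192.0.2.80", 443)
    return {
        "scan_nat_only": scan_from_outside(nat_only, ports),
        "scan_nat_acl": scan_from_outside(nat_plus_acl, ports),
        "bot_smtp_nat_only": nat_only.from_inside(bot) is not None,
        "bot_smtp_nat_acl": nat_plus_acl.from_inside(bot) is not None,
        "browse_nat_acl": nat_plus_acl.from_inside(browse) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both instances show an empty scan result from the outside, so a clean nmap or "Shields UP" run cannot distinguish them; only the egress policy stops the inside host's outbound SMTP while still letting its HTTPS through. That is the gap between "no inbound connections accepted" and "a firewall".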