Re: How safe is WinRoute?
From: eri (eric[no_spam)
Date: 01/22/02
From: eric[no_spam]@pmcipa.com Date: Tue, 22 Jan 2002 03:33:08 GMT
On Wed, 16 Jan 2002 10:50:04 -0500, "Sue Gier" <suegier@shentel.net>
wrote:
>1. If I set up the packet filtering correctly, will that along with the NAT
>in WinRoute be adequate to protect a small NT network? I have no html or ftp
>servers on the LAN. I do plan to use the Mail server in WinRoute.
WinRoute is an adequate firewall for very small networks, even if Tiny
Software fudges the truth a bit when they say that it is stateful.
What they mean by stateful is simple packet filtering based on ACK and
SYN flags--which is not stateful filtering at all. I chewed them out
about this once and their reaction was "Oh well." Also, the product
claims to operate "below" the Windows NT protocol stack, which they
say allows it to start up before any of the other communications
services, making the system more secure. This, too, is not true.
Simply do a continuous ping to a WinRoute machine during the boot
process and you will observe replies for a short period before the
WinRoute service starts. This demonstrates that a WinRoute machine is
at least partially vulnerable for a period during boot. This leads to
the biggest problem with WinRoute. It does not "fail closed," which is
to say that if something goes wrong with the WinRoute service and it
fails to start, then it can leave the host wide open. Ugh.
>
>2. Does it make a difference security-wise whether I run WinRoute on my
>main file server that has sensitive data or on a workstation?
>
Yes it makes a difference because of the "fail open" problem above and
various other issues such as system overhead, difficulty of
administration and troubleshooting and other stuff. Plus it's just not
done. You want a cheap 133MHz machine with 64MB RAM running WinRoute
between you and the Internet. Believe it or not, such a machine is
perfectly adequate for that application and is available on eBay for
about $50.00.
Better yet, buy a NetScreen firewall appliance for about $300.00 on
eBay. These ASIC-based, stateful firewalls make WinRoute look silly
and provide lots of functionality that WinRoute does not, including
IPSEC VPN. (WinRoute claims to support IPSEC, but they just mean that
it passes through. That's a far cry from being a VPN gateway.) That's
why I ditched WinRoute and bought a bunch of NetScreens.
Oh, and I just remembered one other problem I had with WinRoute. It did
not handle FTP very well. I had to switch my browsers to passive mode
to make FTP work. Again, yuck.
After all that, if you want WinRoute, I'll make you a great deal on
WinRoute Pro 4.0, 10-User.
--Eric
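
The distinction the post draws between ACK/SYN flag filtering and stateful filtering, as an added example that is not part of the original message and is not WinRoute's code. It assumes a generic "drop inbound bare SYN" rule as the flag filter and a simplified connection table as the stateful filter; the packets are constructed samples.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags inbound")

def flag_filter(pkt):
    """Stateless rule: drop inbound segments that are a bare SYN, pass the rest."""
    if not pkt.inbound:
        return True
    return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)

class StatefulFilter:
    """Passes inbound segments only for connections opened from the inside.
    Simplified: no sequence-number checks, timeouts or FIN handling."""
    def __init__(self):
        self.table = {}  # (lan_ip, lan_port, wan_ip, wan_port) -> state

    def check(self, pkt):
        if not pkt.inbound:
            if pkt.flags == {"SYN"}:
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False  # no matching outbound connection
        if state == "SYN_SENT":
            if pkt.flags != {"SYN", "ACK"}:
                return False
            self.table[key] = "ESTABLISHED"
            return True
        if "RST" in pkt.flags:
            del self.table[key]
        return "SYN" not in pkt.flags

# Constructed sample traffic (RFC 5737 / RFC 1918 addresses).
SAMPLE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, frozenset({"SYN"}), False),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, frozenset({"SYN", "ACK"}), True),
    Packet("198.51.100.7", 80, "192.168.1.10", 40001, frozenset({"ACK"}), True),
    Packet("198.51.100.7", 5555, "192.168.1.10", 139, frozenset({"SYN"}), True),
]

def compare(packets):
    """Return (flag_filter verdict, stateful verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(flag_filter(p), sf.check(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(sorted(pkt.flags), "inbound" if pkt.inbound else "outbound", verdicts)
```

The third sample packet, an inbound ACK that belongs to no connection opened from the LAN, is where the two filters disagree.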