Re: firewalls (was Re: AGP)

From: Duane Arnold (darnold92@Insightbb.com)
Date: 08/08/02


From: "Duane Arnold" <darnold92@Insightbb.com>
Date: Thu, 08 Aug 2002 04:55:32 GMT

I feel for you as my thoughts turn towards the REDS. However, that is why I
think IDS such as BlackIce with its IDS/firewall or something like Snort/IDS
would come into play on public or forwarded ports by the router. I am not
saying that IDS is a cure-all, but at least it's a little something extra in
the protection locally on the machine.

I don't know how many times I have seen a post where a person has Web services
running, no router/NAT or NAT period, and something like cheesecloth ZA,
Outpost, Norton, Tiny etc. etc. sitting in front of the services. I am not a
security expert, but I do know better than that, along with keeping Critical
Updates up to date.

Well, time for bed. Hey, look at it this way, football season will be upon us
soon and maybe my RAIDERS will do some damage this year and get lucky.

Duane

"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:frh3lu4j98a54b5tlplj488r50rjvea9rc@4ax.com...
> On Wed, 07 Aug 2002 11:33:24 GMT, Duane Arnold spoketh
>
> >I don't see how anyone can mis-configure a Linksys router. For the most
> >part, NAT on the Linksys router will protect the average home user. But I
> >was not the one saying that the router had a firewall, and the router was
> >the end all solution either.
> >
> >The line is becoming more and more blurred every day as to what home users
> >can do with their home network and what is happening in a corporate
> >environment along these same lines.
> >
> >Like me and my little home network where I am setting up my FTP/Website. I
> >am keenly aware that the router's NAT and its SPI are not going to protect
> >the machine while the port is open to the public. One had better have some
> >additional defenses in place to protect it.
> >
> >But for someone to say that all they need is the router to protect their
> >network is being a little naive.
> >
> >There are many ways to protect the network and I only know a few of them,
> >but who cares how it's done as long as it is being done.
> >
>
> Even my very expensive Raptor firewall doesn't protect the computer it
> forwards services for, at least not for the services it does not have a
> proxy for. If SSH is poorly configured on an exposed host behind a
> Raptor, the Raptor will do nothing to protect it. The same holds true
> for the Linksys routers (and all similar routers, SMC, Netgear,
> whatever) as well. Once packets are allowed through the firewalls
> through port forwarding (also called public servers, service redirects
> and virtual servers, depending on product), the exposed host is left
> vulnerable to any and all exploits of the service in question.
>
> For most home users, a simple device such as the Linksys BEFSR does a
> good job without the addition of any software firewalls on the hosts.
> Even for those who run web or ftp servers, these little routers are
> sufficient.
>
> As for the BEFSX41, it appears to have a few additional features such as
> protection against PoD attacks, SYN flood and other DoS attacks. How
> necessary these are is a matter of opinion ... I have never seen a DoS
> attack on any of my firewalls over the past 3 years ... I've seen
> script-kiddies with their lame (sic) scripts, but no PoDs or SYN floods.
>
> There is a little too much hysteria surrounding this whole security
> thing. It's absolutely a good thing that people want to protect their
> computers to prevent their computers from being used as tools for
> others. However, for home users to load up with a hardware firewall and
> two or even three personal firewalls on their computers is total
> overkill, especially when the user has no idea what they are
> protecting, what they are protecting it against, and what a "ping" is.
> Of course, getting advice from perfect strangers with badly chosen aliases
> on a Usenet group doesn't always make things better.
>
> Sorry for the rant ... the Red Sox are losing again
>
>
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'lars' in e-mail address)
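
A minimal model of the point made in this thread, as an added example that is not part of either post: a NAT router drops unsolicited inbound packets, but a port-forward rule hands the payload to the internal host unchanged, so the service itself has to withstand whatever arrives. The class, the documentation-range addresses and the payload bytes are constructed for illustration and do not model any specific Linksys or Raptor product.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class NatRouter:
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # WAN port -> (LAN ip, LAN port)
    state: dict = field(default_factory=dict)     # (remote ip, remote port, WAN port) -> LAN endpoint
    next_port: int = 40000

    def outbound(self, pkt):
        """A LAN host opens a connection: remember it and rewrite the source."""
        wan_port = self.next_port
        self.next_port += 1
        self.state[(pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        """Return (verdict, packet delivered to the LAN or None)."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.state:                      # reply to a tracked connection
            ip, port = self.state[key]
            return "reply", Packet(pkt.src, pkt.sport, ip, port, pkt.payload)
        if pkt.dport in self.forwards:             # port forward: no content inspection
            ip, port = self.forwards[pkt.dport]
            return "forwarded", Packet(pkt.src, pkt.sport, ip, port, pkt.payload)
        return "dropped", None                     # unsolicited and not forwarded

def demo():
    """Run three constructed packets through a router that forwards FTP (21)."""
    r = NatRouter("203.0.113.5", forwards={21: ("192.168.1.10", 21)})
    out = r.outbound(Packet("192.168.1.20", 5000, "198.51.100.7", 80))
    reply = r.inbound(Packet("198.51.100.7", 80, r.wan_ip, out.sport, b"OK"))
    probe = r.inbound(Packet("198.51.100.9", 3333, r.wan_ip, 22))
    # Constructed stand-in for any bytes a remote client chooses to send.
    data = b"<arbitrary bytes chosen by the remote client>"
    fwd = r.inbound(Packet("198.51.100.9", 4444, r.wan_ip, 21, data))
    return reply, probe, fwd

if __name__ == "__main__":
    for verdict, pkt in demo():
        print(verdict, pkt)
```

The forwarded packet reaches 192.168.1.10 with its payload intact, which is why the exposed host still needs its own patching, hardening and monitoring.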


