Re: Suggest firewall for Win98se+ICS(dialup)+NAV

From:
Date: 08/18/02


Date: Sat, 17 Aug 2002 18:01:40 -0500


> A lot of people are writing outdated responses based on Steve Gibson's
> animosity to earlier versions of BID (like, for example, the one _you_ are
> currently using ;) ). BID 3.5 (or is it now called BIP?) from ISS is a
> rather different beastie.

Yes, I've definitely gotten that message from reading all the shouting here
and elsewhere <g>

> Let me confirm that I understand what you're talking about here. As I
> understand it, you're planning on using an old Win98SE box as an ICS
> gateway for a peer-to-peer LAN with two workstations behind it? You don't
> identify the two workstations' OS(s), I note.

For the client, all o/s are Win98se - gateway will be Win98se only because
they have an available license. For me, I'm a programmer & hop around a lot
o/s-wise. Win9x - XP & (learning) Linux. Probably will change my gateway
to Win2k in the near future, as soon as I upgrade the hardware.

> You are then proposing to use some sort of software firewall, e.g., SPF,
> as a network gateway installed on the old Win 98 SE box. Alternatively,
> perhaps BID.

This setup with BID is what I've been running myself for 2 years.

> Whatever software firewall you select should be capable of at least using
> an authorized username and password (STRONG password) in order to ensure
> that some random individual doesn't simply go over to the gateway box and
> either disable the firewall or otherwise change its settings.

In general, I'd agree. In my client's case, don't think there's a big worry
about the random. These folks already have a Win98 "file server" (as it is
functionality-wise, at least) and are "scared to death" of changing anything
on it. There's no public access to the box. Right now only 1 user has web
access. And he was bitten even after I'd nagged at them for months about
using auto update on their NAV and opening any & all email. Fortunately not
too much damage because I'd forced them into a decent backup routine. So
now they *really* pay attention when I get on my soapbox <g> I'd just like
to make sure I'm spouting substance...

For my setup, I guess I'm the only random individual to worry about. Son's
off to college & hubby (another IT-type) knows dinner is in danger if he
messes with my boxes. <g>

> There are to be NO internet-enabled applications (and preferably no other
> applications of any kind) on the gateway machine. There should be NO web
> server, mail server, news server, or FTP server running on the Win 98 SE
> box -- not now, not ever.

You bet. There are no apps at all on the box I'm building for the client
other than some of the applets that came with the o/s. No Communications
except dialup, no Internet tools except ICS, no mail. Only IE, which I may
take off of the task bar/Start menu. Mine here at the house is basically
the same except that I've got a seldom used scanner & shared, but seldom
used, printer hung on it.

> If this is correct, then, yes, you've basically
> not only just established a crude hardware NAT router, but (perhaps more
> to the point) a hardware firewall appliance.

Ooh, you make it sound so up-to-date & impressive. We know it's just the
cheapskate's way to use old boxes & o/s licenses <g>

> Furthermore, I assume you are using a simple hub to create the network.
> As I assume you already know, you need to have the ICS _client_ software
> installed and running on the two workstations.

Already using hub; workstations do not need any client software - just std
web via LAN works just fine.

> If this is anywhere near correct, you have two things to consider -- ICS
> and the peer-to-peer LAN itself. I think I've covered the ICS component
> above. That leaves the LAN functionality to consider. First, you
> obviously want to disable file and printer sharing (on the Win 98 SE
> gateway box) through the Internet NIC/modem. That's a no-brainer.

Right. Already done.

> However, I would also suggest that you _completely_ disable file and
> printer sharing on the Win 98 SE gateway box; if it doesn't run any apps
> whatsoever, then there's absolutely no reason why it should need to
> 'share' file or printers with the two workstations.

Good point. No problem on the client set-up. Have to think through mine,
though. No problem with file sharing (already like that), but that color
printer, hmm. Maybe when I physically move my (NTW4) fileserver...

> However, you _may_ wish to maintain the capability to share files and
> printers between the two 'client' workstations. If so, I would be extremely
> careful in how you set up that sharing. Use strong password authentication
> and _only_ allow the minimal privileges necessary. Depending on the
> workstations' OS(s), I would further limit this 'sharing' to specific
> usernames and _only_ (the other) workstation.

Peer-to-peer sharing mandatory. Are you suggesting anything here other
than normal, internal LAN security considerations (because of the ICS
access)?

> And, as mentioned in my earlier response, I would strongly recommend the
> presence of some software firewall on the two client workstations. The
> software firewall on the gateway machine provides no outbound application
> control for anything originating from the two workstations. The biggest
> threat you confront is some clueless user of one of the two workstations
> installing (via floppy or download from the Internet) some truly dangerous
> application. Then, the gateway firewall becomes largely meaningless. So,
> on the client workstations, install some sort of PSF with
> application-level control (at a minimum). Again, you want the capability
> to LOCK down the firewalls on the two workstations to prevent some
> clueless user from simply disabling the PSFs on the workstation(s) or
> allowing some app that they've suddenly decided they simply can't live
> without. This is THE DANGER. Again, the workstation PSFs should have
> username and STRONG password authentication required to disable or
> re-configure the PSF settings (and I'm doubtful that ZA (free) provides
> this.)

Yes, I've been thinking about this. I've felt that my setup would do a
relatively decent job of keeping out the Klingons banging at the door -
that's what I am seeking confirmation about. But there's nothing protecting
from a LAN-based trojan or new app wanting to phone home. NAV can handle
some of it. But my client's already proved that he (the owner, a very
bright fellow) can click without the brain being engaged. For him, a
client-side firewall may well be prudent. Inexperience may bite the other
user. I'm concerned about observable speed (processing) degradation & the
amount of non-auto maintenance required - that's why I'm in test mode with BID
& Sygate (free & Pro) now. For some reason, I'm not real enthusiastic about
checking the Norton Firewall. Strange. Must have been something I came
across that I can't remember now. Reading the manuals, newsgroups, forums,
and reviews in addition to playing with them to make a decision. Oh, do my
eyes & head hurt <g>.

> At that point, you should be reasonably 'good to go'. You might also want
> to install some log analyzers on whatever PSF you install on the gateway
> machine; and AV and AT software would not be a bad idea (especially if you
> configure it to update regularly, run memory-resident, and run
> pre-scheduled full-system scans from time to time).

Plan to have NAV on the gateway as well as the workstations.

Many thanks for your detailed discussion.
Diane
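The reply above recommends running a log analyzer on the gateway's personal firewall. The script below is an added example of that idea and is not part of this thread nor of BID, Sygate, NAV or any other product mentioned in it. It assumes a generic, constructed log line layout (timestamp, interface, direction, protocol, source, destination, action), the interface names "wan" and "lan", and the 192.168.0.0/24 subnet as the LAN; real firewall logs use their own formats. It reports two things the thread cares about: inbound hits on the Windows file-and-printer-sharing ports reaching the Internet NIC (any "allow" there means sharing was not actually disabled on that interface), and outbound connections from the LAN workstations, so that a "phone home" from a newly installed application stands out.

```python
"""Small gateway firewall-log triage script (added example, assumed log format)."""
import ipaddress
import re
from collections import Counter

# NetBIOS over TCP/IP (137-139) and direct SMB (445): Windows file and printer sharing.
FILE_SHARING_PORTS = {137, 138, 139, 445}

# Assumption: the ICS LAN side uses this subnet; adjust for a real deployment.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")

# Assumption: ports LAN workstations are expected to reach; anything else is worth a look.
EXPECTED_OUTBOUND_PORTS = {80, 443, 25, 110, 119}

# Constructed line layout:
#   <date> <time> <iface> <in|out> <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\w+) (?P<dir>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample log; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2002-08-17 18:01:40 wan in udp 203.0.113.7:1025 -> 198.51.100.22:137 block
2002-08-17 18:01:41 wan in tcp 203.0.113.7:1026 -> 198.51.100.22:139 block
2002-08-17 18:02:05 wan in tcp 203.0.113.9:3456 -> 198.51.100.22:445 allow
2002-08-17 18:03:12 lan out tcp 192.168.0.2:1030 -> 203.0.113.50:80 allow
2002-08-17 18:03:15 lan out tcp 192.168.0.3:1031 -> 203.0.113.77:6667 allow
2002-08-17 18:03:16 lan out tcp 192.168.0.3:1032 -> 203.0.113.77:6667 allow
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(lines):
    """Collect notable events from an iterable of log lines."""
    findings = {
        "wan_sharing_probes": Counter(),   # source IP -> number of hits on sharing ports
        "wan_sharing_allowed": [],         # lines where such a hit was NOT blocked
        "lan_outbound": Counter(),         # (src, dst, dport) -> count of allowed connections
        "unexpected_outbound": Counter(),  # same key, restricted to non-expected ports
    }
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["iface"] == "wan" and ev["dir"] == "in" and ev["dport"] in FILE_SHARING_PORTS:
            findings["wan_sharing_probes"][ev["src"]] += 1
            if ev["action"] == "allow":
                findings["wan_sharing_allowed"].append(line.strip())
        if ev["dir"] == "out" and ev["action"] == "allow" and ipaddress.ip_address(ev["src"]) in LAN_NET:
            key = (ev["src"], ev["dst"], ev["dport"])
            findings["lan_outbound"][key] += 1
            if ev["dport"] not in EXPECTED_OUTBOUND_PORTS:
                findings["unexpected_outbound"][key] += 1
    return findings


def report(lines):
    """Render findings as a list of human-readable strings."""
    f = analyze(lines)
    out = []
    for src, n in f["wan_sharing_probes"].most_common():
        out.append(f"sharing-port probe from {src}: {n} hit(s) on the Internet NIC")
    for line in f["wan_sharing_allowed"]:
        out.append(f"ALERT: sharing port reachable from the Internet: {line}")
    for (src, dst, port), n in f["unexpected_outbound"].most_common():
        out.append(f"review: {src} -> {dst}:{port} allowed {n} time(s) (not an expected port)")
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG.splitlines()):
        print(entry)
```

On the constructed sample this lists two blocked NetBIOS probes from one source, one alert for an SMB connection that was allowed through the Internet NIC, and one review item for a workstation repeatedly connecting out on port 6667. The expected-port set and the subnet are the two knobs to adapt before pointing it at a real log.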


