Re: Suggestions for Firewall/Port selection hardware box
From: Ron Loewy (rloewy@transport.com)
Date: 10/31/02
- Next message: mhicaoidh: "Re: Firewalls are useless??"
- Previous message: Jonathan: "Re: What if..."
- In reply to: Nig: "Re: Suggestions for Firewall/Port selection hardware box"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ron Loewy" <rloewy@transport.com> Date: Thu, 31 Oct 2002 22:03:22 GMT
Thanks. This is very useful.
I currently have a setup where I have a server sitting on one IP and a
Router/NAT sitting on the other - so the server is "isolated" from the rest
of the network. It sounds like you suggest that I keep doing it this way.
I will explore my options and decide what to do.
Thanks for the feedback - I am learning a lot just by reading it.
Ron.
"Nig" <nig@nigs.niet> wrote in message news:3DC19EFC.446C954D@nigs.niet...
>
>
> Ron Loewy wrote:
> >
> > Hi,
> >
> > I have a small LAN that currently sits behind a NAT connected to a DSL
> > modem.
> >
> > I would like to add a Windows 2K Server on this network, and expose some of
> > its ports to the "public". Specifically - I want to be able to expose its
> > mail server ports, web hosting port and several "custom" ports for my
> > application.
> >
> > I know that low end Router/NAT/Firewall devices like what LinkSys offers
> > have a DMZ port - but I do not think that this allows me to control the
> > ports that can be accessed.
> >
> > Any ideas for a reliable, not too expensive box that will allow me to do
> > something like this - so I will be able to use the W2K server for my LAN,
> > but expose some functionality to the outside world?
>
> Most low-end routers support DMZ or port forwarding functionality but
> the problem with them is that the host that is either the DMZ or port
> forward host is still connected to your internal LAN, so if that host is
> compromised, all of your network could be got at. In the home router
> world, DMZ means 'forward all ports to the DMZ host'. Yeah, right!
>
> If you're serious about offering these services via your cable/ADSL
> link, then you should think about separation of your networks - trusted
> (your LAN), semi-trusted but still extremely dodgy (your DMZ host),
> un-trusted (everyone else!). Not always possible in the home, I'm sure,
> but if you are involved in running mail servers, web servers etc., you
> need to think about it, especially if involved in development
> activities. I'm not aware of any sub$300-$400 home routers that will
> allow you to do this, but a *nix box would do it quite nicely, I'm sure,
> as would some of the appliances (PIX, SonicWall, WatchGuard) available,
> but your costs are starting to rise with these.
>
> If you have to run these services behind a cheapo router, then make sure
> all patches are applied to the services you are running and they are
> set-up not to allow things like mail relaying, anonymous FTP put and so
> on, run some sort of IDS on the public host, run current AV, run
> firewalls on all other LAN machines and do not have any MS networking
> between the public host and your LAN. You may find MS's tools, IISLockd
> and URLScan useful if you are running a Windows host and the MS 'All
> Your' Base Security Analyzer can help with making sure your patches are
> current.
>
> Paranoid? Oh yes, indeedy;-)
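The three trust zones Nig describes (trusted LAN, semi-trusted DMZ host, untrusted Internet) can be written down as a zone-to-zone policy and checked mechanically. The Python below is an added illustration, not code from either poster: it models a first-match, default-deny forwarding policy, contrasts the separated layout with the cheap-router "DMZ host" that still sits inside the LAN, and audits both against the rules of thumb in the post (nothing from the DMZ may initiate into the LAN, nothing from the Internet may reach the LAN, only the intended service ports are exposed). The zone names, and the exposed ports 25, 80, 5000 and 5001 standing in for Ron's mail, web and "custom" application ports, are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example: zone-based forwarding policy for the trusted / semi-trusted /
# untrusted split discussed in the thread. Zone names and ports are assumptions.


@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port
    action: str           # "accept" or "drop"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (self.src == src and self.dst == dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Constructed stand-ins for the services Ron wants to publish: SMTP, HTTP and
# two "custom" application ports on the DMZ host.
EXPOSED_TCP = {25, 80, 5000, 5001}

# Separated layout: the public host lives in its own "dmz" zone. There is
# deliberately no dmz -> lan rule, so the implicit final drop applies.
THREE_ZONE_POLICY: List[Rule] = [
    *[Rule("internet", "dmz", "tcp", p, "accept") for p in sorted(EXPOSED_TCP)],
    Rule("lan", "dmz", "any", None, "accept"),       # admin and use from inside
    Rule("lan", "internet", "any", None, "accept"),  # normal outbound browsing
]

# The cheap-router "DMZ" Nig describes: one host inside the LAN with every
# port forwarded to it. No separate zone exists at all.
HOME_ROUTER_DMZ_POLICY: List[Rule] = [
    Rule("internet", "lan", "any", None, "accept"),  # 'forward all ports to the DMZ host'
    Rule("lan", "internet", "any", None, "accept"),
]


def decide(policy: List[Rule], src: str, dst: str,
           proto: str = "tcp", dport: Optional[int] = None) -> str:
    """First-match evaluation with an implicit final drop. Traffic inside one
    zone never crosses the firewall, so it is always accepted here; reply
    packets are assumed to be handled by connection tracking, not by rules."""
    if src == dst:
        return "accept"
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"


def audit(policy: List[Rule], public_host_zone: str,
          probe_ports=range(1, 1025)) -> List[str]:
    """Check a policy against the separation argued for in the post.
    Returns a list of findings; an empty list means the checks pass."""
    findings: List[str] = []
    protos = ("tcp", "udp")
    if public_host_zone == "lan":
        findings.append("public host sits in the lan segment; "
                        "the firewall cannot separate it from lan machines")
    else:
        # A compromised public host must not be able to initiate into the LAN.
        if any(decide(policy, public_host_zone, "lan", pr, p) == "accept"
               for pr in protos for p in probe_ports):
            findings.append(f"{public_host_zone} can initiate connections into lan")
        # Only the intended service ports may be reachable from the Internet.
        extra = {p for p in probe_ports
                 if decide(policy, "internet", public_host_zone, "tcp", p) == "accept"}
        extra -= EXPOSED_TCP
        if extra:
            findings.append(f"unexpected tcp ports open from internet to "
                            f"{public_host_zone}: {sorted(extra)}")
    # Nothing from the Internet may reach the LAN directly under either layout.
    if any(decide(policy, "internet", "lan", pr, p) == "accept"
           for pr in protos for p in probe_ports):
        findings.append("internet reaches lan directly")
    return findings


if __name__ == "__main__":
    print("three-zone findings:", audit(THREE_ZONE_POLICY, "dmz"))
    print("home-router findings:", audit(HOME_ROUTER_DMZ_POLICY, "lan"))
    # Same-segment traffic is invisible to the router, which is the whole
    # problem with the home-router "DMZ host".
    print("dmz host -> other lan box, home router:",
          decide(HOME_ROUTER_DMZ_POLICY, "lan", "lan", "tcp", 445))
```

Running the script reports no findings for the three-zone policy and two for the home-router layout. The same model extends to a real *nix firewall: each `Rule` maps onto one forwarding rule between the interfaces that carry those zones, and the audit becomes a regression test you run whenever the ruleset changes.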