Re: Linksys hardware firewall enough...?

From: Gary (garyd_at_efn.org.spamsux)
Date: 11/09/04


Date: Tue, 09 Nov 2004 14:30:33 GMT

Leythos wrote:

> I would never consider trying to break into a network that I was not
> paid to hack/test.

Then how much do you charge?

> Gary, most of us have been doing this for a LONG time. Most of us were
> using NAT to segment our networks long before the home/soho routers came
> out on the markets. Most of us know that ROUTING is part of NAT and has
> nothing to do with firewalls.

You are also implying that I know nothing about the subject. And I'm not
sure why you keep dragging routing and NAT into the subject of packet
filtering. Every box that has a TCP/IP stack routes packets. Every box
that routes packets between public IP space and RFC 1918 space must
perform network address translation. It just so happens that every
firewall provides routing, NAT, and packet filtering. As we've all made
perfectly clear, better firewalls (including some in the SOHO class)
offer things like stateful packet inspection, VPN, VLAN tagging, etc. I
never once claimed that using only NAT is a good security measure.

> I'm not encouraging anyone to spend anything on anything, I'm warning
> them that the devices marketed as firewalls, that are only NAT Routers
> in reality, are NOT FIREWALLS - they are simple routers with some
> additional "firewall like" features.

Including devices by vendors that have paid for ICSA certification?
http://www.netgear.com/products/details/FR114P.php
http://www.netopia.com/equipment/intl/emea/uk/products/3300_ent.html

> You don't have to like the idea that security experts don't agree with
> you, you don't have to agree with us, but we're never going to accept
> your notion that those simple devices are firewalls.

Here's what we've learned so far:

1) Packet filtering is also known as OSI layer 3 (network) firewalling.
2) It is included in SOHO, SMB, and corporate class firewalls.
3) Firewalls alone do not make an effective security policy.

> Look at it this way, with your definition, a VLAN capable managed switch
> could be a firewall - and it's not even as close as the SOHO units you
> keep talking about.

It's not my definition. It's a definition laid out by pioneers in the
security industry. If you want to take up this issue with Marcus J.
Ranum, original author of the firewall FAQ, please see his website for
contact info: http://www.ranum.com

You can also contact Rik Farrow, Fred Avolio, Matt Curtin, D. Brent
Chapman, Elizabeth Zwicky, Bruce Schneier, Bill Cheswick, Steven
Bellovin, Avi Rubin, Dan Geer, Tina Bird, Daniel Hartmeier, etc.

-Gary
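The distinction argued over in this thread (address translation versus a filtering policy) is easier to see in code than in prose. The toy model below is an added example, not from either poster: it puts a NAT-only router with a static port forward next to the same NAT engine fronted by a stateful packet filter with an explicit rule set. Addresses are constructed from the documentation ranges, and the rule format is made up for the example.

```python
"""Constructed model of a NAT-only router versus NAT plus a stateful packet
filter. Not a real device; it only shows where translation ends and policy begins."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True  # True for a segment that opens a new TCP connection

WAN_IP = "203.0.113.10"    # constructed public address of the device
LAN_PREFIX = "192.168.1."  # RFC 1918 space behind the device

def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)

class NatRouter:
    """Translates between RFC 1918 space and the WAN. It has no policy:
    anything it can translate, it forwards."""
    def __init__(self, port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.port_forwards = port_forwards or {}        # WAN port -> (LAN ip, LAN port)
        self.out_map: Dict[Tuple[str, int], int] = {}   # (LAN ip, sport) -> WAN port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # WAN port -> (LAN ip, sport)
        self.next_port = 40000

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if there is nothing to translate to."""
        if is_lan(pkt.src):                          # outbound: source NAT
            key = (pkt.src, pkt.sport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[self.next_port] = key
                self.next_port += 1
            return replace(pkt, src=WAN_IP, sport=self.out_map[key])
        if pkt.dport in self.in_map:                 # reply to an outbound flow
            lan_ip, lan_port = self.in_map[pkt.dport]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        if pkt.dport in self.port_forwards:          # static forward, any source accepted
            lan_ip, lan_port = self.port_forwards[pkt.dport]
            return replace(pkt, dst=lan_ip, dport=lan_port)
        return None  # no translation entry: dropped as a side effect of NAT, not by policy

@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (WAN to LAN) or "out" (LAN to WAN)
    src_prefix: str       # "" matches any source address
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"

class StatefulFirewall:
    """Packet filter with connection tracking in front of the same NAT engine.
    A new connection must match an accept rule; the default is drop."""
    def __init__(self, rules: List[Rule], port_forwards=None):
        self.rules = rules
        self.nat = NatRouter(port_forwards)
        self.established: set = set()  # (src, sport, dst, dport) of accepted flows

    def permit(self, direction: str, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.established or flow[2:] + flow[:2] in self.established:
            return True                       # part of a tracked connection
        if not p.syn:
            return False                      # mid-stream segment with no tracked connection
        for r in self.rules:                  # first matching rule decides
            if (r.direction == direction and p.src.startswith(r.src_prefix)
                    and (r.dport is None or r.dport == p.dport)):
                if r.action == "accept":
                    self.established.add(flow)
                return r.action == "accept"
        return False

    def handle(self, pkt: Packet) -> Optional[Packet]:
        if is_lan(pkt.src):                   # filter on the LAN view, then source NAT
            return self.nat.handle(pkt) if self.permit("out", pkt) else None
        translated = self.nat.handle(pkt)     # destination NAT first, then filter
        if translated is None:
            return None
        return translated if self.permit("in", translated) else None

def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Same packets through both devices; True means the packet was forwarded."""
    forwards = {22: ("192.168.1.20", 22)}                     # SSH exposed to the WAN
    policy = [Rule("in", "198.51.100.", 22, "accept"),        # SSH only from an admin network
              Rule("out", "", 80, "accept"), Rule("out", "", 443, "accept")]
    results = {}
    for name, dev in (("nat_only", NatRouter(forwards)),
                      ("firewall", StatefulFirewall(policy, forwards))):
        r = {}
        r["unsolicited_inbound"] = dev.handle(Packet("192.0.2.5", 5555, WAN_IP, 445)) is not None
        r["ssh_from_anywhere"] = dev.handle(Packet("192.0.2.5", 5556, WAN_IP, 22)) is not None
        r["ssh_from_admin_net"] = dev.handle(Packet("198.51.100.7", 5557, WAN_IP, 22)) is not None
        out = dev.handle(Packet("192.168.1.30", 51000, "198.51.100.80", 443))
        r["web_out"] = out is not None
        reply = dev.handle(Packet("198.51.100.80", 443, WAN_IP, out.sport, syn=False)) if out else None
        r["web_reply"] = reply is not None and reply.dst == "192.168.1.30"
        # an internal host opening an outbound SMTP connection the policy never allowed
        r["smtp_out"] = dev.handle(Packet("192.168.1.30", 51001, "192.0.2.25", 25)) is not None
        results[name] = r
    return results

if __name__ == "__main__":
    for device, outcome in run_scenarios().items():
        print(device, outcome)
```

Both devices drop the unsolicited inbound packet, but only because the NAT table has no entry for it. Once a port forward exists, the NAT-only device passes it to anyone on the Internet, and it lets any internal host open any outbound connection; the filter in front of the same NAT engine applies a source restriction on the forward and an egress policy, which is what the thread means by a firewall doing something NAT does not.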
