Re: How good are personal hardware NAT firewalls?
From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 10/28/02
Date: Mon, 28 Oct 2002 12:27:14 -0500 From: "Michel Gallant (MVP)" <neutron@istar.ca>
"Karl Levinson [x y] MVP" wrote:
> "Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
> news:3DBD4CC9.9EB1B418@istar.ca...
> > I am interested in getting experienced comments on how good
> > personal firewalls like the LinkSys BEFSX41 are:
> > http://www.linksys.com/products/product.asp?grid=23&prid=433
> >
> > With the *default* configuration, no inbound ports are open (i.e. "port-forwarding").
> > Also, this particular LinkSys firewall claims:
> >
> > "Protects PCs from Ping of Death,
> > SYN Flood, Land Attacks, IP Spoofing, and Other DoS (Denial of Service) Attacks
> > Supports Up to Two IPSec Virtual Private Network (VPN)Tunnels
> > Supports URL Filtering and Time Filtering
> > Blocks Java, ActiveX, and Cookies "
> >
> > I wanted to get some details on the final item (does packet filtering check
> > for .class file, object tags, .ocs, .cab etc.. in the data sections of inbound packets?)
> > from LinkSys but they will not disclose that level of technical detail?
>
> I doubt it does this. It probably just blocks based on port number. I'm
I don't think that this is correct. The port number (typically port 80 for web
server) is not blocked. The firewall evidently searches for reconnects and
a url of type http://originalserver/somepath/somejavabytecode.class
so it probably filters at the url request level, based on ".class" and variants.
The container page certainly loads.
Note that the BEFSX41 does NOT filter out .cab files; hence all my signed
Java applets (IE only supports Authenticode signatures on cab files containing
class files) pass neatly through the BEFSX41. This is probably so that
installer urls (like .cab updaters) don't get screened.
So, the befsx41 capability to block simple .class url requests is not too useful,
since there is typically a pretty good sandbox already for various JVMs, notwithstanding
some known vulnerabilities :-)
>
> not familiar with the new BEFSX41, but previous models didn't even allow you
> to write packet filtering rules, and they were pretty near useless at
> blocking any outbound traffic, so that you are still vulnerable to trojans
> and remote access tools such as Back Orifice through the firewall. This is
> somewhat serious, though you still get logging of outbound traffic.
the befsx41 has some extended packet filtering and other stuff not available
on the more basic befsr41. Also, there is not to-file logging capability (ref.
comment below)
- Mitch
>
>
> Note that you will also want to use a free syslog client to capture the
> logging to a PC, or else the logs disappear every few minutes / seconds.
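
The URL-level filtering described in the reply above, as an added example that is not part of the original post or Linksys code: it compares an extension-only decision on the request URL with identification of the response by its leading bytes. The rule set, function names, sample URLs and body bytes are constructed assumptions; the post only establishes that ".class" requests are blocked and ".cab" requests pass.

```python
from urllib.parse import urlsplit

# Assumption: the post only establishes that ".class" requests are blocked
# and ".cab" requests are not; the device's real rule set is undisclosed.
BLOCKED_EXTENSIONS = (".class",)

# File signatures (leading bytes) of the two formats the post mentions.
SIGNATURES = {
    b"\xca\xfe\xba\xbe": "java-class",   # compiled Java class file
    b"MSCF": "cabinet",                  # Microsoft cabinet archive
}

def url_filter_blocks(url):
    """Extension-only decision on the URL path, ignoring case and query."""
    path = urlsplit(url).path.lower()
    return path.endswith(BLOCKED_EXTENSIONS)

def classify_body(body):
    """Identify the response by its leading bytes instead of its URL."""
    for magic, kind in SIGNATURES.items():
        if body.startswith(magic):
            return kind
    return "other"

def audit(samples):
    """Return (url, blocked_by_url_filter, content_kind) for each sample."""
    return [(url, url_filter_blocks(url), classify_body(body))
            for url, body in samples]

# Constructed samples: URL plus the first bytes of the response body.
SAMPLES = [
    ("http://originalserver/somepath/index.html", b"<html><applet code="),
    ("http://originalserver/somepath/somejavabytecode.class",
     b"\xca\xfe\xba\xbe\x00\x00\x00\x2e"),
    ("http://originalserver/somepath/Applet.CLASS?v=2",
     b"\xca\xfe\xba\xbe\x00\x00\x00\x2e"),
    ("http://originalserver/somepath/signedapplet.cab", b"MSCF\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for url, blocked, kind in audit(SAMPLES):
        print(f"{'BLOCK' if blocked else 'pass ':5}  {kind:10}  {url}")
```

The cabinet row is the case the reply reports: the URL check passes it, and only a content-based check identifies what is being delivered.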