Firewall Wizards mailing list archives

re: NAT for a simple network


From: Mike Hoskins <mike () adept org>
Date: Wed, 13 Aug 2003 18:32:42 -0700 (PDT)

> Date: Tue, 12 Aug 2003 08:37:22 -0400
> From: "Robert E. Martin" <rmartin () fishburne org>
> I am setting up a simple network for a small office of 10 machines. The
> office users will only have internet access. There will be no mail
> server or web server (yet). Telco will provide DSL. I was thinking that
> a simple device like a DLINK DI804 or DFL80 would do the job for simple
> security and minimal overhead and provide for port forwarding for the
> future web server/mail server.

you may want to browse bugtraq or other archives and see which vendors
have had the most reported incidents, etc.  you may also want to correlate
that with their average response time (if they respond at all).  due to
the relatively complex nature of these devices (simple in theory, not in
practice), they are all prone to have some issues in their past or the
future.  that's nothing against any one vendor, just a given in my book.
noting how vendors respond is often a good selection tool.

> I had thought that NAT at the gateway
> would be secure enough for a situation like this. With reading the post
> about Home Appliances, the default is "allow any out", "deny any in" for
> appliances like this. Does this mean this is "stateful packet
> inspection"? Are there any thoughts about this?

not just NAT...  at a minimum, you'll want to set up (or verify) some basic
rules protecting the gateway device itself.  many of the DoS and other
attacks against these devices stem from remote and/or local traffic being
allowed to the device itself.  in general, you should verify packets are
not allowed to the device from the big bad Internet.  you may also want to
only allow local access from select IP addresses or subnets.

as an example...  D-link (and again, many devices have had issues, so i'm
not trying to target any one vendor...) has had some recent issues on
bugtraq.  many of those issues could have been bypassed by simply
configuring a few rules on the devices during deployment.  allowing
packets from random hosts to admin (80, 8000, 8080, etc.), SNMP, TFTP or
other ports is most certainly not a good idea.

-mrh

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
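The rules Mike describes (default "allow any out / deny any in", plus protecting the gateway device itself and restricting its admin, SNMP and TFTP ports to chosen LAN hosts) can be sketched as a small policy evaluator. The block below is an added example, not anything from the thread or from any D-Link product; the addresses, the 192.168.1.0/24 LAN, the single admin host and the "packets are evaluated after NAT" simplification are all assumptions made for the example.

```python
"""Constructed example: evaluate a small gateway policy that mirrors the
advice in the reply above. Addresses and port list are assumptions for the
example; packets are assumed to be evaluated after NAT has rewritten the
destination of inbound traffic, so return traffic for a LAN host carries the
LAN host's address as dst."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (hypothetical, not from the post). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, used here as stand-ins.
LAN = ip_network("192.168.1.0/24")
GATEWAY_LAN_IP = ip_address("192.168.1.1")
GATEWAY_WAN_IP = ip_address("203.0.113.10")
ADMIN_HOSTS = ip_network("192.168.1.10/32")  # only host allowed to manage the device

# Ports named in the reply: admin web UIs (80, 8000, 8080), SNMP (161), TFTP (69).
MANAGEMENT_PORTS = {80, 8000, 8080, 161, 69}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str              # "wan" or "lan": which interface the packet arrived on
    established: bool = False  # True if the state table already knows this connection


def is_gateway_address(addr) -> bool:
    """True if the packet is addressed to the gateway device itself."""
    return addr in (GATEWAY_LAN_IP, GATEWAY_WAN_IP)


def verdict(pkt: Packet) -> str:
    """Return the rule that decides this packet, in evaluation order."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # 1. Replies to connections the state table knows are allowed back in.
    #    This is the "stateful" half of "allow any out, deny any in".
    if pkt.established:
        return "accept: established"

    # 2. Nothing unsolicited from the Internet may reach the device itself.
    if pkt.ingress == "wan" and is_gateway_address(dst):
        return "drop: wan->device"

    # 3. On the LAN, the device's management ports are reachable only from
    #    the admin host(s); other local traffic to the device (e.g. DNS) is fine.
    if pkt.ingress == "lan" and is_gateway_address(dst):
        if pkt.dport in MANAGEMENT_PORTS and src not in ADMIN_HOSTS:
            return "drop: lan->device admin from non-admin host"
        return "accept: lan->device"

    # 4. Default policy: LAN hosts may go out; anything else is denied.
    if pkt.ingress == "lan" and src in LAN:
        return "accept: lan->out"
    return "drop: default deny in"


def evaluate_all(packets):
    """Convenience wrapper: verdict for each packet, in order."""
    return [verdict(p) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic covering each rule.
    samples = [
        Packet("198.51.100.7", "203.0.113.10", 8080, "wan"),           # Internet -> device admin UI
        Packet("192.168.1.50", "192.168.1.1", 161, "lan"),             # ordinary LAN host -> SNMP
        Packet("192.168.1.10", "192.168.1.1", 80, "lan"),              # admin host -> web UI
        Packet("192.168.1.50", "198.51.100.7", 443, "lan"),            # LAN host browsing out
        Packet("198.51.100.7", "192.168.1.50", 443, "wan", True),      # reply to that browsing
        Packet("198.51.100.7", "192.168.1.50", 22, "wan"),             # unsolicited inbound
    ]
    for p, v in zip(samples, evaluate_all(samples)):
        print(f"{p.ingress:3} {p.src:>15} -> {p.dst:>15}:{p.dport:<5} {v}")
```

The ordering matters: the state check comes first so that the device's own outbound connections (and port-forwarded services added later) keep working, while the "drop: wan->device" rule still catches every unsolicited probe of the admin, SNMP and TFTP ports from the Internet.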
