Firewall Wizards mailing list archives

Re: insecurity in internet connection thro cable modems


From: Brian Ford <brford () cisco com>
Date: Sat, 15 Feb 2003 13:55:37 -0500

Dave,

More than likely, natting a home network behind a linksys soho router would be sufficient.

Yet another security policy that begins with "more than likely". What happens in the "likely" case when someone figures out where you are and wants to get at your stuff?

Putting in PIX 501's at someone's home would be insane. If you have to administer it, a small Netscreen is much easier than dealing with PIX.

Gee Dave.  Why would it be insane to use a PIX?

To set up a PIX at home all you need is the PIX. You don't need a PC and the setup disk that NetScreen ships.

The 501 ships with a default "plug and play" configuration that for many installs (including folks sitting behind a cable modem) requires no modification to get up and running.

The PIX also supports Cisco AUS (Auto Update Server) so that security policy, operating system image, and configuration updates can be securely downloaded to the PIX from a central site without end user intervention.

You said "a small Netscreen is much easier than dealing with PIX". Have you really tried both products? Could it be that you just don't like PIX? Or that you just don't know about the PIX?

Liberty for All,

Brian

At 12:00 PM 2/15/2003 -0500, firewall-wizards-request () honor icsalabs com wrote:
Message: 5
Date: Fri, 14 Feb 2003 14:03:11 -0700
From: Dave Mitchell <dmitchell () viawest net>
To: "Perrymon, Josh L." <PerrymonJ () bek com>
Cc: "'Chapman, Justin T'" <JtChapma () bhi-erc com>,
"'firewall-wizards () honor icsalabs com '" <firewall-wizards () honor icsalabs com>
Subject: Re: [fw-wiz] insecurity in internet connection thro cable modems

For normal users I'd recommend some sort of appliance filter or firewall. More than likely, natting a home network behind a linksys soho router would be sufficient. If you want to do VPNing and what not, I think a Netscreen 5 would be the best for the home firewall. Putting in PIX 501's at someone's home would be insane. If you have to administer it, a small Netscreen is much easier than dealing with PIX.

-dave

On Fri, Feb 14, 2003 at 10:42:16AM -0600, Perrymon, Josh L. wrote:
> Yeah...  I ( Security Professional ) would implement IPChains or a PIX @
> home...
> But don't you think Linux is completely out of the question for a regular
> end user?????
>
> I'm looking for an application based firewall for my VPN users..
> So far ZONE ALARM is my choice..  I just wished I could integrate it with
> the PIX VPN client like the concentrator can.
>
>
>
> Any Ideas??
> -JP
>
> -----Original Message-----
> From: Chapman, Justin T [mailto:JtChapma () bhi-erc com]
> Sent: Friday, February 07, 2003 11:29 AM
> To: 'firewall-wizards () honor icsalabs com '
> Subject: RE: [fw-wiz] insecurity in internet connection thro cable
> modems
>
>
> >
> >ipchains is old ( for the previous Linux Kernel 2.2 ), iptables
> >http://www.iptables.org would be a better choice.
>
> Agreed. If it's an option at all, choose iptables over ipchains. It's more
> flexible and it's a stateful packet filter, which makes for a "smarter"
> firewall. IPtables (and ipchains for that matter) can be a bit intimidating
> to work with, especially if you're new to the syntax.  If you're going to
> "roll your own" firewall, I would suggest searching Google/Freshmeat.net
> for "iptables generator".  There are plenty of scripts/web frontends/guis
> that make creating simple "consumer-grade" firewalls a snap.  One that I
> particularly like is a cgi-based one at:
>
> http://morizot.net/firewall/gen/
>
> Good luck!
>
> --justin
>


Brian Ford
Consulting Engineer
Corporate Consulting Engineering, Office of the Chief Technology Officer
Cisco Systems, Inc.
http://www.cisco.com
e-mail: brford () cisco com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
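The quoted exchange contrasts ipchains with the stateful filtering iptables offers and points at "iptables generator" scripts for a consumer-grade firewall. The script below is an added example to illustrate that point; it is not from any poster in the thread and not the generator linked above. It prints (or, with `--apply`, runs) a minimal stateful ruleset for a Linux box natting a home LAN behind a cable modem. The interface names eth0/eth1, the 192.168.1.0/24 LAN prefix and the specific rule choices are assumptions for illustration.

```shell
#!/bin/sh
# Stateful iptables ruleset generator for a home gateway (added example,
# not code from the thread). Interface names, LAN prefix and rule set are
# assumptions; override WAN_IF, LAN_IF, LAN_NET in the environment.
#
# Usage: sh homefw.sh          -> print the ruleset for review
#        sh homefw.sh --apply  -> execute it (needs root and iptables)

WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the cable modem
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the home LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: RFC 1918 prefix used on the LAN

# gen_rules WAN LAN NET: print one iptables command per line.
# The 'state' match is what makes this a stateful filter: only replies to
# connections the box or the LAN opened are let back in, which ipchains
# could only approximate with port-based rules.
gen_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i $wan -s $net -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $net -j ACCEPT
iptables -A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i $wan -s $net -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}
# Rule order matters: INVALID and spoofed-source (LAN prefix arriving on
# the WAN side) packets are dropped before the ESTABLISHED,RELATED accept,
# so a forged packet cannot ride an existing conntrack entry.

if [ "${1:-}" = "--apply" ]; then
    # Run as root; -e stops at the first rule iptables rejects.
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | sh -e
else
    gen_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```

Review the printed output before applying; the default policies are DROP for INPUT and FORWARD, so a mistake in the interface names locks the box out of the network until the rules are flushed from the console.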

