RE: Home Environment Cisco

["Noonan, Wesley" <Wesley_Noonan () bmc com>]

Filtering outbound... stateful inspection... DoS controls in place... proxy
filtering... SMURF, Flood, Teardrop, Land and exploit prevention, most of
the ICSA labs requirements... other than that, it sounds great!! :-(

Sometimes I think that GRC, NMap and Nessus are the worst security tools out
there. People run them, get negatives and think "wow, I must really be doing
great". Unfortunately it seems that a lot of folks seem to think that as
long as GRC "Shields UP" says everything looks good, it is.

I really wish the NAT proponents would read the RFC where the authors
themselves condemn NAT as a security solution in and of itself. It is a
great component of a security solution, but it is not alone a solution. If
the folks that authored it realize this, no offense but I doubt any of us
here are bright enough to find a flaw in that logic.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


> -----Original Message-----
> From: hermit921 [mailto:hermit921 () yahoo com]
> Sent: Friday, May 30, 2003 12:29
> To: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Home Environment Cisco
>
> Given all this discussion, I have to ask about NAT.  I have a small
> Netgear
> DSL router (using NAT) at home.  I consider it a great firewall because it
> doesn't let in any packets at all when I run nmap scans from the
> outside.  It syslogs to my unix machine.  What more could I want in a
> firewall for a home environment?
>
> hermit921
>
> At 10:26 PM 5/29/2003 +0200, Ben Nagy wrote:
> > > -----Original Message-----
> > > From: firewall-wizards-admin () honor icsalabs com
> > > [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf
> > > Of salgak () speakeasy net
> > > Sent: Thursday, May 29, 2003 9:39 PM
> > > To: nathan.grandbois () cerdant com; firewall-wizards () honor icsalabs com
> > >
> > > > -----Original Message-----
> > > > From: Nathan [mailto:nathan.grandbois () cerdant com]
> > > > He has a Solaris ultra 60, and two win98 workstations at
> > > > home he wants to be able to communicate, as well as have access to
> the
> > > > internet (NAT).
> > [deleted]
> > > Reminder: a 50-dollar router from BestBuy also includes a
> > > Firewall.  A Cisco 1600 or 2500-series will not.  And NAT is
> > > NOT a firewall.
> >
> > [deleted]
> >
> > I'm not going to run over the NAT / FW discussion again, I think my
> opinion
> > on the matter is pretty well documented in the archives, but I am more
> than
> > happy to use _dynamic_ NAT as a pretty effective security mechanism for
> home
> > users. I do normally back it up with ACLs anyway, but that's just out of
> > general principle.
> >
> > ben
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards