Firewall Wizards mailing list archives
Re: Basic Protection
From: "Kevin T. Shivers" <kts () clark net>
Date: Fri, 23 Jul 1999 11:56:51 -0400 (EDT)
On Wed, 21 Jul 1999, Frank R. Boecherer wrote:
> I have some clients with NT server (typical vanilla setup) and they want to hook up DSL for Internet access. If NAT or Proxy Server is used, is there enough protection or is a full firewall needed? To phrase the question another way: How do I allow a client to have fast Internet access for all the workstations without having to spend a lot for firewall protection?
Proxy Server will protect you some, but if I had the money I would get something better to protect myself with. You can probably get by with something that really doesn't cost that much. I am assuming that since they are using DSL, they probably are a home office/small office setup. You can get a cheap PC and run FWTK, or Linux with ipchains, and your only cost there will be the box and your time in setting it up. You could also get a firewall appliance type thing like a SonicWall or a Firebox and set it up. They are pretty cheap, and they work pretty well. Fred Avolio and I tested a SonicWall recently and it was pretty good. You can see the review at: http://strom.com/awards/160.html. Any of these will probably cost less than a server running NT Server and Proxy Server.

A little rant on Proxy Server: Proxy Server runs on NT, therefore it will be inherently insecure. A quick look into the NTBugTraq archives found a bunch of problems with Proxy Server. One of the more interesting problems is better described online at: http://www.infowar.co.uk/mnemonix/proxy.htm. Personally I wouldn't use it, since it is far too easy to get Administrative rights on an NT machine and then use that machine to gain access into the whole network. If you also want some more information on Proxy Server check out: http://xbill.org/~kts/nt/ms2-proxyserver.txt.
> With all I've been reading, it seems like the only secure way to go is with a firewall. But if NAT is used and the IP address of a workstation on the internal network isn't known or available to the outside, is it safe? Does an ISP provide security so that I don't have to worry about it?
I would strongly recommend a firewall in addition to using NAT. Just using NAT and not telling anybody what the internal addresses are is basically just "security through obscurity", and that is a bad thing [tm] by itself. Ever watched "Wargames"? :) When you do set up NAT, a thing that would be good to do is pick a different set of internal addresses than most people use. For instance, use something like 10.26.x.x instead of 10.0.x.x like many people do.

I would doubt that the ISP is going to supply much, if any, security. Most ISPs are just going to give you the connection. If they do firewall, it will probably be from their uplink to their network, leaving you still vulnerable to the rest of the users of your ISP. And besides, would you trust something that you, or someone you knew and trusted, set up? Me, being the paranoid person I am, probably wouldn't. :)

kts
--
Kevin T. Shivers
NT & UNIX Security Administrator
Shivers Consulting
http://www.clark.net/pub/kts
kts () clark net
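The point Kevin makes above, that NAT with hidden internal addresses is only obscurity and that a filter with a default-deny policy is what actually stops unsolicited inbound traffic, can be shown with a toy model. The following is an added illustration written for this archive page, not code from the thread or from any product named in it. It models a gateway that translates addresses for sessions opened from the inside; with `default_deny=False` it behaves like a plain forwarding router that happens to do NAT, with `default_deny=True` it only passes inbound packets that match an existing session and drops packets arriving from outside with a spoofed internal source. The addresses, ports and the `10.26.` prefix are constructed sample values.

```python
"""Toy NAT gateway: plain NAT versus NAT plus default-deny filtering.
Added example, not part of the original mailing-list thread."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    sport: int  # source port
    dport: int  # destination port


@dataclass
class NatGateway:
    """Routes between an external and an internal interface and rewrites
    addresses for sessions opened from the inside (constructed model)."""
    public_ip: str
    internal_prefix: str          # e.g. "10.26." (string prefix match, toy only)
    default_deny: bool = False    # False: NAT-only router; True: NAT + filter
    sessions: dict = field(default_factory=dict)
    next_port: int = 40000

    def forward_outbound(self, pkt: Packet) -> Packet:
        """Internal host opens a session: record a translation, rewrite source."""
        nat_port = self.next_port
        self.next_port += 1
        # key: (remote ip, remote port, translated local port) -> internal endpoint
        self.sessions[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, nat_port, pkt.dport)

    def forward_inbound(self, pkt: Packet):
        """Packet arriving on the external interface. Returns the packet as
        delivered to the internal side, or None if it is dropped."""
        # Anti-spoofing: nothing from outside may claim an internal source.
        if pkt.src.startswith(self.internal_prefix):
            return None
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst == self.public_ip and key in self.sessions:
            # Reply to a session opened from inside: translate back and forward.
            int_ip, int_port = self.sessions[key]
            return Packet(pkt.src, int_ip, pkt.sport, int_port)
        if pkt.dst.startswith(self.internal_prefix) and not self.default_deny:
            # A router that only does NAT still forwards anything addressed to
            # the inside, once the sender has learned or guessed that address.
            return pkt
        # Unsolicited packet with no matching session: dropped by the filter.
        return None


def run_scenario() -> dict:
    """Exercise both configurations and return what reached the inside."""
    results = {}
    plain = NatGateway("192.0.2.10", "10.26.")                 # constructed
    out = plain.forward_outbound(Packet("10.26.1.5", "198.51.100.7", 1234, 80))
    results["outbound_src"] = out.src
    reply = plain.forward_inbound(Packet("198.51.100.7", "192.0.2.10", 80, out.sport))
    results["reply_dst"] = reply.dst if reply else None
    unsolicited = Packet("203.0.113.9", "10.26.1.5", 5555, 80)
    results["plain_nat_passes_unsolicited"] = plain.forward_inbound(unsolicited) is not None

    filtered = NatGateway("192.0.2.10", "10.26.", default_deny=True)
    results["filtered_passes_unsolicited"] = filtered.forward_inbound(unsolicited) is not None
    spoofed = Packet("10.26.1.9", "10.26.1.5", 5555, 80)
    results["filtered_passes_spoofed"] = filtered.forward_inbound(spoofed) is not None
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model is deliberately minimal: real NAT implementations track protocol state and timeouts, and Internet routers will not normally carry RFC 1918 destinations across the backbone. The thread's point survives the simplification: obscurity of the internal range decides nothing, the explicit deny rule does, and the same rule also gives you the anti-spoofing check on the external interface for free.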