Firewall Wizards mailing list archives
RE: Basic Protection
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Fri, 23 Jul 1999 13:07:11 -0700
Frank,

Your message is a little vague - I'll assume that you have multiple separate people who want to use one DSL line to connect to a service provider behind one host and run with it...

In any event, you absolutely _cannot_ depend on your ISP in most cases to provide your machines - not unless you want to get hacked or DoS'ed. I've found that for one person with a few machines, or small groups of people, throwing an old 486 or low-end Pentium Linux machine doing ip-masquerading can provide more-than-adequate security for the internal machines, and you don't need to worry about cost. Just set it up in front of your NT machine, turn off every single service accessible to the outside (excepting maybe sshd ;-), and trail a hub behind it. It's a surprisingly cheap and flexible solution for the cost of one IP. And in the event someone totally thrashes it, it's not that hard or costly to replace.

Barring that option, there are plenty of ways to lock down a single NT machine and use something like MS-Proxy or WinGate. If you don't have the necessity to provide services to the outside world from behind or on the firewall, just turn off everything visible from the outside. Again, if there aren't many people it should be more than adequate to handle the load (although the machine will have to have a little more balls).

IMHO a Linux solution is more flexible and trustworthy, as well as being less costly in this situation.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my employer :-)
-----Original Message-----
From: Frank R. Boecherer [SMTP:frank () computica com]
Sent: Thursday, July 22, 1999 1:36 AM
To: firewall-wizards () nfr net
Subject: Basic Protection

Hi.... this is my first time visiting this list and my first post. I've been a subscriber to a VPN list ( vpn () listserv secnetgroup com ) for some time. I have a question which is firewall related so I was referred here. Since I haven't read all the posts yet, if there are some dealing with my questions, a quick pointer to them would be appreciated.

Thanks
Frank

===========================================================================

I have some clients with NT server (typical vanilla setup) and they want to hook up DSL for Internet access. If NAT or Proxy Server is used, is there enough protection or is a full firewall needed?

To phrase the question another way: How do I allow a client to have fast Internet access for all the workstations without having to spend a lot for firewall protection?

With all I've been reading, it seems like the only secure way to go is with a firewall. But if NAT is used and the IP address of a workstation on the internal network isn't known or available to the outside, is it safe? Does an ISP provide security so that I don't have to worry about it?

Thanks
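
The masquerading gateway described in the reply above, rendered as an added example that is not part of the original thread: an nftables ruleset (a present-day tool that postdates this 1999 post) that drops everything arriving from the outside except sshd and masquerades the internal machines behind one IP. The interface names and the internal prefix are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (constructed). Assumed names: eth0 faces the DSL line,
# eth1 faces the internal hub, 192.168.1.0/24 is the internal network.
# Kernel forwarding must also be enabled: sysctl net.ipv4.ip_forward=1
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define LAN_NET = 192.168.1.0/24

table inet filter {
    chain input {
        # Default deny: nothing on the gateway is reachable unless listed.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        iifname $LAN ip saddr $LAN_NET accept
        # The only service exposed to the outside ("excepting maybe sshd").
        iifname $WAN tcp dport 22 accept
    }
    chain forward {
        # Inside hosts may open connections outward; the outside may only
        # send replies to connections that inside hosts started.
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # ip-masquerading: internal addresses leave as the one public IP.
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

The address translation lives in the `nat` table, while the default-drop `input` and `forward` chains are what actually keep unsolicited outside traffic away from the gateway and the machines behind it.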