Firewall Wizards mailing list archives

RE: Basic Protection


From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Fri, 23 Jul 1999 13:07:11 -0700

Frank,

Your message is a little vague - I'll assume that you have multiple
separate people who want to use one DSL line to connect to a service
provider behind one host and run with it...

In any event, you absolutely _cannot_ depend on your ISP in most cases to
provide your machines - not unless you want to get hacked or DoS'ed.  I've
found that for one person with a few machines, or small groups of people,
throwing an old 486 or low-end Pentium Linux machine doing ip-masquerading
can provide more-than-adequate security for the internal machines, and you
don't need to worry about cost.  Just set it up in front of your NT machine,
turn off every single service accessible to the outside (excepting maybe
sshd ;-), and trail a hub behind it.  It's a surprisingly cheap and
flexible solution for the cost of one IP.  And in the event someone totally
thrashes it, it's not that hard or costly to replace.

Barring that option, there are plenty of ways to lock down a single NT
machine and use something like MS-Proxy or WinGate.  If you don't have the
necessity to provide services to the outside world from behind or on the
firewall, just turn off everything visible from the outside.  Again, if
there aren't many people it should be more than adequate to handle the load
(although the machine will have to have a little more balls).

IMHO a Linux solution is more flexible and trustworthy, as well as being
less costly in this situation.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my employer
:-)

-----Original Message-----
From: Frank R. Boecherer [SMTP:frank () computica com]
Sent: Thursday, July 22, 1999 1:36 AM
To:   firewall-wizards () nfr net
Subject:      Basic Protection

Hi....  this is my first time visiting this list and my first post.  I've
been a subscriber to a VPN list ( vpn () listserv secnetgroup com ) for some
time.  I have a question which is firewall related so I was referred here.
Since I haven't read all the posts yet, if there are some dealing with my
questions, a quick pointer to them would be appreciated.
 
Thanks
 
Frank
 
===========================================================================
I have some clients with NT server (typical vanilla setup) and they want
to hook up DSL for Internet access.  If NAT or Proxy Server is used, is
there enough protection or is a full firewall needed?  To phrase the
question another way: How do I allow a client to have fast Internet access
for all the workstations without having to spend a lot for firewall
protection?
 
With all I've been reading, it seems like the only secure way to go is
with a firewall.  But if NAT is used and the IP address of a workstation
on the internal network isn't known or available to the outside, is it
safe?  Does an ISP provide security so that I don't have to worry about
it?
 
Thanks
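The masquerading gateway Matt recommends above (a Linux box in front of the NT server, every externally reachable service off, internal hosts hidden behind one IP), written out as an added example that is not part of the original thread. It uses modern iptables rather than the ipchains of 1999; the interface names eth0/eth1, the LAN subnet 192.168.1.0/24, the DRY_RUN variable and the choice to allow sshd from the LAN side only are assumptions made for the example. The point it makes about Frank's question is the same one Matt makes: NAT alone hides addresses, but the INPUT and FORWARD policies of DROP are what keep the outside from reaching either the gateway or the inside hosts.

```shell
#!/bin/sh
# Added example (not from the original posts): a minimal Linux masquerading
# gateway with default-deny inbound, using iptables.  Interface names, the
# LAN subnet and the SSH port are assumptions; adjust them for a real box.
#
# Usage:  sh gateway.sh <wan_if> <lan_if> <lan_subnet>
#         DRY_RUN=1 sh gateway.sh eth0 eth1 192.168.1.0/24   # print, don't apply

# Run a command, or print it when DRY_RUN is set, so the rule set can be
# reviewed before it is applied to a live gateway.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gateway_setup() {
    wan="$1"; lan="$2"; lan_net="$3"; ssh_port="${SSH_PORT:-22}"

    # Let the kernel forward packets between the two interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate, then default to DROP: anything not explicitly permitted
    # below never reaches a service on the gateway or a host behind it.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Traffic to the gateway itself: loopback, replies to connections the
    # gateway opened, and SSH from the LAN side only ("excepting maybe sshd").
    # Nothing on the WAN interface is accepted as a new connection.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$lan" -p tcp --dport "$ssh_port" -j ACCEPT

    # Anti-spoofing: a packet arriving from the Internet claiming a LAN
    # source address is never legitimate; drop it before any ACCEPT rule.
    run iptables -A INPUT -i "$wan" -s "$lan_net" -j DROP
    run iptables -A FORWARD -i "$wan" -s "$lan_net" -j DROP

    # Forwarding: inside hosts may initiate outbound; only replies come back.
    run iptables -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Masquerade: rewrite inside source addresses to the one ISP-assigned IP.
    run iptables -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE
}

# Only apply when invoked with arguments, so the file can also be sourced.
if [ $# -ge 3 ]; then
    gateway_setup "$@"
fi
```

Run it once with DRY_RUN=1 and read the output before applying; the two lines worth checking are the INPUT policy (DROP) and the absence of any ACCEPT rule matching `-i eth0` in the INPUT chain, which together are what make "turn off everything visible from the outside" hold even if a service is left listening on the gateway.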
 
