Firewall Wizards mailing list archives
re: NAT for a simple network
From: Mike Hoskins <mike () adept org>
Date: Wed, 13 Aug 2003 18:32:42 -0700 (PDT)
> Date: Tue, 12 Aug 2003 08:37:22 -0400
> From: "Robert E. Martin" <rmartin () fishburne org>
>
> I am setting up a simple network for a small office of 10 machines. The office users will only have internet access. There will be no mail server or web server (yet). Telco will provide DSL. I was thinking that a simple device like a DLINK DI804 or DFL80 would do the job for simple security and minimal overhead and provide for port forwarding for the future web server/mail server.
you may want to browse bugtraq or other archives and see which vendors have had the most reported incidents, etc. you may also want to correlate that with their average response time (if they respond at all). due to the relatively complex nature of these devices (simple in theory, not in practice), they are all prone to have some issues in their past or the future. that's nothing against any one vendor, just a given in my book. noting how vendors respond is often a good selection tool.
> I had thought that NAT at the gateway would be secure enough for a situation like this. With reading the post about Home Appliances, the default is "allow any out", "deny any in" for appliances like this. Does this mean this is "stateful packet inspection"? Are there any thoughts about this?
not just NAT... at a minimum, you'll want to set up (or verify) some basic rules protecting the gateway device itself. many of the DoS and other attacks against these devices stem from remote and/or local traffic being allowed to the device itself. in general, you should verify packets are not allowed to the device from the big bad Internet. you may also want to only allow local access from select IP addresses or subnets. as an example... D-link (and again, many devices have had issues, so i'm not trying to target any one vendor...) has had some recent issues on bugtraq. many of those issues could have been bypassed by simply configuring a few rules on the devices during deployment. allowing packets from random hosts to admin (80, 8000, 8080, etc.), SNMP, TFTP or other ports is most certainly not a good idea.

-mrh
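The rule set Mike describes (nothing from the WAN to the device itself, management only from selected LAN hosts, "allow any out / deny any in" tracked by connection state) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from any D-Link product; the addresses, the admin workstation, the port list and the simplification that inbound packets are evaluated after NAT has mapped them back to the LAN host are all assumptions made for the example.

```python
"""Toy first-match packet filter for a small-office gateway.

Demonstrates the rules discussed in the thread:
  1. nothing arriving on the WAN may be addressed to the device itself
  2. admin/SNMP/TFTP ports on the device are reachable only from listed LAN hosts
  3. LAN hosts may initiate outbound connections (flow is remembered)
  4. WAN traffic is accepted only as a reply to a remembered flow
Everything else is denied.  Addresses below are constructed for the example.
Simplification: inbound WAN packets are assumed to have already been un-NATed,
so their destination is the LAN host, not the gateway's WAN address.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

GW_WAN = ip_address("203.0.113.5")        # assumed WAN address of the gateway
GW_LAN = ip_address("192.168.1.1")        # assumed LAN address of the gateway
LAN = ip_network("192.168.1.0/24")
ADMIN_HOSTS = {ip_address("192.168.1.10")}  # assumed admin workstation
# Ports the reply singles out: web admin variants, SNMP (161/udp), TFTP (69/udp)
DEVICE_PORTS = {80, 8000, 8080, 161, 69}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 0
    proto: str = "tcp"
    iface: str = "wan"   # interface the packet arrives on: "wan" or "lan"


@dataclass
class GatewayFilter:
    # remembered outbound flows: (lan_host, remote, remote_port, proto)
    state: set = field(default_factory=set)

    def evaluate(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        to_device = dst in (GW_WAN, GW_LAN)

        # Rule 1: the device itself is never reachable from the WAN.
        if p.iface == "wan" and to_device:
            return "deny"

        # Rule 2: management ports only from the listed admin hosts;
        # other LAN traffic to the device (e.g. DNS relay) is allowed.
        if p.iface == "lan" and to_device:
            if p.dport in DEVICE_PORTS:
                return "allow" if src in ADMIN_HOSTS else "deny"
            return "allow"

        # Rule 3: LAN hosts may go out anywhere; remember the flow.
        if p.iface == "lan" and src in LAN:
            self.state.add((str(src), str(dst), p.dport, p.proto))
            return "allow"

        # Rule 4: inbound WAN traffic only as a reply to a remembered flow.
        if p.iface == "wan" and (str(dst), str(src), p.sport, p.proto) in self.state:
            return "allow"

        return "deny"


def demo() -> dict:
    """Run a handful of constructed packets through the filter."""
    f = GatewayFilter()
    cases = {
        "wan_to_admin": Packet("198.51.100.7", "203.0.113.5", 8080),
        "wan_to_snmp": Packet("198.51.100.7", "203.0.113.5", 161, proto="udp"),
        "admin_host_to_ui": Packet("192.168.1.10", "192.168.1.1", 80, iface="lan"),
        "other_host_to_ui": Packet("192.168.1.23", "192.168.1.1", 80, iface="lan"),
        "lan_to_dns_relay": Packet("192.168.1.23", "192.168.1.1", 53, proto="udp", iface="lan"),
        "lan_outbound": Packet("192.168.1.23", "198.51.100.7", 443, sport=50000, iface="lan"),
        "reply_to_outbound": Packet("198.51.100.7", "192.168.1.23", 50000, sport=443),
        "unsolicited_inbound": Packet("198.51.100.9", "192.168.1.23", 50000, sport=443),
    }
    # Order matters: the outbound packet must be seen before its reply.
    return {name: f.evaluate(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Rule 1 sits first so that a WAN packet aimed at an admin port never reaches the state lookup, which is the ordering mistake that lets "allow established" rules undercut the device-protection rules on real appliances.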