Message-ID: <D89E9C009C6E5B4381DCBE89CA703CEE02EF9C9F@MI8NYCMAIL04.Mi8.com>
From: pwicks at oxygen.com (James Patterson Wicks)
Subject: Re: January 15 is Personal Firewall Day, help the cause
>Richard said "Linksys and Netgear. They only let thru packets from the
>outside world which are in response to packets originating from inside the
>LAN. That's how NAT routers work."

I understand how these NAT routers work. The problem is that these
routers also let OUT all packets originating from the PC or network
WITHOUT discretion. Sooooo, if you are using Internet Explorer and
happen upon a page with malicious code that the router is not equipped
to look at, you can catch all sorts of little nasties (that problem in
IE has not been patched for two months). If that malicious site happens
to drop in a little Trojan, your whole network can be compromised. Your
NAT router works at Layer 3. You still need a personal firewall or
proxy system that looks at as many layers as possible. You need
something like Sygate Personal Firewall that alerts you when an
application or process that you have not approved tries to go OUT to the
Internet from your PC.

The newer NAT routers work in conjunction with software firewalls like
Zone Alarm, but they still are not as effective as having a software
firewall running on your system. Software firewalls receive frequent
updates that help defeat new threats that appear almost weekly. Router
firmware updates come every quarter or so.

At home I had a Linksys router, locked it down pretty good with
additional custom rules (so I thought). I was surprised to see the type
of messages that popped up when I installed a software firewall. I
finally broke down and bought a Cisco 501 hardware firewall.

So this is what I have at home: The Linksys is still on the network,
but it does not perform NAT. It mainly acts as a perimeter router
trying to keep the spoofers at bay. Static NAT is now performed by the
Cisco 501 firewall, on which I placed a very restrictive set of access
lists and some nice IDS rules. Norton Internet Security 2003 runs on
all the PC's. Mozilla is the browser on the three PC's and Linux
system. All Microsoft critical updates are installed on the PC's. The
PC's also have Ad-Aware 6.0 installed from Download.com. For a home
network, this is about as secure as I plan on taking it.

Linksys Router - $80
Cisco Pix 501 firewall - $400
Norton Internet Security 2003 for three PC's - $180
(Linux system does not have commercial firewall installed)
Ad-Aware 6 - $0
Mozilla browser - $0
Total implementation time - About four hours
Knowing that it's going to take some real effort to compromise my
network without detection - priceless.

Is my home network hack-proof? Of course not! Will some snot-nosed
script kiddie running blind scans happen upon my network and enter
undetected? Not bloody likely. I still apply patches and test my home
defenses from time to time, but I think that I have a decent setup for
now. Can some of the people who read and post to this thread break
through my defenses? I think that some might be able to, which is why I
am sending this message from a friend's house :)

Bottom line, computer security is a process, not a product. This is why
there is a layered approach to security. You watch the doors on the way
in and on the way out (sometimes twice). You also have to watch the
people authorized to operate within your environment.

Makes you wonder why we even bother sometimes. Oh well, time to go look
at some new Britney Spears photos ;)

-----Original Message-----
From: Richard M. Smith [mailto:rms@...puterbytesman.com]
Sent: Thursday, January 15, 2004 10:22 PM
To: James Patterson Wicks
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

Linksys and Netgear. They only let thru packets from the outside world
which are in response to packets originating from inside the LAN. That's
how NAT routers work.

Richard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of James Patterson Wicks
Sent: Thursday, January 15, 2004 9:33 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

A router that protects you from "Future security holes in the Windows
networking software", huh? I would love a router like that! The thing
is, Cisco, Symantec, Network Associates and Trend Micro have joined
forces to try to do what you say your router is doing already. Tell me,
what does this router have?

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Richard M. Smith
Sent: Thursday, January 15, 2004 6:28 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

I run a NAT router box at my house which acts as a hardware firewall for my
home LAN. It protects me from the following problems:

- Messenger popup spam
- RPC worms
- Accidentally sharing a disk directory with the world
- Future security holes in the Windows networking software

This type of firewall seems like a bargain to me. I would use one of these
router boxes even if I had only one computer to connect to the Internet.

Richard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Brandon Butterworth
Sent: Thursday, January 15, 2004 2:10 PM
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

> I just wanted to remind everybody that tomorrow is Personal Firewall Day.

Yuk.

Whilst I support people taking care of their security I rank personal
firewalls on the same level as virus detection.

They don't fix the real problems and lead to a dependency culture of
constant upgrades (if people bother) and alternative vendor sales fud
....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
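
The distinction argued in this thread, as an added example that is not part of any poster's message: a stateful NAT router admits only replies to flows that began inside the LAN but forwards every outbound packet, while a per-application egress check on the host is where an unapproved process gets noticed. The class names, addresses and process names are constructed, and address rewriting is left out so that only the forward/drop decision is modelled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    process: str = ""  # known on the originating PC only, never to the router

@dataclass
class NatRouter:
    """Connection tracking only: outbound flows are recorded, never judged."""
    flows: set = field(default_factory=set)

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return "forward"  # the router cannot see which program sent this

    def inbound(self, p):
        # A reply is the reversed 4-tuple of a flow that started inside.
        key = (p.dst, p.dport, p.src, p.sport)
        return "forward" if key in self.flows else "drop"

@dataclass
class HostFirewall:
    """Per-application egress allowlist evaluated on the PC itself."""
    approved: set

    def outbound(self, p):
        return "allow" if p.process in self.approved else "alert"

def run(packets_out, packets_in, approved):
    router, host = NatRouter(), HostFirewall(approved)
    # Each outbound packet is judged by the host check and, separately, the router.
    out = [(p.process, host.outbound(p), router.outbound(p)) for p in packets_out]
    return out, [router.inbound(p) for p in packets_in]

# Constructed sample traffic (documentation address ranges).
PC = "192.168.1.10"
SAMPLE_OUT = [Packet(PC, 40001, "203.0.113.5", 80, "mozilla"),
              Packet(PC, 40002, "198.51.100.9", 443, "unapproved.exe")]
SAMPLE_IN = [Packet("203.0.113.5", 80, PC, 40001),    # reply to the browser
             Packet("198.51.100.9", 443, PC, 40002),  # reply to unapproved.exe
             Packet("192.0.2.77", 135, PC, 135)]      # unsolicited inbound

if __name__ == "__main__":
    for row in zip(*run(SAMPLE_OUT, SAMPLE_IN, {"mozilla"})):
        print(row)
```
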