Clive (Guest)
Posted: Wed Jan 12, 2005 2:10 am
Subject: Does anyone get hits on their firewall

I have 3 PCs connected to 2mb broadband via a Netgear router. All the PCs
have ZoneAlarm installed. I never see any intrusions on any of the PCs.
Is this normal and is this all because of the router? If so, what is the
point of a software firewall?
Thanks
Clive

Juergen Nieveler (Guest)
Posted: Wed Jan 12, 2005 2:49 am
Subject: Re: Does anyone get hits on their firewall

"Clive" <someone@nospam.com> wrote:

> I have 3 PCs connected to 2mb broadband via a Netgear router. All the
> PCs have ZoneAlarm installed. I never see any intrusions on any of
> the PCs.
> Is this normal and is this all because of the router? If so, what is
> the point of a software firewall?

You're using a router that does NAT? Then it's easy to explain - your
router wasn't configured to route incoming connections, so nothing is
coming in, therefore nothing can hit those software firewalls.
NAT isn't nearly as secure as a packet filter, but it will protect you
at least from normal internet worms and the dumber variety of script
kiddies.
Juergen Nieveler
--
Computers don't laugh at a three-and-a-half-inch floppy

henry (Guest)
Posted: Wed Jan 12, 2005 2:50 am
Subject: Re: Does anyone get hits on their firewall

If you have a Netgear router, then that is a firewall itself. And to
answer your question, no, there is no point in having a software firewall,
unless to provide extra functionality such as content filtering, active
e-mail scanning, etc. But if your software firewall is just blocking
access from other machines, then that is pointless.
If you have a private IP address (like 10. or 192.168.), which is
probably the case with that Netgear device, then by definition no
machines from the outside can talk to your machines--the outside world
can only see the Netgear box, and it won't relay communications to any
of the machines on your LAN unless you specifically configure it to do
so. The only way the outside world can talk to your PCs (for example
when accessing websites) is when you initiate that communication by
accessing a website, a newsgroup server, etc. The Netgear box will relay
that session for you and pass responses back to your PC. This is done
with connection tracking utilizing NAT.

Clive wrote:
> I have 3 PCs connected to 2mb broadband via a Netgear router. All the PCs
> have ZoneAlarm installed. I never see any intrusions on any of the PCs.
> Is this normal and is this all because of the router? If so, what is the
> point of a software firewall?
> Thanks
> Clive

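The connection-tracking behaviour henry describes (an outbound flow is recorded, the reply is translated back to the PC that started it, anything else is dropped unless an explicit port forward exists) as an added, runnable model. This is example code written for this page, not code from the thread or from any Netgear firmware; the router's WAN address, the LAN hosts, the remote peers and the port-forward entry are all constructed for the demo from documentation address ranges.

```python
"""Toy stateful NAT box modelling the behaviour described in the post above.

Added example, not code from the thread or from any router firmware.
WAN_IP, the LAN/remote addresses and the port forward are constructed;
the WAN port allocator starts at an arbitrary value.
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"   # assumed public address of the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatBox:
    """Port-address translation with a connection-tracking table."""

    def __init__(self, port_forwards=None):
        # Static inbound mappings the administrator configured: wan_port -> (lan_ip, lan_port).
        # Empty by default: without one, nothing from outside is delivered unsolicited.
        self.port_forwards = dict(port_forwards or {})
        # Dynamic state created by outbound traffic: wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> Internet: remember the flow, rewrite the source to the WAN address."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for wan_port, known in self.table.items():
            if known == flow:
                break
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.table[wan_port] = flow
        return Packet(WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> router. Returns the packet as delivered to the LAN, or None if dropped."""
        state = self.table.get(pkt.dst_port)
        # Connection tracking: the reply must come from the peer the LAN host talked to.
        # A bare port mapping without this check would let any host hit the open WAN port.
        if state and state[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, state[0], state[1], pkt.proto)
        forward = self.port_forwards.get(pkt.dst_port)
        if forward:
            return Packet(pkt.src_ip, pkt.src_port, forward[0], forward[1], pkt.proto)
        return None  # no state, no forward: the LAN host never sees it, so no PFW "hit"


def demo():
    """Run the scenarios from the thread and return what reached the LAN."""
    nat = NatBox()
    web = nat.outbound(Packet("192.168.1.2", 51000, "198.51.100.80", 80))
    results = {
        "translated_src": (web.src_ip, web.src_port),
        # Reply to the tracked flow: translated back to the originating PC.
        "reply": nat.inbound(Packet("198.51.100.80", 80, WAN_IP, web.src_port)),
        # Unsolicited SMB probe from the Internet: no state, dropped at the router.
        "scan": nat.inbound(Packet("198.51.100.66", 4444, WAN_IP, 445)),
        # Third party aiming at the live WAN port but not the tracked peer: also dropped.
        "wrong_peer": nat.inbound(Packet("198.51.100.66", 80, WAN_IP, web.src_port)),
    }
    # The one case in which an outside host reaches a PC: an explicit port forward.
    # Whoever created it (the owner, or someone who reconfigured the router), the LAN host sees it.
    exposed = NatBox(port_forwards={8080: ("192.168.1.3", 80)})
    results["forwarded"] = exposed.inbound(Packet("198.51.100.66", 4444, WAN_IP, 8080))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

demo() returns what reached the LAN in each scenario; running the file prints them. The peer check in inbound() is the "connection tracking" part: a translator that keyed on the WAN port alone would have delivered the wrong_peer packet to the PC.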
Leythos (Guest)
Posted: Wed Jan 12, 2005 3:06 am
Subject: Re: Does anyone get hits on their firewall

In article <3RXEd.7582$7k5.3072@fe37.usenetserver.com>,
info@intellitree.com says...
> If you have a Netgear router, then that is a firewall itself. And to
> answer your question, no, there is no point in having a software firewall,
> unless to provide extra functionality such as content filtering, active
> e-mail scanning, etc. But if your software firewall is just blocking
> access from other machines, then that is pointless.

Only partially correct, it's not a firewall at all, it's a NAT device.
NAT works by allowing outbound connections and blocking inbound traffic
that is not requested by a computer INSIDE the network. That's not even
close to being a firewall, but it is a very good first line of defense
for home users.
Having a personal firewall allows you to see if your NAT device is
working and if your machines have been compromised by some hostile
application (virus type).
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

henry (Guest)
Posted: Wed Jan 12, 2005 3:35 am
Subject: Re: Does anyone get hits on their firewall

Our only conflict, I think, is in definitions. Technically I guess you
are right that NAT is an advanced routing feature and not a firewall...
I forget that I am posting on c.s.firewall where the definition of
"firewall" will be strictly enforced, so my apologies :).
With regards to utilizing a personal firewall to detect malicious
applications, I believe I did identify that type of functionality as one
of value, but I would call that a content filter or transparent proxy (in
that it scans packets for strings rather than applying rules based on
protocol, port, source and destination addresses). Would you call Snort
a firewall? As for the pure firewalling function that a personal
firewall with a default config utilizes, it is probably going to block
inbound access to all ports except for connections with state of
CONNECTED,ESTABLISHED--which, as I am sure you will agree, is exactly
what the NAT application provides.

Leythos wrote:
> In article <3RXEd.7582$7k5.3072@fe37.usenetserver.com>,
> info@intellitree.com says...
>> If you have a Netgear router, then that is a firewall itself. And to
>> answer your question, no, there is no point in having a software firewall,
>> unless to provide extra functionality such as content filtering, active
>> e-mail scanning, etc. But if your software firewall is just blocking
>> access from other machines, then that is pointless.
> Only partially correct, it's not a firewall at all, it's a NAT device.
> NAT works by allowing outbound connections and blocking inbound traffic
> that is not requested by a computer INSIDE the network. That's not even
> close to being a firewall, but it is a very good first line of defense
> for home users.
> Having a personal firewall allows you to see if your NAT device is
> working and if your machines have been compromised by some hostile
> application (virus type).

tivo-guy (Guest)
Posted: Wed Jan 12, 2005 4:31 am
Subject: Re: Does anyone get hits on their firewall

"Clive" <someone@nospam.com> wrote in message
news:rhXEd.8608$GG1.4057@text.news.blueyonder.co.uk...
> I have 3 PCs connected to 2mb broadband via a Netgear router. All the PCs
> have ZoneAlarm installed. I never see any intrusions on any of the PCs.
> Is this normal and is this all because of the router?

Yes, it's normal for a network with a NAT router.

> If so, what is the point of a software firewall?

No point at all IMHO.

Wolfgang Kueter (Guest)
Posted: Wed Jan 12, 2005 5:11 am
Subject: Re: Does anyone get hits on their firewall

Clive wrote:
> I have 3 PCs connected to 2mb broadband via a Netgear router. All the PCs
> have ZoneAlarm installed. I never see any intrusions on any of the PCs.

Pretty normal setup.

> Is this normal and is this all because of the router?

Yes.

> If so, what is the point of a software firewall?

The point is that the mentioned tools are completely useless crap.
Wolfgang

Leythos (Guest)
Posted: Wed Jan 12, 2005 5:53 am
Subject: Re: Does anyone get hits on their firewall

In article <tvYEd.7586$7k5.5205@fe37.usenetserver.com>,
info@intellitree.com says...
> Would you call Snort a firewall?

I was under the impression that Snort was an IDS solution?
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

henry (Guest)
Posted: Wed Jan 12, 2005 6:44 am
Subject: Re: Does anyone get hits on their firewall

Of course. It's not a firewall; that's my point. But it can be used as a
security tool to cause the network to block hosts or networks that
exhibit malicious behavior.
My point is the benefits of a "Software Firewall" you described are no
more "firewall" functions than Snort is. You called me to task that NAT
is not a firewall, well, neither is content filtering.
In Clive's situation, he has no need for a software firewall because his
*router* provides the same features that a software firewall would
provide. The only possible reason to have a firewall on his internal
host would be if he were running some kind of server and thus opened a
port to his internal machine. If he did this, he might want to apply
rules to the traffic that flows to that port.
You mentioned that a software firewall is useful to make sure his NAT is
working??? How can NAT *not* work? If it's not working, then the internal
hosts wouldn't have access to the outside world, not that the internal
LAN would somehow become vulnerable.
And how is a software firewall going to allow you to see if your
machines have been compromised? That is a whole different issue from
firewalls. The only thing I can assume you are talking about there is,
again, content filtering--watching the wire and checking for patterns.
That's NIDS, that's Snort, not firewalling.

Leythos wrote:
> In article <tvYEd.7586$7k5.5205@fe37.usenetserver.com>,
> info@intellitree.com says...
>> Would you call Snort a firewall?
> I was under the impression that Snort was an IDS solution?

Leythos (Guest)
Posted: Wed Jan 12, 2005 7:19 am
Subject: Re: Does anyone get hits on their firewall

In article <Lf%Ed.8100$7k5.6228@fe37.usenetserver.com>,
info@intellitree.com says...
> In Clive's situation, he has no need for a software firewall because his
> *router* provides the same features that a software firewall would
> provide.

If you look at NIS or ZoneAlarm they provide more than "Content"
filtering, they can block ports, block subnets, block inbound from
specific IP, block outbound by port (unconditional), block outbound by
application, block outbound to an IP.... That's a lot more than what you
just described.

> You mentioned that a software firewall is useful to make sure his NAT is
> working??? How can NAT *not* work? If it's not working, then the internal
> hosts wouldn't have access to the outside world, not that the internal
> LAN would somehow become vulnerable.

If your router were to be compromised, which has happened on the Linksys
units with default settings, the router can have ports forwarded that
you were unaware of. The only way to know about it is if your PFW
detects inbound traffic - which you would not notice without.
There is also the idea that the implementation of NAT on the router may
not include SPI, and there could be any number of exploits that were not
fixed/closed (ever read the firmware update texts from D-Link, Linksys,
Netgear?). You can't detect something getting in unless you run a PFW or
IDS system.

> And how is a software firewall going to allow you to see if your
> machines have been compromised? That is a whole different issue from
> firewalls. The only thing I can assume you are talking about there is,
> again, content filtering--watching the wire and checking for patterns.
> That's NIDS, that's Snort, not firewalling.

Unless the compromised system gains control of the PFW, there is a good
chance that the user will be alerted to outbound traffic unless they've
misconfigured the PFW or opened too many holes in it prior to the
compromise.
Since products like ZoneAlarm and NIS call their products firewalls, and
they do indeed act as firewalls (on the personal level), I have no
problem calling them firewalls - they contain extra features that are
also documented, but the product is a firewall. The blocking features
based on ports alone are enough to alert people to their systems being
compromised - imagine you watching the real-time logs showing outbound
port 25 sessions, seeing 100 per minute, and then determining that port
25 is SMTP, then determining that your computer is SENDING EMAIL, but
knowing that you're not actually sending email via Outlook, that would
be enough to alert most people that they have a virus with its own SMTP
engine - and we all know that you can't block outbound SMTP for people
that use POP/SMTP services of their ISP. Without the firewall running
the router would never give them an indication of the problem, and the
AV software might not catch it for several days.
When I run a typical NAT device I always enable the logs and have a
system that saves them (typically I use WallWatcher for these cheap
systems) and it's very easy to see when a virus has infected a machine
with something that spams/attacks the internet. The same would be true
for a firewall app, even if it didn't block the traffic, as long as the
user could monitor the traffic - which is part of every firewall
appliance and app on the market.
As for taking you to task, not so, I was being nice, I just get tired of
people being sucked into the marketing hype of home routers (with NAT)
being firewalls.
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

henry (Guest)
Posted: Wed Jan 12, 2005 8:39 am
Subject: Re: Does anyone get hits on their firewall

Before I start this reply, I just want to say that I consider this
completely friendly and I hope you do as well....

Leythos wrote:
> In article <Lf%Ed.8100$7k5.6228@fe37.usenetserver.com>,
> info@intellitree.com says...
>> In Clive's situation, he has no need for a software firewall because his
>> *router* provides the same features that a software firewall would
>> provide.
> If you look at NIS or ZoneAlarm they provide more than "Content"
> filtering, they can block ports, block subnets, block inbound from
> specific IP, block outbound by port (unconditional), block outbound by
> application, block outbound to an IP.... That's a lot more than what you
> just described.

Again, blocking incoming traffic is irrelevant because there will be no
incoming traffic with a NAT, other than packets whose state is
established or connected, and those would be allowed regardless.
As far as outbound traffic, OK. If you want to restrict your own
machine's outbound traffic that would be a valid application and would be
a firewall operation. I don't think that type of thing is a feature that
Clive is concerned about, or most users.

>> You mentioned that a software firewall is useful to make sure his NAT is
>> working??? How can NAT *not* work? If it's not working, then the internal
>> hosts wouldn't have access to the outside world, not that the internal
>> LAN would somehow become vulnerable.
> If your router were to be compromised, which has happened on the Linksys
> units with default settings, the router can have ports forwarded that
> you were unaware of. The only way to know about it is if your PFW
> detects inbound traffic - which you would not notice without.

I think this argument is a reach. Getting hacked is a separate issue,
and "noticing" it isn't a firewall operation anyway, it's a monitoring
issue...see my comments later regarding traffic monitoring...

> There is also the idea that the implementation of NAT on the router may
> not include SPI, and there could be any number of exploits that were not
> fixed/closed (ever read the firmware update texts from D-Link, Linksys,
> Netgear?). You can't detect something getting in unless you run a PFW or
> IDS system.

Even without SPI, incoming traffic still won't reach internal hosts. If
someone SYN floods you, or whatnot, the victim of the attack, as with
any attack on your LAN, will be the router--which is the point behind
having one in the first place.

>> And how is a software firewall going to allow you to see if your
>> machines have been compromised? That is a whole different issue from
>> firewalls. The only thing I can assume you are talking about there is,
>> again, content filtering--watching the wire and checking for patterns.
>> That's NIDS, that's Snort, not firewalling.
> Unless the compromised system gains control of the PFW, there is a good
> chance that the user will be alerted to outbound traffic unless they've
> misconfigured the PFW or opened too many holes in it prior to the
> compromise.
> Since products like ZoneAlarm and NIS call their products firewalls, and
> they do indeed act as firewalls (on the personal level), I have no
> problem calling them firewalls

I have no problem calling them firewalls either... but all the valuable
features of them you have identified in a network address translated LAN
environment are their non-firewall features! My original point was, as a
pure *firewall* they are pointless with NAT.

> - they contain extra features that are
> also documented, but the product is a firewall. The blocking features
> based on ports alone are enough to alert people to their systems being
> compromised - imagine you watching the real-time logs showing outbound
> port 25 sessions, seeing 100 per minute, and then determining that port
> 25 is SMTP, then determining that your computer is SENDING EMAIL, but
> knowing that you're not actually sending email via Outlook, that would
> be enough to alert most people that they have a virus with its own SMTP
> engine - and we all know that you can't block outbound SMTP for people
> that use POP/SMTP services of their ISP. Without the firewall running
> the router would never give them an indication of the problem, and the
> AV software might not catch it for several days.
> When I run a typical NAT device I always enable the logs and have a
> system that saves them (typically I use WallWatcher for these cheap
> systems) and it's very easy to see when a virus has infected a machine
> with something that spams/attacks the internet. The same would be true
> for a firewall app, even if it didn't block the traffic, as long as the
> user could monitor the traffic - which is part of every firewall
> appliance and app on the market.

All this that you just described is traffic monitoring, not firewalling.
Again, a great use and application of packages like Snort.
Take your example of watching outgoing SMTP traffic and knowing you are
not sending mail. It is funny because I have been in this exact
situation when a customer got a virus that turned one of their PCs into
a spam server. It isn't firewall software that lets you see outgoing
SMTP connections at all, it's packet sniffing. In that situation I
plugged into their LAN with my laptop and ran packalyzer to quickly see
which machine on the LAN was the offending host. Would a personal
firewall have prevented that machine from getting infected? Of course
not! That's not what firewalls do, that's what anti-virus software does.
I never use personal firewalls, but I am assuming you are talking about
little apps like Norton Internet Security that shows a little alert box
come up when an outgoing message is sent. That may very well be a handy
app for some people, but it's not a firewall, it's traffic monitoring.
A firewall is a box with rules that it applies to packets as they
traverse its networking stack. Based on these rules, it decides if it
will allow the packet yes or no--that's it. And with that definition, we
must realize that a NATted private LAN with no servers has no such need
for an application like this on its internal machines (unless we want
to block outgoing packets, as I conceded earlier).
And, with Clive's original question and his original need.... No, he
doesn't need a personal firewall because he already has, as you were
so good to correct me, a router that prevents his machines from being
accessed from the outside world.
If he is concerned that the NAT architecture alone might not be enough
to keep him secure, he might benefit from installing tools that provide
any number of the services we have been discussing: content filtering,
traffic monitoring, transparent proxy, etc., none of which are firewalls.

> As for taking you to task, not so, I was being nice, I just get tired of
> people being sucked into the marketing hype of home routers (with NAT)
> being firewalls.

No harm no foul; I won't make the mistake again when talking about NAT
routers and firewalls....
Henry

Leythos (Guest)
Posted: Wed Jan 12, 2005 8:58 am
Subject: Re: Does anyone get hits on their firewall

In article <WX0Fd.8115$7k5.2886@fe37.usenetserver.com>,
info@intellitree.com says...
> Before I start this reply, I just want to say that I consider this
> completely friendly and I hope you do as well....

I'm always a nice person when I post, I assumed we were here to talk
with each other too. Never even thought of this as confrontational.

> Leythos wrote:
>> In article <Lf%Ed.8100$7k5.6228@fe37.usenetserver.com>,
>> info@intellitree.com says...
>>> In Clive's situation, he has no need for a software firewall because his
>>> *router* provides the same features that a software firewall would
>>> provide.
>> If you look at NIS or ZoneAlarm they provide more than "Content"
>> filtering, they can block ports, block subnets, block inbound from
>> specific IP, block outbound by port (unconditional), block outbound by
>> application, block outbound to an IP.... That's a lot more than what you
>> just described.
> Again, blocking incoming traffic is irrelevant because there will be no
> incoming traffic with a NAT, other than packets whose state is
> established or connected, and those would be allowed regardless.

And I described a problem with those NAT devices that allowed remote web
sites to reconfigure the routers to provide inbound access and even
change the password. With the PFW the inbound traffic would be detected,
even if the user ignored it.

> As far as outbound traffic, OK. If you want to restrict your own
> machine's outbound traffic that would be a valid application and would be
> a firewall operation. I don't think that type of thing is a feature that
> Clive is concerned about, or most users.

I don't think he cares either, unless he starts learning more about
firewalls and security. One thing people could do, when running a PFW,
is to block outbound ports 135~139 and 445, and to block outbound SMTP
except to their email server. Those two things would help a lot, and a
NAT box won't help them with that (unless they have added features
beyond just NAT).

>>> You mentioned that a software firewall is useful to make sure his NAT is
>>> working??? How can NAT *not* work? If it's not working, then the internal
>>> hosts wouldn't have access to the outside world, not that the internal
>>> LAN would somehow become vulnerable.
>> If your router were to be compromised, which has happened on the Linksys
>> units with default settings, the router can have ports forwarded that
>> you were unaware of. The only way to know about it is if your PFW
>> detects inbound traffic - which you would not notice without.
> I think this argument is a reach. Getting hacked is a separate issue,
> and "noticing" it isn't a firewall operation anyway, it's a monitoring
> issue...see my comments later regarding traffic monitoring...

I see getting hacked as the only issue - with or without a router, the
personal firewall lets users know if something has "reached" their
system, even if they ignore it. Monitoring is something that all
firewalls do and something that all firewall owners should be doing.

>> There is also the idea that the implementation of NAT on the router may
>> not include SPI, and there could be any number of exploits that were not
>> fixed/closed (ever read the firmware update texts from D-Link, Linksys,
>> Netgear?). You can't detect something getting in unless you run a PFW or
>> IDS system.
> Even without SPI, incoming traffic still won't reach internal hosts. If
> someone SYN floods you, or whatnot, the victim of the attack, as with
> any attack on your LAN, will be the router--which is the point behind
> having one in the first place.

Again, if the router has an exploit or flaw, or is compromised, then the
intruder WILL be able to reach the internal network - and without a PFW
application (or IDS) the user will have no clue until it's too late.

>>> And how is a software firewall going to allow you to see if your
>>> machines have been compromised? That is a whole different issue from
>>> firewalls. The only thing I can assume you are talking about there is,
>>> again, content filtering--watching the wire and checking for patterns.
>>> That's NIDS, that's Snort, not firewalling.
>> Unless the compromised system gains control of the PFW, there is a good
>> chance that the user will be alerted to outbound traffic unless they've
>> misconfigured the PFW or opened too many holes in it prior to the
>> compromise.
>> Since products like ZoneAlarm and NIS call their products firewalls, and
>> they do indeed act as firewalls (on the personal level), I have no
>> problem calling them firewalls
> I have no problem calling them firewalls either... but all the valuable
> features of them you have identified in a network address translated LAN
> environment are their non-firewall features! My original point was, as a
> pure *firewall* they are pointless with NAT.

I'll give it this - I have a number of small clients running strictly
behind SOHO units (like Linksys, D-Link, Netgear) and they don't run any
PFW software at all. I do have the logs shipped to me every evening and
run them through a script which identifies ANYTHING that made it through
to the LAN, and anything that went out more than X times from each
outbound destination port. Without the logs and monitoring I would have
installed a PFW like Tiny or Kerio and locked down the settings.

>> - they contain extra features that are
>> also documented, but the product is a firewall. The blocking features
>> based on ports alone are enough to alert people to their systems being
>> compromised - imagine you watching the real-time logs showing outbound
>> port 25 sessions, seeing 100 per minute, and then determining that port
>> 25 is SMTP, then determining that your computer is SENDING EMAIL, but
>> knowing that you're not actually sending email via Outlook, that would
>> be enough to alert most people that they have a virus with its own SMTP
>> engine - and we all know that you can't block outbound SMTP for people
>> that use POP/SMTP services of their ISP. Without the firewall running
>> the router would never give them an indication of the problem, and the
>> AV software might not catch it for several days.
>> When I run a typical NAT device I always enable the logs and have a
>> system that saves them (typically I use WallWatcher for these cheap
>> systems) and it's very easy to see when a virus has infected a machine
>> with something that spams/attacks the internet. The same would be true
>> for a firewall app, even if it didn't block the traffic, as long as the
>> user could monitor the traffic - which is part of every firewall
>> appliance and app on the market.
> All this that you just described is traffic monitoring, not firewalling.
> Again, a great use and application of packages like Snort.

But every firewall I've installed or owned, not the NAT systems or the
PFWs, includes the ability to SEE the traffic in real time. I've never
installed / used a firewall system that didn't offer it. That's not IDS,
it's watching the firewall do its work.

> Take your example of watching outgoing SMTP traffic and knowing you are
> not sending mail. It is funny because I have been in this exact
> situation when a customer got a virus that turned one of their PCs into
> a spam server.

Me too - a sorority called me before the ISP kicked them off the net. I
installed a Linksys router with NAT between their network and the ISP's
DSL line - logs to my laptop (with a firewall running on it) and found
the spamming internal IP in a couple of seconds, then did a name resolution
on the PC and asked which girl was running a computer named "xxxx" -
took 5 minutes to shut it down. This year they gave us the contract for
the entire sorority....

> It isn't firewall software that lets you see outgoing
> SMTP connections at all, it's packet sniffing.

This is where we're not going to agree on the exact definition - my
firewalls (and I'm talking about WatchGuard, PIX, etc...) let me see the
inbound and outbound traffic while performing their firewalling job -
you can't firewall without inspecting the traffic.

> In that situation I
> plugged into their LAN with my laptop and ran packalyzer to quickly see
> which machine on the LAN was the offending host. Would a personal
> firewall have prevented that machine from getting infected? Of course
> not! That's not what firewalls do, that's what anti-virus software does.

Possibly. If the only SMTP program is supposed to be OE or Outlook, then
any other program using SMTP might generate an alert - while I would not
call it a firewall feature, it's included as a feature in most of the
firewall products for personal use. So, the firewall product would most
likely detect it, although the user might have allowed it, so the
detection might be meaningless.

> I never use personal firewalls, but I am assuming you are talking about
> little apps like Norton Internet Security that shows a little alert box
> come up when an outgoing message is sent. That may very well be a handy
> app for some people, but it's not a firewall, it's traffic monitoring.

Actually, it's NAV not NIS that scans the email, and it does all
outbound and inbound SMTP / POP traffic - the corporate edition of
Symantec AV 9 does SMTP, POP, Notes, and even Exchange sessions too. I
do not consider a single service protection application (like email) to
be a firewall product. The fact that NIS has other tools does not limit
its use as a personal firewall (or ZoneAlarm, or others).
When I take one of our laptops onsite I always enable the personal
firewall, and have it fully block everything, even the local subnet,
then I open ports based on need and only after understanding what I'm
allowing. I've been on more than one compromised government and corporate
network where they didn't know until the PFW detected the rogue traffic.

> A firewall is a box with rules that it applies to packets as they
> traverse its networking stack. Based on these rules, it decides if it
> will allow the packet yes or no--that's it. And with that definition, we
> must realize that a NATted private LAN with no servers has no such need
> for an application like this on its internal machines (unless we want
> to block outgoing packets, as I conceded earlier).

But I don't see it that way. If I want to know what's happening on my
network, and I have two devices - the NAT router and the laptop, then
the only way I can be sure what's happening is to run that PFW on the
laptop and also monitor the logs (in real time) from the router.

> And, with Clive's original question and his original need.... No, he
> doesn't need a personal firewall because he already has, as you were
> so good to correct me, a router that prevents his machines from being
> accessed from the outside world.

Yes, I agree, he's very unlikely to need the PFW with the router in
place, but, if he wanted to have that second layer of security, the PFW
is a good choice. As he found, running a PFW on a NAT network means that
the PFW doesn't do a lot, but it's there in case something goes wrong.
An example would be one of the kids opening a port and mapping it to
their machine, then after a couple of DHCP lease changes the port is now
mapped to Clive's machine - which would detect it via the PFW - so now
he can go slap his kid around :)

> If he is concerned that the NAT architecture alone might not be enough
> to keep him secure, he might benefit from installing tools that provide
> any number of the services we have been discussing: content filtering,
> traffic monitoring, transparent proxy, etc., none of which are firewalls.

I agree and understand, but, those features are found in most of the
firewall appliances and personal firewall applications on the market,
so, it's hard to separate them from the firewall packages.

>> As for taking you to task, not so, I was being nice, I just get tired of
>> people being sucked into the marketing hype of home routers (with NAT)
>> being firewalls.
> No harm no foul; I won't make the mistake again when talking about NAT
> routers and firewalls....

I'm too old to get angry on Usenet, been here since the early 80's and
use it more than the web.
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

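The log review Leythos describes in this post and the one before it (a flood of outbound port 25 sessions from one PC, a nightly script that flags anything that made it through to the LAN and anything that went out more than X times per destination port, and the outbound 135-139/445 and SMTP-only-to-the-mail-server rules) as an added, offline example over a constructed log. This is not Leythos's script and not the Netgear or WallWatcher log format: the line format, the addresses (documentation ranges), the assumed ISP relay MAIL_SERVER, the burst threshold and every sample line are made up here for the demo.

```python
"""Offline triage of a NAT router's connection log, as an added example.

Not Leythos's script; the log format is invented for this demo (not
Netgear's or WallWatcher's). MAIL_SERVER is an assumed ISP relay and
SAMPLE_LOG is constructed: normal browsing, one legitimate mail
submission, one dropped probe, one inbound session that reached a LAN
host, one outbound SMB session, one malformed line, and 120 outbound
SMTP sessions from a single PC inside one minute.
"""
import re
from collections import Counter

MAIL_SERVER = "198.51.100.250"              # assumed: the only legitimate SMTP destination
WORM_PORTS = {135, 136, 137, 138, 139, 445}  # outbound use of these has no business leaving a home LAN
BURST_THRESHOLD = 20                         # new sessions per (host, destination port, minute)

LOG_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (?P<dir>IN|OUT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$"
)

SAMPLE_LOG = [
    "2005-01-12 07:19:02 OUT tcp 192.168.1.2:3201 -> 198.51.100.80:80 ACCEPT",
    "2005-01-12 07:19:04 OUT tcp 192.168.1.2:3202 -> 198.51.100.250:25 ACCEPT",  # mail via the ISP relay
    "2005-01-12 07:19:05 IN tcp 203.0.113.77:4444 -> 203.0.113.10:445 DROP",     # unsolicited, stopped at the router
    "2005-01-12 07:19:09 IN tcp 203.0.113.77:4445 -> 192.168.1.3:80 ACCEPT",     # reached a LAN host: a forward exists
    "2005-01-12 07:19:11 OUT tcp 192.168.1.4:3300 -> 198.51.100.9:445 ACCEPT",   # SMB leaving the LAN
    "garbage line the parser must skip",
] + [
    f"2005-01-12 07:20:{i % 60:02d} OUT tcp 192.168.1.5:{20000 + i} -> 198.51.100.{i + 1}:25 ACCEPT"
    for i in range(120)
]


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        yield rec


def inbound_accepted(records):
    """Anything from the Internet that the router actually passed to a LAN host."""
    return [r for r in records if r["dir"] == "IN" and r["action"] == "ACCEPT"]


def outbound_bursts(records, threshold=BURST_THRESHOLD):
    """(LAN host, destination port, minute) combinations with more than `threshold` new sessions."""
    counts = Counter(
        (r["src"], r["dport"], r["minute"])
        for r in records
        if r["dir"] == "OUT" and r["action"] == "ACCEPT"
    )
    return {key: n for key, n in counts.items() if n > threshold}


def egress_policy_hits(records):
    """Outbound sessions a PFW egress rule (no 135-139/445, SMTP only to MAIL_SERVER) would have blocked."""
    return [
        (r["src"], r["dst"], r["dport"])
        for r in records
        if r["dir"] == "OUT" and r["action"] == "ACCEPT"
        and (r["dport"] in WORM_PORTS or (r["dport"] == 25 and r["dst"] != MAIL_SERVER))
    ]


def report(lines=SAMPLE_LOG):
    """Run the three checks over a log and return their findings."""
    records = list(parse(lines))
    return {
        "parsed": len(records),
        "inbound_accepted": [(r["src"], r["dst"], r["dport"]) for r in inbound_accepted(records)],
        "bursts": outbound_bursts(records),
        "egress_hits": len(egress_policy_hits(records)),
    }


if __name__ == "__main__":
    for name, finding in report().items():
        print(f"{name}: {finding}")
```

report() returns the findings; on the sample log the inbound check names the one session that reached 192.168.1.3 (which the NAT box alone would never surface to the user), the burst check isolates 192.168.1.5 sending 120 SMTP sessions in a minute, and the egress check counts that traffic plus the SMB session as what a host-level outbound rule would have stopped. The threshold is per minute and per destination port so a PC that legitimately opens many HTTP connections does not trip it.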
Leythos
Guest
Posted: Wed Jan 12, 2005 9:41 am Post subject: Re: Does anyone get hits on their firewall
In article <wS1Fd.8118$7k5.256@fe37.usenetserver.com>,
info@intellitree.com says...
| Quote: | Other than our definitions for a few types of applications, I don't
think that we really disagree. You are coming from the perspective of
application suites while I am coming from the perspective of individual
services and their functions. I am a Linux guy, and when I think
firewall, I think Iptables. While Iptables does have LOG and ULOG
targets to track packets that match criteria, other applications are far
better suited to get a picture of the traffic that is occurring on a
network. Iptables does firewall rules, Snort does NIDS and packet
sniffing, ntop tells me the current traffic that is happening recently, etc.
In any case, it was fun chatting with you on this. I just came to this
newsgroup hoping to get some feedback regarding the maximum allowable number
of iptables rules, and thought I'd answer some other people's questions I
saw while I was here. Clive, I hope you got the answer you wanted out of
all this!
|
It's nice that you mention the above. I'm in the process of learning FC3
so that I can start providing lower cost servers and/or workstations to
clients. We're mostly an MS based shop/solutions provider, and while we
don't have any issues with viruses or hacks or malware on any of our
clients' networks, it would be nice to install a Linux server for
file/printer sharing (with user level file security) in place of a 2003
server.
While I'm a BIG WatchGuard fan, I'm starting to set up FC3 RH Linux boxes
and IPTables was one of the next areas I was going to look into - but I
want to run IPTables on a much smaller distribution than FC3 - something
that is very stripped down. Any ideas for that?
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
henry
Guest
Posted: Wed Jan 12, 2005 9:41 am Post subject: Re: Does anyone get hits on their firewall
Other than our definitions for a few types of applications, I don't
think that we really disagree. You are coming from the perspective of
application suites while I am coming from the perspective of individual
services and their functions. I am a Linux guy, and when I think
firewall, I think Iptables. While Iptables does have LOG and ULOG
targets to track packets that match criteria, other applications are far
better suited to get a picture of the traffic that is occurring on a
network. Iptables does firewall rules, Snort does NIDS and packet
sniffing, ntop tells me the current traffic that is happening recently, etc.
In any case, it was fun chatting with you on this. I just came to this
newsgroup hoping to get some feedback regarding the maximum allowable number
of iptables rules, and thought I'd answer some other people's questions I
saw while I was here. Clive, I hope you got the answer you wanted out of
all this!
Best regards,
Henry
henry
Guest
Posted: Wed Jan 12, 2005 10:16 am Post subject: Re: Does anyone get hits on their firewall
Leythos wrote:
| Quote: | In article <wS1Fd.8118$7k5.256@fe37.usenetserver.com>,
info@intellitree.com says...
Other than our definitions for a few types of applications, I don't
think that we really disagree. You are coming from the perspective of
application suites while I am coming from the perspective of individual
services and their functions. I am a Linux guy, and when I think
firewall, I think Iptables. While Iptables does have LOG and ULOG
targets to track packets that match criteria, other applications are far
better suited to get a picture of the traffic that is occurring on a
network. Iptables does firewall rules, Snort does NIDS and packet
sniffing, ntop tells me the current traffic that is happening recently, etc.
In any case, it was fun chatting with you on this. I just came to this
newsgroup hoping to get some feedback regarding the maximum allowable number
of iptables rules, and thought I'd answer some other people's questions I
saw while I was here. Clive, I hope you got the answer you wanted out of
all this!
It's nice that you mention the above. I'm in the process of learning FC3
so that I can start providing lower cost servers and/or workstations to
clients. We're mostly an MS based shop/solutions provider, and while we
don't have any issues with viruses or hacks or malware on any of our
clients' networks, it would be nice to install a Linux server for
file/printer sharing (with user level file security) in place of a 2003
server.
While I'm a BIG WatchGuard fan, I'm starting to set up FC3 RH Linux boxes
and IPTables was one of the next areas I was going to look into - but I
want to run IPTables on a much smaller distribution than FC3 - something
that is very stripped down. Any ideas for that?
|
This is a subject that I have lots of opinions on :) I was originally a
big Red Hat fan, and then an FC fan, but my distro of choice now is Gentoo.
It is far better; once you learn portage and realize that you can
install a complete application suite with one command, you'll be a
believer. That's a discussion for another newsgroup though...
In your quest for a stripped down distro to be a firewall, this is a
very good idea and there are many distros whose purpose is just that.
One of the best ideas is live CD firewall distros. These are Linux based
firewalls whose entire OS is loaded from a CD and are set up to be a
firewall. This is a list of almost all of the Linux Live CD distros:
http://www.frozentech.com/content/livecd.php
If you search by primary function you can scroll down to see those
distros whose purpose is to be a firewall.
I actually do use Gentoo as most of my firewalls even though it is way
overkill. One of my projects is to make my own Live CD distro that is
designed to be a firewall, DHCP, DNS, network/traffic monitoring, and
remote access VPN solution, whose config is 100% generated from a MySQL
database that can be loaded via a USB pen drive, flash card, or even
securely over the web.
I do highly recommend learning iptables. Iptables is just the userland
application that controls the firewall rules of Linux 2.4, and now 2.6,
kernels. The networking ability of the 2.6 kernel is just amazing.
Firewall applications that run on Windows are limited by the core of
Windows, which is not even in the same universe, imho, as where the
Linux kernel is at right now.
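An added example, not from anyone in this thread, of the LOG target henry mentions and of why the "hits" Clive never sees on his PFWs show up on the NAT box instead: a minimal iptables ruleset for a hypothetical Linux NAT router (assumed eth0 on the WAN side, eth1 on the LAN 192.168.1.0/24) that logs unsolicited inbound packets before dropping them, plus an awk tally of constructed sample kernel log lines by destination port.

```shell
# Added example (not from the thread). Assumed hypothetical layout:
# eth0 = WAN interface, eth1 = LAN interface, LAN = 192.168.1.0/24.

# Print (do not apply) the rules. Unsolicited inbound packets on the WAN side
# hit the rate-limited LOG rule and then the DROP policy, so the NAT box's
# own kernel log records the "hits" that a PFW behind NAT never sees.
# Run the output as root on a Linux box to apply it.
fw_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Summarize iptables LOG lines read from stdin (as found in /var/log/messages
# or dmesg): count hits per destination port, most-hit port first.
# Lines without our log prefix are ignored.
fw_hits_by_port() {
    awk '/FW-DROP-IN:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) { split($i, a, "="); n[a[2]]++ }
         }
         END { for (p in n) printf "%s %d\n", p, n[p] }' | sort -k2,2nr -k1,1n
}

# Constructed sample log lines shaped like real iptables LOG output
# (documentation-range addresses; the last line is deliberately unrelated).
SAMPLE_LOG='Jan 12 02:10:01 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4242 DF PROTO=TCP SPT=3201 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 12 02:10:03 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=4243 DF PROTO=TCP SPT=1151 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 12 02:10:07 gw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4244 DF PROTO=TCP SPT=3202 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 12 02:10:09 gw kernel: unrelated message DPT=22'

# Tally the sample: prints "445 2" then "135 1".
printf '%s\n' "$SAMPLE_LOG" | fw_hits_by_port
```

On a real box the same tally runs as `grep FW-DROP-IN /var/log/messages | fw_hits_by_port`, which is the router-side view Leythos describes monitoring.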