Help with a no-NAT configuration with firewalls?

Guest

Archived from groups: comp.security.firewalls

Help,

I have a customer who requires a 'NO NAT' configuration of the router and
that every PC has a public IP address.... (I don't make the rules, I just work
to them!!!)

What firewall protection would you guys recommend, and why, to protect the
desktops from hackers/vulnerabilities?


Many thanks



John
 
Guest

In article <40c42506$0$4588$db0fefd9@news.zen.co.uk>, "Manchester IT"
<info@(remove)manchesterit.com> says...
> Help,
>
> I have a customer who requires a 'NO NAT' configuration of the router and
> that every PC has a public IP address.... (I don't make the rules just work
> to them!!!)
>
> What firewall protection would you guys recommend and why to protect the
> desktops from hackers/vulnerabilities?

Install a real firewall appliance, not a generic router, that permits
"drop-in" mode and easy-to-configure rules.

1) Do not allow ALL outbound; configure outbound services specific to
each computer's needs.

2) Do not allow ALL inbound, only inbound for what is specifically
needed - in most cases you won't allow any inbound.

You are going to have to watch the firewall monitor in real time to see
what they are doing - most rules are easy to determine: DNS, HTTP,
HTTPS, POP, SMTP, FTP, NTP, NNTP, PING, TRACEROUTE, WHOIS.... All
of these are things you want to let OUTBOUND in most cases (SMTP only if
they actually have an external server for mail - if internal server then
only allow SMTP from the server)...

I've yet to see a company that actually needs a public IP, what are they
doing that requires it?

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest

remove wrote:

> Help,
>
> I have a customer who requires a 'NO NAT' configuration of the router and
> that every PC has a public IP address.... (I don't make the rules just
> work to them!!!)

Sometimes one finds such a setup.

> What firewall protection would you guys recommend and why to protect the
> desktops from hackers/vulnerabilities?

Do not allow any incoming connection attempts. Allow all those outgoing
connections that are required. Syntax depends on the router model.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
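The two replies above say the same thing in different words: in drop-in (transparent) mode, default-deny inbound, and allow outbound only per service, with SMTP restricted to the mail server. The thread's own device is a WatchGuard Firebox, whose rule syntax is not shown here. What follows is an added example, not from any poster and not WatchGuard configuration: the same policy written as an nftables ruleset for a Linux box acting as a transparent bridge. It assumes a bridge `br0` joining `eth0` (ISP/router side) and `eth1` (LAN side), a customer block of 203.0.113.0/24 (a documentation prefix), a mail server at 203.0.113.25, a LAN host 203.0.113.50 that must reach a booking-agency service at 198.51.100.40 on TCP 443 (all constructed placeholders), and a kernel of 5.3 or newer so that connection tracking works in the bridge family.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread or from WatchGuard.
# Transparent ("drop-in") filter: br0 bridges eth0 (ISP side) and eth1 (LAN).
# LAN hosts keep their public addresses; nothing is translated.
# Assumed: 203.0.113.0/24 is the customer block, 203.0.113.25 the mail server,
# 203.0.113.50 the host that talks to the booking agency at 198.51.100.40:443,
# kernel >= 5.3 for conntrack in the bridge family.
flush ruleset

table bridge dropin {
    # Hosts allowed to originate SMTP (the internal mail server only).
    set mail_hosts {
        type ipv4_addr
        elements = { 203.0.113.25 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # A bridge carries ARP as well as IP; with a drop policy the LAN would
        # lose its default gateway, so pass ARP explicitly.
        ether type arp accept

        # Replies to connections the LAN opened come back through here.
        ct state established,related accept
        ct state invalid drop

        # LAN -> Internet: per-service allow list, everything else dropped.
        iifname "eth1" oifname "eth0" ip saddr 203.0.113.0/24 jump outbound

        # Internet -> LAN: no unsolicited inbound. The chain exists so that a
        # single rule can be added later for a service that really needs it.
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.0/24 jump inbound
    }

    chain outbound {
        udp dport 53 accept                               # DNS
        tcp dport 53 accept                               # DNS over TCP
        tcp dport { 80, 443 } accept                      # HTTP, HTTPS
        tcp dport { 110, 995, 143, 993 } accept           # POP3/IMAP, plain and TLS
        udp dport 123 accept                              # NTP
        tcp dport 119 accept                              # NNTP
        tcp dport 43 accept                               # WHOIS
        tcp dport 21 accept                               # FTP control channel
        ip protocol icmp icmp type echo-request accept    # ping
        udp dport 33434-33523 accept                      # traceroute UDP probes
        # SMTP only from the mail server, as advised above.
        ip saddr @mail_hosts tcp dport 25 accept
        # Host-specific rule for the booking-agency service (assumed addresses).
        ip saddr 203.0.113.50 ip daddr 198.51.100.40 tcp dport 443 accept
        log prefix "dropin-out-drop: " drop
    }

    chain inbound {
        # Deliberately empty apart from logging: default-deny inbound.
        log prefix "dropin-in-drop: " drop
    }
}
```

Load it with `nft -f` and then watch `dmesg` or the kernel log for the `dropin-out-drop:` prefix while users work; that is the "watch the monitor in real time" step, and each logged drop becomes either a new allow line or a confirmed block. Two caveats worth knowing before cutover: the bridge interface itself should carry no public address (manage the box from a separate interface, since only the `forward` hook is filtered here), and if the LAN also runs IPv6, neighbour discovery is ICMPv6 and would need its own accept rules or the hosts will lose their router the same way they would lose ARP.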
 

Mike

"Manchester IT" <info@(remove)manchesterit.com> wrote in message
news:40c42506$0$4588$db0fefd9@news.zen.co.uk...
> Help,
>
> I have a customer who requires a 'NO NAT' configuration of the router and
> that every PC has a public IP address.... (I don't make the rules just
> work to them!!!)
>
> What firewall protection would you guys recommend and why to protect the
> desktops from hackers/vulnerabilities?

I concur with what Wolfgang and Leythos are saying. I would add:-

Ask them to explain their reasoning for why they need a public IP on each PC.
If their explanation seems flawed, then either:-
1. Put them right
2. Get them to sign away any recourse to you should the whole thing fall over
3. (My preferred solution) Walk away. Some customers you are just better off
without.

Regards


Mike
 

jp

Thanks Guys,

I have a bit of client confidentiality that I need to maintain..... but they
use a piece of software/service supplied by a booking agency, and it's the
booking agency that is forcing the no-NAT configuration. -(Stupid
buggers)

We are currently using a NATed configuration fine.... but for the 'no NAT'
we will be looking, as one of the earlier posts suggested, at a WatchGuard
Firebox in 'drop in' mode.

Staying on board means I don't leave them blindfolded in a minefield playing
hopscotch; so we can only educate, and move forward as the client's arm is
forced behind their back.... as a good friend of mine said, "we can only work
with what they send us".



cheers for the advice


John



"Mike" <nospam@notherematey.com> wrote in message
news:ca28jd$o8a$1@thorium.cix.co.uk...
>
> "Manchester IT" <info@(remove)manchesterit.com> wrote in message
> news:40c42506$0$4588$db0fefd9@news.zen.co.uk...
> > Help,
> >
> > I have a customer who requires a 'NO NAT' configuration of the router
> > and that every PC has a public IP address.... (I don't make the rules
> > just work to them!!!)
> >
> > What firewall protection would you guys recommend and why to protect the
> > desktops from hackers/vulnerabilities?
>
> I concur with what Wolfgang and Leythos are saying. I would add:-
>
> Ask them to explain their reasoning why they need public IP on each PC. If
> their explanation seems flawed, then either:-
> 1. Put them right
> 2. Get them to sign away any recourse to you should the whole thing fall
> over
> 3. (My preferred solution) Walk away. Some customers you are just better
> off without.
>
> Regards
>
>
> Mike
>
>
 

Mike

"jp" <johnpdwilliams@hotmail.com> wrote in message
news:40c4daf1$0$4580$db0fefd9@news.zen.co.uk...
> Thanks Guys,
>
> I have a bit of client confidentiality that i need to maintain..... but
> they use a piece of software/service supplied by a booking agency, and it's
> the booking agency that is forcing for the no nat configuration. -(Stupid
> buggers)
>
> We are currently using a nat'ed configuration fine.... but for the 'no
> nat' we will be looking as one of the earlier posts at a watchguard firebox
> in 'drop in' mode.
>
> Staying on board means i don't leave them blindfolded in a minefield
> playing hopscotch; so we can only educate, and move forward as the clients
> arm is forced behind their back....as a good friend of mine said "we can
> only work with what they send us"

That's fair enough and makes sense to me. The WatchGuard is a good, solid
decision you won't regret.
 