DSL, Proxy and Recommendations

Archived from groups: comp.security.firewalls (More info?)

My current configuration looks like this.

Local Active Directory server running DNS, IIS, SQL Server 2000.
Four to five clients, all XP.
Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
This machine has two NIC's, one for the local LAN, and the other for the
Internet connection which is protected by black ice, and shared by winproxy.

I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
WAP for internal networking.

I'd like to dump the firewall machine and use the modem's firewall
abilities.

My question is...Can I do this? And is this modem powerful enough to provide
protection so that I don't need protection on my individual PC's?

BV.
  1.

    In article <2jb2hhFvsknsU1@uni-berlin.de>,
    BVremove@tibetanbeefgarden.com says...
    > My current configuration looks like this.
    >
    > Local Active Directory server running DNS, IIS, SQL Server 2000.
    > Four to five clients, all XP.
    > Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
    > This machine has two NIC's, one for the local LAN, and the other for the
    > Internet connection which is protected by black ice, and shared by winproxy.
    >
    > I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
    > WAP for internal networking.
    >
    > I'd like to dump the firewall machine and use the modem's firewall
    > abilities.
    >
    > My question is...Can I do this? And is this modem powerful enough to provide
    > protection so that I don't need protection on my individual PC's?

    Are you providing inbound connections to the server or workstations from
    the internet?

    If you are not providing any inbound connections, then a simple NAT
    router is a start, but I would consider a real appliance in place of a
    NAT device for an office/business network.

    Several things come to mind here:

    1) Wireless, hope that you've disabled the SSID broadcast, enabled WEP,
    changed the default SSID, changed the default channel, are not using the
    default subnet of 192.168.1 or 192.168.0 on your network. Use the 128Bit
    key, set up filtering based on MAC address too.

    2) Antivirus software - never run a server (Windows) without it, always
    have it on the client systems too. Symantec Small business Edition 8.1
    is cheap and works great on your platforms.

    3) Your modem does not have a firewall, it's a NAT device. Never rely on
    the ISP's hardware unless you and only you have control of it (not the
    ISP). You can have them provide a public IP and then you take it from
    there - do your own NAT or firewall, don't trust them to maintain it
    for you.

    4) Network subnet - change it from the default to something like
    192.168.10.0/24. This keeps you out of the default networks space that
    most routers/nat provide and makes it easier in case you ever implement
    VPN tunnels from home/office to this location.

    5) If you purchase a linksys router, make sure that it has logging still
    built into it and download a utility called WallWatcher - this will let
    you monitor ALL inbound and outbound traffic by IP/Port so that you can
    see if anything has/is happening on your network - great place to see if
    you've got a worm/backdoor that people are using - or to track employees
    that are screwing off on company time.

    If you go with a firewall appliance, there are many choices, but they
    are not cheap, but you get what you pay for in most cases.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  2.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b3a220d57de0f8898a648@news-server.columbus.rr.com...
    > In article <2jb2hhFvsknsU1@uni-berlin.de>,
    > BVremove@tibetanbeefgarden.com says...
    > > My current configuration looks like this.
    > >
    > > Local Active Directory server running DNS, IIS, SQL Server 2000.
    > > Four to five clients, all XP.
    > > Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
    > > This machine has two NIC's, one for the local LAN, and the other for the
    > > Internet connection which is protected by black ice, and shared by winproxy.
    > >
    > > I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
    > > WAP for internal networking.
    > >
    > > I'd like to dump the firewall machine and use the modem's firewall
    > > abilities.
    > >
    > > My question is...Can I do this? And is this modem powerful enough to provide
    > > protection so that I don't need protection on my individual PC's?
    >
    > Are you providing inbound connections to the server or workstations from
    > the internet?

    No. The server is purely for development purposes. We publish to a public
    server for production releases.

    > If you are not providing any inbound connections, then a simple NAT
    > router is a start, but I would consider a real appliance in place of a
    > NAT device for a office/business network.
    >
    > Several things come to mind here:
    >
    > 1) Wireless, hope that you've disabled the SSID broadcast, enabled WEP,
    > changed the default SSID, changed the default channel, are not using the
    > default subnet of 192.168.1 or 192.168.0 on your network. Use the 128Bit
    > key, setup filtering based on MAC address too.

    SSID is disabled if I remember correctly. WEP is not enabled, but we have
    MAC filtering set up.

    > 2) Antivirus software - never run a server (Windows) without it, always
    > have it on the clients systems too. Symantec Small business Edition 8.1
    > is cheap and works great on your platforms.

    On all machines already.

    > 3) Your modem does not have a firewall, it's a NAT device. Never rely on
    > the ISP's hardware unless you and only you have control of it (not the
    > ISP). You can have them provide a public IP and then you take it from
    > there - do your own NAT or firewall, don't trust them to maintain it
    > for you.

    As far as I know Verizon does nothing to configure this, it's all on my end.

    > 4) Network subnet - change it from the default to something like
    > 192.168.10.0/24. This keeps you out of the default networks space that
    > most routers/nat provide and makes it easier in case you ever implement
    > VPN tunnels from home/office to this location.

    Done from day one, we use 172.x.x.x.

    > 5) If you purchase a linksys router, make sure that it has logging still
    > built into it and download a utility called WallWatcher - this will let
    > you monitor ALL inbound and outbound traffic by IP/Port so that you can
    > see if anything has/is happening on your network - great place to see if
    > you've got a worm/backdoor that people are using - or to track employees
    > that are screwing off on company time.

    So if I understand correctly, I could buy a LinkSys Router, plug the modem
    into that and then the WAP and potentially the switch into that for the
    LAN?

    > If you go with a firewall appliance, there are many choices, but they
    > are not cheap, but you get what you pay for in most cases.

    Understood.

    BV.
  3.

    In article <2jb4u3FuvuneU1@uni-berlin.de>,
    BVremove@tibetanbeefgarden.com says...
    > > 5) If you purchase a linksys router, make sure that it has logging still
    > > built into it and download a utility called WallWatcher - this will let
    > > you monitor ALL inbound and outbound traffic by IP/Port so that you can
    > > see if anything has/is happening on your network - great place to see if
    > > you've got a worm/backdoor that people are using - or to track employees
    > > that are screwing off on company time.
    >
    > So if I understand correctly, I could buy a LinkSys Router, plug the modem
    > into that and then the WAP and potentially the switch into that for the
    > LAN?

    I'm assuming that your WAP does not also act as a DHCP server, so, if
    you connect as follows:

    DSL MODEM
    |
    ROUTER/NAT
    | | |
    Switch WAP Other
    ||||||
    Systems


    Then you can do as you like.

    You might want to get a Linksys unit that has VPN or Firewall features,
    some of them accept up to 20 IPSEC tunnels and others have the ability
    to block sites, active-x, etc...


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  4.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b3a3378dde516d098a64a@news-server.columbus.rr.com...
    > In article <2jb4u3FuvuneU1@uni-berlin.de>,
    > BVremove@tibetanbeefgarden.com says...
    > > > 5) If you purchase a linksys router, make sure that it has logging still
    > > > built into it and download a utility called WallWatcher - this will let
    > > > you monitor ALL inbound and outbound traffic by IP/Port so that you can
    > > > see if anything has/is happening on your network - great place to see if
    > > > you've got a worm/backdoor that people are using - or to track employees
    > > > that are screwing off on company time.
    > >
    > > So if I understand correctly, I could buy a LinkSys Router, plug the modem
    > > into that and then the WAP and potentially the switch into that for the
    > > LAN?
    >
    > I'm assuming that your WAP does not also act as a DHCP server, so, if
    > you connect as follows:

    No. I have DHCP on my AD server, but that is only for when laptops are
    brought in from the outside. All of our clients have hard IP's. It's a small
    network, so it's manageable.

    >
    > DSL MODEM
    > |
    > ROUTER/NAT
    > | | |
    > Switch WAP Other
    > ||||||
    > Systems
    >
    >
    > Then you can do as you like.
    <snip>

    This is exactly what I was anticipating doing. I just don't know enough
    about the hardware to know about its safety. With my current implementation
    I can check the proxy logs for outgoing, and I can check the black ice logs
    for incoming traffic. It would be nice to have all of this in one area.
    Would probably be easier to configure and maintain.

    BV.
  5.

    "Benign Vanilla" <BVremove@tibetanbeefgarden.com> wrote in message
    news:2jb2hhFvsknsU1@uni-berlin.de...
    > My current configuration looks like this.
    >
    > Local Active Directory server running DNS, IIS, SQL Server 2000.
    > Four to five clients, all XP.
    > Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
    > This machine has two NIC's, one for the local LAN, and the other for the
    > Internet connection which is protected by black ice, and shared by winproxy.
    >
    > I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
    > WAP for internal networking.
    >
    > I'd like to dump the firewall machine and use the modem's firewall
    > abilities.

    Keep your firewall machine. A computer using some kind of software
    firewall, such as WinProxy or WebWasher, is better than any hardware
    firewall.
  6.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b3a220d57de0f8898a648@news-server.columbus.rr.com...
    > In article <2jb2hhFvsknsU1@uni-berlin.de>,
    > BVremove@tibetanbeefgarden.com says...
    > > My current configuration looks like this.
    > >
    > > Local Active Directory server running DNS, IIS, SQL Server 2000.
    > > Four to five clients, all XP.
    > > Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
    > > This machine has two NIC's, one for the local LAN, and the other for the
    > > Internet connection which is protected by black ice, and shared by winproxy.
    > >
    > > I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
    > > WAP for internal networking.
    > >
    > > I'd like to dump the firewall machine and use the modem's firewall
    > > abilities.
    > >
    > > My question is...Can I do this? And is this modem powerful enough to provide
    > > protection so that I don't need protection on my individual PC's?
    >
    > Are you providing inbound connections to the server or workstations from
    > the internet?
    >
    > If you are not providing any inbound connections, then a simple NAT
    > router is a start, but I would consider a real appliance in place of a
    > NAT device for a office/business network.
    >
    > Several things come to mind here:
    >
    > 1) Wireless, hope that you've disabled the SSID broadcast, enabled WEP,
    > changed the default SSID, changed the default channel, are not using the
    > default subnet of 192.168.1 or 192.168.0 on your network. Use the 128Bit
    > key, setup filtering based on MAC address too.
    >
    > 2) Antivirus software - never run a server (Windows) without it, always
    > have it on the clients systems too. Symantec Small business Edition 8.1
    > is cheap and works great on your platforms.

    If you are using a server, such as an ICS box, like I do, you only need
    to install antivirus protection on the ICS box. On my home network,
    I only have it installed on the ICS box, because that is the only machine
    that needs it. None of the client machines sitting behind the ICS box
    need it, because I have it on the ICS box. As long as your ICS box
    is protected by antivirus software, that would be enough.

    An ICS box, running Tiny Personal Firewall, can do a lot more than
    a hardware firewall.
  7.

    In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
    @comcast.net.do.not.spam.me says...
    > >
    > > 2) Antivirus software - never run a server (Windows) without it, always
    > > have it on the clients systems too. Symantec Small business Edition 8.1
    > > is cheap and works great on your platforms.
    >
    > If you are using a server, such as an ICS box, like I do, you only need
    > to install antivirus protection on the ICS box. On my home network,
    > I only have it installed on the ICS box, because that is the only machine
    > that needs it. None of the client machines sitting behind the ICS box
    > need it, because I have it on the ICS box. As long as your ICS box
    > is protected by antivirus software, that would be enough.

    Wrong, you can still get infected on the local workstation as it passes
    through the ICS box. The files that you download from the net are
    streams that are not processed as files on the ICS box, they are passed
    to the local workstations without being scanned by the ICS box.

    > An ICS box, running Tiny Personal Firewall, can do a lot more than
    > a hardware firewall.

    I love tiny for my laptop, but you've got a lot to learn. Tiny on a
    gateway is not anywhere near as powerful as a real firewall appliance.
    You need to quit associating NAT Routers with a Firewall - they are not
    firewalls, never have been, and never will be, they are strictly NAT
    routers with added features that marketing types then call Firewalls.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  8.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b3bbe205d5cdfb298a655@news-server.columbus.rr.com...
    > In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
    > @comcast.net.do.not.spam.me says...
    > > >
    > > > 2) Antivirus software - never run a server (Windows) without it, always
    > > > have it on the clients systems too. Symantec Small business Edition 8.1
    > > > is cheap and works great on your platforms.
    > >
    > > If you are using a server, such as an ICS box, like I do, you only need
    > > to install antivirus protection on the ICS box. On my home network,
    > > I only have it installed on the ICS box, because that is the only machine
    > > that needs it. None of the client machines sitting behind the ICS box
    > > need it, because I have it on the ICS box. As long as your ICS box
    > > is protected by antivirus software, that would be enough.
    >
    > Wrong, you can still get infected on the local workstation as it passes
    > through the ICS box. The files that you download from the net are
    > streams that are not processed as files on the ICS box, they are passed
    > to the local workstations without being scanned by the ICS box.
    >
    > > An ICS box, running Tiny Personal Firewall, can do a lot more than
    > > a hardware firewall.
    >
    > I love tiny for my laptop, but you've got a lot to learn. Tiny on a
    > gateway is not anywhere near as powerful as a real firewall appliance.
    > You need to quit associating NAT Routers with a Firewall - they are not
    > firewalls, never have been, and never will be, they are strictly NAT
    > routers with added features that marketing types then call Firewalls.

    However, Tiny can do one thing that a hardware NAT cannot. Take
    the anonymous Australian chap that was bragging about how his online
    reporter friend was logging onto chat rooms without her employer
    knowing. If they were running Tiny on the gateway machine to their
    network, the admins would have instantly been notified. Any activity
    not defined in the ruleset instantly generates a message on the screen
    to the network admin. The admins would have instantly known what
    she was up to. A hardware firewall would not be able to do that.
    If they had been using Tiny, or any kind of software firewall, they would
    have immediately been notified and would have been able to block it
    right away.
    If I had been the admin of that network, I would have known
    immediately what was going on, because I would have been using
    Tiny, or some other software firewall, and would have instantly
    been alerted.
  9.

    Charles Newman wrote:

    > Keep your firewall machine. A computer using some kind of software
    >firewall, such as WinProxy or WebWasher is better than any hardware
    >firewall.

    Now you're just trolling.
  10.

    In article <3aGdnSWUo5YO10_dRVn2hg@comcast.com>, charlesnewman1
    @comcast.net.do.not.spam.me says...
    >
    > "Leythos" <void@nowhere.com> wrote in message
    > news:MPG.1b3bbe205d5cdfb298a655@news-server.columbus.rr.com...
    > > In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
    > > @comcast.net.do.not.spam.me says...
    > > > >
    > > > > 2) Antivirus software - never run a server (Windows) without it, always
    > > > > have it on the clients systems too. Symantec Small business Edition 8.1
    > > > > is cheap and works great on your platforms.
    > > >
    > > > If you are using a server, such as an ICS box, like I do, you only need
    > > > to install antivirus protection on the ICS box. On my home network,
    > > > I only have it installed on the ICS box, because that is the only machine
    > > > that needs it. None of the client machines sitting behind the ICS box
    > > > need it, because I have it on the ICS box. As long as your ICS box
    > > > is protected by antivirus software, that would be enough.
    > >
    > > Wrong, you can still get infected on the local workstation as it passes
    > > through the ICS box. The files that you download from the net are
    > > streams that are not processed as files on the ICS box, they are passed
    > > to the local workstations without being scanned by the ICS box.
    > >
    > > > An ICS box, running Tiny Personal Firewall, can do a lot more than
    > > > a hardware firewall.
    > >
    > > I love tiny for my laptop, but you've got a lot to learn. Tiny on a
    > > gateway is not anywhere near as powerful as a real firewall appliance.
    > > You need to quit associating NAT Routers with a Firewall - they are not
    > > firewalls, never have been, and never will be, they are strictly NAT
    > > routers with added features that marketing types then call Firewalls.
    >
    > However, Tiny can do one thing that a hardware NAT cannot. Take
    > the anonymous Australian chap that was bragging about how his online
    > reporter friend was logging onto chat rooms without her employer not
    > knowing. If they were running Tiny on the gateway machine to their
    > network, the admins would have instantly been notified. Any activity
    > not defined in the ruleset instantly generates a message on the screen
    > to the network admin. The admins would have instantly known what
    > she was up to. A hardware firewall would not be able to do that.

    Every hardware or software firewall I know of can do that - you need to
    understand the difference between a firewall and router with NAT. NAT
    Routers are NOT NOT NOT NOT NOT Firewalls.

    In most cases, the firewall rules (of real firewalls, soft or hard) are
    set up to NOT allow anything out that is not specifically permitted. Most
    hardware firewalls also have real-time monitoring GUIs that can show
    every source/destination connection in real time. Any web connection
    that stays longer than a couple minutes is most likely something other
    than a web connection, as web sites basically lose the connection once
    the information has been fetched - an IRC type program would maintain the
    connection, as would some of the tunnel type connections. It's very easy
    to see.

    > If they had been using Tiny, or any kind of software firewall, they would
    > have immediately been notified would have been able to block it
    > right away.

    If they had been running any firewall they would have seen it - again, a
    router is not a firewall.

    Now, as for routers - some of them provide logging, you can monitor the
    logs, import them into a spreadsheet, then run a macro on them to
    determine length of time a user was at any location, and if a location
    has X number of hits - then you can easily see what people in your
    network are doing.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
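
The log review described in the post above (time spent at each destination and hit counts per destination), as an added Python example that is not part of the original thread. The log line layout, the thresholds and all addresses are constructed assumptions, not the output format of any particular router or of WallWatcher.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed layout per line:
#   date time direction source-ip destination-ip destination-port
SAMPLE_LOG = """\
2004-06-18 09:00:05 OUT 172.16.0.21 198.51.100.7 80
2004-06-18 09:00:07 OUT 172.16.0.21 198.51.100.7 80
2004-06-18 09:00:40 OUT 172.16.0.21 198.51.100.7 80
2004-06-18 09:01:00 OUT 172.16.0.22 203.0.113.50 80
2004-06-18 09:04:00 OUT 172.16.0.22 203.0.113.50 80
2004-06-18 09:08:00 OUT 172.16.0.22 203.0.113.50 80
2004-06-18 09:12:00 OUT 172.16.0.22 203.0.113.50 80
2004-06-18 09:15:30 OUT 172.16.0.22 203.0.113.50 80
2004-06-18 09:20:00 IN 192.0.2.200 172.16.0.10 445
2004-06-18 10:00:00 OUT 172.16.0.23 192.0.2.99 80
2004-06-18 11:30:00 OUT 172.16.0.23 192.0.2.99 80
truncated line from a dropped syslog packet
"""

# Assumed thresholds; tune them to the network being reviewed.
IDLE_GAP = timedelta(minutes=5)     # a longer silence starts a new visit
LONG_VISIT = timedelta(minutes=10)  # "length of time at a location" worth a look
MANY_HITS = 5                       # "X number of hits" worth a look


def parse_line(line):
    """Return (timestamp, src, dst, port) for an outbound entry, else None."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "OUT":
        return None  # inbound, truncated or otherwise malformed line
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        port = int(parts[5])
    except ValueError:
        return None
    return ts, parts[3], parts[4], port


def _visit(src, dst, port, stamps):
    """Summarise one run of hits from a host to a destination."""
    return {
        "src": src,
        "dst": dst,
        "port": port,
        "start": stamps[0],
        "duration": stamps[-1] - stamps[0],
        "hits": len(stamps),
    }


def build_visits(log_text, idle_gap=IDLE_GAP):
    """Group outbound hits per (src, dst, port) into visits split on idle gaps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ts, src, dst, port = rec
            hits[(src, dst, port)].append(ts)

    visits = []
    for (src, dst, port), stamps in hits.items():
        stamps.sort()
        run = [stamps[0]]
        for ts in stamps[1:]:
            if ts - run[-1] > idle_gap:
                # Silence longer than idle_gap: close this visit, start another.
                visits.append(_visit(src, dst, port, run))
                run = []
            run.append(ts)
        visits.append(_visit(src, dst, port, run))
    return sorted(visits, key=lambda v: (v["start"], v["src"]))


def flag_visits(visits, long_visit=LONG_VISIT, many_hits=MANY_HITS):
    """Return (src, dst, reasons) for visits that exceed either threshold."""
    flagged = []
    for v in visits:
        reasons = []
        if v["duration"] >= long_visit:
            reasons.append("long time at one destination")
        if v["hits"] >= many_hits:
            reasons.append("high hit count")
        if reasons:
            flagged.append((v["src"], v["dst"], reasons))
    return flagged


if __name__ == "__main__":
    for src, dst, reasons in flag_visits(build_visits(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Two hits 90 minutes apart count as two separate visits rather than one long one, which keeps an occasional return to the same site from looking like a persistent session.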
  11.

    "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
    news:qso4d01cmpffafhp4ur58tvola3h212a39@4ax.com...
    > Charles Newman wrote:
    >
    > > Keep your firewall machine. A computer using some kind of software
    > >firewall, such as WinProxy or WebWasher is better than any hardware
    > >firewall.
    >
    > Now you're just trolling.

    I am glad the thread is developing this way, because I am concerned that I
    am making a mistake. Am I better off with my winproxy/black ice setup than I
    am by replacing the machine with a router and NAT?

    BV.
  12.

    "Benign Vanilla" <BVremove@tibetanbeefgarden.com> wrote in message
    news:2jg7doF114gkqU1@uni-berlin.de...
    >
    > "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
    > news:qso4d01cmpffafhp4ur58tvola3h212a39@4ax.com...
    > > Charles Newman wrote:
    > >
    > > > Keep your firewall machine. A computer using some kind of software
    > > >firewall, such as WinProxy or WebWasher is better than any hardware
    > > >firewall.
    > >
    > > Now you're just trolling.
    >
    > I am glad the thread is developing this way, because I am concerned that I
    > am making a mistake. Am I better off with my winproxy/black ice setup than I
    > am by replacing the machine with a router and NAT?

    Yes you are.


    One thing that a hardware router/firewall cannot do is content
    filtering. If you want to use filtering from companies such as
    CyberSitter, SurfControl, Bess, or Websense, you need to have a computer
    doing the NAT instead of a hardware router. That is why ICS/NAT on every
    version of Windows made in the past several years has it. You cannot do
    the kind of content filtering with a hardware firewall that you can on
    an ICS/NAT box.
  13.

    In article <2jg7doF114gkqU1@uni-berlin.de>,
    BVremove@tibetanbeefgarden.com says...
    > I am glad the thread is developing this way, because I am concerned that I
    > am making a mistake. Am I better off with my winproxy/black ice setup than I
    > am by replacing the machine with a router and NAT?

    What you should do is get a router with NAT and install it as your first
    line of defense - a border device. This first line will block the
    unsolicited inbound attacks. A router/NAT is not a firewall, does
    nothing to block outbound and does not filter your email/web browsing.

    Anything you don't run on your local computer is better only because you
    have less chance of screwing it up and exposing your computer. If you
    have a dedicated machine, running a secure OS platform, and run a
    proxy/firewall application on it.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  14.

    On Thu, 17 Jun 2004 11:12:16 -0700, Charles Newman spoketh

    >
    > Keep your firewall machine. A computer using some kind of software
    >firewall, such as WinProxy or WebWasher is better than any hardware
    >firewall.
    >

    Are you sure you're not related to Tracker in some way?

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  15.

    In article <feWdnYRAK6af107dRVn2sQ@comcast.com>, charlesnewman1
    @comcast.net.do.not.spam.me says...
    > One thing that a hardware router/firewall cannot do is content
    > filtering. If you want to use filtering from companies such
    > as CyberSitter, SurfControl, Bess, or Websense, you need to have a
    > computer doing the NAT instead of a hardware router. That is why
    > ICS/NAT on every version of Windows made in the past
    > several years has it.
    > You cannot do the kind of content filtering with a
    > hardware firewall that you can on an ICS/NAT box.

    Actually, and you guys need to understand something, NAT Routers are NOT
    firewalls, they are routers with NAT.

    As for your comment about filtering - many firewalls (notice I didn't
    say anything about NAT ROUTERS) come with the ability to easily filter
    content from web and SMTP sources. Many of the firewalls (appliances)
    come with many options as to what content is filtered. The appliance I
    use in my home has 6 million sites in its database and breaks
    those out into 14 categories that my firewall will block for all users,
    individual users, specific machines, by time of day, or not at all
    depending on a couple settings. The SMTP filter in my appliance will
    also remove attachments based on type, size, etc...

    If you would quit posting that "Firewalls" can/can't do this/that and
    say that "Routers with NAT" can/can't do this/that it would be proper,
    you don't seem to have a handle on what is/is not a firewall, and
    definitely don't know what a "firewall" can do.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  16.

    On Fri, 18 Jun 2004 13:01:05 -0700, "Charles Newman"
    <charlesnewman1@comcast.net.do.not.spam.me> wrote:
    >
    > One thing that a hardware router/firewall cannot do is content
    >filtering.
    >

    This is not correct. For example, the ZyWALL series of firewall
    appliances does content filtering. See for yourself at:

    http://www.zywall.com
  17.

    "Charles Newman" <charlesnewman1@comcast.net.do.not.spam.me> wrote in
    message news:3aGdnSWUo5YO10_dRVn2hg@comcast.com...
    >
    > "Leythos" <void@nowhere.com> wrote in message
    > news:MPG.1b3bbe205d5cdfb298a655@news-server.columbus.rr.com...
    > > In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
    > > @comcast.net.do.not.spam.me says...
    > > > >
    > > > > 2) Antivirus software - never run a server (Windows) without it, always
    > > > > have it on the clients systems too. Symantec Small business Edition 8.1
    > > > > is cheap and works great on your platforms.
    > > >
    > > > If you are using a server, such as an ICS box, like I do, you only need
    > > > to install antivirus protection on the ICS box. On my home network,
    > > > I only have it installed on the ICS box, because that is the only machine
    > > > that needs it. None of the client machines sitting behind the ICS box
    > > > need it, because I have it on the ICS box. As long as your ICS box
    > > > is protected by antivirus software, that would be enough.
    > >
    > > Wrong, you can still get infected on the local workstation as it passes
    > > through the ICS box. The files that you download from the net are
    > > streams that are not processed as files on the ICS box, they are passed
    > > to the local workstations without being scanned by the ICS box.
    > >
    > > > An ICS box, running Tiny Personal Firewall, can do a lot more than
    > > > a hardware firewall.
    > >
    > > I love tiny for my laptop, but you've got a lot to learn. Tiny on a
    > > gateway is not anywhere near as powerful as a real firewall appliance.
    > > You need to quit associating NAT Routers with a Firewall - they are not
    > > firewalls, never have been, and never will be, they are strictly NAT
    > > routers with added features that marketing types then call Firewalls.
    >
    > However, Tiny can do one thing that a hardware NAT cannot. Take
    > the anonymous Australian chap that was bragging about how his online
    > reporter friend was logging onto chat rooms without her employer not
    > knowing. If they were running Tiny on the gateway machine to their
    > network, the admins would have instantly been notified. Any activity
    > not defined in the ruleset instantly generates a message on the screen
    > to the network admin. The admins would have instantly known what
    > she was up to. A hardware firewall would not be able to do that.
    > If they had been using Tiny, or any kind of software firewall, they would
    > have immediately been notified would have been able to block it
    > right away.
    > If I had been the admin of that network, I would know known
    > immediately what was going on, becuase I would have been using
    > Tiny, or some other software firewall, and would have instantly
    > been alerted.

    If you were the admin of a corporate network of any size, you would not be
    running Tiny on a PC to protect or monitor your network!

    ROFL!
  18.

    "Charles Newman" <charlesnewman1@comcast.net.do.not.spam.me> wrote in
    message news:feWdnYRAK6af107dRVn2sQ@comcast.com...
    >
    > "Benign Vanilla" <BVremove@tibetanbeefgarden.com> wrote in message
    > news:2jg7doF114gkqU1@uni-berlin.de...
    > >
    > > "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
    > > news:qso4d01cmpffafhp4ur58tvola3h212a39@4ax.com...
    > > > Charles Newman wrote:
    > > >
    > > > > Keep your firewall machine. A computer using some kind of software
    > > > >firewall, such as WinProxy or WebWasher is better than any hardware
    > > > >firewall.
    > > >
    > > > Now you're just trolling.
    > >
    > > I am glad the thread is developing this way, because I am concerned that I
    > > am making a mistake. Am I better off with my winproxy/black ice setup than I
    > > am by replacing the machine with a router and NAT?
    >
    > Yes you are.
    >
    >
    > One thing that a hardware router/firewall cannot do is content
    > filtering. If you

    Dude, go look at www.watchguard.com.

    Get an education on what is a firewall and what is a NAT router and then
    come back here.

    > want to use filtering from companies such as CyberSitter, SurfControl, Bess, or
    > Websense, you need to have a computer doing the NAT instead of a hardware router.

    I've used Websense in a corporate environment and we had a Cisco router
    doing NAT.

    > That is why ICS/NAT on every version of Windows made in the past
    > several years has it. You cannot do the kind of content filtering with a
    > hardware firewall that you can on an ICS/NAT box.

    ICS is a toy for home users. The OP is trying to protect a corporate
    network.
  19.

    "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
    news:k1v5d0p6j1nmr21ie26nc8m4ppcit2jh7j@4ax.com...
    > On Thu, 17 Jun 2004 11:12:16 -0700, Charles Newman spoketh
    >
    > >
    > > Keep your firewall machine. A computer using some kind of software
    > >firewall, such as WinProxy or WebWasher is better than any hardware
    > >firewall.
    > >
    >
    > Are you sure you're not related to Tracker in some way?

    Spectacles, testicles, wallet and watch - Sacrifices goat to ward off the evil
    spirit of Tracker.

    She's a bit like Beetlejuice. Say her name three times and she will in here
    :-)
  20.

    In article <cavr7e$s5f$1@thorium.cix.co.uk>, mike@michaelmoyse.co.uk
    says...
    > Spectacles,testicles,wallet and watch - Sacrifices goat to ward of the evil
    > spirit of [name removed to make reply safe].
    >
    > She's a bit like Beetlejuice. Say her name three times and she will in here

    That's dang funny!

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)