
DSL, Proxy and Recommendations

Anonymous
June 16, 2004 2:07:44 PM

Archived from groups: comp.security.firewalls (More info?)

My current configuration looks like this.

Local Active Directory server running DNS, IIS, SQL Server 2000.
Four to five clients, all XP.
Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
This machine has two NIC's, one for the local LAN, and the other for the
Internet connection which is protected by black ice, and shared by winproxy.

I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
WAP for internal networking.

I'd like to dump the firewall machine and use the modem's firewall
abilities.

My question is...Can I do this? And is this modem powerful enough to provide
protection so that I don't need protection on my individual PC's?

BV.
Anonymous
June 16, 2004 6:23:30 PM


In article <2jb2hhFvsknsU1@uni-berlin.de>,
BVremove@tibetanbeefgarden.com says...
> My current configuration looks like this.
>
> Local Active Directory server running DNS, IIS, SQL Server 2000.
> Four to five clients, all XP.
> Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
> This machine has two NIC's, one for the local LAN, and the other for the
> Internet connection which is protected by black ice, and shared by winproxy.
>
> I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
> WAP for internal networking.
>
> I'd like to dump the firewall machine and use the modem's firewall
> abilities.
>
> My question is...Can I do this? And is this modem powerful enough to provide
> protection so that I don't need protection on my individual PC's?

Are you providing inbound connections to the server or workstations from
the internet?

If you are not providing any inbound connections, then a simple NAT
router is a start, but I would consider a real appliance in place of a
NAT device for an office/business network.

Several things come to mind here:

1) Wireless, hope that you've disabled the SSID broadcast, enabled WEP,
changed the default SSID, changed the default channel, are not using the
default subnet of 192.168.1 or 192.168.0 on your network. Use the 128Bit
key, setup filtering based on MAC address too.

2) Antivirus software - never run a server (Windows) without it, always
have it on the clients systems too. Symantec Small business Edition 8.1
is cheap and works great on your platforms.

3) Your modem does not have a firewall, it's a NAT device. Never rely on
the ISP's hardware unless you and only you have control of it (not the
ISP). You can have them provide a public IP and then you take it from
there - do your own NAT or firewall, don't trust them to maintain it
from you.

4) Network subnet - change it from the default to something like
192.168.10.0/24. This keeps you out of the default networks space that
most routers/nat provide and makes it easier in case you ever implement
VPN tunnels from home/office to this location.

5) If you purchase a linksys router, make sure that it has logging still
built into it and download a utility called WallWatcher - this will let
you monitor ALL inbound and outbound traffic by IP/Port so that you can
see if anything has/is happening on your network - great place to see if
you've got a worm/backdoor that people are using - or to track employees
that are screwing off on company time.

If you go with a firewall appliance, there are many choices, but they
are not cheap, but you get what you pay for in most cases.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
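A check of the subnet advice in point 4), as an added example that is not part of the original post: it uses Python's standard ipaddress module to test whether a LAN range sits inside either of the two router defaults the post names, and whether it overlaps any VPN peer's subnet (the situation the post warns about, where the tunnel route and the local route would both match the same addresses). The site names and peer subnets are constructed for the example.

```python
import ipaddress

# The two default LAN ranges the post warns about. Most consumer NAT routers
# ship with one of these, so a VPN peer at someone's home is very likely to
# be using one of them as well.
DEFAULT_LAN_SUBNETS = (
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
)


def uses_default_space(lan):
    """True if the LAN range overlaps either common router default."""
    net = ipaddress.ip_network(lan, strict=False)
    return any(net.overlaps(d) for d in DEFAULT_LAN_SUBNETS)


def vpn_conflicts(local_lan, remote_sites):
    """Find remote VPN sites whose subnets overlap the local LAN.

    remote_sites maps a site name to a list of its subnets. A returned
    entry means packets for that range could not be routed unambiguously:
    the local interface route and the tunnel route would both match.
    """
    local = ipaddress.ip_network(local_lan, strict=False)
    conflicts = {}
    for site, subnets in remote_sites.items():
        overlapping = [
            s for s in subnets
            if ipaddress.ip_network(s, strict=False).overlaps(local)
        ]
        if overlapping:
            conflicts[site] = overlapping
    return conflicts


def report(local_lan, remote_sites):
    """Human-readable summary lines for one candidate LAN range."""
    lines = []
    if uses_default_space(local_lan):
        lines.append(f"{local_lan} is inside a default router range; renumber it")
    for site, subnets in vpn_conflicts(local_lan, remote_sites).items():
        lines.append(f"site {site!r} overlaps the local LAN on {', '.join(subnets)}")
    return lines or [f"{local_lan} does not collide with the defaults or any VPN peer"]


if __name__ == "__main__":
    # Constructed peers: a home office still on the usual router default and a
    # branch that already renumbered to the range the post suggests.
    peers = {"home": ["192.168.1.0/24"], "branch": ["192.168.10.0/24"]}
    for lan in ("192.168.1.0/24", "192.168.10.0/24", "172.16.5.0/24"):
        print(lan)
        for line in report(lan, peers):
            print("  " + line)
```

Running it shows the point the post makes in two steps: 192.168.1.0/24 is rejected outright, and 192.168.10.0/24, while clear of the defaults, still collides with a peer that picked the same range, so the choice has to be coordinated with every site you expect to tunnel to.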
Anonymous
June 16, 2004 6:23:31 PM


"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b3a220d57de0f8898a648@news-server.columbus.rr.com...
> In article <2jb2hhFvsknsU1@uni-berlin.de>,
> BVremove@tibetanbeefgarden.com says...
> > My current configuration looks like this.
> >
> > Local Active Directory server running DNS, IIS, SQL Server 2000.
> > Four to five clients, all XP.
> > Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
> > This machine has two NIC's, one for the local LAN, and the other for the
> > Internet connection which is protected by black ice, and shared by winproxy.
> >
> > I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
> > WAP for internal networking.
> >
> > I'd like to dump the firewall machine and use the modem's firewall
> > abilities.
> >
> > My question is...Can I do this? And is this modem powerful enough to provide
> > protection so that I don't need protection on my individual PC's?
>
> Are you providing inbound connections to the server or workstations from
> the internet?

No. The server is purely for development purposes. We publish to a public
server for production releases.

> If you are not providing any inbound connections, then a simple NAT
> router is a start, but I would consider a real appliance in place of a
> NAT device for a office/business network.
>
> Several things come to mind here:
>
> 1) Wireless, hope that you've disabled the SSID broadcast, enabled WEP,
> changed the default SSID, changed the default channel, are not using the
> default subnet of 192.168.1 or 192.168.0 on your network. Use the 128Bit
> key, setup filtering based on MAC address too.

SSID is disabled if I remember correctly. WEP is not enabled, but we have
MAC filtering setup.

> 2) Antivirus software - never run a server (Windows) without it, always
> have it on the clients systems too. Symantec Small business Edition 8.1
> is cheap and works great on your platforms.

On all machines already.

> 3) Your modem does not have a firewall, it's a NAT device. Never rely on
> the ISP's hardware unless you and only you have control of it (not the
> ISP). You can have them provide a public IP and then you take it from
> there - do your own NAT or firewall, don't trust them to maintain it
> from you.

As far as I know Verizon does nothing to configure this, it's all on my end.

> 4) Network subnet - change it from the default to something like
> 192.168.10.0/24. This keeps you out of the default networks space that
> most routers/nat provide and makes it easier in case you ever implement
> VPN tunnels from home/office to this location.

Done from day one, we use 172.x.x.x.

> 5) If you purchase a linksys router, make sure that it has logging still
> built into it and download a utility called WallWatcher - this will let
> you monitor ALL inbound and outbound traffic by IP/Port so that you can
> see if anything has/is happening on your network - great place to see if
> you've got a worm/backdoor that people are using - or to track employees
> that are screwing off on company time.

So if I understand correctly, I could buy a LinkSys Router, plug the modem
into that and then the WAP and potentially the switch into that for the
LAN?

> If you go with a firewall appliance, there are many choices, but they
> are not cheap, but you get what you pay for in most cases.

Understood.

BV.
Anonymous
June 16, 2004 7:37:44 PM


In article <2jb4u3FuvuneU1@uni-berlin.de>,
BVremove@tibetanbeefgarden.com says...
> > 5) If you purchase a linksys router, make sure that it has logging still
> > built into it and download a utility called WallWatcher - this will let
> > you monitor ALL inbound and outbound traffic by IP/Port so that you can
> > see if anything has/is happening on your network - great place to see if
> > you've got a worm/backdoor that people are using - or to track employees
> > that are screwing off on company time.
>
> So if I understand correctly, I could buy a LinkSys Router, plug the modem
> into that and then the WAP and potentially the switch into that for the
> LAN?

I'm assuming that your WAP does not also act as a DHCP server, so, if
you connect as follows:

  DSL MODEM
      |
  ROUTER/NAT
   |   |   |
Switch WAP Other
||||||
Systems


Then you can do as you like.

You might want to get a Linksys unit that has VPN or Firewall features,
some of them accept up to 20 IPSEC tunnels and others have the ability
to block sites, active-x, etc...




--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 16, 2004 7:37:45 PM


"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b3a3378dde516d098a64a@news-server.columbus.rr.com...
> In article <2jb4u3FuvuneU1@uni-berlin.de>,
> BVremove@tibetanbeefgarden.com says...
> > > 5) If you purchase a linksys router, make sure that it has logging still
> > > built into it and download a utility called WallWatcher - this will let
> > > you monitor ALL inbound and outbound traffic by IP/Port so that you can
> > > see if anything has/is happening on your network - great place to see if
> > > you've got a worm/backdoor that people are using - or to track employees
> > > that are screwing off on company time.
> >
> > So if I understand correctly, I could buy a LinkSys Router, plug the modem
> > into that and then the WAP and potentially the switch into that for the
> > LAN?
>
> I'm assuming that your WAP does not also act as a DHCP server, so, if
> you connect as follows:

No. I have DHCP on my AD server, but that is only for when laptops are
brought in from the outside. All of our clients have hard IP's. It's a small
network, so it's manageable.

>
>   DSL MODEM
>       |
>   ROUTER/NAT
>    |   |   |
> Switch WAP Other
> ||||||
> Systems
>
>
> Then you can do as you like.
<snip>

This is exactly what I was anticipating doing. I just don't know enough
about the hardware to know about its safety. With my current implementation
I can check the proxy logs for outgoing, and I can check the black ice logs
for incoming traffic. It would be nice to have all of this in one area.
Would probably be easier to configure and maintain.

BV.
Anonymous
June 17, 2004 3:12:16 PM


"Benign Vanilla" <BVremove@tibetanbeefgarden.com> wrote in message
news:2jb2hhFvsknsU1@uni-berlin.de...
> My current configuration looks like this.
>
> Local Active Directory server running DNS, IIS, SQL Server 2000.
> Four to five clients, all XP.
> Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
> This machine has two NIC's, one for the local LAN, and the other for the
> Internet connection which is protected by black ice, and shared by winproxy.
>
> I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
> WAP for internal networking.
>
> I'd like to dump the firewall machine and use the modem's firewall
> abilities.

Keep your firewall machine. A computer using some kind of software
firewall, such as WinProxy or WebWasher, is better than any hardware
firewall.
Anonymous
June 17, 2004 3:18:30 PM


"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b3a220d57de0f8898a648@news-server.columbus.rr.com...
> In article <2jb2hhFvsknsU1@uni-berlin.de>,
> BVremove@tibetanbeefgarden.com says...
> > My current configuration looks like this.
> >
> > Local Active Directory server running DNS, IIS, SQL Server 2000.
> > Four to five clients, all XP.
> > Windows 2000 Pro as firewall running Black Ice Defender and Ositis Winproxy.
> > This machine has two NIC's, one for the local LAN, and the other for the
> > Internet connection which is protected by black ice, and shared by winproxy.
> >
> > I have a Westell 2200 for my DSL. I have a LinkSys 10/100 Switch and LinkSys
> > WAP for internal networking.
> >
> > I'd like to dump the firewall machine and use the modem's firewall
> > abilities.
> >
> > My question is...Can I do this? And is this modem powerful enough to provide
> > protection so that I don't need protection on my individual PC's?
>
> Are you providing inbound connections to the server or workstations from
> the internet?
>
> If you are not providing any inbound connections, then a simple NAT
> router is a start, but I would consider a real appliance in place of a
> NAT device for a office/business network.
>
> Several things come to mind here:
>
> 1) Wireless, hope that you've disabled the SSID broadcast, enabled WEP,
> changed the default SSID, changed the default channel, are not using the
> default subnet of 192.168.1 or 192.168.0 on your network. Use the 128Bit
> key, setup filtering based on MAC address too.
>
> 2) Antivirus software - never run a server (Windows) without it, always
> have it on the clients systems too. Symantec Small business Edition 8.1
> is cheap and works great on your platforms.

If you are using a server, such as an ICS box, like I do, you only need
to install antivirus protection on the ICS box. On my home network,
I only have it installed on the ICS box, because that is the only machine
that needs it. None of the client machines sitting behind the ICS box
need it, because I have it on the ICS box. As long as your ICS box
is protected by antivirus software, that would be enough.

An ICS box, running Tiny Personal Firewall, can do a lot more than
a hardware firewall.
Anonymous
June 17, 2004 11:35:40 PM


In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
@comcast.net.do.not.spam.me says...
> >
> > 2) Antivirus software - never run a server (Windows) without it, always
> > have it on the clients systems too. Symantec Small business Edition 8.1
> > is cheap and works great on your platforms.
>
> If you are using a server, such as an ICS box, like I do, you only need
> to install antivirus protection on the ICS box. On my home network,
> I only have it installed on the ICS box, because that is the only machine
> that needs it. None of the client machines sitting behind the ICS box
> need it, because I have it on the ICS box. As long as your ICS box
> is protected by antivirus software, that would be enough.

Wrong, you can still get infected on the local workstation as it passes
through the ICS box. The files that you download from the net are
streams that are not processed as files on the ICS box, they are passed
to the local workstations without being scanned by the ICS box.

> An ICS box, running Tiny Personal Firewall, can do a lot more than
> a hardware firewall.

I love tiny for my laptop, but you've got a lot to learn. Tiny on a
gateway is not anywhere near as powerful as a real firewall appliance.
You need to quit associating NAT Routers with a Firewall - they are not
firewalls, never have been, and never will be, they are strictly NAT
routers with added features that marketing types then call Firewalls.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 17, 2004 11:35:41 PM


"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b3bbe205d5cdfb298a655@news-server.columbus.rr.com...
> In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
> @comcast.net.do.not.spam.me says...
> > >
> > > 2) Antivirus software - never run a server (Windows) without it, always
> > > have it on the clients systems too. Symantec Small business Edition 8.1
> > > is cheap and works great on your platforms.
> >
> > If you are using a server, such as an ICS box, like I do, you only need
> > to install antivirus protection on the ICS box. On my home network,
> > I only have it installed on the ICS box, because that is the only machine
> > that needs it. None of the client machines sitting behind the ICS box
> > need it, because I have it on the ICS box. As long as your ICS box
> > is protected by antivirus software, that would be enough.
>
> Wrong, you can still get infected on the local workstation as it passes
> through the ICS box. The files that you download from the net are
> streams that are not processed as files on the ICS box, they are passed
> to the local workstations without being scanned by the ICS box.
>
> > An ICS box, running Tiny Personal Firewall, can do a lot more than
> > a hardware firewall.
>
> I love tiny for my laptop, but you've got a lot to learn. Tiny on a
> gateway is not anywhere near as powerful as a real firewall appliance.
> You need to quit associating NAT Routers with a Firewall - they are not
> firewalls, never have been, and never will be, they are strictly NAT
> routers with added features that marketing types then call Firewalls.

However, Tiny can do one thing that a hardware NAT cannot. Take
the anonymous Australian chap that was bragging about how his online
reporter friend was logging onto chat rooms without her employer
knowing. If they were running Tiny on the gateway machine to their
network, the admins would have instantly been notified. Any activity
not defined in the ruleset instantly generates a message on the screen
to the network admin. The admins would have instantly known what
she was up to. A hardware firewall would not be able to do that.
If they had been using Tiny, or any kind of software firewall, they would
have immediately been notified and would have been able to block it
right away.
If I had been the admin of that network, I would have known
immediately what was going on, because I would have been using
Tiny, or some other software firewall, and would have instantly
been alerted.
Anonymous
June 18, 2004 2:43:36 AM


Charles Newman wrote:

> Keep your firewall machine. A computer using some kind of software
> firewall, such as WinProxy or WebWasher, is better than any hardware
> firewall.

Now you're just trolling.
Anonymous
June 18, 2004 6:51:56 AM


In article <3aGdnSWUo5YO10_dRVn2hg@comcast.com>, charlesnewman1
@comcast.net.do.not.spam.me says...
>
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b3bbe205d5cdfb298a655@news-server.columbus.rr.com...
> > In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
> > @comcast.net.do.not.spam.me says...
> > > >
> > > > 2) Antivirus software - never run a server (Windows) without it, always
> > > > have it on the clients systems too. Symantec Small business Edition 8.1
> > > > is cheap and works great on your platforms.
> > >
> > > If you are using a server, such as an ICS box, like I do, you only need
> > > to install antivirus protection on the ICS box. On my home network,
> > > I only have it installed on the ICS box, because that is the only machine
> > > that needs it. None of the client machines sitting behind the ICS box
> > > need it, because I have it on the ICS box. As long as your ICS box
> > > is protected by antivirus software, that would be enough.
> >
> > Wrong, you can still get infected on the local workstation as it passes
> > through the ICS box. The files that you download from the net are
> > streams that are not processed as files on the ICS box, they are passed
> > to the local workstations without being scanned by the ICS box.
> >
> > > An ICS box, running Tiny Personal Firewall, can do a lot more than
> > > a hardware firewall.
> >
> > I love tiny for my laptop, but you've got a lot to learn. Tiny on a
> > gateway is not anywhere near as powerful as a real firewall appliance.
> > You need to quit associating NAT Routers with a Firewall - they are not
> > firewalls, never have been, and never will be, they are strictly NAT
> > routers with added features that marketing types then call Firewalls.
>
> However, Tiny can do one thing that a hardware NAT cannot. Take
> the anonymous Australian chap that was bragging about how his online
> reporter friend was logging onto chat rooms without her employer not
> knowing. If they were running Tiny on the gateway machine to their
> network, the admins would have instantly been notified. Any activity
> not defined in the ruleset instantly generates a message on the screen
> to the network admin. The admins would have instantly known what
> she was up to. A hardware firewall would not be able to do that.

Every hardware or software firewall I know of can do that - you need to
understand the difference between a firewall and router with NAT. NAT
Routers are NOT NOT NOT NOT NOT Firewalls.

In most cases, the firewall rules (of real firewalls, soft or hard) are
setup to NOT allow anything out that is not specifically permitted. Most
hardware firewalls also have real-time monitoring GUI's that can show
every source/destination connection in real time. Any web connection
that stays longer than a couple minutes is most likely something other
than a web connection, as web sites basically lose the connection once
the information has been fetched - an IRC type program would maintain the
connection, as would some of the tunnel type connections. It's very easy
to see.

> If they had been using Tiny, or any kind of software firewall, they would
> have immediately been notified and would have been able to block it
> right away.

If they had been running any firewall they would have seen it - again, a
router is not a firewall.

Now, as for routers - some of them provide logging, you can monitor the
logs, import them into a spreadsheet, then run a macro on them to
determine length of time a user was at any location, and if a location
has X number of hits - then you can easily see what people in your
network are doing.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
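Both the WallWatcher advice in point 5) of the earlier post and the spreadsheet-and-macro suggestion just above come down to the same analysis of router logs: per internal host and destination, count the hits and measure how long the conversation lasted, then flag anything that stays up longer than a web fetch should (the "couple minutes" rule from the paragraph on real-time monitoring), and separately tally unsolicited inbound attempts. The following Python is an added example, not code from either post, from WallWatcher or from any Linksys firmware: the log layout, the addresses (RFC 5737 documentation ranges for the outside), and the 120-second threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "timestamp direction src:port dst:port
# proto" layout. It is NOT WallWatcher's or any router's real format. One junk
# line is included on purpose to show that the parser tolerates it.
SAMPLE_LOG = """\
2004-06-18 09:00:01 OUT 172.16.5.12:1034 192.0.2.18:80 TCP
2004-06-18 09:00:02 OUT 172.16.5.12:1035 192.0.2.18:80 TCP
2004-06-18 09:00:40 OUT 172.16.5.12:1036 192.0.2.30:80 TCP
2004-06-18 09:01:00 OUT 172.16.5.20:2001 198.51.100.150:6667 TCP
2004-06-18 09:03:30 OUT 172.16.5.20:2001 198.51.100.150:6667 TCP
2004-06-18 09:05:00 IN  203.0.113.7:4444 172.16.5.12:135 TCP
2004-06-18 09:05:01 IN  203.0.113.7:4445 172.16.5.12:445 TCP
2004-06-18 09:07:45 OUT 172.16.5.20:2001 198.51.100.150:6667 TCP
2004-06-18 09:12:10 OUT 172.16.5.20:2001 198.51.100.150:6667 TCP
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<dir>IN|OUT)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log text into a list of records; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "dir": d["dir"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "proto": d["proto"],
        })
    return records


def summarize_outbound(records):
    """Per (internal host, destination, port): hit count and observed time span."""
    summary = {}
    for r in records:
        if r["dir"] != "OUT":
            continue
        key = (r["src"], r["dst"], r["dport"])
        s = summary.setdefault(key, {"hits": 0, "first": r["ts"], "last": r["ts"]})
        s["hits"] += 1
        s["first"] = min(s["first"], r["ts"])
        s["last"] = max(s["last"], r["ts"])
    for s in summary.values():
        s["seconds"] = int((s["last"] - s["first"]).total_seconds())
    return summary


def long_sessions(summary, min_seconds=120, min_hits=2):
    """Destinations a host kept talking to for longer than a couple of minutes."""
    return sorted(
        k for k, s in summary.items()
        if s["seconds"] >= min_seconds and s["hits"] >= min_hits
    )


def inbound_sources(records):
    """Count unsolicited inbound attempts per external source address."""
    counts = defaultdict(int)
    for r in records:
        if r["dir"] == "IN":
            counts[r["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summ = summarize_outbound(recs)
    for src, dst, port in long_sessions(summ):
        s = summ[(src, dst, port)]
        print(f"{src} -> {dst}:{port}  {s['hits']} hits over {s['seconds']}s")
    for ip, n in inbound_sources(recs).items():
        print(f"inbound from {ip}: {n} attempts")
```

On the sample, the two web fetches from 172.16.5.12 are over within a second and drop out, while 172.16.5.20's four hits on port 6667 spread over eleven minutes are reported as a held-open session, which is exactly the IRC-style pattern the post says is "very easy to see"; the inbound tally separately shows one outside address probing two ports.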
Anonymous
June 18, 2004 1:01:43 PM


"Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
news:qso4d01cmpffafhp4ur58tvola3h212a39@4ax.com...
> Charles Newman wrote:
>
> > Keep your firewall machine. A computer using some kind of software
> > firewall, such as WinProxy or WebWasher, is better than any hardware
> > firewall.
>
> Now you're just trolling.

I am glad the thread is developing this way, because I am concerned that I
am making a mistake. Am I better off with my winproxy/black ice setup than I
am by replacing the machine with a router and NAT?

BV.
Anonymous
June 18, 2004 5:01:05 PM


"Benign Vanilla" <BVremove@tibetanbeefgarden.com> wrote in message
news:2jg7doF114gkqU1@uni-berlin.de...
>
> "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
> news:qso4d01cmpffafhp4ur58tvola3h212a39@4ax.com...
> > Charles Newman wrote:
> >
> > > Keep your firewall machine. A computer using some kind of software
> > > firewall, such as WinProxy or WebWasher, is better than any hardware
> > > firewall.
> >
> > Now you're just trolling.
>
> I am glad the thread is developing this way, because I am concerned that I
> am making a mistake. Am I better off with my winproxy/black ice setup than I
> am by replacing the machine with a router and NAT?

Yes you are.


One thing that a hardware router/firewall cannot do is content
filtering. If you want to use filtering from companies such as CyberSitter,
SurfControl, Bess, or Websense, you need to have a computer doing the NAT
instead of a hardware router. That is why ICS/NAT on every version of Windows
made in the past several years has it. You cannot do the kind of content
filtering with a hardware firewall that you can on an ICS/NAT box.
Anonymous
June 18, 2004 5:08:11 PM


In article <2jg7doF114gkqU1@uni-berlin.de>,
BVremove@tibetanbeefgarden.com says...
> I am glad the thread is developing this way, because I am concerned that I
> am making a mistake. Am I better off with my winproxy/black ice setup than I
> am by replacing the machine with a router and NAT?

What you should do is get a router with NAT and install it as your first
line of defense - a border device. This first line will block the
unsolicited inbound attacks. A router/NAT is not a firewall, does
nothing to block outbound and does not filter your email/web browsing.

Anything you don't run on your local computer is better only because you
have less chance of screwing it up and exposing your computer. If you
have a dedicated machine, running a secure OS platform, and run a
proxy/firewall application on it.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 18, 2004 6:29:55 PM


On Thu, 17 Jun 2004 11:12:16 -0700, Charles Newman spoketh

>
> Keep your firewall machine. A computer using some kind of software
> firewall, such as WinProxy or WebWasher, is better than any hardware
> firewall.
>

Are you sure you're not related to Tracker in some way?

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
June 19, 2004 12:12:25 AM


In article <feWdnYRAK6af107dRVn2sQ@comcast.com>, charlesnewman1
@comcast.net.do.not.spam.me says...
> One thing that a hardware router/firewall cannot do is content
> filtering. If you want to use filtering from companies such
> as CyberSitter, SurfControl, Bess, or Websense, you need to have a
> computer doing the NAT instead of a hardware router. That is why
> ICS/NAT on every version of Windows made in the past
> several years has it.
> You cannot do the kind of content filtering with a
> hardware firewall that you can on an ICS/NAT box.

Actually, and you guys need to understand something, NAT Routers are NOT
firewalls, they are routers with NAT.

As for your comment about filtering - many firewalls (notice I didn't
say anything about NAT ROUTERS) come with the ability to easily filter
content from web and SMTP sources. Many of the firewalls (appliances)
come with many options as to what content is filtered. The appliance I
use in my home has 6 million sites in its database and breaks
those out into 14 categories that my firewall will block for all users,
individual users, specific machines, by time of day, or not at all
depending on a couple settings. The SMTP filter in my appliance will
also remove attachments based on type, size, etc...

If you would quit posting that "Firewalls" can/can't do this/that and
say that "Routers with NAT" can/can't do this/that it would be proper,
you don't seem to have a handle on what is/is not a firewall, and
definitely don't know what a "firewall" can do.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 19, 2004 12:59:11 AM


On Fri, 18 Jun 2004 13:01:05 -0700, "Charles Newman"
<charlesnewman1@comcast.net.do.not.spam.me> wrote:
>
> One thing that a hardware router/firewall cannot do is content
>filtering.
>

This is not correct. For example, the ZyWALL series of firewall
appliances does content filtering. See for yourself at:

http://www.zywall.com
June 19, 2004 3:35:23 AM


"Charles Newman" <charlesnewman1@comcast.net.do.not.spam.me> wrote in
message news:3aGdnSWUo5YO10_dRVn2hg@comcast.com...
>
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b3bbe205d5cdfb298a655@news-server.columbus.rr.com...
> > In article <wuedndom4N3qfUzdRVn2gQ@comcast.com>, charlesnewman1
> > @comcast.net.do.not.spam.me says...
> > > > 2) Antivirus software - never run a server (Windows) without it, always
> > > > have it on the clients systems too. Symantec Small business Edition 8.1
> > > > is cheap and works great on your platforms.
> > >
> > > If you are using a server, such as an ICS box, like I do, you only need
> > > to install antivirus protection on the ICS box. On my home network,
> > > I only have it installed on the ICS box, because that is the only machine
> > > that needs it. None of the client machines sitting behind the ICS box
> > > need it, because I have it on the ICS box. As long as your ICS box
> > > is protected by antivirus software, that would be enough.
> >
> > Wrong, you can still get infected on the local workstation as it passes
> > through the ICS box. The files that you download from the net are
> > streams that are not processed as files on the ICS box, they are passed
> > to the local workstations without being scanned by the ICS box.
> >
> > > An ICS box, running Tiny Personal Firewall, can do a lot more than
> > > a hardware firewall.
> >
> > I love tiny for my laptop, but you've got a lot to learn. Tiny on a
> > gateway is not anywhere near as powerful as a real firewall appliance.
> > You need to quit associating NAT Routers with a Firewall - they are not
> > firewalls, never have been, and never will be, they are strictly NAT
> > routers with added features that marketing types then call Firewalls.
>
> However, Tiny can do one thing that a hardware NAT cannot. Take
> the anonymous Australian chap that was bragging about how his online
> reporter friend was logging onto chat rooms without her employer
> knowing. If they were running Tiny on the gateway machine to their
> network, the admins would have instantly been notified. Any activity
> not defined in the ruleset instantly generates a message on the screen
> to the network admin. The admins would have instantly known what
> she was up to. A hardware firewall would not be able to do that.
> If they had been using Tiny, or any kind of software firewall, they would
> have immediately been notified and would have been able to block it
> right away.
> If I had been the admin of that network, I would have known
> immediately what was going on, because I would have been using
> Tiny, or some other software firewall, and would have instantly
> been alerted.

If you were the admin of a corporate network of any size, you would not be
running Tiny on a PC to protect or monitor your network!

ROFL!
June 19, 2004 3:40:35 AM


"Charles Newman" <charlesnewman1@comcast.net.do.not.spam.me> wrote in
message news:feWdnYRAK6af107dRVn2sQ@comcast.com...
>
> "Benign Vanilla" <BVremove@tibetanbeefgarden.com> wrote in message
> news:2jg7doF114gkqU1@uni-berlin.de...
> >
> > "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
> > news:qso4d01cmpffafhp4ur58tvola3h212a39@4ax.com...
> > > Charles Newman wrote:
> > >
> > > > Keep your firewall machine. A computer using some kind of software
> > > > firewall, such as WinProxy or WebWasher, is better than any hardware
> > > > firewall.
> > >
> > > Now you're just trolling.
> >
> > I am glad the thread is developing this way, because I am concerned that I
> > am making a mistake. Am I better off with my winproxy/black ice setup than I
> > am by replacing the machine with a router and NAT?
>
> Yes you are.
>
>
> One thing that a hardware router/firewall cannot do is content
> filtering. If you

Dude, go look at www.watchguard.com.

Get an education on what is a firewall and what is a NAT router and then
come back here.

> want to use filtering from companies such as CyberSitter, SurfControl, Bess,
> or Websense, you need to have a computer doing the NAT instead of a hardware
> router.

I've used Websense in a corporate environment and we had a Cisco router
doing NAT.

> That is why ICS/NAT on every version of Windows made in the past
> several years has it. You cannot do the kind of content filtering with a
> hardware firewall that you can on an ICS/NAT box.

ICS is a toy for home users. The OP is trying to protect a corporate
network.
June 19, 2004 3:42:18 AM


"Lars M. Hansen" <badnews@hansenonline.net> wrote in message
news:k1v5d0p6j1nmr21ie26nc8m4ppcit2jh7j@4ax.com...
> On Thu, 17 Jun 2004 11:12:16 -0700, Charles Newman spoketh
>
> >
> > Keep your firewall machine. A computer using some kind of software
> > firewall, such as WinProxy or WebWasher, is better than any hardware
> > firewall.
> >
>
> Are you sure you're not related to Tracker in some way?

Spectacles, testicles, wallet and watch - Sacrifices goat to ward off the evil
spirit of Tracker.

She's a bit like Beetlejuice. Say her name three times and she will be in here
:-)
Anonymous
June 19, 2004 3:42:19 AM


In article <cavr7e$s5f$1@thorium.cix.co.uk>, mike@michaelmoyse.co.uk
says...
> Spectacles, testicles, wallet and watch - Sacrifices goat to ward off the evil
> spirit of [name removed to make reply safe].
>
> She's a bit like Beetlejuice. Say her name three times and she will be in here

That's dang funny!

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)