Firewalls

 
 
KC2KSZ
      08-02-2003
I use a BEFSR41 as a firewall. Do I need a software firewall as well?

Thanks

Bob


 
NetEng
      08-02-2003
This is not a firewall, it's a device that performs NAT which is a feature
of a firewall. I would suggest using a real firewall (PIX, WatchGuard, etc)
or using a software based firewall for additional protection.

"KC2KSZ" <(E-Mail Removed)> wrote in message
news:FbRWa.42676$(E-Mail Removed) et...
> I use a BEFSR41 as a firewall. Do I need a software firewall as well?
>
> Thanks
>
> Bob
>
>



 
Don Kelloway
      08-02-2003
"NetEng" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> This is not a firewall, it's a device that performs NAT which is a feature
> of a firewall. I would suggest using a real firewall (PIX, WatchGuard, etc)
> or using a software based firewall for additional protection.
>
> "KC2KSZ" <(E-Mail Removed)> wrote in message
> news:FbRWa.42676$(E-Mail Removed) et...
> > I use a BEFSR41 as a firewall. Do I need a software firewall as well?
> >
> > Thanks
> >
> > Bob


Despite the fact that within the technology of firewalls there are many
that offer a myriad of features and functionality (NAT, DMZ, VPN, CFI,
IDS, AV, etc.), the most basic definition of a firewall remains the same,
and that definition would be that "a firewall is a way to restrict
access between the Internet and your internal network" (see 'Building
Internet Firewalls', written by Zwicky, Cooper and Chapman).

In respect to the BEFSR41 providing NAT and the implementation of NAT
preventing/restricting access between the Internet and the internal
PC/network, then I think one must concede that the BEFSR41 *is* a
firewall in the sense that it meets the above definition.

If however you are trying to suggest that a PIX or WatchGuard is a
better choice of firewall because either provides a greater set of
features and/or functionality, then I would not hesitate to agree with
you, but you must admit this is like comparing a tangerine to a navel
orange.

To provide an answer to the expected question of whether I would rely
upon a BEFSR41 to protect my own LAN? Probably not, but of course I
have needs that the use of a BEFSR41 cannot meet. However if my needs
were minimal and my expectations could be met, I would consider its use.

--
Best regards,
Don Kelloway
Commodon Communications

Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".


 
Leythos
      08-03-2003
In article <CSXWa.4723$(E-Mail Removed). net>,
(E-Mail Removed) says...
[snip]
> In respect to the BEFSR41 providing NAT and the implementation of NAT
> preventing/restricting access between the Internet and the internal
> PC/network, then I think one must concede that the BEFSR41 *is* a
> firewall in the sense that it meets the above definition.


I completely disagree. If being a router was being a firewall then why
didn't they call routers firewalls before the days of the cheap
Linksys/DLink boxes (hint, it's because they are not firewall devices).

Having a single feature of a firewall does NOT make it a firewall. The
device does NOT inspect the packets and does not have rules for
OUTBOUND.

> To provide an answer to the expected question of whether I would rely
> upon a BEFSR41 to protect my own LAN? Probably not, but of course I
> have needs that the use of a BEFSR41 cannot meet. However if my needs
> were minimal and my expectations could be met, I would consider its use.


For minimal protection, the bare minimum that a home user would need, a
NAT Router is a great device and would stop most of the hacks and such.
Security through obscurity doesn't work, but it does help a lot.

The NAT Routers were called firewall devices by moronic sales
departments trying to find a way to sell more of them to customers.
While I fully believe that every home user should sit behind a NAT
device (even on dial-up) I will never be convinced that NAT makes any
device a firewall.

The firewall must inspect traffic in BOTH directions, and should, by
default, not allow traffic in EITHER direction without explicit rules.
The NAT only boxes fail both of these tests.


--
--
(E-Mail Removed)
(Remove 999 to reply to me)
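
Added example, not part of the post above or of any vendor's code: a simplified Python model of the two tests named in that post (inspection in both directions, and default deny without explicit rules), run against a NAT-only device and a default-deny stateful firewall. The class names, rule format and sample traffic are assumptions constructed for illustration and do not describe the BEFSR41's actual firmware.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str
    lan_host: str     # internal endpoint of the flow
    lan_port: int
    remote: str       # Internet endpoint of the flow
    remote_port: int

    def flow(self):
        return (self.proto, self.lan_host, self.lan_port, self.remote, self.remote_port)

class NatOnlyRouter:
    """Assumed model: no rule set; any outbound packet creates a mapping."""
    def __init__(self):
        self.mappings = set()

    def handle(self, pkt):
        if pkt.direction == "out":
            self.mappings.add(pkt.flow())    # never inspected or refused
            return "ALLOW"
        return "ALLOW" if pkt.flow() in self.mappings else "DROP"

class DefaultDenyFirewall:
    """Assumed model: explicit (direction, proto, service port) rules, else drop."""
    def __init__(self, rules):
        self.rules = set(rules)
        self.states = set()

    def handle(self, pkt):
        if pkt.flow() in self.states:        # reply on a flow a rule admitted
            return "ALLOW"
        port = pkt.remote_port if pkt.direction == "out" else pkt.lan_port
        if (pkt.direction, pkt.proto, port) in self.rules:
            self.states.add(pkt.flow())
            return "ALLOW"
        return "DROP"                        # default deny, both directions

# Constructed sample traffic (documentation address ranges).
TRAFFIC = [
    ("unsolicited inbound SMB", Packet("in", "tcp", "192.168.1.10", 445, "203.0.113.7", 50000)),
    ("outbound HTTPS", Packet("out", "tcp", "192.168.1.10", 40001, "198.51.100.5", 443)),
    ("reply to HTTPS", Packet("in", "tcp", "192.168.1.10", 40001, "198.51.100.5", 443)),
    ("outbound to port 6667", Packet("out", "tcp", "192.168.1.10", 40002, "203.0.113.9", 6667)),
    ("reply from port 6667", Packet("in", "tcp", "192.168.1.10", 40002, "203.0.113.9", 6667)),
]

def compare():
    """Run the same traffic through both models; returns {name: (nat, firewall)}."""
    nat = NatOnlyRouter()
    fw = DefaultDenyFirewall(rules=[("out", "tcp", 443)])
    return {name: (nat.handle(p), fw.handle(p)) for name, p in TRAFFIC}

if __name__ == "__main__":
    for name, (nat_verdict, fw_verdict) in compare().items():
        print(f"{name:26} NAT-only={nat_verdict:5} firewall={fw_verdict}")
```

Both models drop the unsolicited inbound connection; they differ only on the outbound flow that no rule permits, and on its reply.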
 
Don Kelloway
      08-05-2003
"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <CSXWa.4723$(E-Mail Removed). net>,
> (E-Mail Removed) says...
> [snip]
> > In respect to the BEFSR41 providing NAT and the implementation of NAT
> > preventing/restricting access between the Internet and the internal
> > PC/network, then I think one must concede that the BEFSR41 *is* a
> > firewall in the sense that it meets the above definition.
>
> I completely disagree. If being a router was being a firewall then why
> didn't they call routers firewalls before the days of the cheap
> Linksys/DLink boxes (hint, it's because they are not firewall devices).
>
> Having a single feature of a firewall does NOT make it a firewall. The
> device does NOT inspect the packets and does not have rules for
> OUTBOUND.
>
> > To provide an answer to the expected question of whether I would rely
> > upon a BEFSR41 to protect my own LAN? Probably not, but of course I
> > have needs that the use of a BEFSR41 cannot meet. However if my needs
> > were minimal and my expectations could be met, I would consider its use.
>
> For minimal protection, the bare minimum that a home user would need, a
> NAT Router is a great device and would stop most of the hacks and such.
> Security through obscurity doesn't work, but it does help a lot.
>
> The NAT Routers were called firewall devices by moronic sales
> departments trying to find a way to sell more of them to customers.
> While I fully believe that every home user should sit behind a NAT
> device (even on dial-up) I will never be convinced that NAT makes any
> device a firewall.
>
> The firewall must inspect traffic in BOTH directions, and should, by
> default, not allow traffic in EITHER direction without explicit rules.
> The NAT only boxes fail both of these tests.
> --
> --
> (E-Mail Removed)
> (Remove 999 to reply to me)


Leythos,

Based upon the definition previously provided, a 'firewall' can be
anything. And while you may not agree, this would mean that a router
can be considered a 'firewall' in the sense that it can be configured to
provide restriction. Granted the level of restriction is simplistic if
it's compared to the proliferation of firewall technology available
today, but this doesn't mean that a router cannot be considered a
'firewall'. In fact there are many organizations that still use a
router as their only 'firewall' or as a complement to an existing
firewall device.

In closing, please understand that I respect your opinion and wouldn't
expect you to readily agree. However it would be nice if you consider
reading 'Building Internet Firewalls', published by O'Reilly. While
strongly oriented towards Unix, it is platform-independent and often
considered one of the best books available to discuss this subject of
firewalls. Chapter one is entitled 'What is an Internet Firewall' and
provides the basis for which my above comments and opinion are based
upon.

--
Best regards,
Don Kelloway
Commodon Communications

Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".


 
Leythos
      08-05-2003
In article <NFTXa.7094$(E-Mail Removed). net>,
(E-Mail Removed) says...
[snip]
> Leythos,
>
> Based upon the definition previously provided, a 'firewall' can be
> anything. And while you may not agree, this would mean that a router
> can be considered a 'firewall' in the sense that it can be configured to
> provide restriction. Granted the level of restriction is simplistic if
> it's compared to the proliferation of firewall technology available
> today, but this doesn't mean that a router cannot be considered a
> 'firewall'. In fact there are many organizations that still use a
> router as their only 'firewall' or as a complement to an existing
> firewall device.


I've run across many organizations that use a simple router with NAT as
what they seem to think is their firewall. I'll give this part to you -
a NAT router is a firewall in one direction, but not in the outbound
direction (strictly using a very loose definition of a firewall).

> In closing, please understand that I respect your opinion and wouldn't
> expect you to readily agree. However it would be nice if you consider
> reading 'Building Internet Firewalls', published by O'Reilly. While
> strongly oriented towards Unix, it is platform-independent and often
> considered one of the best books available to discuss this subject of
> firewalls. Chapter one is entitled 'What is an Internet Firewall' and
> provides the basis for which my above comments and opinion are based
> upon.


Many people are writing papers on security, the above publisher is no
exception. In the past I've found their books to be directed towards
many levels of readers. I would expect that a book titled "Building
Internet Firewalls" to be for the mid level network engineers.

My personal choice for a firewall is the Watch Guard line of appliances
- running on a modified version of Linux, I've installed hundreds of
them. I've also installed PIX, Sonic, and Checkpoint (not to mention ZA,
Tiny, Kerio, BID, etc...).

I think that it's going to be very hard for me to change my definition
of "Firewall" to allow devices/applications that only protect the
network in one direction. I've lived by the idea that a firewall
protects in BOTH directions.

I'll look for the book you mention next time at Borders....


--
--
(E-Mail Removed)
(Remove 999 to reply to me)
 
Don Kelloway
      08-06-2003
"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <NFTXa.7094$(E-Mail Removed). net>,
> (E-Mail Removed) says...
> [snip]
> > Leythos,
> >
> > Based upon the definition previously provided, a 'firewall' can be
> > anything. And while you may not agree, this would mean that a router
> > can be considered a 'firewall' in the sense that it can be configured to
> > provide restriction. Granted the level of restriction is simplistic if
> > it's compared to the proliferation of firewall technology available
> > today, but this doesn't mean that a router cannot be considered a
> > 'firewall'. In fact there are many organizations that still use a
> > router as their only 'firewall' or as a complement to an existing
> > firewall device.
>
> I've run across many organizations that use a simple router with NAT as
> what they seem to think is their firewall. I'll give this part to you -
> a NAT router is a firewall in one direction, but not in the outbound
> direction (strictly using a very loose definition of a firewall).
>
> > In closing, please understand that I respect your opinion and wouldn't
> > expect you to readily agree. However it would be nice if you consider
> > reading 'Building Internet Firewalls', published by O'Reilly. While
> > strongly oriented towards Unix, it is platform-independent and often
> > considered one of the best books available to discuss this subject of
> > firewalls. Chapter one is entitled 'What is an Internet Firewall' and
> > provides the basis for which my above comments and opinion are based
> > upon.
>
> Many people are writing papers on security, the above publisher is no
> exception. In the past I've found their books to be directed towards
> many levels of readers. I would expect that a book titled "Building
> Internet Firewalls" to be for the mid level network engineers.
>
> My personal choice for a firewall is the Watch Guard line of appliances
> - running on a modified version of Linux, I've installed hundreds of
> them. I've also installed PIX, Sonic, and Checkpoint (not to mention ZA,
> Tiny, Kerio, BID, etc...).
>
> I think that it's going to be very hard for me to change my definition
> of "Firewall" to allow devices/applications that only protect the
> network in one direction. I've lived by the idea that a firewall
> protects in BOTH directions.
>
> I'll look for the book you mention next time at Borders....


Thanks for your reply.

I appreciate the reversal of your previous statement. IOW that a router
can be configured to act as a firewall. Granted it may not represent
the level of security you or I would want to provide, but it can and
does work for many organizations.

However I am surprised to read that you're not familiar with 'Building
Internet Firewalls'. If it means anything I've been involved with the
firewall industry since 1997 and have no qualms with offering this book
as one of the best when compared to all of the others I've read. In
fact, I have several 1st editions in 'brand new' condition. If you're
interested send me an email and other than the cost of S&H, it's yours
for free.

If you're additionally interested, you may want to consider the
following books as well. I will concede that some are better than
others, but each offers insight another may lack.

'Firewalls and Internet Security, Repelling the Wily Hacker', written by Cheswick and Bellovin, published by Addison Wesley
'Firewalls Complete', written by Goncalves, published by McGraw Hill
'Practical Firewalls', written by Ogletree, published by QUE
'Firewalls 24/7', written by Strebe and Perkins, published by Sybex
'The NCSA Guide to PC and LAN Security', written by Cobb, published by McGraw Hill
'Windows Internet Security', written by Fogie and Peikari, published by Prentice Hall
'TCP/IP, 2nd Edition', written by Feit, published by McGraw Hill
'Network Security in a Mixed Environment', written by Blacharski, published by IDG Books

In closing, I think the BEFSR41 does provide the ability to filter
outbound traffic. Though I could be wrong as it's been awhile since I
played around with one.

--
Best regards,
Don Kelloway
Commodon Communications

Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".


 
Leythos
      08-06-2003
In article <I4YXa.7178$(E-Mail Removed). net>,
(E-Mail Removed) says...
[snip]
> Thanks for your reply.
>
> I appreciate the reversal of your previous statement. IOW that a router
> can be configured to act as a firewall. Granted it may not represent
> the level of security you or I would want to provide, but it can and
> does work for many organizations.


I believe that I wrote the following:

> > I've run across many organizations that use a simple router with NAT as
> > what they seem to think is their firewall. I'll give this part to you -
> > a NAT router is a firewall in one direction, but not in the outbound
> > direction (strictly using a very loose definition of a firewall).


As you can clearly see, I did not apply a blanket acceptance of NAT
being a firewall. I said it can be a firewall in one direction based on
a loose definition of what a firewall is.

NAT does not make a firewall. A firewall can HAVE NAT, and NAT can
provide firewall like features, but only does so in ONE DIRECTION.

> However I am surprised to read that you're not familiar with 'Building
> Internet Firewalls'. If it means anything I've been involved with the
> firewall industry since 1997 and have no qualms with offering this book
> as one of the best when compared to all of the others I've read. In
> fact, I have several 1st editions in 'brand new' condition. If you're
> interested send me an email and other than the cost of S&H, it's yours
> for free.


Thanks for the offer, but I've been doing this for many corporations for
many years (since the early 90's). I read about all the new technology,
play with it in my lab, and test it in settings that mimic real world
conditions before I install it in clients' locations.

[snip]

> In closing, I think the BEFSR41 does provide the ability to filter
> outbound traffic. Though I could be wrong as it's been awhile since I
> played around with one.


None of these devices provide true outbound security - sure, they can
block an IP from reaching the internet, they can stop a PORT from going
outbound for ALL users, but they don't have a set of rules that you can
apply/build like standard firewall devices, and for the most part don't
firewall outbound connections.

Don't take my position that the NAT routers not being firewalls as
meaning that I don't like them - I do like the NAT routers. Heck, I even
own several of them (I segment my development centers on my lan this
way). I used a Linksys BEFSR41 for 3 years until I could afford my first
Watch Guard Firebox II for my home office (before those I used Sygate). I
currently have the BEFSR41, the wireless router, the VPN router, and the
first firewall router they came out with .... All have their places, but
none of them are really firewalls.

Every ISP should include a Linksys with their service, but I would never
install a Linksys at a client's office where they did anything with
finances, medical, engineering, software design, and many other things.

Sincerely,
Mark



--
--
(E-Mail Removed)
(Remove 999 to reply to me)
 
Don Kelloway
      08-06-2003
"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <I4YXa.7178$(E-Mail Removed). net>,
> (E-Mail Removed) says...
>
> I believe that I wrote the following:
>
> As you can clearly see, I did not apply a blanket acceptance of NAT
> being a firewall. I said it can be a firewall in one direction based on
> a loose definition of what a firewall is.
>
> NAT does not make a firewall. A firewall can HAVE NAT, and NAT can
> provide firewall like features, but only does so in ONE DIRECTION.


Though I was never making this comparison, I believe we agree that a
router is *not* a firewall when using the definition that a firewall
should be a device designed to filter both inbound and outbound traffic
as well as for many other items and concerns.

With that said I believe we also agree that a router can provide basic
firewall functionality, albeit filtering in one direction (inbound) and
based upon what you refer to as a 'loose' definition of what a firewall
is.

Note: What you refer to as loose, I would like to refer to as
traditional. Of course this is where I think we went astray. IOW you
were applying my comments to the current definition of what firewalls
have morphed into providing (i.e. they do everything) and I was stating
my comments in respect to what firewalls began as.

Lastly I know we agree that NAT does *not* make a firewall. To think
otherwise is foolishness.

With respect to the above, I honestly think we are on the same page.


--
Best regards,
Don Kelloway
Commodon Communications

Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".


 
Leythos
      08-06-2003
Don,

This was a good discussion. I'm glad that we came to understand both
perspectives on this and even found areas of common agreement.

I look forward to seeing your posts in the group.

Sincerely,
Mark

--
--
(E-Mail Removed)
(Remove 999 to reply to me)
 