Firewalls

Discussion in 'Computer Security' started by KC2KSZ, Aug 2, 2003.

  1. KC2KSZ (Guest)

    I use a BEFSR41 as a firewall. Do I need a software firewall as well?

    Thanks

    Bob
     
    KC2KSZ, Aug 2, 2003
    #1

  2. NetEng (Guest)

    This is not a firewall, it's a device that performs NAT, which is a feature
    of a firewall. I would suggest using a real firewall (PIX, WatchGuard, etc.)
    or using a software-based firewall for additional protection.

    "KC2KSZ" <> wrote in message
    news:FbRWa.42676$...
    > I use a BEFSR41 as a firewall. Do I need a software firewall as well?
    >
    > Thanks
    >
    > Bob
    >
    >
     
    NetEng, Aug 2, 2003
    #2

  3. Don Kelloway (Guest)

    "NetEng" <> wrote in message
    news:...
    > This is not a firewall, it's a device that performs NAT which is a
    > feature of a firewall. I would suggest using a real firewall (PIX,
    > WatchGuard, etc) or using a software based firewall for additional
    > protection.
    >
    > "KC2KSZ" <> wrote in message
    > news:FbRWa.42676$...
    > > I use a BEFSR41 as a firewall. Do I need a software firewall as
    > > well?
    > >
    > > Thanks
    > >
    > > Bob


    Despite the fact that within the technology of firewalls there are many
    that offer a myriad of features and functionality (NAT, DMZ, VPN, CFI,
    IDS, AV, etc.), the most basic definition of a firewall remains the same,
    and that definition would be that "a firewall is a way to restrict
    access between the Internet and your internal network" (see 'Building
    Internet Firewalls', written by Zwicky, Cooper and Chapman).

    In respect to the BEFSR41 providing NAT, and the implementation of NAT
    preventing/restricting access between the Internet and the internal
    PC/network, I think one must concede that the BEFSR41 *is* a
    firewall in the sense that it meets the above definition.

    If however you are trying to suggest that a PIX or WatchGuard is a
    better choice of firewall because either provides a greater set of
    features and/or functionality, then I would not hesitate to agree with
    you, but you must admit this is like comparing a tangerine to a navel
    orange.

    To provide an answer to the expected question of whether I would rely
    upon a BEFSR41 to protect my own LAN? Probably not, but of course I
    have needs that the use of a BEFSR41 cannot meet. However if my needs
    were minimal and my expectations could be met, I would consider its use.

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Aug 3, 2003
    #3
  4. Leythos (Guest)

    In article <CSXWa.4723$>,
    says...
    [snip]
    > In respect to the BEFSR41 providing NAT and the implementation of NAT
    > preventing/restricting access between the Internet and the internal
    > PC/network. Then I think one must concede that the BEFSR41 *is* a
    > firewall in the sense that it meets the above definition.


    I completely disagree. If being a router was being a firewall then why
    didn't they call routers firewalls before the days of the cheap
    Linksys/DLink boxes (hint, it's because they are not firewall devices).

    Having a single feature of a firewall does NOT make it a firewall. The
    device does NOT inspect the packets and does not have rules for
    OUTBOUND.

    > To provide an answer to the expected question of whether I would rely
    > upon a BEFSR41 to protect my own LAN? Probably not, but of course I
    > have needs that the use of a BEFSR41 cannot meet. However if my needs
    > were minimal and my expectations could be met, I would consider its use.


    For minimal protection, the bare minimum that a home user would need, a
    NAT Router is a great device and would stop most of the hacks and such.
    Security through obscurity doesn't work, but it does help a lot.

    The NAT Routers were called firewall devices by moronic sales
    departments trying to find a way to sell more of them to customers.
    While I fully believe that every home user should sit behind a NAT
    device (even on dial-up) I will never be convinced that NAT makes any
    device a firewall.

    The firewall must inspect traffic in BOTH directions, and should, by
    default, not allow traffic in EITHER direction without explicit rules.
    The NAT only boxes fail both of these tests.


    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Aug 3, 2003
    #4
  5. Don Kelloway (Guest)

    "Leythos" <> wrote in message
    news:...
    > In article <CSXWa.4723$>,
    > says...
    > [snip]
    > > In respect to the BEFSR41 providing NAT and the implementation of
    > > NAT preventing/restricting access between the Internet and the
    > > internal PC/network. Then I think one must concede that the
    > > BEFSR41 *is* a firewall in the sense that it meets the above
    > > definition.
    >
    > I completely disagree. If being a router was being a firewall then why
    > didn't they call routers firewalls before the days of the cheap
    > Linksys/DLink boxes (hint, it's because they are not firewall
    > devices).
    >
    > Having a single feature of a firewall does NOT make it a firewall. The
    > device does NOT inspect the packets and does not have rules for
    > OUTBOUND.
    >
    > > To provide an answer to the expected question of whether I would
    > > rely upon a BEFSR41 to protect my own LAN? Probably not, but of
    > > course I have needs that the use of a BEFSR41 cannot meet. However
    > > if my needs were minimal and my expectations could be met, I would
    > > consider its use.
    >
    > For minimal protection, the bare minimum that a home user would need,
    > a NAT Router is a great device and would stop most of the hacks and
    > such. Security through obscurity doesn't work, but it does help a lot.
    >
    > The NAT Routers were called firewall devices by moronic sales
    > departments trying to find a way to sell more of them to customers.
    > While I fully believe that every home user should sit behind a NAT
    > device (even on dial-up) I will never be convinced that NAT makes
    > any device a firewall.
    >
    > The firewall must inspect traffic in BOTH directions, and should, by
    > default, not allow traffic in EITHER direction without explicit rules.
    > The NAT only boxes fail both of these tests.
    > --
    > --
    >
    > (Remove 999 to reply to me)


    Leythos,

    Based upon the definition previously provided, a 'firewall' can be
    anything. And while you may not agree, this would mean that a router
    can be considered a 'firewall' in the sense that it can be configured to
    provide restriction. Granted the level of restriction is simplistic if
    it's compared to the proliferation of firewall technology available
    today, but this doesn't mean that a router cannot be considered a
    'firewall'. In fact there are many organizations that still use a
    router as their only 'firewall' or as a complement to an existing
    firewall device.

    In closing, please understand that I respect your opinion and wouldn't
    expect you to readily agree. However it would be nice if you consider
    reading 'Building Internet Firewalls', published by O'Reilly. While
    strongly oriented towards Unix, it is platform-independent and often
    considered one of the best books available to discuss this subject of
    firewalls. Chapter one is entitled 'What is an Internet Firewall' and
    provides the basis on which my above comments and opinion are based.

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Aug 5, 2003
    #5
  6. Leythos (Guest)

    In article <NFTXa.7094$>,
    says...
    [snip]
    > Leythos,
    >
    > Based upon the definition previously provided, a 'firewall' can be
    > anything. And while you may not agree, this would mean that a router
    > can be considered a 'firewall' in the sense that it can be configured to
    > provide restriction. Granted the level of restriction is simplistic if
    > it's compared to the proliferation of firewall technology available
    > today, but this doesn't mean that a router cannot be considered a
    > 'firewall'. In fact there are many organizations that still use a
    > router as their only 'firewall' or as a complement to an existing
    > firewall device.


    I've run across many organizations that use a simple router with NAT as
    what they seem to think is their firewall. I'll give this part to you -
    a NAT router is a firewall in one direction, but not in the outbound
    direction (strictly using a very loose definition of a firewall).

    > In closing, please understand that I respect your opinion and wouldn't
    > expect you to readily agree. However it would be nice if you consider
    > reading 'Building Internet Firewalls', published by O'Reilly. While
    > strongly oriented towards Unix, it is platform-independent and often
    > considered one of the best books available to discuss this subject of
    > firewalls. Chapter one is entitled 'What is an Internet Firewall' and
    > provides the basis for which my above comments and opinion are based
    > upon.


    Many people are writing papers on security, the above publisher is no
    exception. In the past I've found their books to be directed towards
    many levels of readers. I would expect a book titled "Building
    Internet Firewalls" to be for the mid-level network engineers.

    My personal choice for a firewall is the Watch Guard line of appliances
    - running on a modified version of Linux, I've installed hundreds of
    them. I've also installed PIX, Sonic, and Checkpoint (not to mention ZA,
    Tiny, Kerio, BID, etc...).

    I think that it's going to be very hard for me to change my definition
    of "Firewall" to allow devices/applications that only protect the
    network in one direction. I've lived by the idea that a firewall
    protects in BOTH directions.

    I'll look for the book you mention next time at Borders....


    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Aug 5, 2003
    #6
  7. Don Kelloway (Guest)

    "Leythos" <> wrote in message
    news:...
    > In article <NFTXa.7094$>,
    > says...
    > [snip]
    > > Leythos,
    > >
    > > Based upon the definition previously provided, a 'firewall' can be
    > > anything. And while you may not agree, this would mean that a
    > > router can be considered a 'firewall' in the sense that it can be
    > > configured to provide restriction. Granted the level of restriction
    > > is simplistic if it's compared to the proliferation of firewall
    > > technology available today, but this doesn't mean that a router
    > > cannot be considered a 'firewall'. In fact there are many
    > > organizations that still use a router as their only 'firewall' or
    > > as a complement to an existing firewall device.
    >
    > I've run across many organizations that use a simple router with NAT
    > as what they seem to think is their firewall. I'll give this part to
    > you - a NAT router is a firewall in one direction, but not in the
    > outbound direction (strictly using a very loose definition of a
    > firewall).
    >
    > > In closing, please understand that I respect your opinion and
    > > wouldn't expect you to readily agree. However it would be nice if
    > > you consider reading 'Building Internet Firewalls', published by
    > > O'Reilly. While strongly oriented towards Unix, it is
    > > platform-independent and often considered one of the best books
    > > available to discuss this subject of firewalls. Chapter one is
    > > entitled 'What is an Internet Firewall' and provides the basis on
    > > which my above comments and opinion are based.
    >
    > Many people are writing papers on security, the above publisher is no
    > exception. In the past I've found their books to be directed towards
    > many levels of readers. I would expect a book titled "Building
    > Internet Firewalls" to be for the mid-level network engineers.
    >
    > My personal choice for a firewall is the Watch Guard line of
    > appliances - running on a modified version of Linux, I've installed
    > hundreds of them. I've also installed PIX, Sonic, and Checkpoint (not
    > to mention ZA, Tiny, Kerio, BID, etc...).
    >
    > I think that it's going to be very hard for me to change my definition
    > of "Firewall" to allow devices/applications that only protect the
    > network in one direction. I've lived by the idea that a firewall
    > protects in BOTH directions.
    >
    > I'll look for the book you mention next time at Borders....
    >


    Thanks for your reply.

    I appreciate the reversal of your previous statement. IOW that a router
    can be configured to act as a firewall. Granted it may not represent
    the level of security you or I would want to provide, but it can and
    does work for many organizations.

    However I am surprised to read that you're not familiar with 'Building
    Internet Firewalls'. If it means anything I've been involved with the
    firewall industry since 1997 and have no qualms with offering this book
    as one of the best when compared to all of the others I've read. In
    fact, I have several 1st editions in 'brand new' condition. If you're
    interested send me an email and other than the cost of S&H, it's yours
    for free.

    If you're additionally interested. You may want to consider the
    following books as well. I will concede that some are better than
    others, but each offers insight another may lack.

    'Firewalls and Internet Security: Repelling the Wily Hacker', written
    by Cheswick and Bellovin, published by Addison-Wesley
    'Firewalls Complete', written by Goncalves, published by McGraw Hill
    'Practical Firewalls', written by Ogletree, published by QUE
    'Firewalls 24/7', written by Strebe and Perkins, published by Sybex
    'The NCSA Guide to PC and LAN Security', written by Cobb, published by
    McGraw Hill
    'Windows Internet Security', written by Fogie and Peikari, published by
    Prentice Hall
    'TCP/IP, 2nd Edition', written by Feit, published by McGraw Hill
    'Network Security in a Mixed Environment', written by Blacharski,
    published by IDG Books

    In closing, I think the BEFSR41 does provide the ability to filter
    outbound traffic. Though I could be wrong as it's been awhile since I
    played around with one.

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Aug 6, 2003
    #7
  8. Leythos (Guest)

    In article <I4YXa.7178$>,
    says...
    [snip]
    > Thanks for your reply.
    >
    > I appreciate the reversal of your previous statement. IOW that a router
    > can be configured to act as a firewall. Granted it may not represent
    > the level of security you or I would want to provide, but it can and
    > does work for many organizations.


    I believe that I wrote the following:

    > > I've run across many organizations that use a simple router with NAT as
    > > what they seem to think is their firewall. I'll give this part to you -
    > > a NAT router is a firewall in one direction, but not in the outbound
    > > direction (strictly using a very loose definition of a firewall).


    As you can clearly see, I did not apply a blanket acceptance of NAT
    being a firewall. I said it can be a firewall in one direction based on
    a loose definition of what a firewall is.

    NAT does not make a firewall. A firewall can HAVE NAT, and NAT can
    provide firewall like features, but only does so in ONE DIRECTION.

    > However I am surprised to read that you're not familiar with 'Building
    > Internet Firewalls'. If it means anything I've been involved with the
    > firewall industry since 1997 and have no qualms with offering this book
    > as one of the best when compared to all of the others I've read. In
    > fact, I have several 1st editions in 'brand new' condition. If you're
    > interested send me an email and other than the cost of S&H, it's yours
    > for free.


    Thanks for the offer, but I've been doing this for many corporations for
    many years (since the early '90s). I read about all the new technology,
    play with it in my lab, and test it in settings that mimic real world
    conditions before I install it in clients' locations.

    [snip]

    > In closing, I think the BEFSR41 does provide the ability to filter
    > outbound traffic. Though I could be wrong as it's been awhile since I
    > played around with one.


    None of these devices provide true outbound security - sure, they can
    block an IP from reaching the internet, they can stop a PORT from going
    outbound for ALL users, but they don't have a set of rules that you can
    apply/build like standard firewall devices, and for the most part don't
    firewall outbound connections.

    Don't take my position that the NAT routers are not firewalls as
    meaning that I don't like them - I do like the NAT routers. Heck, I even
    own several of them (I segment my development centers on my LAN this
    way). I used a Linksys BEFSR41 for 3 years until I could afford my first
    Watch Guard Firebox II for my home office (before those I used Sygate). I
    currently have the BEFSR41, the wireless router, the VPN router, and the
    first firewall router they came out with .... All have their places, but
    none of them are really firewalls.

    Every ISP should include a Linksys with their service, but I would never
    install a Linksys at a client's office where they did anything with
    finances, medical, engineering, software design, and many other things.

    Sincerely,
    Mark



    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Aug 6, 2003
    #8
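    The distinction Leythos draws in posts #4 and #8 (a firewall inspects
    traffic in both directions and allows nothing without an explicit rule,
    while a NAT box passes anything outbound and at best switches a port
    off for every host) can be made concrete in code. What follows is an
    added example written for this page, not code from any of the posters,
    from Linksys, or from any firewall vendor: it models a NAT-only router
    and a stateful default-deny packet filter as two small Python classes
    and runs the same constructed traffic through both. The addresses,
    ports, rule syntax and scenario names are assumptions made for the
    illustration.

```python
"""NAT-only router next to a stateful, default-deny firewall (toy model).
Added example for this thread; not code from any poster, from Linksys or any
firewall vendor. Addresses, ports and rules below are constructed."""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."   # assumed inside network
PUBLIC_IP = "203.0.113.1"   # assumed WAN address of the gateway
FIRST_NAT_PORT = 40000      # first public port the NAT table hands out

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Packet(self.dst, self.dport, self.src, self.sport)

    def outbound(self):
        return self.src.startswith(LAN_PREFIX)     # LAN -> Internet?

class NatRouter:
    """Translates and allows every LAN-initiated flow; admits Internet-side
    packets only if they match a translation. Its only egress control is a
    global 'block this port for everybody' list."""

    def __init__(self, blocked_ports=()):
        self.blocked = set(blocked_ports)
        self.table = {}          # public port -> (src, sport, dst, dport)
        self.next_port = FIRST_NAT_PORT

    def handle(self, pkt):
        if pkt.outbound():
            if pkt.dport in self.blocked:
                return "DROP"
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if flow not in self.table.values():
                self.table[self.next_port] = flow
                self.next_port += 1
            return "ALLOW"                         # anything out is fine
        flow = self.table.get(pkt.dport)           # Internet -> public port
        if pkt.dst == PUBLIC_IP and flow and flow[2:] == (pkt.src, pkt.sport):
            return "ALLOW"                         # reply to a LAN-opened flow
        return "DROP"                              # unsolicited: no mapping

@dataclass(frozen=True)
class Rule:
    direction: str       # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    src: str = "any"     # exact IP, prefix ending in ".", or "any"
    dport: int = 0       # 0 means any port

    def matches(self, direction, pkt):
        src_ok = self.src in ("any", pkt.src) or (
            self.src.endswith(".") and pkt.src.startswith(self.src))
        return (self.direction == direction and src_ok
                and self.dport in (0, pkt.dport))

class StatefulFirewall:
    """Default deny both ways: a packet passes only if an explicit rule allows
    it or it belongs to a flow an allowed packet already opened. Modelled as
    seeing pre-NAT (inside) addresses."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()       # first packet of each permitted flow

    def handle(self, pkt):
        if pkt in self.state or pkt.reverse() in self.state:
            return "ALLOW"                         # ESTABLISHED traffic
        direction = "out" if pkt.outbound() else "in"
        if any(r.matches(direction, pkt) for r in self.rules):
            self.state.add(pkt)
            return "ALLOW"
        return "DROP"                              # no rule: default deny

def run_scenarios():
    """Returns {scenario: (nat_verdict, firewall_verdict)} for constructed traffic."""
    nat = NatRouter(blocked_ports={6667})          # coarse knob: IRC off for everyone
    fw = StatefulFirewall([
        Rule("out", src=LAN_PREFIX, dport=443),       # everyone may use HTTPS
        Rule("out", src="192.168.1.10", dport=6667),  # one admin host may use IRC
    ])                                             # no "in" rules at all
    https = Packet("192.168.1.10", 51000, "203.0.113.5", 443)
    rdp_scan = Packet("198.51.100.7", 5555, PUBLIC_IP, 3389)
    beacon = Packet("192.168.1.20", 52000, "198.51.100.7", 8080)   # implant C2
    irc_admin = Packet("192.168.1.10", 53000, "198.51.100.9", 6667)
    irc_other = Packet("192.168.1.20", 53001, "198.51.100.9", 6667)
    nat_reply = Packet("203.0.113.5", 443, PUBLIC_IP, FIRST_NAT_PORT)  # to public port
    r = {"https out": (nat.handle(https), fw.handle(https))}
    r["https reply"] = (nat.handle(nat_reply), fw.handle(https.reverse()))
    r["unsolicited rdp in"] = (nat.handle(rdp_scan), fw.handle(rdp_scan))
    r["implant beacon out"] = (nat.handle(beacon), fw.handle(beacon))
    r["irc from admin host"] = (nat.handle(irc_admin), fw.handle(irc_admin))
    r["irc from other host"] = (nat.handle(irc_other), fw.handle(irc_other))
    return r
```

    Calling run_scenarios() shows the two devices agreeing where the thread
    agrees (both drop the unsolicited inbound scan, both pass the browsing
    session and its reply) and disagreeing exactly where the thread does:
    an implant beaconing out on a port nobody thought to block passes the
    NAT router and is dropped by the default-deny firewall, and a per-host
    IRC rule is expressible on the firewall while the router can only turn
    the port off for every host behind it.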
  9. Don Kelloway (Guest)

    "Leythos" <> wrote in message
    news:...
    > In article <I4YXa.7178$>,
    > says...
    >
    > I believe that I wrote the following:
    >
    > As you can clearly see, I did not apply a blanket acceptance of NAT
    > being a firewall. I said it can be a firewall in one direction based
    > on a loose definition of what a firewall is.
    >
    > NAT does not make a firewall. A firewall can HAVE NAT, and NAT can
    > provide firewall like features, but only does so in ONE DIRECTION.
    >


    Though I was never making this comparison, I believe we agree that a
    router is *not* a firewall when using the definition that a firewall
    should be a device designed to filter both inbound and outbound traffic
    as well as for many other items and concerns.

    With that said I believe we also agree that a router can provide basic
    firewall functionality, albeit filtering in one direction (inbound) and
    based upon what you refer to as a 'loose' definition of what a firewall
    is.

    Note: What you refer to as loose, I would like to refer to as
    traditional. Of course this is where I think we went astray. IOW you
    were applying my comments to the current definition of what firewalls
    have morphed into providing (i.e. they do everything) and I was stating
    my comments in respect to what firewalls began as.

    Lastly I know we agree that NAT does *not* make a firewall. To think
    otherwise is foolishness.

    With respect to the above, I honestly think we are on the same page.


    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
     
    Don Kelloway, Aug 6, 2003
    #9
  10. Leythos (Guest)

    Don,

    This was a good discussion. I'm glad that we came to understand both
    perspectives on this and even found areas of common agreement.

    I look forward to seeing your posts in the group.

    Sincerely,
    Mark

    --
    --

    (Remove 999 to reply to me)
     
    Leythos, Aug 6, 2003
    #10
  11. Mike Dann (Guest)

    "Leythos" <> wrote in message
    news:...
    > Don,
    >
    > This was a good discussion. I'm glad that we came to understand both
    > perspectives on this and even found areas of common agreement.
    >
    > I look forward to seeing your posts in the group.
    >
    > Sincerely,
    > Mark
    >
    > --
    > --
    >
    > (Remove 999 to reply to me)


    Hi Guys,

    Interesting conversation!

    At the beginning of this thread, it seemed to me that Leythos had a very
    narrow interpretation of what a firewall was. On the other hand, Don was
    being pedantic (and, ultimately correct!).

    It is good that you were both able to agree that there are different levels
    of protection provided by various applications, and different levels of
    expectancy by various users. It is a case of marrying them to find the most
    appropriate solution. Generally, it is assumed that the more an application
    'does', the better it is. This is correct only if it has been configured
    correctly and the local security policy is adhered to.

    Even though it is generally more desirable to have the most protection
    possible when considering firewalling solutions, I think it is wise to look
    at this subject from the pedantic point of view, i.e. if an application
    fits the definition of a firewall (as in Building Internet Firewalls) then
    it should be called as such. Just because the popular interpretation of
    what a firewall is has changed in the time since this book was written, it
    does not detract from the fact that the application can still be considered
    a firewall. Perhaps a 'weak' firewall, but a firewall nonetheless.

    Anyway, have fun guys!

    Mike.
     
    Mike Dann, Aug 6, 2003
    #11