Security Basics mailing list archives

RE: Protecting Multiple Public IP Workstations


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 2 Mar 2004 12:57:48 -0800

  The right approach is to block everything, and then unblock the ports
you actually need.  This is both more reliable and more cost-effective
than trying to block only "known bad" ports.
  The problem, of course, is that this breaks FTP unless you either (a)
enable all outbound and use PASV mode, or (b) install a stateful, FTP-aware
firewall instead of relying on the router to filter your traffic.  And
in a world of chatty OSes and services and worms and ad-ware, enabling
all outbound is a poor choice....

Dave Gillett

-----Original Message-----
From: Preston, Tony [mailto:Tony.Preston () acs-inc com]
Sent: Tuesday, March 02, 2004 5:32 AM
To: security-basics () securityfocus com
Subject: RE: Protecting Multiple Public IP Workstations


I have a Linksys router and have a question...  It has a minimal port
filtering capability.  I block a couple of ports (135-139, 445), and
wondered what would be a suggested list of ports to block traffic based on
known virus/trojans.

Tony Preston
Systems Engineer, AS&T Inc.
Division of L3 Corporation
(609) 485-0205 x 181


-----Original Message-----
From: Paul Kurczaba [mailto:paul () myipis com] 
Sent: Friday, February 27, 2004 7:52 PM
To: MATT GIBSON; security-basics () securityfocus com
Subject: Re: Protecting Multiple Public IP Workstations

First of all, it's never a good idea to assign public IPs to workstations
on a networked environment (this type of environment is a hacker's wish come
true). If you are not hosting services on all six IPs, you can buy a
$100-$150 firewall/router at CompUSA (I would recommend Linksys or Netgear).
Most have 4 or 8 ports. If the firewall/router you buy only has 4 ports,
also pick up a 4 port switch (it's about $50-$70). If you need all 6 IPs
(for hosting HTTP, FTP, SMTP, etc.), you should probably get a CheckPoint
FW-1 or a Cisco PIX. Also, if you haven't already bought the Win2k server, I
would suggest Server 2003 instead. It takes less than 10 seconds to boot,
the OS is faster, and more secure than 2000.

just my $0.02

-Paul Kurczaba
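
Added example (not part of any message in this thread): a small Python model of the default-deny filtering Dave Gillett describes at the top of the thread, showing why FTP data connections fail through a stateless filter and what his options (a) and (b) change. The addresses, port list and class names are constructed for illustration, and replies to already-permitted connections are assumed to pass.

```python
import re

# Constructed sample addresses (documentation ranges), not taken from the thread.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"

class Filter:
    """Default-deny filter for new connections, seen from the protected client."""

    def __init__(self, allow_out, ftp_aware=False):
        self.allow_out = allow_out    # set of outbound dst ports, or None = all outbound
        self.ftp_aware = ftp_aware    # True = parse the FTP control channel
        self.pinholes = set()         # one-shot (direction, dst_port) exceptions

    def inspect_control(self, line):
        """Open a pinhole for the data port named in PORT or in a 227 (PASV) reply."""
        m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
        if not (self.ftp_aware and m):
            return
        n = [int(x) for x in m.groups()]
        ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        if line.startswith("PORT") and ip == CLIENT:    # active: server dials in
            self.pinholes.add(("in", port))
        elif line.startswith("227") and ip == SERVER:   # passive: client dials out
            self.pinholes.add(("out", port))

    def permits(self, direction, dst_port):
        if (direction, dst_port) in self.pinholes:
            self.pinholes.remove((direction, dst_port))
            return True
        if direction == "out":
            return self.allow_out is None or dst_port in self.allow_out
        return False                  # inbound: block everything by default

def ftp_data_ok(fw, mode, data_port=50000):
    """Return True if the FTP data connection gets through the filter."""
    if not fw.permits("out", 21):     # control connection to the server
        return False
    hi, lo = divmod(data_port, 256)
    if mode == "active":
        fw.inspect_control("PORT %s,%d,%d" % (CLIENT.replace(".", ","), hi, lo))
        return fw.permits("in", data_port)
    fw.inspect_control("227 Entering Passive Mode (%s,%d,%d)"
                       % (SERVER.replace(".", ","), hi, lo))
    return fw.permits("out", data_port)

def outcomes(allow_out, ftp_aware=False):
    return {m: ftp_data_ok(Filter(allow_out, ftp_aware), m) for m in ("active", "passive")}

if __name__ == "__main__":
    print("stateless, needed ports only:", outcomes({21, 25, 80}))
    print("stateless, all outbound     :", outcomes(None))
    print("FTP-aware, needed ports only:", outcomes({21, 25, 80}, ftp_aware=True))
```

The FTP-aware case only opens a pinhole when the address in the PORT command or 227 reply matches the endpoint of the control connection, so the exception stays limited to that one transfer.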



