Firewall Wizards mailing list archives

Re: Basic Protection


From: "Kevin T. Shivers" <kts () clark net>
Date: Fri, 23 Jul 1999 11:56:51 -0400 (EDT)

On Wed, 21 Jul 1999, Frank R. Boecherer wrote:

> I have some clients with NT server (typical vanilla setup) and they want to hook up DSL
> for Internet access.  If NAT or Proxy Server is used, is there enough protection or is a
> full firewall needed?  To phrase the question another way: How do I allow a client to have
> fast Internet access for all the workstations without having to spend a lot for firewall
> protection?

Proxy Server will protect you some, but if I had the money I would get
something better to protect myself with.  You can probably get by with
something that really doesn't cost that much.  I am assuming that since
they are using DSL, that they probably are a home office/small office
setup.  You can get a cheap PC and run FWTK, or Linux with ipchains and
your only cost there will be the box and your time in setting it up.  You
could also get a firewall appliance type thing like a SonicWall or a
Firebox and set it up.  They are pretty cheap, and they work pretty well.
Fred Avolio and myself tested a SonicWall recently and it was pretty good.
You can see the review at: http://strom.com/awards/160.html .  Any of
these will probably cost less than a server running NT Server and Proxy
Server.

A little rant on Proxy Server:

Proxy Server runs on NT, therefore it will be inherently insecure.  A
quick look into the NTBugTraq archives found a bunch of problems with
Proxy Server.  One of the more interesting problems is better described
online at: http://www.infowar.co.uk/mnemonix/proxy.htm .  Personally I
wouldn't use it since it is far too easy to get Administrative rights on
an NT machine and then use that machine to gain access into the whole
network.  If you also want some more information on Proxy Server check out:
http://xbill.org/~kts/nt/ms2-proxyserver.txt .

> With all I've been reading, it seems like the only secure way to go is with a firewall.
> But if NAT is used and the IP address of a workstation on the internal network isn't known
> or available to the outside, is it safe?  Does an ISP provide security so that I don't
> have to worry about it?

I would strongly recommend a firewall in addition to using NAT.  Just
using NAT and not telling anybody what the internal addresses are is
basically just "security through obscurity", and that is a bad thing [tm]
by itself.  Ever watched "Wargames"?  :)  When you do set up NAT, a thing
that would be good to do is pick a different set of internal addresses
than most people use.  For instance, use something like 10.26.x.x instead
of 10.0.x.x like many people do.

I would doubt that the ISP is going to supply much, if any, security.
Most ISPs are just going to give you the connection.  If they do firewall
it will probably be from their uplink to their network, leaving you still
vulnerable to the rest of the users of your ISP.  And besides, would you
trust something that you, or someone you knew and trusted, set up?  Me,
being the paranoid person I am, probably wouldn't.  :)

kts

--
Kevin T. Shivers             NT & UNIX Security Administrator
Shivers Consulting               http://www.clark.net/pub/kts
kts () clark net
