Date: Thu, 15 Mar 2001 06:15:53 -0800
From: richard childers <fscked@pacbell.net>
To: bcohen@bpecreative.com
Cc: freebsd-questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: FreeBSD Firewall vs. Black Ice
Message-ID: <3AB0CE99.FA945074@pacbell.net>
References: <NNEMIHKLBKHCIJHJJFGPGEDGDNAA.bcohen@bpecreative.com>
I wanted to take a moment to point interested parties in the direction of NetGear and other, similar companies producing trivial firewalls for trivial amounts. I acquired a NetGear RT314 recently, and after a few days of experimenting, had it operating without problems. The unit cost about $140, at CompUSA. A slightly cheaper RT311 is also available; the RT311 does not have four ports, only one port, on the 'in' side.

Basically, what this device does is replace your DSL-connected single PC with a router that provides equivalent functionality, for either DSL or cable modems (RoadRunner only). Once it is configured, it allows all of your computers to share the DSL connection, insulating them with NAT. It is, as others have noted, also a trivial firewall.

Configurable options include the subnet in use, the number of DHCP clients you want to serve addresses to from this device, which internal address to redirect port 80 or port 23 connection attempts to, syslog functionality, and the ability to create up to eight special rules for additional functionality - for instance, ssh would need to be explicitly permitted before you could use it to access systems inside your perimeter.

I'm not saying that this should replace the idea of a UNIX-based firewall, but it is an excellent and cost-effective choke point, behind which a firewall can be placed, while - at least with the RT314 - you still have the ability to sample traffic more directly, if you care to, via one of the additional ports.

I've heard others describe this as 'defense in depth', but I proposed this sort of scheme back in, um, 1992 or 1993, on the firewalls-digest mailing list ... and was largely ignored, because at that time everyone thought that firewalls were the ultimate defense ... the idea of buggy firmware seemed inconceivable, at the time, to most administrators.
There are definite tradeoffs between additional security hardware and software; the more things there are to administer, the more details there are to overlook. The problem is analogous to that of having your house secured by a series of doors with a series of locks, all by different manufacturers; the more locks, the greater the probability of a lost key, stuck lock, etc ... but, the more security, also.

I have not even bothered to look at Black Ice. Anything that has to rely on marketing to get my attention ... just lost my attention. I'm an engineer ... not a teenager with a rack of cyberpunk paperbacks above my bed. (That was last decade. :-)

(Note that NetGear doesn't advertise their box as a firewall or anything snazzy; it's a piece of networking equipment with more functionality than you can shake a SIMM at.)

-- richard

Bob Cohen wrote:

> Gentlemen,
>
> Thanks for the interesting and informative discussion about
> firewalls and site cracking. Though much of it went over my
> head, as I am a web designer type, you have convinced me
> that the best course of action will be to set up a
> router/gateway w/FreeBSD. Mine is a cable connection, will
> the cheat sheets provide me a good start? How can I learn
> enough to build a solid firewall without spending all my
> waking time, and therefore my billing time?
>
> Thanks.
>
> Bob Cohen
> b.p.e.Creative
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Richard A. Childers
Senor UNIX Administrator
fscked@pacbell.net (email)
415.664.6291 (voice/msgs)

# Providing administrative expertise (not 'damage control') since 1986.
# PGP fingerprint: 7EFF 164A E878 7B04 8E9F 32B6 72C2 D8A2 582C 4AFA