Hmm.
Can I expand on that? I agree with the sentiment but I think it's a touch
broad.
You can get pretty good basic packet filtering with IOS. If you start with
"permit tcp any any established" (allow only packets with the Ack bit set,
which will usually only be the case if someone on the inside has requested
the connection) and then throw in Network Address Translation (I'm not going
to start listing commands, try CCO), all you need to do is add a static
mapping for a mailserver, allow DNS so WWW works and you've got yourself a
fairly secure small office setup that will withstand casual probing.
Yes, there are limitations with the kinds of services you'll get - I know
I'm offering myself for crucifixion. If you're feeling like "correcting" me
now do so at a level that will benefit the original poster.
Now, if you're trying to support a hundred or so users that want a full
gamut of services (NNTP, Gopher, non-passive FTP, WAIS, Real *&(&^%& Audio,
Lions and Tigers and Bears, or even ICQ (lord help us!)) then you'll quickly
start hating life and your job. Also remember that unless you're planning to
use a free firewall you'll get a Cisco box that will do the job for about a
tenth of the price of a "real" firewall box, and you'll probably still need
an access router to boot.
(like a shadow, Argument Man slips back into the night!)
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-----Original Message-----
From: Carric Dooley [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, April 22, 1999 3:16 AM
To: Jim Fletcher
Cc: '[EMAIL PROTECTED]'
Subject: Re: Cisco IOS
Using a router as your primary means of protection is a bad idea.
[prune]
A certain amount of "screening" on your router for additional security is
a good idea, but buy a firewall.
Carric Dooley
[truncate]