On Sunday 14 December 2003 11:49 pm, Lyvim Xaphir wrote:

> Well this stuff was mostly stuff on the way to be trashed; whereupon it
> was intercepted by yours truly.  So I've got maybe, well....NOTHING,
> actually, in this box.  If you look around, old stuff is not hard to
> find.  Schools, corporations, government installations, even Ebay; lots
> of peeps getting rid of old stuff all the time.  Not real hard to find
> these days, especially with this newfangled internet thing. ;)

If you consider yourself to be the standard user, then I stand corrected and 
obviously, I must have exceedingly poor luck picking my own friends.  
However, since Carren himself suggested that he was looking for something 
that would duplicate the functionality of Kerio on a Linux box, I do feel 
somewhat vindicated.
>
> > > All this depends on the intentions of the
> > > newbie; which is whether they are going for a functional installation
> > > to "do stuff" on the internet with or whether they are in this for the
> > > learning process.  Most newbies are here to learn, and attack a
> > > learning curve, not run from it.
> >
> > Fact is, there is nothing that says that you can not operate a router at
> > the same time that you operate a firewall.  I run both a firewall and a
> > router device.  I still prefer the hardware device that disables
> > portscans on my system, again, you may prefer to see those types of
> > attacks, I just want to block them.
> >
> > However, I do not know of any non-techie computer people that just happen
> > to have a spare box lying around, YMMV.  Absent a box, there is not
> > really any way to build a standalone firewall box that is going to cost
> > less than the $50 that a hardware router will run you.  Installing the
> > firewall on your primary system is not as good as a hardware router
> > device.
>
> I have already proven your statement about a firewall box being less
> than 50 bucks false, since I have a resurrected box right here; and I
> never have stated that the firewall should be on your primary system.

Just because you have managed to do something does not mean that everyone 
would be able to.  I don't know of any way that I could put together a 
standalone box, including two NIC cards for less than $50 currently were I 
not to have the hardware lying around from past purchases.  It is possible 
that Joe Average could manage it, but not the ones that I know.  At any rate, 
there is no reason that both of us can't make recommendations and the person 
in question can choose his own path.  I made mine and you made yours.  

> That depends on whether you are instructing newbies at a LUG or at Wal
> Mart.

True, but a person currently using Windows with Kerio is unlikely to be at the 
LUG.  Even if he was, if he didn't have competent assistance, I would be 
reluctant to advise him to take a shot at it knowing that he would be 
depending on the results right out of the gate.  Were it something simpler 
than firewalls, I might have a different opinion.

> >   There
> > is time for learning after your computer is running and doing the things
> > that you want it to do.  I definitely would not suggest to someone coming
> > from the Windows world whose current idea of a good firewall is Kerio
> > with a system tray icon on their primary machine, that they should jump
> > full bore into the world of shorewall and iptables while their current
> > machine is open to attack from the Internet.
>
> That I agree with; that's why I made this statement:
>
> "Hardware routers are generally for Mac users or non-tech types.  That's
> fine, but if you are looking for knowledge, a router appliance is not
> going to get you there; in fact I recommend against it."
>
> > That being said, running a firewall on the same box that you use as your
> > primary computer is simply not a good idea.  It needs to be a standalone
> > box that sits between you and the Internet.  In fact, in most corporate
> > setups the chain goes, Router - Firewall - Router - Internal lan.  There
> > is a reason for setting up routers between those boxes.
>
> Where in the heck are you getting the idea that I said anything about
> running the firewall on the primary box?  This is what I said --

Thus the modifier, "that being said."  The assumption is that they only have a 
primary machine (Windows with firewall software running on that machine) and 
they want to duplicate that setup with Linux instead.  If they had a spare 
machine lying around with dual NIC cards, they could be running Kerio or 
some other software on a dedicated firewall currently.  If they are not, 
possibly it is because they can not.  Since running the firewall software on 
that primary machine is inferior to running a standalone router appliance, I 
suggested the router.  

I did not ever mean to say that a dedicated firewall box, correctly configured 
was inferior to a router, simply that the router was the quickest, cheapest 
way to provide security until one learned how to properly configure a 
standalone firewall.  I still stand by my statement.

> WHAT benefits?  I despise the Cisco interface compared to running a bona
> fide bash shell.  And like I said, there is better security in an MDK
> firewall box than a hardware appliance as long as the MDK box is
> correct.  I know about Cisco vulns; they've been a major concern in the
> past.  They've been a major problem with DoS's, also, besides the fact
> that their updates will never be on a par with the frequency of MDK
> updates.

The benefit of an additional layer of security.  One more layer that must be 
penetrated.  Interlocking lines of defense.  That benefit.  You may not see 
the value of multiple layers of defense but I do.
>
> >   Granted, you will receive less information as some
> > portscans and obvious probes against your machine are blocked so that you
> > never see them unless you check your router log.  I don't have a problem
> > with that since they are, in fact, blocked.
>
> Well, I don't know what router appliance you've got but obviously it's
> different than the model I have.  There were ports on my router that
> were open by default.  It was also open to ICMP.

Mine was not and most models sold currently are closed to incoming packets 
unless they are initiated internally.  With broadband, a lot of modems 
themselves can function as a router, which means that you could have two 
additional layers of defense.  Even better in my view.

> Glad you are getting absolute minimal information.  However since I
> myself am running an MDK firewall I have the option of running Snort on
> *all* incoming packets (since my appliance is in bridge mode and not
> router mode) and therefore with the latest Snort intrusion analysis I
> can record all incoming packets, their IP, the time and date they came
> in, plus get a good analysis of what the packet was doing at my IP
> address.  I can also log all this to an MySQL database for future
> reference and examination.  The following is a very small fraction of
> all the intrusions I have detected over the last two weeks.

You assume too much.  I am also running iptables as a firewall, as well as 
Snort, portsentry, hostsentry, and I periodically use Nessus to scan my 
system.  You only saw info from the first layer of my network, not its 
entirety.  The benefit to my setup is that I don't have to worry or monitor 
the attacks that don't get past the router.  Thus, the traffic that I posted, 
I don't see.  Thus, someone who breached the router and then initiated a port 
scan would be flagged by port sentry, Snort, etc.

I still regard multiple lines of defense to be better and nothing I have seen 
has convinced me that it is not.  We are not talking about either or, we are 
talking about what choice to make as the first choice.  I think that the 
router device is the cheapest for a newbie that has not set up firewalls under 
Linux before.  Again, you are welcome to differ on that opinion.

-- 
Bryan Phinney
Software Test Engineer


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
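Both posters talk about what a standalone firewall box lets you see: the blocked probes that a router appliance in front would silently absorb, and the portscans that portsentry or Snort flag on the inner layer.  The script below is an added example, not code from either poster; it parses kernel log lines in the format the iptables LOG target writes (the `FW-DROP:` prefix is a hypothetical `--log-prefix`, and the log lines are constructed for the example), summarises dropped packets per source address, and applies a crude "many distinct ports from one source" heuristic of the kind portsentry uses.  Run against a real `/var/log/messages` it would only report what reached the box, which is exactly the trade-off the thread is arguing about.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log.  "FW-DROP:" is a hypothetical --log-prefix; the addresses are
# documentation ranges.  One unrelated sshd line is included to show it is skipped.
SAMPLE_LOG = """\
Dec 14 23:49:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 14 23:49:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 14 23:49:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 14 23:49:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54324 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 14 23:49:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=54325 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 14 23:50:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Dec 14 23:51:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=2 DF PROTO=TCP SPT=3344 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 14 23:52:00 fw sshd[1234]: Accepted publickey for bryan from 192.168.1.5 port 50000 ssh2
Dec 14 23:53:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=29 TOS=0x00 PREC=0x00 TTL=55 ID=3 PROTO=UDP SPT=1026 DPT=137 LEN=9
"""

# iptables LOG output is a run of KEY=VALUE tokens; empty values (OUT=) are legal.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, prefix="FW-DROP:"):
    """Return the KEY=VALUE fields of one iptables LOG line, or None for other lines."""
    if " kernel: " not in line or prefix not in line:
        return None
    fields = dict(KV_RE.findall(line))
    # syslog timestamp is the first three whitespace-separated tokens
    fields["timestamp"] = " ".join(line.split()[:3])
    return fields


@dataclass
class SourceSummary:
    packets: int = 0
    ports: set = field(default_factory=set)      # distinct TCP/UDP destination ports
    protocols: set = field(default_factory=set)  # TCP / UDP / ICMP ...
    first_seen: str = ""
    last_seen: str = ""


def summarize(log_text, prefix="FW-DROP:"):
    """Aggregate dropped packets per source address."""
    summaries = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        f = parse_line(line, prefix)
        if f is None or "SRC" not in f:
            continue
        s = summaries[f["SRC"]]
        s.packets += 1
        s.protocols.add(f.get("PROTO", "?"))
        if "DPT" in f:                      # ICMP lines carry TYPE/CODE, no DPT
            s.ports.add(int(f["DPT"]))
        s.first_seen = s.first_seen or f["timestamp"]
        s.last_seen = f["timestamp"]
    return dict(summaries)


def probable_scanners(summaries, min_ports=5):
    """Sources that hit at least min_ports distinct ports: a crude portscan heuristic."""
    return sorted(src for src, s in summaries.items() if len(s.ports) >= min_ports)


if __name__ == "__main__":
    summaries = summarize(SAMPLE_LOG)
    for src, s in sorted(summaries.items()):
        print(f"{src:16} packets={s.packets:3} protos={sorted(s.protocols)} "
              f"ports={sorted(s.ports)} {s.first_seen} .. {s.last_seen}")
    print("probable scanners:", probable_scanners(summaries))
```

The threshold in `probable_scanners` is deliberately a plain count of distinct ports; a real deployment would also want a time window, and should remember that the inner box only logs what the outer router let through, so an empty report from the inner layer says nothing about what the router dropped.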
