Re: Firewall question
ZyWALLs here as well. I have a ZyWALL 2 on my home network and keep a VPN nailed up into our office LAN where we have a ZyWALL 10II for about a dozen users. Then we have a ZyWALL 35 in front of our web and email servers in colocation.

- Original Message -
From: "Duane Boudreau" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Wednesday, February 09, 2005 5:16 PM
Subject: RE: Firewall question

> Depends on your budget
>
> I've used both SonicWall and ZyWall. I have a zywall running on my home
> network
>
> http://www.zywall.com/products/model.php?indexcate=1037588623&indexcate1=&indexFlagvalue=1021873683
>
> I think this box runs between $250 & $300 USD
>
> HTH,
> Duane

~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:194008 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Firewall question
Depends on your budget

I've used both SonicWall and ZyWall. I have a zywall running on my home network

http://www.zywall.com/products/model.php?indexcate=1037588623&indexcate1=&indexFlagvalue=1021873683

I think this box runs between $250 & $300 USD

HTH,
Duane

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 12:03 PM
To: CF-Talk
Subject: RE: Firewall question

What firewalls do folks recommend?
RE: Firewall question
No, not theory. Real-life small business with 5 users accessing the Internet and receiving email via Exchange Server running on the same box. Web site is hosted elsewhere.

-Original Message-
From: Jim McAtee [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 6:01 PM
To: CF-Talk
Subject: Re: Firewall question

> You still haven't mentioned the nature of the network - perhaps it's just
> a theoretical question, but if the NT server is a web or email server and
> the network also has users and/or private servers, then you'll want to
> isolate the NT server in a DMZ.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:194001 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Firewall question
No, I wouldn't route through the Windows server. The only times I'd consider using Windows as a router would be on a network where for some reason it's your only routing option, or if you wanted to run Microsoft's ISA Server as your firewall. I've never used it, but ISA can do some things that most firewalls cannot by integrating security with your NT domain. But this would be in the context of an office network with users behind the firewall, not a web hosting network.

http://www.microsoft.com/ISAServer/

You still haven't mentioned the nature of the network - perhaps it's just a theoretical question, but if the NT server is a web or email server and the network also has users and/or private servers, then you'll want to isolate the NT server in a DMZ.

                                 --> DMZ: Web & email servers
                                /
Internet --> router/firewall --
                                \
                                 --> PRIVATE: LAN users and servers

- Original Message -
From: "Andy Ousterhout" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Wednesday, February 09, 2005 4:19 PM
Subject: RE: Firewall question

> Jim,
> What I am trying to figure out is what exactly is the safest configuration.
> What seems to be the last remaining question is whether I want to route
> all internet traffic through my single server or whether I should not.
>
> Config 1 Firewall --->NT Server --> Hub
> Config 2 Firewall --->Hub -->NT Server
>
> What do folks out there think?
RE: Firewall question
> What I am trying to figure out is what exactly is
> the safest configuration.
> What seems to be the last remaining question is
> whether I want to route all internet traffic
> through my single server or whether I should not.

If you have a hardware firewall, routing all traffic through a dedicated software firewall isn't going to help you much and may introduce problems because you will need to remember to make configuration changes twice. It also adds another component that can be a single point of failure.

If you have a hardware firewall in the budget, here's what I'd likely do...

INET --> Router --> Firewall --> Switch/HUB --> Servers

The "Firewall" here can be either a dedicated hardware firewall (Sonicwall, PIX, etc.), or a dedicated server with a software firewall on it. I've used OpenBSD with a software firewall (pf or ipf, I forget which) and interface bridging before, and it works well if you have a relatively small group of servers to protect and have the time to dedicate to learning the software. If you have the money I'd go with a hardware appliance though, for a variety of reasons.

---
Justin D. Scott
Vice President
Sceiron Interactive, Inc.
www.sceiron.com
[EMAIL PROTECTED]
941.378.5341 - office
941.320.2402 - mobile
877.678.6011 - facsimile
RE: Firewall question
Jim,
What I am trying to figure out is what exactly is the safest configuration. What seems to be the last remaining question is whether I want to route all internet traffic through my single server or whether I should not.

Config 1 Firewall --->NT Server --> Hub
Config 2 Firewall --->Hub -->NT Server

What do folks out there think?

-Original Message-
From: Jim McAtee

> You probably should explain the nature of your connection and network a
> little better. Is it purely a web hosting network? Or a company LAN -
> with or without Internet-facing servers such as web and email servers?
Re: Firewall question
- Original Message -
From: "Andy Ousterhout" <[EMAIL PROTECTED]>
To: "CF-Talk"
Sent: Wednesday, February 09, 2005 12:52 PM
Subject: RE: Firewall question

> I think the most secure arrangement is to:
>
> 1. Replace router with hardware Firewall Solution (adding VPN at same
> time ::-))

You might not necessarily be able to replace your router. Depends a bit on the actual connection. For instance, if you currently had a T1 and a Cisco router with a T1 CSU/DSU module then you'll still need the router to make the T1 connection. Similarly, with DSL, you need a router capable of making the DSL connection. That said, there _are_ combo boxes that can terminate the connection, and act as router, firewall and VPN endpoint.

> 2. Go from Firewall solution to NTServer running Firewall software

If your server is truly "behind" the firewall on an internal network, you can dispense with running firewall software on the server itself. There probably aren't many shops running firewall software on things like file and print servers on their LAN.

Only if the server is Internet-facing might you need to worry about this. But while defense in depth is a good philosophy, it can sometimes be a PITA to manage. For instance, if you add a new service on some odd IP port then you need to open a hole through both your outer firewall and any software firewall on the server itself. Personally, if I thought I had a reliable hardware firewall between my Internet-facing servers _and_ I trusted my ability to administer the firewall then I wouldn't run a software firewall on any of those servers.

> 3. Go from NTServer to rest of internal network.

I'm not sure why you'd need to do this unless you need to use the server as a router.

You probably should explain the nature of your connection and network a little better. Is it purely a web hosting network? Or a company LAN - with or without Internet-facing servers such as web and email servers?
Re: Firewall question
Dave Watts wrote:
>
> It's basically "URLScan Lite", I guess:
> http://www.windowsitpro.com/Windows/Article/ArticleID/39979/39979.html

I like those features much better. They are generally finer grained and more integrated.

> But actually, I'm curious why you think URLScan is evil. We're using it in
> some situations without any serious problems.

Because I strongly believe that filtering URLs (request headers) the way URLScan does is the wrong approach. Don't filter for what is not allowed; that is a rat race you are not going to win. Allow what you want to allow. In IIS 6 that is integrated with the everything-off defaults for MIME types, extensions etc. I specifically have to allow things before they will work.

Jochem
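Jochem's point above (allow what you want, rather than filtering for what is not allowed), as an added example that is not from the thread or from either product: the same constructed requests run through a URLScan-style denylist filter and an IIS 6-style allowlist filter. The verb and extension sets are invented for the example and are not URLScan's or IIS 6's shipped defaults.

```python
"""Denylist versus allowlist request filtering over constructed requests.
Both policy sets are invented for the example; they are not URLScan's or
IIS 6's real configuration."""
from urllib.parse import unquote, urlsplit
import posixpath

# Denylist: extensions known to be bad today. Must be kept current forever.
DENY_EXTENSIONS = {".exe", ".dll", ".bat", ".ida", ".printer"}
# Allowlist: only what was switched on explicitly. "" is an extensionless
# (directory) request.
ALLOW_VERBS = {"GET", "HEAD", "POST"}
ALLOW_EXTENSIONS = {".cfm", ".html", ".css", ".js", ".gif", ".png", ""}


def canonical_extension(raw_path):
    """Decode and normalise the path before looking at its suffix, so both
    policies judge the same string rather than the client's spelling of it."""
    path = posixpath.normpath(unquote(urlsplit(raw_path).path))
    return posixpath.splitext(path)[1].lower()


def denylist_filter(verb, raw_path):
    """Reject what is known to be bad; everything else, including the unknown,
    passes. The verb is not examined at all."""
    return "reject" if canonical_extension(raw_path) in DENY_EXTENSIONS else "pass"


def allowlist_filter(verb, raw_path):
    """Pass only what was explicitly enabled; everything else, including the
    unknown, is rejected."""
    if verb not in ALLOW_VERBS:
        return "reject"
    return "pass" if canonical_extension(raw_path) in ALLOW_EXTENSIONS else "reject"


SAMPLE_REQUESTS = [  # constructed for the example
    ("GET", "/index.cfm?id=5"),
    ("POST", "/scripts/tool.dll"),
    ("GET", "/reports/q1.NEWHANDLER"),  # an extension neither list has heard of yet
    ("TRACE", "/index.cfm"),             # a verb the denylist never looks at
    ("GET", "/"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Map each (verb, path) to its (denylist verdict, allowlist verdict)."""
    return {(v, p): (denylist_filter(v, p), allowlist_filter(v, p)) for v, p in requests}
```

The two verdicts differ exactly on the requests nobody anticipated: the unknown extension and the unlisted verb pass the denylist and are rejected by the allowlist.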
RE: Firewall question
> Second that. Even the content filtering of URLScan is evil. The
> only thing I use on the webservers themselves is IPSec policies.

Though I think IPSec policies are fine, I find that URLScan is an invaluable utility on Windows Server 2000 boxes. At this point, I wouldn't run a Windows Server 2000 web server without it installed.

That said, URLScan can be a pain to troubleshoot. I've gotten into the habit of checking the URLScan log files whenever I encounter bizarre behavior or nondescript errors.

Ben Rogers
http://www.c4.net
v.508.240.0051
f.508.240.0057
RE: Firewall question
> Which feature are you referring to exactly?

It's basically "URLScan Lite", I guess:
http://www.windowsitpro.com/Windows/Article/ArticleID/39979/39979.html

But actually, I'm curious why you think URLScan is evil. We're using it in some situations without any serious problems.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: Firewall question
> Correct, the router, if configured correctly, will make your
> internal network appear nonexistent to the outsider. It
> generally does not reply to requests made to the most-hackable
> ports and protocols. It does act as sort of a firewall.

I'll admit to being a bit nit-picky here, but while it may be true that most available routers provide network address translation and firewall functionality, that's not what a router does, strictly speaking. A router just routes traffic from one network to another.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Re: Firewall question
Dave Watts wrote:
>> Second that. Even the content filtering of URLScan is evil.
>> The only thing I use on the webservers themselves is IPSec
>> policies.
>
> Jochem, what do you think of the built-in content filtering that IIS 6
> provides?

Which feature are you referring to exactly?

Jochem
RE: Firewall question
> Second that. Even the content filtering of URLScan is evil.
> The only thing I use on the webservers themselves is IPSec
> policies.

Jochem, what do you think of the built-in content filtering that IIS 6 provides?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Re: Firewall question
Jacob wrote:
> From my experience, running a software firewall on a web server, i.e. IIS
> running CF, has been nothing but a PITA for me.

Second that. Even the content filtering of URLScan is evil. The only thing I use on the webservers themselves is IPSec policies.

Jochem
Re: Firewall question
Andy Ousterhout wrote:
> But I am getting the impression that router does not equal firewall.
> Routers do some things that a true firewall does, but not all. Is this
> correct?

Correct.

The basic purpose of a router is to route traffic between different IP subnets. For that, it looks at just one thing: the destination IP address. Based on that IP address the packet is forwarded on the right interface. This is strictly an OSI layer 3 issue, and usually big routers communicate with each other using a whole slew of protocols to know which IP address needs to go to which interface.

The purpose of a firewall is to examine all traffic that tries to pass and block traffic that does not meet certain criteria. For this, firewalls look at many more parameters than just the IP addresses. For instance:
- source / destination IP (3)
- SYN flags (3)
- transport protocol (4)
- source / destination port number (5)
- protocol (6)
- content (7)

Numbers refer to the layer in the OSI model:
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci523729,00.html

Nowadays, many routers have some or more of the features of firewalls, going up in the OSI layers, and sometimes firewalls have some of the features of routers. Most routers can also filter traffic based on the transport protocol or the port numbers. Most can also filter traffic based on the SYN flags (but to do this statefully can cost quite a bit of performance). So routers are getting more firewall capabilities, and if you look at high end routers (i.e. Cisco 6500) you can even get dedicated firewall modules for them. The high end firewalls can often do some tricks to direct traffic as well. For instance, they function as load balancers and route traffic to different servers.

The typical home appliance (Linksys etc.) can do static routing (a group of fixed IP addresses on one side, everything else on the other side), NAT, stateful filtering (it can distinguish between links originating from the inside and from the outside) and sometimes a little bit of static filtering (blocking specific ranges of ports / IP addresses). The ones that are a bit higher end can also do address filtering so you can filter out msn.com for your children if you like (although I doubt it stops serious attempts). IMHO, for the home user that is enough. The security conscious home user would probably configure an extra layer behind such a device, but that layer can be very simple, i.e. some IPSec rules.

For professional use, the question is really what you need and what you want to spend. If you get a Cisco 6500 you can add firewall modules that can supposedly handle 5 Gbps each. It will nicely filter on OSI layers 3-5 for you. If you don't need that much throughput, a simple system running Linux/BSD can do pretty much the same. (The aforementioned Linksys probably runs Linux of some sort.) If you want to filter on protocol and content add a reverse proxy. If you choose the Linux/BSD option you can run that on the same machine. It is really up to your needs.

Jochem
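The router/firewall split Jochem describes above, laid over Jim's DMZ sketch (Internet, a DMZ with the web and mail servers, and a private LAN behind one router/firewall), as an added Python model that is not from the thread: the router picks an interface from the destination address alone, while the firewall matches zone, protocol, port and SYN flag against a default-deny rule set and keeps a connection table so replies to inside-initiated sessions come back without their own inbound rule. All addresses, zones, rules and packets are constructed for the example.

```python
"""Constructed model of the router-vs-firewall split over Jim's DMZ layout.
Addresses are RFC 5737 documentation ranges; zones, rules and traffic are
invented for the example, not any real device's configuration."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN set: a new connection attempt

class Router:
    """Layer 3 only: longest-prefix match on the destination address picks
    the outgoing interface; nothing else in the packet is examined."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(net), iface) for net, iface in routes]

    def next_hop(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        matches = [(net.prefixlen, iface) for net, iface in self.routes if dst in net]
        return max(matches)[1] if matches else None

@dataclass
class Rule:
    src_zone: str          # "internet", "dmz", "lan" or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "drop"

class StatefulFirewall:
    """Layers 3-5: zone (from IP), transport protocol, port and SYN flag are
    matched against an ordered default-deny rule set; a connection table lets
    replies to already-permitted flows back through without their own rule."""

    def __init__(self, zones, rules):
        self.zones = {name: ipaddress.ip_network(net) for name, net in zones.items()}
        self.rules = rules
        self.conns = set()  # (src, sport, dst, dport, proto) of permitted flows

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return "internet"   # anything outside a configured zone is the outside

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.conns or rev in self.conns:
            return "allow"  # belongs to a flow that was already permitted
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"   # mid-stream TCP with no state: stray or forged
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        for r in self.rules:  # first match wins
            if (r.src_zone in (src_zone, "any") and r.dst_zone in (dst_zone, "any")
                    and r.proto in (pkt.proto, "any") and r.dport in (pkt.dport, None)):
                if r.action == "allow":
                    self.conns.add(fwd)
                return r.action
        return "drop"       # default deny: nothing matched

def run_scenario():
    """Push constructed traffic through both devices and return every verdict."""
    router = Router([("203.0.113.0/24", "dmz"), ("10.0.0.0/24", "lan"), ("0.0.0.0/0", "wan")])
    fw = StatefulFirewall(
        zones={"dmz": "203.0.113.0/24", "lan": "10.0.0.0/24"},
        rules=[
            Rule("internet", "dmz", "tcp", 80, "allow"),  # public web server
            Rule("internet", "dmz", "tcp", 25, "allow"),  # inbound mail
            Rule("dmz", "lan", "any", None, "drop"),      # a compromised DMZ host gets no LAN access
            Rule("lan", "any", "any", None, "allow"),     # users out; replies come back via state
        ])
    web_syn = Packet("198.51.100.7", "203.0.113.10", "tcp", 51000, 80, syn=True)
    rdp_syn = Packet("198.51.100.7", "203.0.113.10", "tcp", 51001, 3389, syn=True)
    smb_syn = Packet("198.51.100.7", "10.0.0.5", "tcp", 51002, 445, syn=True)
    stray_ack = Packet("198.51.100.7", "10.0.0.5", "tcp", 51003, 80)  # ACK-only, no SYN
    out_syn = Packet("10.0.0.5", "198.51.100.9", "tcp", 40000, 443, syn=True)
    reply = Packet("198.51.100.9", "10.0.0.5", "tcp", 443, 40000)     # the server's answer
    dmz_to_lan = Packet("203.0.113.10", "10.0.0.5", "tcp", 45000, 445, syn=True)
    return {
        # the router forwards all of these; it passes no judgement on them
        "router_web": router.next_hop(web_syn),
        "router_smb": router.next_hop(smb_syn),
        "web": fw.filter(web_syn),            # rule 1
        "rdp": fw.filter(rdp_syn),            # no rule: default deny
        "smb": fw.filter(smb_syn),            # internet -> lan: default deny
        "stray_ack": fw.filter(stray_ack),    # no SYN and no state
        "lan_out": fw.filter(out_syn),        # rule 4; flow recorded
        "reply": fw.filter(reply),            # reverse of the recorded flow
        "dmz_to_lan": fw.filter(dmz_to_lan),  # rule 3
    }
```

The router hands the SMB probe to the LAN interface just as readily as the web request to the DMZ; only the firewall tells them apart, and only because it keeps state does the reply to the LAN user's outbound connection get back in while the stray ACK does not.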
RE: Firewall question
From my experience, running a software firewall on a web server, i.e. IIS running CF, has been nothing but a PITA for me. I know others have software firewalls running just fine. Hardening the webserver, using IPsec, turning off unneeded services, and strong passwords has worked well.

BTW... Windows 2003 SP1 RC2 is out. Guess what is featured? Windows Firewall, just like XP. I can see it coming now...

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 11:53 AM
To: CF-Talk
Subject: RE: Firewall question

> I think the most secure arrangement is to:
> 1. Replace router with hardware Firewall Solution (adding VPN at same time ::-))
> 2. Go from Firewall solution to NTServer running Firewall software
> 3. Go from NTServer to rest of internal network.
RE: Firewall question
I think the most secure arrangement is to:

1. Replace router with hardware Firewall Solution (adding VPN at same time ::-))
2. Go from Firewall solution to NTServer running Firewall software
3. Go from NTServer to rest of internal network.

Easy enough. Already shopping for firewall/VPN hardware.

Thanks everyone for the education.

Andy

-Original Message-
From: Dawson, Michael
RE: Firewall question
Correct, the router, if configured correctly, will make your internal network appear nonexistent to the outsider. It generally does not reply to requests made to the most-hackable ports and protocols. It does act as sort of a firewall. However, the firewall is an additional defense for traffic that is allowed through the router.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:11 AM
To: CF-Talk
Subject: RE: Firewall question

But I am getting the impression that router does not equal firewall. Routers do some things that a true firewall does, but not all. Is this correct?
RE: Firewall question
We are using both PIX and a Netscreen. I like the Netscreen better. Not sure about your network setup, but a Netscreen 50 would be a start.

http://www.juniper.net/products/glance

Jacob

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 9:03 AM
To: CF-Talk
Subject: RE: Firewall question

What firewalls do folks recommend?

-Original Message-
From: Jacob [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:00 AM
To: CF-Talk
Subject: RE: Firewall question

Have a firewall between your router and server.

Router -- Firewall -- Windows 2003 Server

Use access list on your router, along with a good rule set on firewall, and a hardened web server.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 8:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
Sonicwall (www.sonicwall.com) makes good ones. Look at the TZ-170's. They can manage all sorts of security. Sonicwall has a lot of services that can be purchased extra. But, the basic units are good.

Robert Nurse
STG Contractor - Applications Development
Enterprise Management Center
Computational & Information Sciences Directorate

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 12:03 PM
To: CF-Talk
Subject: RE: Firewall question

What firewalls do folks recommend?

-Original Message-
From: Jacob [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:00 AM
To: CF-Talk
Subject: RE: Firewall question

Have a firewall between your router and server.

Router -- Firewall -- Windows 2003 Server

Use access list on your router, along with a good rule set on firewall, and a hardened web server.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 8:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
This is really splitting hairs here, but I thought I would point this out anyway. A hardware firewall is a computer type thing, running software, regardless of whether it is a Cisco PIX or a Linksys wireless router. But given the choice I would go with hardware.

It may also be good to point out that both have pros and cons. If the hardware firewall is running then it is working for the most part. It is possible that a software firewall could crash and your server still keep running unprotected. Software firewalls can be updated to block newer attacks and packet filter rules in a similar way as an antivirus program is updated.

I personally run both a hardware firewall (Cisco PIX) provided by the co-loc provider we use and a software firewall. I have been using BlackICE for the software firewall but now we are switching over to Tiny Firewall 6 server. Or so that is the current plan.

Mark W. Breneman
-Cold Fusion Developer
-Network Administrator
Vivid Media
[EMAIL PROTECTED]
www.vividmedia.com
608.270.9770

-Original Message-
From: Dawson, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:03 AM
To: CF-Talk
Subject: RE: Firewall question

IMO, hardware is always more secure than software.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 10:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
> IMO, hardware is always more secure than software.

It's worth pointing out that any firewall solution will involve hardware and software - even if you purchase a "hardware" solution, it will be running something to make it work. There have been plenty of problems with, say, Cisco's embedded OS for their routers.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: Firewall question
They can be equally secure, but it has been my experience that, over time, server based firewalls can get partially disabled. Configuration often changes when troubleshooting issues and doesn't get changed back. Obviously, that can be avoided, but it's something to watch out for.

As Jochem noted, the most secure option is using both.

Ben Rogers
http://www.c4.net
v.508.240.0051
f.508.240.0057

> -Original Message-
> From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 09, 2005 11:42 AM
> To: CF-Talk
> Subject: OT: Firewall question
>
> Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?
>
> Andy
RE: Firewall question
> But I am getting the impression that router does not equal firewall.
> Routers do some things that a true firewall does, but not all.
> Is this correct?

No, a router is not a firewall, technically speaking. Routers are used to, well, route traffic from one network to another. Firewalls are used to examine and block that traffic if it isn't allowed.

However, you may purchase hardware or software solutions that provide routing and firewall functionality within a single machine. For example, if you purchase a router at Best Buy for use at home, it will typically include some firewall and NAT functionality. Likewise, if you get a Cisco router for your work network, it may provide firewall functionality as well. There is, of course, quite a bit of variation between firewalls and their capabilities.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: Firewall question
Cisco PIX or Watchguard.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: 09 February 2005 17:03
To: CF-Talk
Subject: RE: Firewall question

What firewalls do folks recommend?

-Original Message-
From: Jacob [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:00 AM
To: CF-Talk
Subject: RE: Firewall question

Have a firewall between your router and server.

Router -- Firewall -- Windows 2003 Server

Use access list on your router, along with a good rule set on firewall, and a hardened web server.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 8:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
But I am getting the impression that router does not equal firewall. Routers do some things that a true firewall does, but not all. Is this correct?

-Original Message-
From: Dawson, Michael

I use a Linksys (now Cisco) wireless router at home. When we got broadband (cable) several years ago, my PC was hacked in just a few days. That was all it took for me to convince my wife that we needed a router. After installing it, I have had no problems. Of course, I'm not running a business or anything.

M!ke

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 10:53 AM
To: CF-Talk
Subject: RE: Firewall question

Does a regular "router" like you get at Best Buy work the same or does an appliance have much stronger protection?
RE: Firewall question
I use a Linksys (now Cisco) wireless router at home. When we got broadband (cable) several years ago, my PC was hacked in just a few days. That was all it took for me to convince my wife that we needed a router. After installing it, I have had no problems. Of course, I'm not running a business or anything.

M!ke

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 10:53 AM
To: CF-Talk
Subject: RE: Firewall question

Does a regular "router" like you get at Best Buy work the same or does an appliance have much stronger protection?
RE: Firewall question
IMO, hardware is always more secure than software.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 10:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
What firewalls do folks recommend?

-Original Message-
From: Jacob [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:00 AM
To: CF-Talk
Subject: RE: Firewall question

Have a firewall between your router and server.

Router -- Firewall -- Windows 2003 Server

Use access list on your router, along with a good rule set on firewall, and a hardened web server.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 8:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
Some routers have firewall functionality built in. But if it doesn't say it's got it, you'll need an extra firewall box.

Robert Nurse
STG Contractor - Applications Development
Enterprise Management Center
Computational & Information Sciences Directorate

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:53 AM
To: CF-Talk
Subject: RE: Firewall question

Does a regular "router" like you get at Best Buy work the same or does an appliance have much stronger protection?

-Original Message-
From: Nurse, Robert

If the router isn't a PC/Workstation, I'd say running it on a router. I use a firewall appliance (Sonicwall). Traffic is handled before it reaches hosts behind it.

Robert Nurse
STG Contractor - Applications Development
Enterprise Management Center
Computational & Information Sciences Directorate

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
Have a firewall between your router and server.

Router -- Firewall -- Windows 2003 Server

Use access list on your router, along with a good rule set on firewall, and a hardened web server.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 8:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
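As an added example (not code from the thread or from any vendor product), the layered layout Jacob describes above (a coarse access list on the router, a stricter rule set on the firewall, only published services reaching the server) and the drift problem Ben Rogers raises (a troubleshooting rule that never gets removed) modelled as first-match packet filters. All addresses, ports and rules are constructed sample values.

```python
"""Layered filtering: router ACL -> firewall rule set -> server.

Constructed example.  A packet arriving from the Internet must pass the
router's access list and then the firewall's rule set before it reaches
the web server.  Both layers use first-match semantics with an implicit
deny at the end, which is how most packet filters behave.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; 0 for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network in CIDR notation
    dst: str = "0.0.0.0/0"       # destination network or single host
    proto: str = "any"           # "any" matches every protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; nothing matching means implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed addresses (documentation ranges, not real hosts).
WEB_SERVER = "203.0.113.10"

# Router ACL on the Internet-facing interface: coarse anti-spoofing only.
# Private source addresses have no business arriving from the outside;
# everything else is passed on for the firewall to decide.
ROUTER_ACL = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("deny", src="172.16.0.0/12"),
    Rule("deny", src="192.168.0.0/16"),
    Rule("allow"),
]

# Firewall baseline: only the services the web server publishes.
# Administrative ports (RDP 3389 and the like) are covered by the implicit
# deny, so they are never reachable from the Internet.
FIREWALL_BASELINE = [
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),
]


def filter_path(router_acl: List[Rule], firewall: List[Rule],
                p: Packet) -> Tuple[str, str]:
    """Run a packet through both layers; returns (verdict, where decided)."""
    if evaluate(router_acl, p) == "deny":
        return ("deny", "router")
    if evaluate(firewall, p) == "deny":
        return ("deny", "firewall")
    return ("allow", "server")


def rule_set_drift(baseline: List[Rule],
                   running: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Rules added to, and rules missing from, the running configuration.

    This is the check for the failure mode where a rule added while
    troubleshooting is never reverted: diff the running set against the
    reviewed baseline instead of trusting that it was put back.
    """
    added = [r for r in running if r not in baseline]
    removed = [r for r in baseline if r not in running]
    return added, removed


if __name__ == "__main__":
    web = Packet("198.51.100.7", WEB_SERVER, "tcp", 80)
    rdp = Packet("198.51.100.7", WEB_SERVER, "tcp", 3389)
    spoofed = Packet("10.1.2.3", WEB_SERVER, "tcp", 80)
    for pkt in (web, rdp, spoofed):
        print(pkt, "->", filter_path(ROUTER_ACL, FIREWALL_BASELINE, pkt))

    # A "temporary" allow-everything-to-the-server rule left behind.
    drifted = FIREWALL_BASELINE + [Rule("allow", dst=WEB_SERVER)]
    print("rdp with drifted rules:", filter_path(ROUTER_ACL, drifted, rdp))
    print("drift:", rule_set_drift(FIREWALL_BASELINE, drifted))
```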
RE: Firewall question
Does a regular "router" like you get at Best Buy work the same or does an appliance have much stronger protection?

-Original Message-
From: Nurse, Robert

If the router isn't a PC/Workstation, I'd say running it on a router. I use a firewall appliance (Sonicwall). Traffic is handled before it reaches hosts behind it.

Robert Nurse
STG Contractor - Applications Development
Enterprise Management Center
Computational & Information Sciences Directorate

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
Well, ideally you would be running a hardware firewall.

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: 09 February 2005 16:42
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall question
If the router isn't a PC/Workstation, I'd say running it on a router. I use a firewall appliance (Sonicwall). Traffic is handled before it reaches hosts behind it.

Robert Nurse
STG Contractor - Applications Development
Enterprise Management Center
Computational & Information Sciences Directorate

-Original Message-
From: Andy Ousterhout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 09, 2005 11:42 AM
To: CF-Talk
Subject: OT: Firewall question

Which is more secure: Running your firewall on the NT 2003 Server or running it on a router?

Andy
RE: Firewall Question
> I've seen this situation before, all too many times: system
> administrators who do all they can to limit what people can do
> on the system. Instead of viewing their jobs as serving the
> primary purpose of enabling users to do useful things with
> the system, they are far more concerned that their own
> workloads don't grow. The larger the organization, the more
> resistant the system administrator is. To 'convince him
> otherwise' it is almost always necessary to go to his
> supervisor or the head honcho, explain what you want to do,
> and ask him/her to remove the obstacle to progress with a
> direct order to the system administrator to make it so. You
> don't win a lot of friends that way, but at least you can
> get things accomplished.

Why do you think it's this way? Here are some possibilities:

1. System administrators tend to be jerks. There's just something about the job that attracts jerks.
2. System administrators tend to already have full workloads, and thus are concerned about increasing those workloads.
3. System administrators often are assigned goals which are contradictory: security and convenience, for example.

There's a very good reason why, "the larger the organization, the more resistant the system administrator is". Rather than simply viewing the sysadmin as an obstacle, or as a servant, you might consider that the administrator is responsible for what users do, and has a very good reason for limiting that in many cases. You might think your reasons for overriding the sysadmin are better; in some cases, they certainly are. My point, though, is that until an organization takes system administration, security and maintenance seriously, the poor sap who gets stuck dealing with those issues will, for his own sake, generally be pretty wary about anything he can't control.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Firewall Question
I've seen this situation before, all too many times: system administrators who do all they can to limit what people can do on the system. Instead of viewing their jobs as serving the primary purpose of enabling users to do useful things with the system, they are far more concerned that their own workloads don't grow. The larger the organization, the more resistant the system administrator is. To 'convince him otherwise' it is almost always necessary to go to his supervisor or the head honcho, explain what you want to do, and ask him/her to remove the obstacle to progress with a direct order to the system administrator to make it so. You don't win a lot of friends that way, but at least you can get things accomplished.

Regards,
Karl Simanonok

> With all due respect, I suspect you're not a network admin!
>
> Any time you open a port, it's a risk - it's another thing that has to be
> watched. There are typically limited resources for what a network
> administrator can deal with, and no matter what products you buy to help
> monitor security issues, they still require human guidance and
> intervention.
> I've seen enough misconfigured firewalls to know that you can't simply buy
> hardware and software to solve security issues.
>
> The question here is, do the risks outweigh the rewards? From the network
> admin's point of view, probably not - until someone convinces him
> otherwise.
RE: Firewall Question
We use Checkpoint, very happy with it. They have a great VPN add-on as well.

> -Original Message-
> From: Philip Arnold - ASP [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, November 30, 2000 8:16 AM
> To: CF-Talk
> Subject: RE: Firewall Question
>
> > companies like checkpoint (they might have been acquired - not sure)
> > make/made great products for securing internet/network traffic.
>
> Just an FYI, Check Point are still running happily;
> Check Point Software Technologies
> Suite 5B
> Enterprise House, Vision Park
> Histon,
> Cambridge
> Cambridgeshire
> CB4 5BW
> United Kingdom
>
> T: 01223236861
> T: 01223236847
> W: www.checkpoint.com
>
> I'm not pushing their products, they just happen to exhibit at an
> exhibition we run the website for...
>
> Philip Arnold
> Director
> Certified ColdFusion Developer
> ASP Multimedia Limited
> T: +44 (0)20 8680 1133
>
> "Websites for the real world"
>
> **
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager.
> **
RE: Firewall Question
Thanks Dave... I couldn't have said it any better...

Marcus
A net admin

> With all due respect, I suspect you're not a network admin!
>
> Any time you open a port, it's a risk - it's another thing that has to be
> watched. There are typically limited resources for what a network
> administrator can deal with, and no matter what products you buy to help
> monitor security issues, they still require human guidance and
> intervention.
> I've seen enough misconfigured firewalls to know that you can't simply buy
> hardware and software to solve security issues.
>
> The question here is, do the risks outweigh the rewards? From the network
> admin's point of view, probably not - until someone convinces him
> otherwise.
RE: Firewall Question
> companies like checkpoint (they might have been acquired - not sure)
> make/made great products for securing internet/network traffic.

Just an FYI, Check Point are still running happily;
Check Point Software Technologies
Suite 5B
Enterprise House, Vision Park
Histon,
Cambridge
Cambridgeshire
CB4 5BW
United Kingdom

T: 01223236861
T: 01223236847
W: www.checkpoint.com

I'm not pushing their products, they just happen to exhibit at an exhibition we run the website for...

Philip Arnold
Director
Certified ColdFusion Developer
ASP Multimedia Limited
T: +44 (0)20 8680 1133

"Websites for the real world"

**
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
**
RE: Firewall Question
> personally, i don't agree with network admins claiming
> opening security ports is a risk. ports 80 and 25 are
> almost always open and they offer plenty of risk. the
> question really is, is the admin knowledgeable enough to
> control traffic security. companies like checkpoint (they
> might have been acquired - not sure) make/made great
> products for securing internet/network traffic.

With all due respect, I suspect you're not a network admin!

Any time you open a port, it's a risk - it's another thing that has to be watched. There are typically limited resources for what a network administrator can deal with, and no matter what products you buy to help monitor security issues, they still require human guidance and intervention. I've seen enough misconfigured firewalls to know that you can't simply buy hardware and software to solve security issues.

The question here is, do the risks outweigh the rewards? From the network admin's point of view, probably not - until someone convinces him otherwise.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Firewall Question
Personally, I don't agree with network admins claiming opening security ports is a risk. Ports 80 and 25 are almost always open and they offer plenty of risk. The question really is, is the admin knowledgeable enough to control traffic security. Companies like Checkpoint (they might have been acquired - not sure) make/made great products for securing internet/network traffic.

Whatever server or software you're using may also allow you to control the port the traffic is sent through. That's how some of the popular IM-type clients get around companies blocking them through the firewall - they send/receive on port 80 :).

-Original Message-
From: Jim Watkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 29, 2000 7:23 PM
To: CF-Talk
Subject: OT: Firewall Question

My network administrator insists that opening ports 2047 and 2048 through the Firewall is a security hazard. Can anyone advise me on this please? I need to send and receive video transmission.

Jim Watkins
http://www.ngtcollege.org