Posted: 10/5/2004 7:53:28 AM EDT
So you have a broadband connection. Do you:

1. Pay extra for routable addresses for all of your hosts
2. Use an appliance or internet connection sharing to NAT your "home network" to the internet

If you're using NAT, do you leave hosts wide open or run firewall software?
Link Posted: 10/5/2004 8:18:29 AM EDT
[Last Edit: 10/5/2004 8:18:56 AM EDT by Dave_A]
Personal firewalls are snake-oil... Since they run on a vulnerable operating system & IP stack, they can be penetrated much easier than even the cheapest hardware firewall...

A hardware firewall (NAT router) is all you need...

Only pay for a routable IP if you are going to set up a webserver and don't want to deal with www.dhs.org or www.dyndns.org.

NEVER give clients a routable IP. Routable IPs are for servers!

If you set up a webserver, DO NOT USE WINDOWS, YOU WILL GET HACKED (firewall or no firewall). UNIX & Apache, or pay someone to host your site...
Link Posted: 10/5/2004 10:08:20 AM EDT

Originally Posted By Dave_A:

If you set up a webserver, DO NOT USE WINDOWS, YOU WILL GET HACKED (firewall or no firewall). UNIX & Apache, or pay someone to host your site...

Well spoken Dave_A.
Link Posted: 10/11/2004 7:30:03 AM EDT
As long as you're not using public IP addresses on internal hosts or forwarding ports, NAT can protect you (in most cases) from outside access, port scanning, etc. Although software firewalls have their flaws, some of them are beneficial when it comes to preventing spyware and malware from accessing your internal network and the Internet. Many tend to consider outside threats and overlook the need to protect themselves from within - spyware, malicious client side browser code, client software exploits, etc. Software firewalls also complicate home networking.

Regardless of OS (none of them are 100% secure), all hosting (www, ftp, smtp, etc.) should reside on host machines in a perimeter network (DMZ) to protect your internal network in the event that the hosts are compromised. This isn't always economical in a home environment. Nevertheless, security is a never ending battle. Security = time + knowledge + expense. No solution works for every environment.

Just food for thought.
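
The three points in the post above (unsolicited inbound traffic is dropped unless a port is forwarded, outbound traffic from an infected inside host still passes, and a DMZ keeps a compromised server away from the LAN) can be seen in a toy model. This is an added example, not part of the original thread; the `Gateway` class, addresses, ports and zone names are constructed for illustration, and the NAT is modelled as port-restricted, which real devices may not be.

```python
# Added illustration: toy model of a home NAT gateway with an optional DMZ.
# Every address, port and name here is constructed for the example.
from dataclasses import dataclass, field

LAN, DMZ = "lan", "dmz"

@dataclass
class Gateway:
    public_ip: str
    zones: dict                                    # private IP -> zone
    forwards: dict = field(default_factory=dict)   # public port -> (ip, port)
    sessions: dict = field(default_factory=dict)   # public port -> (ip, port, remote)
    next_port: int = 40000

    def outbound(self, src_ip, src_port, remote):
        """Inside host opens a connection; NAT allocates a public port for it."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (src_ip, src_port, remote)
        return port

    def inbound(self, remote, dst_port):
        """Packet hitting the public IP: returns the inside target, or None if dropped."""
        if dst_port in self.sessions:
            ip, port, peer = self.sessions[dst_port]
            return (ip, port) if peer == remote else None  # only the contacted peer
        return self.forwards.get(dst_port)                 # static port forward, if any

    def internal(self, src_ip, dst_ip):
        """Zone policy: LAN may reach the DMZ, the DMZ may not initiate to the LAN."""
        return not (self.zones[src_ip] == DMZ and self.zones[dst_ip] == LAN)

def demo():
    gw = Gateway("203.0.113.10", {"192.168.1.20": LAN, "192.168.2.5": DMZ})
    r = {}
    # No forwards configured: an unsolicited probe of port 80 goes nowhere.
    r["scan_no_forward"] = gw.inbound(("198.51.100.7", 5555), 80)
    # NAT does not stop inside-out traffic (e.g. spyware); the reply is let back in.
    p = gw.outbound("192.168.1.20", 51000, ("198.51.100.7", 443))
    r["reply"] = gw.inbound(("198.51.100.7", 443), p)
    r["stranger"] = gw.inbound(("198.51.100.99", 443), p)
    # Forwarding port 80 to a web server exposes that host to the same probe.
    gw.forwards[80] = ("192.168.2.5", 80)
    r["scan_with_forward"] = gw.inbound(("198.51.100.7", 5555), 80)
    # If the exposed server sits in a DMZ, it cannot pivot into the LAN.
    r["dmz_to_lan"] = gw.internal("192.168.2.5", "192.168.1.20")
    r["lan_to_dmz"] = gw.internal("192.168.1.20", "192.168.2.5")
    return r

if __name__ == "__main__":
    print(demo())
```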
Link Posted: 10/11/2004 8:14:21 PM EDT
People here like to be prepared, therefore I humbly recommend Smoothwall Express as not only a top-notch router/firewall solution, but also as a great way to get extra miles from an older PC.

There are a bunch of great Mods for it, and you don't have to be a Linux/Unix god to understand it. As a matter of fact, it is a GREAT way to learn the basics of Linux/Unix because it is such a simple distribution. Best of all, it's free.

My Network:

Cable Modem <--> Bifrost (Firewall/Router <w/3 Subnets>/DHCP/Proxy Server) <---> Asgard Domain

Read About My Smoothwall, read my Older Version 1.0GPL Tutorial (A New one is in the works), and see for yourself if this is something you might be able to make use of.
Link Posted: 10/11/2004 10:06:17 PM EDT
Like others have stated, always use a router and software firewall. If you want your own website, pay a hosting company to do it for you. For a small site, ~$50/year is hard to beat.
Link Posted: 10/20/2004 11:33:54 AM EDT
I have an OpenBSD system acting as a firewall with NAT + Packet filter + SMTP proxy + HTTP/HTTPS proxy + packet shaper between my internal network and the outside world. Among other things, it gives my system priority access to the internet over other systems in the house, restricts the kids to a known set of web sites, and runs a local mail server.

It's OpenBSD instead of Linux as OpenBSD has a far better security record.

See the OpenBSD site for more information.
Link Posted: 10/23/2004 2:41:24 PM EDT
I've been happy just running NAT. I've used these options at various times: a Linux Router Project box, a Linksys broadband router + wireless AP, a small Cisco router, and way back in the day a Netopia ISDN router. The only time I've ever been compromised was when I got one of the Outlook mail worms that came in on my wife's account. I run Snort to keep an eye on my LAN, and rarely see anything suspicious. Something like the Cisco Security Agent looks cool to keep crap out of individual PCs, but it could really incur a lot of work to keep it current.