New Zealand ADSL Mailing List


Re: Hello, I'm new

From: Don Stokes <don_at_daedalus.co.nz>
Date: Mon, 14 Feb 2000 12:17:54 +1300
Message-Id: <200002132317.MAA32476@gw.zl2tnm.gen.nz>

>1. I am aware of the firewalling/pinhole features of the M10, but I have
>heard the security/firewall features of the M10 described as "rudimentary"
>or "basic". Is there anything wrong with the firewalling? It seems that if
>it won't let anything in (other than what I allow through a pinhole) it
>must be safe, but I seek more enlightened opinions!

It depends what you're doing.

If you're running the M10 (or any other NAT box) with forwarding into
the internal network (pinholing), the box doesn't do anything for the
security of connections coming into the network. So if there's a bug
in your (for example) HTTP server and you have a pinhole into it, the NAT
box won't stop anyone getting into that box, and from there having the
run of the internal network. On the other hand, if there's no pinhole
to (for example) the FTP port, and the HTTP server is secure, then there's no
attack possible via FTP. So a NAT box still gives you a measure of
security in this situation, but you have to be really sure about the
servers that are pinholed.

On the other hand, if you don't offer services to external users, a NAT
box is actually very secure -- it simply doesn't do anything with
incoming connections; if a packet is not part of a connection initiated
from the inside, it drops it. The main thing a "firewall" buys you in
that situation is extra logging -- and in real life hardly anyone looks
at their firewall logs. Someone once said "the price of vigilance is
eternal boredom"...

On the other hand, if you do want to offer external services, you should
have separation between hosts that offer these services and the internal
network. It gets tricky when the external services require access to
internal resources, but a sensible arrangement with ADSL and a static IP
is to put the M10/NAT box on a separate network along with your
web/mail servers (with pinholes) and another NAT box between that and
your internal network. Then if your external servers are compromised,
your internal machines are still safe.

There's more stuff firewalls can do, such as online content checking
(for viruses and so forth), but to do that properly you're starting to
talk real money. One of the biggest problems these days is not direct
attacks but attacks by stuff that is deliberately downloaded: email
bombs (thanks a bunch to Microsoft for making these so easy), malicious
applets and so forth. Without spending a lot of money, the best way of
dealing with these is:

        - Turn off ActiveX on your browsers.
        - Optionally turn off Java & JavaScript -- there have been
          bugs in these, although the fundamental design is reasonably
          safe and the bugs do get fixed.
        - Periodically ensure all your network applications (especially
          mail and web clients) are up to date.
        - Ensure your mail clients at least ask you before running
          any scripts or programs.
        - Run virus protection software.

-- don
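
The forwarding behaviour Don describes above (a NAT box that only passes
inbound packets belonging to an inside-initiated connection or matching a
pinhole, and a second NAT box isolating the internal network from the
pinholed servers) can be modelled as a small connection-tracking
simulation. This is an added example, not code from the original message
or from the M10; the host addresses, ports and packet flows are constructed
for illustration, and the model tracks forwarding decisions only, leaving
out the address rewriting a real NAT also performs.

```python
"""Model of stateful NAT forwarding with pinholes and a two-box DMZ.

Added example (not from the original post). Addresses, ports and flows
below are constructed; address translation itself is not modelled.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatBox:
    """A NAT box with a connection-tracking table and optional pinholes.

    `inside` is the set of addresses on the protected side. `pinholes`
    maps an external destination port to the (host, port) that unsolicited
    inbound connections to that port are forwarded to.
    """
    name: str
    inside: frozenset
    pinholes: dict = field(default_factory=dict)
    conntrack: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        if pkt.src in self.inside:
            # Outbound: remember the flow so the reply is recognised.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            # Inbound reply to a connection initiated from the inside.
            return "forward"
        if pkt.dport in self.pinholes:
            # Unsolicited inbound, but a pinhole exists for this port.
            host, port = self.pinholes[pkt.dport]
            return f"forward to {host}:{port}"
        # Not part of any inside-initiated connection, no pinhole: drop.
        return "drop"


def traverse(boxes, pkt: Packet) -> list:
    """Pass a packet through NAT boxes in order, stopping at the first drop."""
    verdicts = []
    for box in boxes:
        verdict = box.handle(pkt)
        verdicts.append(verdict)
        if verdict == "drop":
            break
    return verdicts


def dmz_topology():
    """Outer NAT box with a web pinhole, inner NAT box with none (constructed)."""
    internal = frozenset({"10.0.0.10", "10.0.0.11"})
    dmz = frozenset({"192.168.1.10"})          # pinholed web server
    outer = NatBox("outer", inside=dmz | internal,
                   pinholes={80: ("192.168.1.10", 80)})
    inner = NatBox("inner", inside=internal)
    return outer, inner


def run_scenarios() -> dict:
    """Run the cases from the post and return each verdict list."""
    outer, inner = dmz_topology()
    r = {}
    # 1. Internal client browses out through both boxes; the reply comes back.
    out = Packet("10.0.0.10", 40000, "203.0.113.5", 80)
    r["outbound"] = traverse([inner, outer], out)
    r["reply"] = traverse([outer, inner], Packet("203.0.113.5", 80, "10.0.0.10", 40000))
    # 2. Unsolicited inbound to FTP: no pinhole, so the outer box drops it.
    r["ftp_probe"] = traverse([outer], Packet("198.51.100.7", 5555, "203.0.113.1", 21))
    # 3. Unsolicited inbound to HTTP: forwarded to the DMZ web server only.
    r["http_in"] = traverse([outer], Packet("198.51.100.7", 5556, "203.0.113.1", 80))
    # 4. A compromised web server tries to reach the internal network: dropped.
    r["dmz_to_internal"] = traverse([inner], Packet("192.168.1.10", 6000, "10.0.0.10", 445))
    # 5. Internal host connects to the web server; only then may it reply.
    r["internal_to_dmz"] = traverse([inner], Packet("10.0.0.11", 7000, "192.168.1.10", 80))
    r["dmz_reply"] = traverse([inner], Packet("192.168.1.10", 80, "10.0.0.11", 7000))
    return r


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:16s} {verdicts}")
```

Scenarios 3 and 4 together are the point of the two-box arrangement: the
pinhole lets the outside reach the web server, but the inner box has no
conntrack entry and no pinhole for a connection the web server initiates,
so a compromised server cannot open anything towards the internal hosts.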

Received on Mon Feb 14 12:18:37 2000