Clarity, please
Stephen Hope
shope at energis-eis.co.uk
Fri Jun 22 16:58:35 EDT 2001
Jon,
a couple of comments.
This is a "horses for courses" discussion, and there are lots of opinions
about "best".
However, the answer I prefer is "it depends".
Linux and free firewall s/w may be the best hardened combination, but if you
want to compare this with a commercial system, then there may be other
issues which affect the choice.
The ones that often come up are:
- Cost of the hardware platform
- Skill set needed for install, integration, fault finding and ongoing support
- Physical constraints - space, need for monitors etc.
- "Guarantees" about interoperability and interworking with other types of
  kit, such as existing installed PCs, hosts, networking kit
- Support issues, such as support by an external company, or complete
  outsourcing
I am not suggesting any particular choice, just suggesting that kit choice
should come after some of these issues are addressed, not before.
regards
Stephen
Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189
> -----Original Message-----
> From: Jon Carnes [mailto:jonc at nc.rr.com]
> Sent: 21 June 2001 22:42
> To: Stephen Chowning; VPN at SECURITYFOCUS.COM
> Subject: Re: Clarity, please
>
>
> Routers and firewalls are simply specialized computers, sometimes with
> built-in hubs. A hardware router/firewall has an operating system and
> runs various programs/daemons. The OS is sometimes specialized, but that
> matters little. A lot of modern firewalls run a version of BSD (which is
> a free version of Unix), and a few firewalls run Linux.
>
> The pay-for firewalls are not as strong or as versatile (until you get
> into big money!) as the free ones available via the internet. The free
> ones require a spare Intel-based PC and a little reading on your part to
> configure. The configuration is getting much simpler every day and the
> amount of reading is probably down to about an hour.
>
> I just tested the Mandrake one last week, and it is fantastic for a
> small business or a home user. It mainly uses Bastille and a really
> sharp web interface to help you configure it.
>
> An interesting site that has several disk images for various firewalls is:
> http://lrp.steinkuehler.net/
>
> This site uses the Linux Router Project to make single disk firewalls.
> You can also check out Fireplug - a great one disk distribution that also
> uses the LRP.
>
> You can download the image, write the image to a disk, and then boot
> your computer off the disk. Your computer will then be a
> firewall/router. Complete instructions are on the sites.
>
> ===
> You can run a firewall with just one network card. It is not
> recommended.
>
> For this configuration to work, your firewall's network card will give
> itself two IP addresses. The first one will be a local IP address that
> is not routable (like 192.168.1.1); the second IP address it will get
> from your cable modem via DHCP. The second IP address will be routable
> on the internet.
>
> All your other boxes will boot up and get their IP addresses from the
> firewall. They will get addresses in the 192.168.1.x range. Since these
> addresses are not routable across the internet, you are "somewhat"
> safe. Your boxes will send all their internet traffic to the
> firewall/router. The firewall/router will strip out the local IP
> address and replace it with the valid one that it got from your cable
> modem, then it will resend the packet out the cable modem.
>
> This is called IP masquerading. The returning traffic comes to the
> firewall, and the firewall then looks up the information about where the
> packet should be routed to and forwards it on to the appropriate local
> computer.
>
> ===
> If you do not have a spare Intel-based computer to turn into a
> firewall/router, then I would suggest something like the LinkSys router,
> which sells for around $120 (American) and does everything a good
> firewall should, plus it allows PPTP (Microsoft's VPN client) and IPSec
> to pass through it - though the AH portion of IPSec is necessarily
> broken...
>
> I run small businesses of up to 15 computers off of LinkSys boxes with
> no problems. There are also some firewall/routers that do Dynamic DNS as
> well as all the firewalling, DHCP, etc. that the LinkSys boxes do - for
> about the same price.
>
> Hope this helps,
>
> Jon Carnes
>
> On Thursday 21 June 2001 12:17, Stephen Chowning wrote:
> > I am (sooner or later) going to hook a (mostly Mac, one PC) small LAN
> > to a cable modem internet connection. I have looked at various hardware
> > solutions (cable/DSL routers) available for under $200, and at software
> > solutions such as IPNetRouter for under $100. IPNetRouter claims to do
> > all that a hardware device does for less money. As the hardware devices
> > are not that much more $, I don't feel that this is a major issue. I
> > would like to implement VPN also, so I would like to know which option,
> > hardware vs. software, is the better solution, especially as it
> > pertains to implementing VPN, but also in a more general sense, i.e.
> > ease of setup/use, security, etc. From reading the posts to this
> > newsgroup, I suspect that the main difference will be what my cable co.
> > allows or disallows as far as encrypted packets.
> >
> > On another note, does anyone feel like explaining how the software
> > solution protects the non-gateway machines on the LAN? I believe that
> > I understand how the hardware works, having an upstream and a
> > downstream connection. But my simple, small LAN has an ethernet hub
> > with all devices plugged into it. Would the gateway machine need two
> > ethernet cards, one designated as "upstream", the other "downstream",
> > plugged into the hub?
> >
> > Thanks,
> > Steve
> >
> >
> > VPN is sponsored by SecurityFocus.com
>
>
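Two points in Jon's quoted reply are worth seeing in code: how the masquerading gateway rewrites outbound source addresses and maps replies back (and why unsolicited inbound packets are dropped, the "somewhat safe" part), and why NAT necessarily breaks IPsec AH but not ESP. The following is an added example written for this thread; it is not code from any poster or from the firewall distributions mentioned. The addresses (192.168.1.0/24 for the LAN, 203.0.113.7 as the DHCP-assigned public address, 198.51.100.10 and 192.0.2.99 as remote hosts), the starting port 61000, the shared key and the HMAC-SHA256 stand-in for the real AH/ESP integrity check are all constructed for illustration.

```python
"""Many-to-one NAT ("IP masquerading") on a cable-modem gateway, and why
NAT invalidates IPsec AH but not ESP.  Added example; constructed values."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""


class MasqueradingGateway:
    """One public address (from the cable modem) and one private address on
    the LAN side.  With a single NIC both addresses sit on the same card; the
    translation logic is the same either way."""

    def __init__(self, public_ip: str, lan_prefix: str = "192.168.1.") -> None:
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self._next_port = 61000       # first masqueraded source port handed out (assumed)
        # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # flow -> public_port, so a repeat packet of the same flow reuses its port
        self._flows: Dict[Tuple[str, str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: replace the private source with the public one."""
        if not pkt.src.startswith(self.lan_prefix):
            return None               # not from our LAN: refuse to masquerade it
        if pkt.dst.startswith(self.lan_prefix):
            return None               # LAN-to-LAN traffic never leaves via the gateway
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._flows.get(flow)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._flows[flow] = port
            self.table[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only replies to a recorded flow are forwarded."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None               # no mapping at all: unsolicited, dropped
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None               # mapped port but a different peer: dropped
        return replace(pkt, dst=lan_ip, dport=lan_port)


def ah_icv(key: bytes, pkt: Packet) -> bytes:
    """AH's integrity check value covers the immutable IP header fields, source
    and destination addresses included, plus the payload (simplified here)."""
    covered = f"{pkt.src}|{pkt.dst}|{pkt.proto}|".encode() + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def esp_icv(key: bytes, pkt: Packet) -> bytes:
    """ESP's ICV covers the ESP header and protected payload only; the outer
    addresses are outside its scope, so rewriting them does not break it."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()


def demo() -> dict:
    gw = MasqueradingGateway(public_ip="203.0.113.7")
    key = b"constructed-shared-key"
    # A LAN host opens a connection to a web server on the Internet.
    out = Packet("192.168.1.20", "198.51.100.10", "tcp", 40000, 80, b"GET / HTTP/1.0")
    wire = gw.outbound(out)           # what the cable modem actually sees
    # The server answers the public address/port; the gateway maps it back.
    reply = Packet("198.51.100.10", "203.0.113.7", "tcp", 80, wire.sport, b"HTTP/1.0 200 OK")
    delivered = gw.inbound(reply)
    # A third party probes the same public port: no matching flow, dropped.
    probe = Packet("192.0.2.99", "203.0.113.7", "tcp", 4444, wire.sport, b"scan")
    dropped = gw.inbound(probe)
    # The same packet under AH: the sender's ICV no longer matches once the
    # source address has been rewritten.  Under ESP it still verifies.
    ah_ok = hmac.compare_digest(ah_icv(key, out), ah_icv(key, wire))
    esp_ok = hmac.compare_digest(esp_icv(key, out), esp_icv(key, wire))
    return {
        "wire_src": wire.src,
        "wire_sport": wire.sport,
        "delivered_to": (delivered.dst, delivered.dport) if delivered else None,
        "probe_dropped": dropped is None,
        "ah_valid_after_nat": ah_ok,
        "esp_valid_after_nat": esp_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The gateway here keys replies on the remote host as well as the public port, so it behaves like a restrictive NAT rather than a plain port-forward; that is the property Jon is pointing at when he calls the private addresses "somewhat" safe, and it is protection for TCP/UDP only. Real ESP carries no port numbers, so a consumer router's "IPSec passthrough" has to track sessions some other way (typically by SPI), and in transport mode the inner TCP/UDP checksum, which includes the addresses, still breaks; the example only shows the scope difference between the AH and ESP integrity checks that makes AH unrecoverable behind NAT.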