[AccessD] OT: DSL/IIS/Viruses

Frank Tanner III pctech at mybellybutton.com
Fri May 23 10:54:09 CDT 2003


Depends.

If you go the "firewall appliance" route, such as
SonicWall, you're looking at close to a thousand bucks
(the last time I checked).  If you go the "I'm taking
a PC, putting multiple network cards in it and making
a firewall out of it." you can get away for free if
you have the hardware readily available.

My firewall is a P3-700 PC with 256MB of RAM, an 8GB
hard drive and 4 network cards.  Hardware-wise this
firewall is way overkill for what I need.  I
wouldn't recommend anything less than a P2-333 for a
firewall though if you have a DSL or cablemodem based
Internet connection.  For an OS it's running a
hardened minimalistic flavor of Red Hat Linux 8.0. 
I'm running the built-in IPTables firewall for all of
my firewalling needs.  That makes the OS and firewall
free too.

--- Jim DeMarco <Jdemarco at hshhp.org> wrote:
> Thanks Martin.  
> 
> From what I'm gathering from this thread I should
> look into a hardware solution (that and the fact that
> I'm running WinME on a P200 that's a relatively slow
> performer as is).  How costly might that be?
> 
> Jim DeMarco
> 
> 
> 
> -----Original Message-----
> From: Mwp.Reid at Queens-Belfast.AC.UK
> [mailto:Mwp.Reid at Queens-Belfast.AC.UK]
> Sent: Friday, May 23, 2003 11:12 AM
> To: accessd at databaseadvisors.com
> Subject: RE: [AccessD] OT: DSL/IIS/Viruses
> 
> 
> Jim
> 
> You run a web server at home, you're always at risk of
> hacking attempts. Put up a decent firewall.
> 
> I have IIS running on a server here but it's not
> connected to the web. Doesn't matter for dev work at
> all. I connect as and when I need to. Other than
> that I leave the server off the modems.
> 
> 
> 
> Martin
> 
> 
> On May 23 2003, Jim DeMarco wrote:
> 
> > What about running it on another machine on my
> > (wireless) network that's not directly connected
> > to my DSL modem but has Internet access via that
> > connection? Is that any safer?
> > 
> > Jim DeMarco
> > 
> > 
> > -----Original Message-----
> > From: Frank Tanner III [mailto:pctech at mybellybutton.com]
> > Sent: Friday, May 23, 2003 9:29 AM
> > To: accessd at databaseadvisors.com
> > Subject: RE: [AccessD] OT: DSL/IIS/Viruses
> > 
> > 
> > Personally, I wouldn't run ANY public accessible
> > services on my LAN.  There is a MUCH safer way to do
> > it, but it isn't super cheap.
> >
> > I have a custom built firewall, which I run at home.
> > The "public" side of it connects directly to my
> > Internet connection, in this case a 1Mbit VDSL
> > connection.  Then I have a "private" side, which
> > connects to my LAN, and has my strict firewall rules.
> > Only what I want gets in and out.  Lastly, I have a
> > "DMZ".  This is where I place my publicly accessible
> > machines.  It is still firewalled, but not as
> > stringently as the LAN side, since the public needs to
> > hit it.  Even in this DMZ I only let through the ports
> > I absolutely need to.  Such as 80 & 443 for Web, 25 &
> > 110 for e-mail, etc.  My LAN is also firewalled from
> > my DMZ in this configuration except for what's
> > absolutely needed.
> >
> > In this configuration, unless I specifically open an
> > e-mail with a virus attached, or something silly like
> > that, I'm about as safe as one can get from "the big
> > bad Internet".  The worst that can happen is that
> > there is an exploit for one of my publicly accessible
> > boxes and they get compromised.  My LAN is still safe.
> >
> > As a side note, my firewall, web server, and e-mail
> > server are all running Linux or FreeBSD.  This makes
> > them less susceptible to all of the more common
> > attacks that the "script kiddies" like to use.  About
> > 80% of the attacks and defacements on publicly
> > accessible servers are done by "script kiddies".  An
> > added benefit is that IIS specific exploits have no
> > effect other than to fill my logs, which archive and
> > rotate off daily.
> >
> > Is this a bit excessive, since I don't run a business
> > out of my home?  Yeah, it is.  But there's no such
> > thing as too much security.
> > 
> > --- John Frederick <j.frederick at att.net> wrote:
> > > Yes, it is necessary.  When I started doing .asp on
> > > the same machine I used
> > > to dial-up to get email, I got, over some period of
> > > time, about a dozen
> > > different viruses, some of which propagated through
> > > my lan to other
> > > machines.  If you can't block the access from the
> > > net to your machines, you
> > > need to either use a firewall or disconnect the pws
> > > machine from the lan.
> > >
> > > P.S.: If you put firewalls, such as Norton or McAfee
> > > on your machines, you
> > > can ask to be warned and have a chance to say ok or
> > > no when a program tries
> > > to access another machine or the net.  You'll be
> > > amazed about how many
> > > Microsoft and other vendor programs do so for no
> > > reason related to your
> > > current operation in progress.  If you're not
> > > already paranoid, that will
> > > make you so.
> > > 
> > > -----Original Message-----
> > > From: accessd-bounces at databaseadvisors.com
> > > [mailto:accessd-bounces at databaseadvisors.com]On
> > > Behalf Of Jim DeMarco
> > > Sent: Friday, May 23, 2003 8:03 AM
> > > To: AccessD (E-mail)
> > > Subject: [AccessD] OT: DSL/IIS/Viruses
> > > 
> > > 
> > > List,
> > > 
> > > > A while back I got a DSL connection on my home
> > > > office PC which I
> > > > occasionally use for web development using Personal
> > > > Web Server (Win 9x/ME
> > > > version of IIS).  I was advised by our staff network
> > > > person NOT to run PWS
> > > > after the DSL was up because I'd be susceptible to
> > > > attacks and viruses.
> > > > Does anyone know if this is true?  I have not run
> > > > PWS in a couple of months
> > > > and have been using a disconnected laptop to write
> > > > ASP code but I'm
> > > > wondering if this is necessary.  Would I need to
> > > > install a firewall if I
> > > > want to run PWS?
> > > 
> > > Thanks,
> > > 
> > > Jim DeMarco
> > > 
> > > 
> > >
> >  
> >  
> >
>
****************************************************************************
> > > *******
> > > "This electronic message is intended to be for
> the
> > > use only of the named
> > > recipient, and may contain information from
> Hudson
> > > Health Plan (HHP) that is
> > > confidential or privileged.  If you are not the
> > > intended recipient, you are
> > > hereby notified that any disclosure, copying,
> > > distribution or use of the
> > > contents of this message is strictly prohibited.
>  If
> > > you have received this
> > > message in error or are not the named recipient,
> 
=== message truncated ===
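
The three-zone layout described in this thread (Internet, LAN and DMZ, with only ports 80/443 and 25/110 opened to the DMZ and an iptables firewall in the middle) can be sketched as a ruleset generator. This is an added example, not Frank's actual configuration; the interface names, the 192.0.2.x addresses and the LAN-outbound rule are assumptions.

```shell
#!/bin/sh
# Added example: emit a three-zone (Internet / LAN / DMZ) filter table in
# iptables-restore format. Interface names and addresses are assumptions.
WAN_IF=${WAN_IF:-eth0}   # "public" side, to the DSL modem
LAN_IF=${LAN_IF:-eth1}   # "private" side
DMZ_IF=${DMZ_IF:-eth2}   # publicly reachable servers
WEB_HOST=${WEB_HOST:-192.0.2.10}    # constructed documentation address
MAIL_HOST=${MAIL_HOST:-192.0.2.25}  # constructed documentation address

# allow_tcp IN_IF OUT_IF DEST_HOST PORT...: one FORWARD accept per port,
# matching only new connections (replies are handled by conntrack).
allow_tcp() {
    in_if=$1; out_if=$2; dest=$3; shift 3
    for port in "$@"; do
        echo "-A FORWARD -i $in_if -o $out_if -d $dest -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

gen_rules() {
    echo "*filter"
    # Default deny: anything not explicitly allowed below is dropped.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # The firewall itself accepts loopback and reply traffic only.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Replies to connections that were allowed in the first place.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Internet -> DMZ: only the published services.
    allow_tcp "$WAN_IF" "$DMZ_IF" "$WEB_HOST" 80 443
    allow_tcp "$WAN_IF" "$DMZ_IF" "$MAIL_HOST" 25 110
    # LAN -> DMZ: the same services only (assumed to be "what's absolutely needed").
    allow_tcp "$LAN_IF" "$DMZ_IF" "$WEB_HOST" 80 443
    allow_tcp "$LAN_IF" "$DMZ_IF" "$MAIL_HOST" 25 110
    # LAN -> Internet: outbound connections (assumption; tighten per port if desired).
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    # No rule lets the DMZ or the Internet open a connection into the LAN,
    # so a compromised DMZ host hits the DROP policy. Log the attempt first.
    echo "-A FORWARD -o $LAN_IF -j LOG --log-prefix \"to-LAN-denied: \""
    echo "COMMIT"
}

# Print the ruleset for review; syntax-check with: gen_rules | iptables-restore --test
gen_rules
```

The absence of any ACCEPT rule with the LAN interface as the output side is what keeps the LAN safe when a DMZ box is compromised; the LOG rule makes such attempts visible.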


