[AccessD] OT: DSL/IIS/Viruses

Frank Tanner III pctech at mybellybutton.com
Fri May 23 14:29:28 CDT 2003


Depends.  If your IP address will be changing, the
outside one, or you will be wanting to access it from
different locations, not likely.  Most consumer
firewalls don't have that sort of authentication
mechanism built into them.  It's sort of an
all-or-nothing solution.

Usually you will be stuck with a rule similar to:
From WAN to LOCAL_IP forward Port_80 allow.  Something
similar to that.  Obviously that's "pseudo code".
Your firewall's syntax will vary.  If you will be
connecting from a non-random location with a static IP
address you can say: From WAN_IP to Local_IP forward
Port_80 allow.  Where WAN_IP would be the public IP
address of the remote location you will be connecting
from.

A lot of routers have an authentication piece in them,
but it's for outgoing only.  That sorta thing is real
good for locking it down so your kids can't surf the
net or whatever without supervision.

--- "Hale, Jim" <jim.hale at fleetpride.com> wrote:
>  If I have a router with a built in firewall  and I
> set up a web server for
> development work on my lan behind the firewall  will
> I be able to access the
> web server sites but the outside world will not?
> Jim Hale
> 
> -----Original Message-----
> From: Frank Tanner III
> [mailto:pctech at mybellybutton.com]
> Sent: Friday, May 23, 2003 10:54 AM
> To: accessd at databaseadvisors.com
> Subject: RE: [AccessD] OT: DSL/IIS/Viruses
> 
> 
> Depends.
> 
> If you go the "firewall appliance" route, such as
> SonicWall, you're looking at close to a thousand bucks
> (the last time I checked).  If you go the "I'm taking
> a PC, putting multiple network cards in it and making
> a firewall out of it." you can get away for free if
> you have the hardware readily available.
> 
> My firewall is a P3-700 PC with 256MB of RAM, an 8GB
> hard drive and 4 network cards.  Hardware-wise this
> firewall is way overkill for what I need.  I
> wouldn't recommend anything less than a P2-333 for a
> firewall though if you have a DSL or cablemodem based
> Internet connection.  For an OS it's running a
> hardened minimalistic flavor of Red Hat Linux 8.0.
> I'm running the built-in IPTables firewall for all of
> my firewalling needs.  That makes the OS and firewall
> free too.
> 
> --- Jim DeMarco <Jdemarco at hshhp.org> wrote:
> > Thanks Martin.  
> > 
> > From what I'm gathering from this thread I should
> > look into a hardware solution (that the fact that
> > I'm running WinME on a P200 that's a relatively slow
> > performer as is).  How costly might that be?
> > 
> > Jim DeMarco
> > 
> > 
> > 
> > -----Original Message-----
> > From: Mwp.Reid at Queens-Belfast.AC.UK
> > [mailto:Mwp.Reid at Queens-Belfast.AC.UK]
> > Sent: Friday, May 23, 2003 11:12 AM
> > To: accessd at databaseadvisors.com
> > Subject: RE: [AccessD] OT: DSL/IIS/Viruses
> > 
> > 
> > Jim
> > 
> > You run a web server at home you're always at risk of
> > hacking attempts. Put up a decent firewall.
> > 
> > I have IIS running on a server here but it's not
> > connected to the web. Doesn't matter for dev work at
> > all. I connect as and when I need to. Other than
> > that I leave the server off the modems.
> > 
> > 
> > 
> > Martin
> > 
> > 
> > On May 23 2003, Jim DeMarco wrote:
> > 
> > > What about running it on another machine on my
> > > (wireless) network that's not directly connected
> > > to my DSL modem but has Internet access via that
> > > connection? Is that any safer?
> > > 
> > > Jim DeMarco
> > > 
> > > 
> > > -----Original Message-----
> > > From: Frank Tanner III
> > [mailto:pctech at mybellybutton.com]
> > > Sent: Friday, May 23, 2003 9:29 AM
> > > To: accessd at databaseadvisors.com
> > > Subject: RE: [AccessD] OT: DSL/IIS/Viruses
> > > 
> > > 
> > > Personally, I wouldn't run ANY publicly accessible
> > > services on my LAN.  There is a MUCH safer way to do
> > > it, but it isn't super cheap.
> > > 
> > > I have a custom built firewall, which I run at home.
> > > The "public" side of it connects directly to my
> > > Internet connection, in this case a 1Mbit VDSL
> > > connection.  Then I have a "private" side, which
> > > connects to my LAN, and has my strict firewall rules.
> > > Only what I want gets in and out.  Lastly, I have a
> > > "DMZ".  This is where I place my publicly accessible
> > > machines.  It is still firewalled, but not as
> > > stringently as the LAN side, since the public needs to
> > > hit it.  Even in this DMZ I only let through the ports
> > > I absolutely need to.  Such as 80 & 443 for Web, 25 &
> > > 110 for e-mail, etc.  My LAN is also firewalled from
> > > my DMZ in this configuration except for what's
> > > absolutely needed.
> > > 
> > > In this configuration, unless I specifically open an
> > > e-mail with a virus attached, or something silly like
> > > that, I'm about as safe as one can get from "the big
> > > bad Internet".  The worst that can happen is that
> > > there is an exploit for one of my publicly accessible
> > > boxes and they get compromised.  My LAN is still safe.
> > > 
> > > As a side note, my firewall, web server, and e-mail
> > > server are all running Linux or FreeBSD.  This makes
> > > them less susceptible to all of the more common
> > > attacks that the "script kiddies" like to use.  About
> > > 80% of the attacks and defacements on publicly
> > > accessible servers are done by "script kiddies".  An
> > > added benefit is that IIS specific exploits have no
> > > effect other than to fill my logs, which archive and
> > > rotate off daily.
> > > 
> > > Is this a bit excessive, since I don't run a business
> > > out of my home?  Yeah, it is.  But there's no such
> > > thing as too much security.
> > > 
> > > --- John Frederick <j.frederick at att.net> wrote:
> > > > Yes, it is necessary.  When I started doing .asp on
> > > > the same machine I used to dial-up to get email, I
> > > > got, over some period of time, about a dozen
> > > > different viruses, some of which propagated through
> > > > my lan to other machines.  If you can't block the
> > > > access from the net to your machines, you need to
> > > > either use a firewall or disconnect the pws
> > > > machine from the lan.
> > > > 
> > > > P.S.: If you put firewalls, such as Norton or McAfee
> > > > on your machines, you can ask to be warned and have
> > > > a chance to say ok or no when a program tries
> > > > to access another machine or the net.  You'll be
> > > > amazed about how many Microsoft and other vendor
> > > > programs do so for no reason related to your
> > > > current operation in progress.  If you're not
> > > > already paranoid, that will make you so.
> > > > 
> > > > -----Original Message-----
> 
=== message truncated ===
> _______________________________________________
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
> 
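The two pseudo-code rules in the reply at the top ("From WAN to LOCAL_IP forward Port_80 allow" and the source-restricted "From WAN_IP to Local_IP ...") written out as iptables commands, as an added example that is not part of the original message. The interface name `eth0`, the addresses and the helper names `is_ipv4` and `forward_rules` are assumptions; the script only prints the rules and does not apply them.

```shell
#!/bin/sh
# Added example: prints iptables commands for the two pseudo-code rules in the
# message; it does not apply them. Assumes the FORWARD chain defaults to DROP
# and already accepts ESTABLISHED,RELATED traffic.

# is_ipv4 ADDR: succeed only for a dotted-quad address with octets 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ?|??|???) ;; *) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# forward_rules WAN_IF LOCAL_IP PORT [SRC_IP]
# Without SRC_IP: "From WAN to LOCAL_IP forward Port allow" (anyone can connect).
# With SRC_IP:    "From WAN_IP to Local_IP forward Port allow" (one remote site).
forward_rules() {
    wan_if=$1; local_ip=$2; port=$3; src_ip=${4:-}
    is_ipv4 "$local_ip" || { echo "bad LOCAL_IP: $local_ip" >&2; return 1; }
    case "$port" in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    src_match=""
    if [ -n "$src_ip" ]; then
        is_ipv4 "$src_ip" || { echo "bad SRC_IP: $src_ip" >&2; return 1; }
        src_match=" -s $src_ip"
    fi
    # Rewrite the destination on the way in, then permit the forwarded flow.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp$src_match --dport $port -j DNAT --to-destination $local_ip:$port"
    echo "iptables -A FORWARD -i $wan_if -p tcp$src_match -d $local_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample values: eth0 as the WAN interface, 192.168.1.10 as the web
# server, 203.0.113.25 (documentation range) as the static remote address.
forward_rules eth0 192.168.1.10 80
forward_rules eth0 192.168.1.10 80 203.0.113.25
```

The only difference between the two variants is the `-s` source match, which is what turns the all-or-nothing forward into one limited to a single static address.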


