> Richard said "Linksys and Netgear. They only let thru packets from the
> outside world which are in response to packets originating from inside the
> LAN. That's how NAT routers work."
I understand how these NAT routers work. The problem is that these routers also let OUT all packets originating from the PC or network WITHOUT discretion. Sooooo, if you are using Internet Explorer and happen upon a page with malicious code that the router is not equipped to look at, you can catch all sorts of little nasties (that problem in IE has not been patched for two months). If that malicious site happens to drop in a little Trojan, your whole network can be compromised.

Your NAT router works at Layer 3. You still need a personal firewall or proxy system that looks at as many layers as possible. You need something like Sygate Personal Firewall that alerts you when an application or process that you have not approved tries to go OUT to the Internet from your PC. The newer NAT routers work in conjunction with software firewalls like Zone Alarm, but they are still not as effective as having a software firewall running on your system. Software firewalls receive frequent updates that help defeat new threats that appear almost weekly. Router firmware updates come every quarter or so.

At home I had a Linksys router, locked it down pretty good with additional custom rules (so I thought). I was surprised to see the type of messages that popped up when I installed a software firewall. I finally broke down and bought a Cisco 501 hardware firewall. So this is what I have at home: The Linksys is still on the network, but it does not perform NAT. It mainly acts as a perimeter router trying to keep the spoofers at bay. Static NAT is now performed by the Cisco 501 firewall, on which I placed a very restrictive set of access lists and some nice IDS rules. Norton Internet Security 2003 runs on all the PCs. Mozilla is the browser on the three PCs and the Linux system. All Microsoft critical updates are installed on the PCs. The PCs also have Ad-Aware 6.0 installed from Download.com. For a home network, this is about as secure as I plan on taking it.
Linksys Router - $80
Cisco Pix 501 firewall - $400
Norton Internet Security 2003 for three PCs - $180 (Linux system does not have commercial firewall installed)
Ad-Aware 6 - $0
Mozilla browser - $0
Total implementation time - About four hours
Knowing that it's going to take some real effort to compromise my network without detection - priceless.

Is my home network hack-proof? Of course not! Will some snot-nosed script kiddie running blind scans happen upon my network and enter undetected? Not bloody likely. I still apply patches and test my home defenses from time to time, but I think that I have a decent setup for now. Can some of the people who read and post to this thread break through my defenses? I think that some might be able to, which is why I am sending this message from a friend's house :)

Bottom line, computer security is a process, not a product. This is why there is a layered approach to security. You watch the doors on the way in and on the way out (sometimes twice). You also have to watch the people authorized to operate within your environment. Makes you wonder why we even bother sometimes. Oh well, time to go look at some new Britney Spears photos ;)

-----Original Message-----
From: Richard M. Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 15, 2004 10:22 PM
To: James Patterson Wicks
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

Linksys and Netgear. They only let thru packets from the outside world which are in response to packets originating from inside the LAN. That's how NAT routers work.

Richard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Patterson Wicks
Sent: Thursday, January 15, 2004 9:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

A router that protects you from "Future security holes in the Windows networking software", huh? I would love a router like that!
The thing is, Cisco, Symantec, Network Associates and Trend Micro have joined forces to try to do what you say your router is doing already. Tell me, what does this router have?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard M. Smith
Sent: Thursday, January 15, 2004 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

I run a NAT router box at my house which acts as a hardware firewall for my home LAN. It protects me from the following problems:

- Messenger popup spam
- RPC worms
- Accidentally sharing a disk directory with the world
- Future security holes in the Windows networking software

This type of firewall seems like a bargain to me. I would use one of these router boxes even if I had only one computer to connect to the Internet.

Richard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brandon Butterworth
Sent: Thursday, January 15, 2004 2:10 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

> I just wanted to remind everybody that tomorrow is Personal Firewall Day.

Yuk. Whilst I support people taking care of their security, I rank personal firewalls on the same level as virus detection. They don't fix the real problems and lead to a dependency culture of constant upgrades (if people bother) and alternative vendor sales fud ....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
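The contrast James draws between a NAT router's connection table and a host firewall that prompts per application, as an added toy model that is not from any poster in this thread. The addresses, ports, and application names are constructed; the two classes are simplified stand-ins, not real router or Sygate/ZoneAlarm logic.

```python
from dataclasses import dataclass

# Added toy model of the two filters the thread contrasts: a NAT router's
# connection table (inbound admitted only as a reply to an outbound flow)
# and a host firewall's per-application egress allow-list. Addresses, ports
# and application names are constructed for the example.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    app: str = ""  # sending application; only the host firewall can see it

class NatRouter:
    """Every outbound packet passes; inbound only if it matches an open flow."""
    def __init__(self):
        self.flows = set()  # (lan_ip, lan_port, remote_ip, remote_port)
    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return True  # no discretion: the router cannot tell which app sent it
    def inbound(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.flows

class EgressPolicy:
    """Host firewall in the Sygate/ZoneAlarm style: allow-list by application."""
    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.alerts = []  # what the user would be prompted about
    def outbound(self, p):
        if p.app in self.allowed:
            return True
        self.alerts.append(f"{p.app} tried {p.dst}:{p.dport}")
        return False

def run_scenario():
    nat, host = NatRouter(), EgressPolicy({"mozilla"})
    lan, web, trojan_host = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    browse = Packet(lan, 40001, web, 80, app="mozilla")
    trojan = Packet(lan, 40002, trojan_host, 4444, app="trojan.exe")
    return {
        "browse_out": host.outbound(browse) and nat.outbound(browse),
        "reply_in": nat.inbound(Packet(web, 80, lan, 40001)),
        "unsolicited_in": nat.inbound(Packet(trojan_host, 4444, lan, 135)),
        "trojan_past_nat": nat.outbound(trojan),  # the router alone lets it out
        "trojan_past_host": host.outbound(trojan),  # the egress policy blocks it
        "alerts": list(host.alerts),
    }
```

Running run_scenario() shows the router admitting the browser's reply and dropping the unsolicited probe, while only the host policy stops the Trojan's outbound connection and records the alert the user would see.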