You might want to check out http://www.astero.com - they have an excellent firewall (requires a standalone box with a 400 MHz processor and 128 MB RAM); it runs on a hardened Linux distro, and you can include Kaspersky AV for a nominal price (or free, if you participate actively in the "power users forums"). It's freely downloadable for personal use.
----- Original Message -----
From: "Ansgar Wiechers" <[EMAIL PROTECTED]>
To: "'Security-Basics'" <[EMAIL PROTECTED]>
Sent: Tuesday, July 22, 2003 10:21 AM
Subject: Re: configuration settings

> On 2003-07-22 Kelly Martin wrote:
> > On Mon, 21 Jul 2003, Ansgar Wiechers wrote:
> > [ Running public servers from a home LAN ]
> > > Do not run servers on firewalls. Just don't. Every service allowing
> > > inbound connections which runs on your firewall adds a potential
> > > security breach.
> >
> > This is the ideal case,
>
> It is, and it's not that hard to achieve. IMHO.
>
> > however for smaller networks a server/firewall may be the only
> > practical route. A stateful firewall (such as pf or iptables) with all
> > incoming ports blocked except port 80 for httpd, and an administrator
> > who keeps on top of patches can still be reasonably secure.
>
> It may be considered reasonably secure, but I still suggest to avoid it
> and rather spend a couple $CURRENCY.
>
> > As you said, running minimal services is very important. And this is
> > better than just port-forwarding port 80 to an insecure box on a
> > private network, IMO.
>
> Well, *that* goes without saying. If anyone considers himself totally
> secure just because of having a router (or even a firewall) between his
> server and the rest of the world, he'd better stop dealing with servers
> immediately.
>
> > > Small routers (e.g. from Netgear) aren't *that* expensive and I
> > > don't assume you are going to need a Cisco or something for your
> > > private LAN. What kind of connection do you have?
> >
> > Personally, those cheap (sub $100) routers make me nervous...
>
> Oh, I wasn't aiming that low. Take the Netgear FVS318 [1] for example
> (sorry, don't mean to advertise). It provides stateful firewalling,
> VPN-support and some other goodies for about 120 USD.
>
> > at least with a software firewall you know what you've got and can
> > keep it patched.
>
> On the other hand hardware routers are much more specialized than
> general purpose OSs can be, so they are likely to have fewer bugs
> (simply due to the fact that there's a smaller code-base). And you can
> keep them patched as well. Just keep the Firmware up to date.
>
> [1] http://www.netgear.com/products/details/FVS318.asp?view=sb
>
> Regards
> Ansgar Wiechers
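The "stateful firewall with all incoming ports blocked except port 80 for httpd" setup Kelly describes, written out as a pf ruleset for a box that is both the home firewall and the web server. This is an added example, not from anyone in the thread; the interface names, the LAN subnet and the per-source connection limits are assumptions, and NAT for the LAN is left out (filtering rules only).

```pf
# Added example (not from the thread): default-deny, stateful pf ruleset for a
# combined firewall/web server. Interface names and LAN subnet are assumed.
ext_if  = "xl0"              # public-facing interface (assumption)
int_if  = "xl1"              # home LAN interface (assumption)
lan_net = "192.168.1.0/24"   # home LAN (assumption)

# Sources that exceed the connection limits below land here and are dropped
table <abusers> persist

set skip on lo0

# Drop packets whose source address could not legitimately arrive on that interface
antispoof quick for { $ext_if $int_if }

# Default deny in both directions; log blocked inbound packets so probes show
# up in pflog for review
block in log all
block out all

# Previously flagged sources are dropped before any pass rule is evaluated
block in quick on $ext_if from <abusers>

# The only service reachable from the Internet: httpd on port 80.
# State is kept so replies flow; a single source is capped at 50 open
# connections and 25 new connections per 5 seconds (assumed limits), beyond
# which it is added to <abusers> and its existing states are flushed.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 25/5, overload <abusers> flush)

# Administration (ssh) only from the LAN side, never from the external interface
pass in on $int_if proto tcp from $lan_net to ($int_if) port 22 keep state

# The firewall itself and LAN hosts may initiate outbound connections;
# return traffic is matched by state, never by an open inbound port
pass out keep state
pass in on $int_if from $lan_net to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `pflog0` with `tcpdump -n -e -ttt -i pflog0` to confirm that only port 80 traffic is passed from outside.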
