Discussion:
appliance firewall
Todd
2011-05-16 03:16:45 UTC
Hi All,

I have a client with several small facilities. She is going
through a security audit with an insurance company that insures
against credit card theft. As part of the audit process, the
insurance company runs a scan against her routers.

Problem: the el-cheapo router-of-the-day from the various ISPs
that she uses fails this scan.

So I have been researching appliance firewalls for her. Watchguard
seems to have a good product, but I have never used them.

At some point Google does not fill the bill and you have to ask
for others' personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.

Many thanks,
-T
Keith Keller
2011-05-16 03:32:21 UTC
Post by Todd
Problem: the el-cheapo router-of-the-day from the various ISPs
that she uses fails this scan.
More specifically: the firmware that ships with her router fails.
Post by Todd
At some point Google does not fill the bill and you have to ask
for others personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.
I would recommend seeing if some open source firmware, like OpenWRT,
DD-WRT, or similar, will run on her router. If so, you get a real linux
that can do real firewalling without having to replace otherwise good
hardware. (There are also *BSD-based firmwares, but if you are already
familiar with iptables using a linux-based one will be a shorter
learning curve.)

--keith
--
kkeller-***@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
Thad Floryan
2011-05-16 04:51:42 UTC
Post by Todd
Hi All,
I have a client with several small facilities. She is going
through a security audit with an insurance company that insures
against credit card theft. As part of the audit process, the
insurance company runs a scan against her routers.
Problem: the el-cheapo router-of-the-day from the various ISPs
that she uses fails this scan.
So I have been researching appliance firewalls for her. Watchguard
seems to have a good product, but I have never used them.
At some point Google does not fill the bill and you have to ask
for others personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.
I've installed 100s of the SonicWALL appliances for clients at
everything from small sole proprietorships to medium-sized corporations
since the 1990s. Not one break-in, ever:

<http://www.sonicwall.com/>
<http://en.wikipedia.org/wiki/SonicWALL>

They have solutions from inexpensive hardcover-book-sized appliances
to large rack-mounted devices:

<http://www.sonicwall.com/us/products/TZ_Series.html#tab=models>
to
<http://www.sonicwall.com/us/products/SuperMassive_Series.html>

Here's a picture of my network demarc incorporating a SonicWALL
TZ170 with WAN, LAN and DMZ ports all at 100Mbps:

<http://thadlabs.com/PIX/ThadLABS_network_demarc.jpg>

and here's a picture of about 1/3 of the computers on my home LAN
behind that firewall:

<http://thadlabs.com/PIX/Thad_desk.jpg>

SonicWALL is literally a plug'n'play solution that just works.
Todd
2011-05-17 03:37:40 UTC
Post by Thad Floryan
Post by Todd
Hi All,
I have a client with several small facilities. She is going
through a security audit with an insurance company that insures
against credit card theft. As part of the audit process, the
insurance company runs a scan against her routers.
Problem: the el-cheapo router-of-the-day from the various ISPs
that she uses fails this scan.
So I have been researching appliance firewalls for her. Watchguard
seems to have a good product, but I have never used them.
At some point Google does not fill the bill and you have to ask
for others personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.
I've installed 100s of the SonicWALL appliances for clients at
everything from small sole proprietorships to medium-sized corporations
<http://www.sonicwall.com/>
<http://en.wikipedia.org/wiki/SonicWALL>
They have solutions from inexpensive hardcover-book-sized appliances
<http://www.sonicwall.com/us/products/TZ_Series.html#tab=models>
to
<http://www.sonicwall.com/us/products/SuperMassive_Series.html>
Here's a picture of my network demarc incorporating a SonicWALL
<http://thadlabs.com/PIX/ThadLABS_network_demarc.jpg>
and here's a picture of about 1/3 of the computers on my home LAN
<http://thadlabs.com/PIX/Thad_desk.jpg>
SonicWALL is literally a plug'n'play solution that just works.
Hi Thad,

100's. Hmmm. Exactly the information I was looking for.
Thank you!

The frustrating part of all this is that the scan is only of the
public IP address. It does not see anything, such as a firewall
on the other side of the router. This is really not about
security. It's about the insurance provider avoiding liability.
Meaning that I can not put a firewall in between the router and the
internal network and be guaranteed to always pass their probe test.
All the customer's facilities use NAT. The probe doesn't even
know what the internal IP addresses are.

I can put the el-cheapo modem in bridge mode, but the next el-cheapo
low-bid-router-of-the-week will be back in regular mode and the
hassles will start all over. And, who knows how long the el-cheapo
modems will still support bridge mode. Ever have an ISP tech
show up at a customer's facility and redo your entire configuration?

And if this week's replacement el-cheapo doesn't pass their test,
they will void their liability.

-T
Todd
2011-05-17 03:39:40 UTC
Post by Todd
Meaning that I can not put a firewall in between the router and the
internal network and be guaranteed to always pass their probe test.
oops. that should have said "not be guaranteed"
Thad Floryan
2011-05-17 09:05:56 UTC
Post by Todd
Post by Thad Floryan
[...]
SonicWALL is literally a plug'n'play solution that just works.
Hi Thad,
100's. Hmmm. Exactly the information I was looking for.
Thank you!
You're welcome! It was someone posting in the ba.internet group
back in the mid-1990s that clued me in to SonicWALL and I've been
installing them for clients until 2008 when I retired.
Post by Todd
[...]
The frustrating part of all this is that the scan is only of the
public IP address. It does not see anything, such as a firewall
on the other side of the router. This is really not about
security. It's about the insurance provider avoiding liability.
Meaning that I can not put a firewall in between the router and the
internal network and be guaranteed to always pass their probe test.
All the customer's facilities use NAT. The probe doesn't even
know what the internal IP addresses are.
I can put the el-cheapo modem in bridge mode, but the next el-cheapo
low-bid-router-of-the-week will be back in regular mode and the
hassles will start all over. And, who knows how long the el-cheapo
modems will still support bridge mode. Ever have an ISP tech
show up at a customer's facility and redo your entire configuration?
And if this week's replacement el-cheapo doesn't pass their test,
they will void their liability.
What EXACTLY is it they're testing? I have my SonicWALL TZ170 set up
to be in stealth mode -- there is absolutely NO response from the
SonicWALL to anything from the outside.

Another nice aspect of the SonicWALL is no moving parts and no heat
such as would be the case if I cobbled-up a linux-based system using
old hardware. Plug computers are a possibility, but I'm unaware of
any with multiple NICs -- my SheevaPlugs and GuruPlugs have single
GigE ports.

In case it wasn't obvious, the SonicWALL appliance is also a router.
I presently have a maxed DOCSIS 2.0 cable connection and here's a
simple diagram of my home office setup:

                               outdoor cable
                            ________|_________
                           [ Motorola SB-5101 ]
                           [____cable modem___]
                                    |
                            ________|_________
                           [ SonicWall TZ170  ]
                           [__Firewall/Router_]
                          LAN |               | DMZ
The Cisco router is     ______|______   ______|_________
to get-around a LAN    [Cisco BEFSR41] [ D-Link DIR-625 ]
license issue with     [___Router____] [__(Guest Wifi)__]
the SonicWall due to     |   |           |    |
# of devices on LAN      |   |           |    |
                      various switches
                      for computers, printers,
                      LANCAMs, LAN WiFi, other
                      devices (RS-232, USB hub)

FWIW, there's double NATing from my LAN to the outside and it doesn't
seem to affect anything (home banking, Steam games, ssh, sftp, etc.).

Again, I'm really curious what it is they're testing.
Todd
2011-05-17 17:39:59 UTC
Post by Thad Floryan
What EXACTLY is it they're testing? I have my SonicWALL TZ170 setup
to be in stealth mode -- there is absolutely NO response from the
SonicWALL to anything from the outside.
They are not saying. They just give you a write up as to what went
wrong. This is the worst they found:

Threat: This server uses TCP/IP implementation that respects
the "64K rule", or a "time dependent rule" for generating TCP
sequence numbers. Unauthorized users can predict sequence
numbers when two hosts are communicating, and connect to
your server from any source IP address. The only difference
with a legitimate connection is that the attacker will not
see the replies sent back to the authorized user whose IP
was forged.
Post by Thad Floryan
Another nice aspect of the SonicWALL is no moving parts and no heat
such as would be the case if I cobbled-up a linux-based system using
old hardware.
I absolutely concur. The old computer route is insane. Plus,
my customers do not have spare old computers. They are the ones
they are using (and won't replace). When they do replace their
computers, the old ones have completely failed.

One could say that the two of us should go through and replace
all the fans (don't forget the power supply fan) and just grin and bear
it. Then all we have to do is wait for all the electrolytic capacitors
to start oozing. New and no moving parts is best.
Post by Thad Floryan
In case it wasn't obvious, the SonicWALL appliance is also a router.
It was obvious. (I read their manual.)
Post by Thad Floryan
FWIW, there's double NATing from my LAN to the outside and it doesn't
seem to affect anything (home banking, Steam games, ssh, sftp, etc.).
Double NAT'ing still will fail the insurance company's test.
They are testing the first thing they see, which would be the
first NAT. This is not about protecting the customer. This
is about denying coverage after a claim has been made.
Imagine the insurance company's lawyer in court pointing at
my customer and accusing them of having an unprotected network.
Post by Thad Floryan
Again, I'm really curious what it is they're testing.
Thank you for the thoughtful input!
-T
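The finding Todd quoted is about how the device's TCP stack chooses its initial sequence numbers (ISNs). The Python below is an added example, not code from the thread or from any scanner vendor; it shows offline the shape of that check by taking (time, ISN) samples and labelling the generator as a fixed-increment type (the "64K rule"), a clock-driven type (the "time dependent rule"), or unpredictable. The sample lists, the 5% tolerance and the function names are constructed assumptions. On a real audit each sample would be the ISN seen in the SYN/ACK of one connection attempt to the public address, which is also why, as Todd notes, only the outermost device answering that address is ever graded, never a firewall behind it.

```python
"""Offline classifier for TCP initial sequence number (ISN) samples.

Added example, not from the thread or any scanner.  It models the
finding quoted above: a generator that adds a fixed step per
connection (the old "64K rule") or advances at a fixed rate with
wall-clock time (the "time dependent rule") lets an observer guess
the next ISN; a modern stack mixes in randomness so the differences
show no simple pattern.
"""
from statistics import mean, pstdev

MOD = 1 << 32            # ISNs are 32-bit; successive values can wrap
RATE_TOLERANCE = 0.05    # assumed: <5% relative spread of the ISN rate
                         # counts as "time dependent"


def isn_deltas(samples):
    """Forward differences of the ISNs, modulo 2**32 to absorb wrap-around."""
    isns = [isn for _, isn in samples]
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(samples):
    """samples: list of (seconds, isn) pairs in capture order.

    Returns (label, detail):
      ("fixed-increment", step)   every connection adds the same step (64K rule)
      ("time-dependent", rate)    ISN grows ~linearly with time (RFC 793 style clock)
      ("unpredictable", spread)   differences show no simple pattern
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    times = [t for t, _ in samples]
    gaps = [b - a for a, b in zip(times, times[1:])]
    if any(g <= 0 for g in gaps):
        raise ValueError("timestamps must be strictly increasing")

    deltas = isn_deltas(samples)
    if len(set(deltas)) == 1:
        # Same step regardless of how much time passed: per-connection counter.
        return "fixed-increment", deltas[0]

    # ISN change per second between consecutive probes.  A clock-driven
    # generator gives the same rate every time; a randomised one does not.
    rates = [d / g for d, g in zip(deltas, gaps)]
    spread = pstdev(rates) / mean(rates)
    if spread < RATE_TOLERANCE:
        return "time-dependent", round(mean(rates))
    return "unpredictable", round(spread, 2)


# Constructed samples: (seconds since first probe, ISN seen in the SYN/ACK).
SIXTY_FOUR_K = [(i * 1.0, (1000 + 64000 * i) % MOD) for i in range(6)]
CLOCK_DRIVEN = [(t, (0x70000000 + round(250_000 * t)) % MOD)
                for t in (0.0, 0.5, 1.0, 1.7, 2.0, 3.1)]
RANDOMISED = list(zip((0.0, 0.4, 1.1, 1.5, 2.2, 2.9),
                      (0x1A2B3C4D, 0x9F00E211, 0x03C4A77E,
                       0xD1E8F09A, 0x5B6C7D8E, 0xEE010203)))


if __name__ == "__main__":
    for name, data in (("64K rule", SIXTY_FOUR_K),
                       ("time dependent", CLOCK_DRIVEN),
                       ("randomised", RANDOMISED)):
        print(f"{name:15s} -> {classify_isn(data)}")
```

Only the first two labels would trip the finding in the write-up; the third is what a current stack should produce. Because the analysis needs nothing but the answering device's own SYN/ACKs, a double-NAT or a stealthed firewall behind the ISP router changes nothing about the result.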
The Natural Philosopher
2011-05-17 18:41:16 UTC
Todd
2011-05-17 19:23:03 UTC
Todd
2011-05-17 19:24:09 UTC
Post by Todd
think their is
oops. Should have been "there" (I went to publik skool.)

-T
The Natural Philosopher
2011-05-18 00:13:11 UTC
Post by Todd
Post by The Natural Philosopher
What EXACTLY is it they're testing? I have my SonicWALL TZ170 setup
to be in stealth mode -- there is absolutely NO response from the
SonicWALL to anything from the outside.
They are not saying. They just give you a write up as to what went
Threat: This server uses TCP/IP implementation that respects
the "64K rule", or a "time dependent rule" for generating TCP
sequence numbers. Unauthorized users can predict sequence
numbers when two hosts are communicating, and connect to
your server from any source IP address. The only difference
with a legitimate connection is that the attacker will not
see the replies sent back to the authorized user whose IP
was forged.
Big fuckin deal.
Hear! Hear! Been chucklin' and grinnin' :-D
Post by The Natural Philosopher
So someone forges a return address and a sequence number and gets zilch
in return?
Not about protecting the customer. About denying a claim.
Your above comment very accurately describes it.
Post by The Natural Philosopher
team games, ssh, sftp, etc.).
Double NAT'ing still will fail the insurance company's test.
They are testing the first thing they see, which would be the
first NAT. This is not about protecting the customer. This
is about denying coverage after a claim has been made.
Imagine the insurance company's lawyer in court pointing at
my customer and accusing them of having an unprotected network.
Time to change insurance companies. Or boundary routers.
Have suggested the first to my customer already. Also suggested
they have their lawyer look over the policy before they purchase
it as I think their is little chance of a payout. You should see
the 200+ questionnaire they have to fill out!
As to the second. Good idea. Thad's Sonic WALL solution should
do the trick. My main problem is that every time a low-bid-router-
of-the-week gets replaced, the network will have to be re-configured.
I especially do not look forward to another high school drop out
strutting into my customer's facility and ...
Visualize an all steel "A" frame building with a six foot steel pole
extending above the roof with a microwave receiver on top of it.
The only thing missing is the "kick me" sign. Their router gets
taken out by lightening twice a year. (I have lightening
suppressors installed on their feed, but the router/modem
still gets nailed. At least the rest of the equipment longer
gets fried.)
Still chucklin' and grinnin',
-T
<pedant> Lightning.
Lightening is throwing the passengers out of the hot air balooon</pedant>

Try contacting someone who does real customer support, like Cisco, and
if they have a solution, then get them to respond formally to the above
problem.

Then get a 24 hour service contract, so if one goes bang, they fix it
under contract.

Finally get Cisco AND your insurance company to retest. Let them fight
it out. No sale if the Cisco don't pass the test.
Todd
2011-05-18 16:32:09 UTC
Post by The Natural Philosopher
<pedant> Lightning.
Lightening is throwing the passengers out of the hot air balooon</pedant>
I always make that mistake. Made me look up "Pedant" too. :-)
The Natural Philosopher
2011-05-18 20:18:13 UTC
Post by Todd
Post by The Natural Philosopher
<pedant> Lightning.
Lightening is throwing the passengers out of the hot air balooon</pedant>
I always make that mistake. Made me look up "Pedant" too. :-)
You missed the mistyping of balloon though ;-)
Todd
2011-05-19 19:13:50 UTC
Post by The Natural Philosopher
Post by The Natural Philosopher
<pedant> Lightning.
Lightening is throwing the passengers out of the hot air
balooon</pedant>
I always make that mistake. Made me look up "Pedant" too. :-)
You missed the mistyping of balloon though ;-)
I am dooomed!

The Natural Philosopher
2011-05-16 11:53:47 UTC
Post by Todd
Hi All,
I have a client with several small facilities. She is going
through a security audit with an insurance company that insures
against credit card theft. As part of the audit process, the
insurance company runs a scan against her routers.
Problem: the el-cheapo router-of-the-day from the various ISPs
that she uses fails this scan.
So I have been researching appliance firewalls for her. Watchguard
seems to have a good product, but I have never used them.
At some point Google does not fill the bill and you have to ask
for others personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.
Many thanks,
-T
Frankly, best price performance is to buy better boundary routers.

Only if you have a really complex firewall and external limit access
situation does a complex 'software' firewall make sense.

In every case you cannot answer the question without absolutely defining
what access you need through your firewall, and what security you wish to
attach to it.

A firewall scan means little beyond its use as sales tool to sell you an
approach that passes the test!

However in this case we may presume the scan is professionally independent.

BUT it could be no more than badly configured routers,
technomaNge
2011-05-17 01:34:57 UTC
Post by Todd
At some point Google does not fill the bill and you have to ask
for others personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.
Can't get much cheaper than free!
For work, I grabbed an old computer from the stack,
added a second network card, and installed IPFire.

IPFire is a German-built firewall/router. It has a graphical
interface. I set some port forwarding rules. Done.

Total new cost: my time and a blank CD.

See http://www.ipfire.org for more info and download.
Did I mention it is FREE?


technomaNge
--
The Natural Philosopher
2011-05-17 09:55:22 UTC
Post by technomaNge
Post by Todd
At some point Google does not fill the bill and you have to ask
for others personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.
Can't get much cheaper than free!
Power consumption?

work out what 10,000 hours at 60W costs you in a year.
Post by technomaNge
For work, I grabbed an old computer from the stack,
added a second network card, and installed IPFire.
IPFire is a German-built firewall/router. It has a graphical
interface. I set some port forwarding rules. Done.
Total new cost: my time and a blank CD.
See http://www.ipfire.org for more info and download.
Did I mention it is FREE?
technomaNge
Mark
2011-05-17 09:08:25 UTC
Post by Todd
Hi All,
I have a client with several small facilities. She is going
through a security audit with an insurance company that insures
against credit card theft. As part of the audit process, the
insurance company runs a scan against her routers.
Problem: the el-cheapo router-of-the-day from the various ISPs
that she uses fails this scan.
So I have been researching appliance firewalls for her. Watchguard
seems to have a good product, but I have never used them.
At some point Google does not fill the bill and you have to ask
for others personal experiences. Does anyone have a favorite
appliance firewall they have used and would recommend? Hopefully,
one that does not break the bank.
What test(s) does it fail?
--
(\__/) M.
(='.'=) Due to the amount of spam posted via googlegroups and
(")_(") their inaction to the problem. I am blocking some articles
posted from there. If you wish your postings to be seen by
everyone you will need use a different method of posting.
Todd
2011-05-17 17:53:32 UTC
Post by Mark
What test(s) does it fail?
See my above post to Thad (made about 10 minutes ago)
Mark
2011-05-18 08:17:09 UTC
Post by Todd
Post by Mark
What test(s) does it fail?
See my above post to Thad (made about 10 minutes ago)
So no real-world risk then.
--
(\__/) M.
(='.'=) Due to the amount of spam posted via googlegroups and
(")_(") their inaction to the problem. I am blocking some articles
posted from there. If you wish your postings to be seen by
everyone you will need use a different method of posting.
Todd
2011-05-18 16:31:02 UTC
Post by Mark
Post by Todd
Post by Mark
What test(s) does it fail?
See my above post to Thad (made about 10 minutes ago)
So no real-world risk then.
None.