Anyone who manages to skip through mjr's posting needs to go back and read
it. Superb. Just a couple of unrelated comments:
1) If faced with setting up a firewall and you feel overwhelmed, try this:
a) Tell everyone in the known world (or at least your organization) a 'wall
is about to go up. Announce which services will be available (Telnet,
FTP, HTTP) and ask if anyone has a special need that can be justified.
b) Deny everything (usually the default anyway, but it cannot hurt to make it the
last line in the ACL).
c) Decide which protocols you will allow, and open those ports only. Test
them. Then open ICMP for PING and try again (when everything has stopped
this is what I usually find). Will probably need UDP 53 but is only UDP.
If you are real lucky your users will not be doing remote RPCs or
X-windoze. Yet.
d) Wait for the screams & decide which are legitimate. Do not be afraid
to say "why didn't you say something before."
2) The round love seats I have been exposed to have had either a Sunnyvale
User Network or a Virtual Address eXtension front end. These can make
pretty good Firewalls. Might be able to use a MASPAR or ALLIANCE with a
different processor assigned to each port. The crowbar would be
interesting...
Warmly,
Padgett