#1

Folks,

Currently I connect my home office LAN to Freeserve via ICS and BT Home Highway. The ICS host machine has a ZoneAlarm firewall to protect the network. But I find ICS a bit flaky - usually it's OK but can go AWOL leaving the client machines unable to connect. This happens often enough to make it a problem.

I am thinking of getting a secondhand 3Com ISDN LAN modem - this is an ISDN T/A with 4 ethernet ports. It has NAT etc to hide the LAN machine IP addresses.

Do I need a firewall as well or can I get good protection from configuring the TA? What are the security issues to consider?

TIA - Adam

Adam Lipscombe

#2

In message <bmmiqm$7io$(E-Mail Removed)>, Adam Lipscombe <(E-Mail Removed)> writes

>I am thinking of getting a secondhand 3Com ISDN LAN modem - this is an ISDN
>T/A with 4 ethernet
>ports. It has NAT etc to hide the LAN machine IP addresses.
>
>Do I need a firewall as well or can I get good protection from configuring
>the TA? What are the security issues to consider?

I haven't used that particular model but I have used an equivalent broadband router. NAT will protect you against attacks originating outside your network. It doesn't offer any protection against trojans and gullible users so you still need personal firewalls on each machine in the network.

--
Bernard Peek
London, UK. DBA, Manager, Trainer & Author. Will work for money.

#3

Bernard Peek <(E-Mail Removed)> wrote:

> In message <bmmiqm$7io$(E-Mail Removed)>, Adam Lipscombe
> <(E-Mail Removed)> writes
>
> >I am thinking of getting a secondhand 3Com ISDN LAN modem - this is an ISDN
> >T/A with 4 ethernet
> >ports. It has NAT etc to hide the LAN machine IP addresses.
> >
> >Do I need a firewall as well or can I get good protection from configuring
> >the TA? What are the security issues to consider?
>
> I haven't used that particular model but I have used an equivalent
> broadband router. NAT will protect you against attacks originating
> outside your network. It doesn't offer any protection against trojans
> and gullible users so you still need personal firewalls on each machine
> in the network.
>

I don't really see how a firewall protects against "trojans and gullible users", surely for that you need an anti-virus program such as McAffee (how do you spell that?).

FWIW I have a home network connected by an Elsa LANCOM ISDN router with NAT etc., I don't run any other sort of firewall and haven't had any problems in the several years that I have been running the system.

--
Chris Green ((E-Mail Removed))

#4

(E-Mail Removed) <(E-Mail Removed)> wrote:

> Bernard Peek <(E-Mail Removed)> wrote:
> > In message <bmmiqm$7io$(E-Mail Removed)>, Adam Lipscombe
> > <(E-Mail Removed)> writes
> >
> > >I am thinking of getting a secondhand 3Com ISDN LAN modem - this is an ISDN
> > >T/A with 4 ethernet
> > >ports. It has NAT etc to hide the LAN machine IP addresses.
> > >
> > >Do I need a firewall as well or can I get good protection from configuring
> > >the TA? What are the security issues to consider?
> >
> > I haven't used that particular model but I have used an equivalent
> > broadband router. NAT will protect you against attacks originating
> > outside your network. It doesn't offer any protection against trojans
> > and gullible users so you still need personal firewalls on each machine
> > in the network.
> >
> I don't really see how a firewall protects against "trojans and
> gullible users"

If they foolishly run something that they shouldn't, the firewall will prevent the trojan from accessing the network. Likewise with worms that use their own SMTP engine.

#5

Rob Morley <(E-Mail Removed)> wrote:

> (E-Mail Removed) <(E-Mail Removed)> wrote:
> > Bernard Peek <(E-Mail Removed)> wrote:
> > > In message <bmmiqm$7io$(E-Mail Removed)>, Adam Lipscombe
> > > <(E-Mail Removed)> writes
> > >
> > > >I am thinking of getting a secondhand 3Com ISDN LAN modem - this is an ISDN
> > > >T/A with 4 ethernet
> > > >ports. It has NAT etc to hide the LAN machine IP addresses.
> > > >
> > > >Do I need a firewall as well or can I get good protection from configuring
> > > >the TA? What are the security issues to consider?
> > >
> > > I haven't used that particular model but I have used an equivalent
> > > broadband router. NAT will protect you against attacks originating
> > > outside your network. It doesn't offer any protection against trojans
> > > and gullible users so you still need personal firewalls on each machine
> > > in the network.
> > >
> > I don't really see how a firewall protects against "trojans and
> > gullible users"
>
> If they foolishly run something that they shouldn't, the firewall will
> prevent the trojan from accessing the network. Likewise with worms that
> use their own SMTP engine.

If SMTP is blocked how do you send mail?

--
Chris Green ((E-Mail Removed))

#6

In message <bmo93h$p7dk3$(E-Mail Removed)>, (E-Mail Removed) writes

>Bernard Peek <(E-Mail Removed)> wrote:
>> In message <bmmiqm$7io$(E-Mail Removed)>, Adam Lipscombe
>> <(E-Mail Removed)> writes
>>
>> >I am thinking of getting a secondhand 3Com ISDN LAN modem - this is an ISDN
>> >T/A with 4 ethernet
>> >ports. It has NAT etc to hide the LAN machine IP addresses.
>> >
>> >Do I need a firewall as well or can I get good protection from configuring
>> >the TA? What are the security issues to consider?
>>
>> I haven't used that particular model but I have used an equivalent
>> broadband router. NAT will protect you against attacks originating
>> outside your network. It doesn't offer any protection against trojans
>> and gullible users so you still need personal firewalls on each machine
>> in the network.
>>
>I don't really see how a firewall protects against "trojans and
>gullible users", surely for that you need an anti-virus program such
>as McAffee (how do you spell that?).

No. You need one of those as well. A personal firewall doesn't stop you installing a trojan but it does intercept outbound connections from trojans that have been installed. An antivirus program might allow you to install a program like Gator but a good personal firewall would intercept outbound connections from Gator.

If a new virus gets loose it will only propagate if it can defeat all of the current antivirus programs. So you can be reasonably certain that any major virus epidemic will defeat your current antivirus program because only viruses that can do that will cause epidemics. A personal firewall could stop you from spreading the infection any further.

>
>FWIW I have a home network connected by an Elsa LANCOM ISDN router
>with NAT etc., I don't run any other sort of firewall and haven't had
>any problems in the several years that I have been running the system.

Your system probably is clean, but without further checks it is impossible to be sure. I suspect most viruses and trojans are on machines that their owners believe to be clean.

--
Bernard Peek
London, UK. DBA, Manager, Trainer & Author. Will work for money.

#7

In message <bmouj8$poenm$(E-Mail Removed)>, (E-Mail Removed) writes

>> If they foolishly run something that they shouldn't, the firewall will
>> prevent the trojan from accessing the network. Likewise with worms that
>> use their own SMTP engine.
>
>If SMTP is blocked how do you send mail?

The firewall identifies the program that is trying to establish an SMTP connection. You decide in advance which programs are permitted to make outbound SMTP connections. The trojan won't be on the list and so hopefully won't be able to spread beyond the infected machine.

--
Bernard Peek
London, UK. DBA, Manager, Trainer & Author. Will work for money.

#8

Bernard Peek <(E-Mail Removed)> wrote:

> In message <bmouj8$poenm$(E-Mail Removed)>,
> (E-Mail Removed) writes
>
>
> >> If they foolishly run something that they shouldn't, the firewall will
> >> prevent the trojan from accessing the network. Likewise with worms that
> >> use their own SMTP engine.
> >
> >If SMTP is blocked how do you send mail?
>
> The firewall identifies the program that is trying to establish an SMTP
> connection. You decide in advance which programs are permitted to make
> outbound SMTP connections. The trojan won't be on the list and so
> hopefully won't be able to spread beyond the infected machine.
>

Huh! That *really* doesn't make sense unless you're suggesting some sort of PGP signing process for the program. Any fool trojan can pretend it's any old mail program.

--
Chris Green ((E-Mail Removed))

#9

In message <bn05kj$q16r9$(E-Mail Removed)>, (E-Mail Removed) writes

>Bernard Peek <(E-Mail Removed)> wrote:
>> In message <bmouj8$poenm$(E-Mail Removed)>,
>> (E-Mail Removed) writes
>>
>>
>> >> If they foolishly run something that they shouldn't, the firewall will
>> >> prevent the trojan from accessing the network. Likewise with worms that
>> >> use their own SMTP engine.
>> >
>> >If SMTP is blocked how do you send mail?
>>
>> The firewall identifies the program that is trying to establish an SMTP
>> connection. You decide in advance which programs are permitted to make
>> outbound SMTP connections. The trojan won't be on the list and so
>> hopefully won't be able to spread beyond the infected machine.
>>
>Huh! That *really* doesn't make sense unless you're suggesting some
>sort of PGP signing process for the program. Any fool trojan can
>pretend it's any old mail program.

At the very least it would need the trojan to overwrite an existing program file that was already authorised to make an outgoing connection. Some firewall programs take a checksum when you first authorise the program. So a trojan would need to have the same file name and the same checksum too. It's possible, but unlikely.

--
Bernard Peek
London, UK. DBA, Manager, Trainer & Author. Will work for money.
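
The per-program authorisation with a checksum described in posts #7 and #9, sketched as an added example (not part of the thread and not any firewall product's code). It models a filter running on the same machine as the programs; `OutboundPolicy`, the file names and the use of SHA-256 as the checksum are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
SMTP_PORT = 25


def file_digest(path):
    """SHA-256 of the program file as it is on disk right now."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class OutboundPolicy:
    """Hypothetical per-program outbound rule table for a host-based filter."""
    def __init__(self):
        self._rules = {}  # (resolved path, port) -> digest taken at authorisation

    def authorise(self, program, port):
        path = Path(program).resolve()
        self._rules[(path, port)] = file_digest(path)

    def check(self, program, port):
        """Return (verdict, reason) for one outbound connection attempt."""
        path = Path(program).resolve()
        recorded = self._rules.get((path, port))
        if recorded is None:
            return "deny", "program not authorised for this port"
        if file_digest(path) != recorded:
            return "deny", "program file changed since authorisation"
        return "allow", "path and checksum match"


def demo():
    """Constructed scenario: listed client, unlisted program, then an overwrite."""
    with tempfile.TemporaryDirectory() as d:
        mailer = Path(d) / "mailclient.exe"
        dropped = Path(d) / "dropped.exe"
        mailer.write_bytes(b"constructed mail client bytes")
        dropped.write_bytes(b"constructed unknown program bytes")
        policy = OutboundPolicy()
        policy.authorise(mailer, SMTP_PORT)
        results = [policy.check(mailer, SMTP_PORT), policy.check(dropped, SMTP_PORT)]
        # Same file name, different contents: the overwrite case from the thread.
        mailer.write_bytes(b"constructed replacement bytes")
        results.append(policy.check(mailer, SMTP_PORT))
        return results


if __name__ == "__main__":
    print(demo())
```
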
#10

Bernard Peek <(E-Mail Removed)> wrote:

> In message <bn05kj$q16r9$(E-Mail Removed)>,
> (E-Mail Removed) writes
> >Bernard Peek <(E-Mail Removed)> wrote:
> >> In message <bmouj8$poenm$(E-Mail Removed)>,
> >> (E-Mail Removed) writes
> >>
> >>
> >> >> If they foolishly run something that they shouldn't, the firewall will
> >> >> prevent the trojan from accessing the network. Likewise with worms that
> >> >> use their own SMTP engine.
> >> >
> >> >If SMTP is blocked how do you send mail?
> >>
> >> The firewall identifies the program that is trying to establish an SMTP
> >> connection. You decide in advance which programs are permitted to make
> >> outbound SMTP connections. The trojan won't be on the list and so
> >> hopefully won't be able to spread beyond the infected machine.
> >>
> >Huh! That *really* doesn't make sense unless you're suggesting some
> >sort of PGP signing process for the program. Any fool trojan can
> >pretend it's any old mail program.
>
> At the very least it would need the trojan to overwrite an existing
> program file that was already authorised to make an outgoing connection.
> Some firewall programs take a checksum when you first authorise the
> program. So a trojan would need to have the same file name and the same
> checksum too. It's possible, but unlikely.
>

How can a *firewall* checksum a program? All it has to work with is IP packets, in most cases a firewall will be on a different piece of hardware from where the mail program is running.

--
Chris Green ((E-Mail Removed))