 
 From:  "Bob Young" <bob at lavamail dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] LAN/WISP block or WAN block ?
 Date:  Mon, 31 Jul 2006 19:58:10 -0400
Hi Chris, krk, Andrew and everybody:
 
Thank you for your help and time.
 
I hope I'm responding properly here.  I'm just learning how to respond to
the list's responses.  It's so great that you all are here helping us
Monowall newbies out.  I'm sure happy I learned about Monowall.
 
To get to what you mentioned about network security, I'll try to explain why
I picked trying to block just certain data:
 
I'm going to use my Monowall in a WISP operation, whereby I won't know what
types of data and applications my WISP customers will be using.  
 
I figure I could take one of two different approaches:
1.  DENY MODE, whereby I allow only what I know is safe and deny all else (I
would use a "kill" rule at the end that blocks everything not permitted in a
previous rule).
2.  ALLOW MODE, whereby I will allow everything unless it is explicitly
denied.
 
In my WISP operation, if I blocked everything and allowed data I know to be
safe to pass, I still might be blocking valid data from my WISP customers,
since I probably will never know all the different valid applications they
will be running.  And I could get my WISP customers mad at me.  That's why I
was worried about blocking everything and allowing just some types of data
to pass.
 
So I decided to use the ALLOW MODE, and just block the data I know is
bad... but I probably won't get it all.  I will also require my customers to
use Zone Alarm on their computers, as an extra firewall measure.  Also I'll
tell my customers they can't run any P2P applications... although I don't know
how that will go over.  Plus I guess I'll have to get an MRTG program and
collect stats to see if any one customer is overloading my network.  I don't
want any power users... just average users.
 
And, in the Traffic Shaper, I'll put certain types of data at the top, like
VoIP, ACK, DNS.  And regular browsing will be a little below the VoIP.  And
P2P and what's left over will be put right at the bottom of the queue... although
I still have to learn how to set up my Traffic Shaper... I'm going to get to
that this week.
 
From what I have explained, does the allow mode seem ok for my WISP
operation?
 
Thank you all for your help,
 
 
Bob Young
 
--------------------------------------
 
On 7/31/06, C. Andrew Zook <andrewzook at pdqlocks dot com> wrote:
> If you are worried about the security of your network, it would be a lot
> safer to just block everything and allow only the ports that you need
> rather than try to figure out what bad ports to block.
> 
 
Yes.  Doing otherwise violates both #1 and (to a lesser extent) #2 of
The Six Dumbest Ideas in Computer Security.  I'll let Marcus explain.
http://ranum.com/security/computer_security/editorials/dumb/index.html
 
-Chris
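An added example, not code from this thread or from m0n0wall itself, that models the two policies discussed above (Bob's "deny mode" with a trailing kill rule versus "allow mode", and Andrew's and Chris's point about default-deny) as a first-match rule list. The Rule class, the port lists and the sample flows, including the unknown port 31337 standing in for an application nobody anticipated, are constructed for illustration.

```python
# Added example (not from the m0n0wall thread): a first-match rule evaluator
# that contrasts "deny mode" (explicit allows, then a final kill rule) with
# "allow mode" (explicit blocks, everything else passes). The rule sets and
# the sample traffic below are constructed, not taken from any real ruleset.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.dport in (None, dport)


def evaluate(rules: List[Rule], proto: str, dport: int, default: str = "pass") -> str:
    """First matching rule wins, as in a top-down firewall rule list.
    `default` applies only when no rule matches at all."""
    for rule in rules:
        if rule.matches(proto, dport):
            return rule.action
    return default


# Deny mode: allow only services known to be needed, then kill the rest.
DENY_MODE = [
    Rule("pass", "udp", 53),      # DNS
    Rule("pass", "tcp", 80),      # HTTP
    Rule("pass", "tcp", 443),     # HTTPS
    Rule("pass", "udp", 5060),    # SIP signalling for VoIP
    Rule("block", "any", None),   # the trailing "kill" rule
]

# Allow mode: block what is known to be bad, everything else passes.
ALLOW_MODE = [
    Rule("block", "tcp", 445),    # SMB
    Rule("block", "tcp", 6881),   # a commonly used BitTorrent port
    Rule("pass", "any", None),
]

# Constructed sample flows; tcp/31337 represents an application nobody listed.
TRAFFIC = [("udp", 53), ("tcp", 443), ("tcp", 445), ("tcp", 6881), ("tcp", 31337)]


def compare(traffic=TRAFFIC) -> dict:
    """Return {(proto, port): (deny_mode_verdict, allow_mode_verdict)}."""
    return {flow: (evaluate(DENY_MODE, *flow), evaluate(ALLOW_MODE, *flow))
            for flow in traffic}


if __name__ == "__main__":
    for flow, (deny, allow) in compare().items():
        print(f"{flow[0]}/{flow[1]:<5} deny-mode={deny:5}  allow-mode={allow}")
```

The unknown port is the interesting row: deny mode blocks it and the customer complains, allow mode passes it and the operator never knows, which is exactly the trade-off the thread is weighing.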