 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Feature request which would make m0n0wall even better ;)
 Date:  Tue, 27 Jan 2004 11:26:38 -0500
On Tue, Jan 27, 2004 at 09:59:28AM -0600, Brandon Holland wrote:
> How many computers do your parents have that'd warrant the necessity of
> DHCP? (on a firewall or not for that matter)

2 computers in the study, one in the sewing room, one downstairs, one in
the garage apartment, and dad has 3 laptops that get plugged in
occasionally.  More importantly, his primary laptop moves back and forth
between home and work, and is configured for DHCP at both locations.
This makes it painless for him.  I visit with my laptop, which also is
configured for DHCP.  Everywhere I take my laptop, there is DHCP if there
is any type of permitted access.

> You said something about APs?  That's scary.  Case in point: a rogue
> user gets access to your network (by breaking the pathetic WEP key, if
> you even have one set) and is automatically assigned an IP, mask
> and gateway.  That's nice.  I'm sure he appreciates that :)

Yep, one apple airport base station with 128bit WEP, not broadcasting
its SSID, and the signal doesn't leave the house.  Believe me, I've
tried.  It barely reaches downstairs.  An intruder would pretty much have
to be in the house to gain access.  I'm pretty sure someone would notice
that.  *grin*

Additionally, since I'm the only one that ever uses the wireless, my
parents unplug it when I'm not there.  Each time I visit, I have to find
the stinking access point and plug it back in.

> Even a novice can have access to your internet now.

Once they've gotten into the house, that ceases to be a concern to be

> DHCP is a security risk.  You *say* that you *need* it.  I don't think
> you do for a network as small as around 3 (I'm guessing) computers.  I
> seriously do not think it needs to be part of a firewall either.  (I
> don't use it on the firewall) Is DHCP a good thing? Yes if it's needed.
> (I need it, and use it on a separate computer)

Everything is a security risk.  Having a machine plugged in and turned on
is a security risk.  It's not about blanket statements of "this is
insecure and evil" but more about statements of "I can accept this risk
for this benefit".

I know people that leave their key in the ignition of their car and leave
the doors unlocked.  To me, that's an unacceptable risk.  But they've
been doing that for 30+ years and never had a problem.  Do I condone it?
No.  Will I ever change their mind?  Perhaps if I steal their car...
probably not.

> Are there free DHCP programs that could run internally on your network
> and not on the firewall? Yes.

I would hate to see a network dependent on a win98 box.

> My point is, people are willing to sacrifice all for functionality.  If
> you're willing to do that, please, don't download m0n0wall.  You're not
> looking for a firewall.  (I don't care if you're 12 or 90, at home or at
> work, security is still, in my book, important)

I think you missed my point that life is about making the compromise
between ultimate security and ultimate ease of use (benefit, feature,
whatever terms you want to put there).  This isn't a simple case of black
and white.  I don't believe there is any absolute security possible.
Even NORAD could be taken out with a sufficient force.

For a home network, many people simply want something to protect them
from the big bad internet and still let them use it.  m0n0wall out of the
box is great for that right now.

I never spoke of sacrificing all for functionality.  But I am willing,
in some instances, to sacrifice *some* for functionality.  It is just
a matter of balancing the risk against the gain.

It sounds to me as if you feel no sacrifice is worth it, and that is a
valid opinion.  That is what fits for you.  That doesn't work for me,
but that's ok too.  I know my risks, and I am making informed decisions
when I allow those risks.  For my parents, I try to educate them about
the risks and help them make good decisions.  But the fact is, their
network belongs to them, and not me.  If they get compromised because
they didn't follow my advice, then they'll learn from it.

> Brandon

Thanks for your comments,
jim gifford