Well, an example would be a techie with a network, running a few open servers, and 1 or a few of his computers not running open servers.
A solution might be that WatchGuard firewall appliance you speak of, with the same IP on each physical port, transfers between physical ports based on TCP port, and can have a NAT router connected to a port. That could then provide a physical port for a (real) DMZ, another for the untrusted network (the internet), and another for the LAN.
You said that was a solution for the ignorant masses though. So I wondered what other examples (uses/solutions) you had in mind, that you wouldn't categorise as being 'for the ignorant masses'.
I'm sure you could think of more technical situations & solutions?
I am not facing issues with a situation. My question is as I posted it.
I asked it to Leythos in a previous thread, after reading his advice there. He asked for an example to demonstrate the question, and I gave one, and then he suggested I make a new thread of it, and I did. It was addressed to him though he thought others would have contributions too. I needn't link to the previous thread, it might defeat the purpose of starting a new one!
Like that is fine. Could add a VNC server on boxes 1-4. It would be mostly 'private' but any of them may be occasionally accessed by a particular computer outside of the local network. Similarly with an FTP server, but for boxes 3 and 4.
I don't know what you would call that but for now I'll call it semi-private, i.e. private but one remote IP allowed from time to time. And, as you said, about the HTTP, let's have another public web server on another box.
Could have 3 more comps that run only private servers, just a private VNC server, Ultra VNC, for viewing and file transfer.
So:

BOX 1: FTP Public
BOX 1: HTTP Public
BOX 1: SSL Public
BOX 1: VNC Semi-Private

BOX 2: Public Game Server (Ports TCP 1234, 1235, 1236)
BOX 2: SMTP PUBLIC/LAN
BOX 2: SSL PUBLIC/LAN
BOX 2: POP3 PUBLIC/LAN
BOX 2: FTP Server Semi-Private
BOX 2: VNC Server Semi-Private
BOX 2: HTTP PUBLIC

BOX 3: Personal Computer 1
BOX 3: VNC Server Semi-Private
BOX 3: FTP Server Semi-Private

BOX 4: Personal Computer 2
BOX 4: VNC Server Semi-Private
BOX 4: FTP Server Semi-Private
Based on all the FTP with public access, that means you're going to have to have at least 4 Public IP addresses for routing or other, so that counts out almost all of the cheap SOHO units.
The DFL-700 would work in this case, as would any real firewall that supports LAN/DMZ networks in a true separate network.
As this is not a "techie" network (at least none of the low-level techies I know can afford 4+ IPs in most cases), and since none of the home user service providers (or at least most of them) allow FTP, HTTP or SMTP servers on their network, this would be a Business Solution or a solution for someone that builds networks.
So, on the very cheapest side, a business class internet solution, let's say 6 usable IPs, and your Personal boxes are in the LAN and the others are in the DMZ.
The SEMI-Private items make them NOT SEMI-PRIVATE, so the two PCs will be in the LAN and not have FTP or VNC exposed except to firewall-authenticated users. Box 1 and 2 will be public and their services will be exposed to the PUBLIC.
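A worked sketch of the placement described in the post above (personal PCs in the LAN, boxes 1 and 2 in the DMZ with their services public, the PCs' FTP/VNC reachable only from the LAN or by firewall-authenticated users), written as an added Python example; it is not code from the thread, from Leythos, or from any firewall vendor. The addresses are constructed (RFC 5737 and RFC 1918 ranges), the `authenticated` flag stands in for whatever login the firewall itself performs, and the rule that blocks new connections from the DMZ into the LAN is an assumption about what a "true separate" DMZ network means in practice.

```python
"""Zone policy model for the LAN/DMZ layout from the post above.

Added example, not code from the thread or any firewall product. Hosts and
services follow the box list earlier in the thread; addresses are constructed
(RFC 5737 / RFC 1918). The DMZ-to-LAN block is an assumption about what a
"true separate" DMZ means.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone addressing: a small public block for the DMZ hosts and a
# private block for the LAN. Anything not in these is treated as the internet.
ZONES = {
    "dmz": ip_network("203.0.113.0/29"),
    "lan": ip_network("192.168.1.0/24"),
}

PUBLIC = "public"        # reachable from any zone
SEMI_PRIVATE = "semi"    # LAN, or a remote peer the firewall has authenticated


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    exposure: str


@dataclass(frozen=True)
class Host:
    name: str
    addr: str
    services: tuple


# Box 1 and 2 sit in the DMZ with everything public, as the answer puts it;
# box 3 and 4 (the personal PCs) stay in the LAN with FTP/VNC semi-private.
# The game server's three ports (1234-1236) are collapsed to one entry.
HOSTS = (
    Host("box1", "203.0.113.2", (
        Service("ftp", 21, PUBLIC), Service("http", 80, PUBLIC),
        Service("ssl", 443, PUBLIC), Service("vnc", 5900, PUBLIC))),
    Host("box2", "203.0.113.3", (
        Service("game", 1234, PUBLIC), Service("smtp", 25, PUBLIC),
        Service("pop3", 110, PUBLIC), Service("http", 80, PUBLIC),
        Service("ftp", 21, PUBLIC), Service("vnc", 5900, PUBLIC))),
    Host("box3", "192.168.1.10", (
        Service("vnc", 5900, SEMI_PRIVATE), Service("ftp", 21, SEMI_PRIVATE))),
    Host("box4", "192.168.1.11", (
        Service("vnc", 5900, SEMI_PRIVATE), Service("ftp", 21, SEMI_PRIVATE))),
)


def zone_of(addr):
    """Map an address to 'dmz', 'lan' or 'internet' (the default)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def lookup(dst, port):
    """Return (host, service) listening on dst:port, or None if nothing does."""
    for host in HOSTS:
        if host.addr == dst:
            for svc in host.services:
                if svc.port == port:
                    return host, svc
    return None


def allowed(src, dst, port, authenticated=False):
    """Decide whether a new TCP connection src -> dst:port should pass.

    authenticated=True means the firewall has already authenticated the
    remote user (a VPN or firewall login); the model does not check
    credentials itself.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # A true DMZ is one-way: a compromised DMZ host gets no path into the LAN.
    if src_zone == "dmz" and dst_zone == "lan":
        return False
    hit = lookup(dst, port)
    if hit is None:
        return False                    # default deny: nothing is listening
    _, svc = hit
    if svc.exposure == PUBLIC:
        return True
    if svc.exposure == SEMI_PRIVATE:
        return src_zone == "lan" or authenticated
    return False


def reachable_from(src, authenticated=False):
    """Audit helper: every (host, service) pair a given source can open."""
    return sorted(
        (h.name, s.name)
        for h in HOSTS for s in h.services
        if allowed(src, h.addr, s.port, authenticated)
    )


if __name__ == "__main__":
    for who, auth in (("198.51.100.7", False), ("198.51.100.7", True),
                      ("192.168.1.50", False), ("203.0.113.2", True)):
        print(who, "auth" if auth else "anon", reachable_from(who, auth))
```

The `reachable_from` audit is the part worth keeping around: running it for an unauthenticated internet source should list only the DMZ services, and running it for a DMZ address should never list a LAN host, which is the property that makes moving the two PCs into the LAN worthwhile in the first place.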
They are both solutions for the ignorant masses, but we're not talking about the Ignorant masses here - stop diverting from the subject.
And many ISPs, most, have a TOS that does not permit users to run servers - and that's the crux of the issue.
No, you understand to the level of your experience, but your scope is limited.
You are playing games again and I'm not going to play along.
This thread, as you posted, is not about the Ignorant Masses and you're taking things out of context - you are really starting to look like you are trolling.
No, if you have enough public IPs you can use the WG (any firewall that supports it) in a mode that all devices work off public IPs, it's up to you, but that's not what you asked and not the solution that one would offer based on what you asked.
Again, THIS solution was presented based on what you asked and said you wanted. One solution does not fit all scenarios, please be more specific if you want a different answer.
I did ask the real question and never changed it. I'll explain the context so you can understand that this is a question and not a game. In the previous thread, 2 setups were discussed, one involving a NAT router, and the other that firewall appliance we have spoken about. You said that both were for the ignorant masses.
So I ask[ed] you. Can you give an example - in this thread you use the term scenario so I've used that term. Can you give a scenario, a set up, that isn't what you deem to be "for the ignorant masses"?
You appear to have answered that, by saying, I think, that this example is not for the ignorant masses.
I was aware of the solution of the firewall appliance since you mentioned it in the previous thread. But in that thread, you said it was for the ignorant masses. That's why I asked you what set up you deem as not being for the ignorant masses.
Here was the exchange
In the previous thread, there was this exchange:
"Leythos: Since most techie people already have a firewall appliance or a NAT appliance, they already have the solution for the ignorant masses, they know what they can do with a NAT router, they know that they can, in most cases, block outbound traffic, etc...
jameshanley39: So now a firewall appliance is for the ignorant masses. I was of the impression that maybe, when you wrote of a WatchGuard firewall appliance, you had a higher view of it. What is your option above that?
Leythos: Are you going to play games like this?
Do know full well what I've been talking about this entire thread, it was not and is not directed at the tech/security types, and no one reading the subject would think it was about upper level information."
So, that thread left me with the impression that you figured the Firewall appliance was what you deem to be 'for the ignorant masses'.
Clearly I misunderstood you.
The firewall appliance is for tech/security types. Not for the ignorant masses.
I don't understand why you wrote as you did in the previous thread, but anyhow.
You speak of 2 appliances.
A NAT router alone, for the ignorant masses. A firewall appliance for tech/security types.
No use you telling me that; do you expect me to argue against it, e.g. writing a long explanation and letting you be the teacher and mark me on it? This is not the issue. But we can make it a sub-issue if you want.
You certainly deem some solutions to be for the ignorant masses. I just want to know which.
It seems from this thread that you deem NAT Routers to be for the ignorant masses. And firewall appliances to be for technical / not for the ignorant masses.
I can't get consistency with the quoted discussion from the previous thread. But anyhow.
Is that distinction accurate?
Or do you further distinguish between firewall appliances with NAT, and firewall appliances without NAT?
BTW: In case it isn't clear, I can read. I do see that a firewall appliance without NAT needn't have what you suggested in the previous thread - one IP on each port. It could have different registered IPs on each port, or even a subnet or block of them on a port.
NAT routers are the minimum level of protection that I would suggest any person use, the minimum. They work for the ignorant masses because they don't require anything from the ISP or the User, and they don't really break anything that the Ignorant masses typically make use of.
For the Ignorant masses I would suggest that all ISPs enable NAT on their ISP-provided modem/router device and only disable it if the customer is smart enough to know the difference.
You keep going around in circles and I'm not going to play that game, it's that simple.
Well, fortunately for you, I will reply to this; otherwise, I wouldn't have the last post, and you would be even more inconsistent.
I'll take this opportunity to point out to you, that the purpose of this thread, from start to finish, was to understand what you meant. That was 'the question'. Fortunately, in your attempt to search for some 'real question', you answered the original question you were trying to avoid.
And so this has been resolved. Whether you realise it or not.
And in the future, if you use the phrase 'for the ignorant masses', we will be better informed as to what you do and do not mean.
I don't think anyone except you misunderstands the phrase "Ignorant Masses" when it comes to security - it's like the phrase Sheep when it comes to politics or protection of the country - which, again, is security.