What firewall/security network configurations do techies tend to have?

I'm interested in examples. Of course, it depends on what they are doing with it, but that'd be part of the example.

This was originally asked in a discussion within an offshoot of a recent thread, but the one response from the person I asked suggested that a new thread be made for it!

Describe the situations that you want a solution for.

Well, an example would be a techie with a network, running a few open servers, and 1 or a few of his computers not running open servers.

A solution might be that WatchGuard firewall appliance you speak of, with the same IP on each physical port, that transfers between physical ports based on TCP port, and can have a NAT router connected to a port. That could then provide a physical port for a (real) DMZ, another for the untrusted network (the internet), and another for the LAN.

You said that was a solution for the ignorant masses though. So I wondered what other examples (uses/solutions) you had in mind that you wouldn't categorise as being 'for the ignorant masses'.

I'm sure you could think of more technical situations & solutions?


Provide the situation you are facing issues with.

I am not facing issues with a situation. My question is as I posted it.

I asked it to Leythos in a previous thread, after reading his advice there. He asked for an example to demonstrate the question, and I gave one, and then he suggested I make a new thread of it, and I did. It was addressed to him though he thought others would have contributions too. I needn't link to the previous thread, it might defeat the purpose of starting a new one!

And the point is that you kept going in circles in another thread.

So, your NEED, for a "techie" is:

"a techie with a network, running a few open servers, and 1 or a few of his computers not running open servers."

What server apps on which servers?

We need to know how many HTTP services are on which servers - this will determine if he needs more than 1 IP, since a single IP/HTTP can only be routed to 1 IP on the LAN/DMZ.

Need more details, that's what I said before. Give a list of servers (as in boxes) and what services are running on them, and list Public or Private for a start.


BOX 1: FTP Public
BOX 1: HTTP Public
BOX 1: SSL Public

BOX 2: Public Game Server (Ports TCP 1234, 1235, 1236)
BOX 2: SMTP PUBLIC/LAN
BOX 2: SSL PUBLIC/LAN
BOX 2: POP3 PUBLIC/LAN

BOX 3: Personal Computer 1
BOX 4: Personal Computer 2

Give us something like this.

As you can see, with two different boxes needing SSL, that means we need at least 2 public IPs, so the devil is in the details.

Like that is fine. Could add a VNC server on boxes 1-4. It would be mostly 'private', but any of them may be occasionally accessed by a particular computer outside of the local network. Similarly with an FTP server, but for boxes 3 and 4.

I don't know what you would call that, but for now I'll call it semi-private, i.e. private but one remote IP allowed from time to time. And, as you said, about the HTTP, let's have another public web server on another box.

Could have 3 more computers that run only private servers, just a private VNC server (UltraVNC) for viewing and file transfer.

So:

BOX 1: FTP Public
BOX 1: HTTP Public
BOX 1: SSL Public
BOX 1: VNC Semi-Private

BOX 2: Public Game Server (Ports TCP 1234, 1235, 1236)
BOX 2: SMTP PUBLIC/LAN
BOX 2: SSL PUBLIC/LAN
BOX 2: POP3 PUBLIC/LAN
BOX 2: FTP Server Semi-Private
BOX 2: VNC Server Semi-Private
BOX 2: HTTP PUBLIC

BOX 3: Personal Computer 1
BOX 3: VNC Server Semi-Private
BOX 3: FTP Server Semi-Private

BOX 4: Personal Computer 2
BOX 4: VNC Server Semi-Private
BOX 4: FTP Server Semi-Private

BOX 5, 6, 7: 'Personal computers', running private VNC

Based on all the FTP with public access, that means you're going to have to have at least 4 public IP addresses for routing or other, so that counts out almost all of the cheap SOHO units.

The DFL-700 would work in this case, as would any real firewall that supports LAN/DMZ networks in a true separate network.

As this is not a "techie" network, at least none of the low level techies I know can afford 4+ IPs in most cases, and since none of the home user service providers (or at least most) allow FTP, HTTP or SMTP servers on their network, this would be a business solution or a solution for someone that builds networks.

So, on the very cheapest side, a business class internet solution, let's say 6 usable IPs, and your personal boxes are in the LAN and the others are in the DMZ.

The SEMI-PRIVATE items make them NOT SEMI-PRIVATE, so the two PCs will be in the LAN and not have FTP or VNC exposed except to firewall-authenticated users. Box 1 and 2 will be public and their services will be exposed to the PUBLIC.


NAT to map public IP to proper private IP....

You can do the rest I'm sure...
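The IP-count reasoning in the posts above (two boxes on SSL need two public IPs, FTP on four boxes needs four, and keeping the semi-private services behind the firewall drops the count again), as an added worked example that is not part of the thread. The inventory mirrors the box list posted earlier but is constructed, as are the 203.0.113.x addresses; the greedy allocation is my own, not any vendor's.

```python
from collections import defaultdict

# Constructed inventory modelled on the thread's box list (added example, not the thread's own data).
# Tuples are (box, port, exposure): "public" = open to the internet, "semi" = semi-private
# (only from an allowed remote address), "private" = LAN only.
INVENTORY = [
    ("box1", 21, "public"), ("box1", 80, "public"), ("box1", 443, "public"), ("box1", 5900, "semi"),
    ("box2", 1234, "public"), ("box2", 1235, "public"), ("box2", 1236, "public"),
    ("box2", 25, "public"), ("box2", 443, "public"), ("box2", 110, "public"), ("box2", 80, "public"),
    ("box2", 21, "semi"), ("box2", 5900, "semi"),
    ("box3", 5900, "semi"), ("box3", 21, "semi"), ("box4", 5900, "semi"), ("box4", 21, "semi"),
    ("box5", 5900, "private"), ("box6", 5900, "private"), ("box7", 5900, "private"),
]

def exposed(inventory, semi_is_public=False):
    """Ports each box must have reachable from the internet, i.e. ports the firewall must forward."""
    allowed = {"public", "semi"} if semi_is_public else {"public"}
    ports = defaultdict(set)
    for box, port, exposure in inventory:
        if exposure in allowed:
            ports[box].add(port)
    return ports

def min_public_ips(inventory, semi_is_public=False):
    """A public IP:port pair can be forwarded to only one internal host, so the minimum
    number of public IPs is the largest number of boxes that expose the same port."""
    per_port = defaultdict(set)
    for box, ports in exposed(inventory, semi_is_public).items():
        for port in ports:
            per_port[port].add(box)
    return max((len(boxes) for boxes in per_port.values()), default=0)

def assign_nat(inventory, public_ips, semi_is_public=False):
    """Greedy DNAT plan: put each box's ports on the first public IP where none collide.
    Returns {(public_ip, port): box}; raises ValueError if the pool is too small."""
    plan = {}
    for box, ports in sorted(exposed(inventory, semi_is_public).items()):
        for ip in public_ips:
            if all((ip, port) not in plan for port in ports):
                plan.update({(ip, port): box for port in ports})
                break
        else:
            raise ValueError(f"no public IP has all of {sorted(ports)} free for {box}")
    return plan

def zones(inventory, semi_is_public=False):
    """Boxes with an internet-exposed port belong in the DMZ; everything else stays in the LAN."""
    dmz = set(exposed(inventory, semi_is_public))
    lan = {box for box, _, _ in inventory} - dmz
    return sorted(dmz), sorted(lan)
```

With the semi-private services treated as public the count is 4 (port 21 and 5900 each appear on four boxes); with them kept LAN-side behind authenticated access it is 2, driven by HTTP and SSL on boxes 1 and 2.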

FTP would run on different ports. I wasn't planning on many IPs for that.

You said the WatchGuard firewall was a solution for the ignorant masses. How is this DFL-700 not?

That's weird, I've never had a problem running an HTTP server if I wanted to, and others I've shown how to do that haven't had a problem either. It isn't blocked by their ISP.

Anyhow, let's assume that the ISP doesn't block every server you suggested we use on this network. Maybe I'm misunderstanding you.

This looks like the WatchGuard appliance, with LAN and DMZ. But you called that a solution for the ignorant masses. So, I was wondering what you considered a solution not for the "ignorant masses".

Out of interest, is it pointless to have that WatchGuard appliance you spoke of with NAT turned off, and NAT routers connected to each port?

Since, as you suggest here, you may as well turn NAT on and port redirect to computers on whichever subnet.

You didn't specify that.

They are both solutions for the ignorant masses, but we're not talking about the Ignorant masses here - stop diverting from the subject.

And many ISPs, most, have a TOS that does not permit users to run servers - that, and that's the crux of the issue for that.

No, you understand to the level of your experience, but your scope is limited.

You are playing games again and I'm not going to play along.

This thread, as you posted, is not about the Ignorant Masses and you're taking things out of context - you are really starting to look like you are trolling.

No, if you have enough public IPs you can use the WG (or any firewall that supports it) in a mode where all devices work off public IPs. It's up to you, but that's not what you asked and not the solution that one would offer based on what you asked.

Again, THIS solution was presented based on what you asked and said you wanted. One solution does not fit all scenarios, please be more specific if you want a different answer.

Well, what I wanted was for you to give an example of a set up - a scenario - that wasn't what you consider as being 'for the ignorant masses'. I'm sorry if that wasn't clear.

I don't mind what specifics you use, as long as the outcome is not something you'd consider as being 'for the ignorant masses'. I hope that's clearer.

And the above is not for the ignorant masses - what part do you have trouble understanding?

Maybe you should ask the real question you want instead of playing the game.

I did ask the real question and never changed it. I'll explain the context so you can understand that this is a question and not a game. In the previous thread, 2 setups were discussed, one involving a NAT router, and the other that firewall appliance we have spoken about. You said that both were for the ignorant masses.

So I ask[ed] you. Can you give an example - in this thread you use the term scenario, so I've used that term. Can you give a scenario, a set up, that isn't what you deem to be "for the ignorant masses"?

You appear to have answered that, by saying, I think, that this example is not for the ignorant masses.

I was aware of the solution of the firewall appliance since you mentioned it in the previous thread. But in that thread, you said it was for the ignorant masses. That's why I asked you what set up you deem as not being for the ignorant masses.

Here was the exchange

In the previous thread, there was this exchange

"Leythos: Since most techie people already have a firewall appliance or a NAT appliance, they already have the solution for the ignorant masses, they know what they can do with a NAT router, they know that they can, in most cases, block outbound traffic, etc...

jameshanley39: So now a firewall appliance is for the ignorant masses. I was of the impression that maybe, when you wrote of a watchguard firewall appliance, you had a higher view of it. What is your option above that?"

Leythos: Are you going to play games like this?

Do know full well what I've been talking about this entire thread, it was not and is not directed at the tech/security types, and no one reading the subject would think it was about upper level information.


So, that thread left me with the impression that you figured the Firewall appliance was what you deem to be 'for the ignorant masses'.

Clearly I misunderstood you.

The firewall appliance is for tech/security types. Not for the ignorant masses.

I don't understand why you wrote as you did in the previous thread, but anyhow.

You speak of 2 appliances.

A NAT router alone, for the ignorant masses. A firewall appliance, for tech/security types.

And you can't seem to grasp the difference between a NAT Router and a Firewall that may or may not use NAT.

No use you telling me that, do you expect me to argue against that, e.g. writing a long explanation and let you be the teacher and mark me on it? This is not the issue. But we can make it a subissue if you want.

You certainly deem some solutions to be for the ignorant masses. I just want to know which.

It seems from this thread that you deem NAT Routers to be for the ignorant masses. And firewall appliances to be for technical / not for the ignorant masses.

I can't get consistency with the quoted discussion from the previous thread. But anyhow.

Is that distinction accurate?

Or do you further distinguish between firewall appliances with NAT, and firewall appliances without NAT?

BTW: In case it isn't clear, I can read. I do see that a firewall appliance without NAT needn't have what you suggested in the previous thread - one IP on each port. It could have different registered IPs on each port, or even a subnet or block of them on a port.

Again, you still can't grasp simple concepts.

NAT routers are the minimum level of protection that I would suggest any person use, the minimum. They work for the ignorant masses because they don't require anything from the ISP or the User, and they don't really break anything that the Ignorant masses typically make use of.

For the ignorant masses I would suggest that all ISPs enable NAT on their ISP-provided modem/router device and only disable it if the customer is smart enough to know the difference.

You keep going around in circles and I'm not going to play that game, it's that simple.

You've made a good attempt to go round in a circle by avoiding the question and repeating what you already said. But you failed.

By your own accidental choice of words this time round, you've changed or revealed your position a bit more.

Instead of saying it's a solution for the ignorant masses, you now say it works for the ignorant masses.

That's a different statement. The implications are different.

Dude, you are completely off your rocker. You can have the last post, I'm done with your trolling ass.

Well, fortunately for you, I will reply to this; otherwise, I wouldn't have the last post, and you would be even more inconsistent.

I'll take this opportunity to point out to you, that the purpose of this thread, from start to finish, was to understand what you meant. That was 'the question'. Fortunately, in your attempt to search for some 'real question', you answered the original question you were trying to avoid.

And so this has been resolved. Whether you realise it or not.

And in the future, if you use the phrase 'for the ignorant masses', we will be better informed as to what you do and do not mean.

I don't think anyone except you misunderstands the phrase "Ignorant Masses" when it comes to security - it's like the phrase Sheep when it comes to politics or protection of the country - which, again, is security.

