Re: Home Automation - Firewalls
David Buckley said most of it. NAT is certainly an excellent first line of
protection and largely stops outside agencies getting in. I also use Kerio
or Zone Alarm on every computer to prevent anything that got in via the web
or email from getting out. These aren't really firewalls, in my opinion,
but can prevent access to the world on a program to program basis.

I have a real DMZ, with an ADSL NAT router on the outside, a DMZ hub, and a
Linksys router/switch. On the DMZ, I have a single computer which is
minimally configured and runs a web proxy called Orenosp. This exposes my
real web server and some other things. For example my mail server runs on
the "safe" side of the Linksys and has a webmail feature. Orenosp
proxies this as a secure https web site.

I understand Orenosp has an authentication feature so any internal web
services - i.e. not on the DMZ - can be accessed securely from outside,
provided a pinhole is made through the inner NAT router.

I have used Smoothwall in the past with a cable modem, and it ran fine on a
24K 486/66 - using this as a three legged router would give you a DMZ with
little exposure.

On the subject of multiple IP addresses, I have never seen the need for
more than a single external address. Even a mostly stable dynamic one can
be handled with a DynDns type of solution. I segregate different inbound
web traffic on the hostname or path.

Pete
*********** REPLY SEPARATOR ***********
On 23/03/2004 at 23:14 Mark McCall wrote:
>As broadband nears a reality I'm continuing to look into security for my
>home network. I have done a little reading and this is my (simplistic)
>understanding so far.
>
>1. I need a firewall
>At this stage I plan to buy a router/firewall box
>
>2. Anything "Public facing" should go on the De-militarised Zone (DMZ)
>Whilst I have nothing that needs to be open to the public I will need access
>to some things from the outside like my CCTV server, TiVo, Comfort etc. I'm
>unsure whether those systems need to be on the DMZ or not?
>
>I've read that the DMZ interface should really be a separate interface (in
>the case of a PC acting as a router that would be a 2nd NIC). Does this
>mean that a hardware router/firewall isn't as secure? I've also read the
>term Virtual LANs (VLANs), supported by the Vigors for example, which seems
>to have some security advantages?
>
>I have placed my broadband order with Eclipse and have applied for a batch
>of static IPs which I hope to assign to some of the various boxes mentioned
>above as well as possibly running my own email server. How do I go about
>this?
>
>As you can see I have lots of thoughts going round in my head (some of them
>doubtlessly wrong). I need someone with experience of this to tell me the
>right way to go about all this.
>
>In fact, as this will doubtless be of interest to lots of people now, and in
>the future, I'd like to put all the info on a page for the website.
>
>All help / comments appreciated.
>
>Thanks
>
>M.
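
The hostname/path segregation described in the reply above, sketched as an added example (not part of the original message and not Orenosp's configuration): the routing decision a DMZ proxy makes behind a single external address, with default deny and path normalisation before prefix matching. The hostnames, prefixes and internal addresses are constructed placeholders.

```python
import posixpath
from urllib.parse import unquote

# Constructed routing table: hostnames and internal addresses are hypothetical.
# (external hostname, path prefix, backend behind the inner router)
ROUTES = [
    ("mail.example.net", "/webmail/", "https://192.168.1.10:443"),
    ("www.example.net", "/", "http://192.168.1.20:80"),
    ("www.example.net", "/cctv/", "http://192.168.1.30:8080"),
]


def normalise_host(host_header):
    """Lowercase the Host header, drop any :port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal, never one of the named sites
        return ""
    return host.split(":", 1)[0].rstrip(".")


def normalise_path(raw_path):
    """Decode once and collapse ./ and ../ so a prefix cannot be escaped."""
    path = unquote(raw_path.split("?", 1)[0])
    # Reject relative paths, NULs, backslashes and leftover (double) encoding.
    if not path.startswith("/") or any(c in path for c in "\x00\\%"):
        return None
    clean = "/" + posixpath.normpath(path).lstrip("/")
    # normpath drops the trailing slash; restore it so "/cctv/" still matches.
    if path.endswith("/") and clean != "/":
        clean += "/"
    return clean


def route(host_header, raw_path):
    """Return (backend, path) for the longest matching prefix, or None to deny."""
    host = normalise_host(host_header)
    path = normalise_path(raw_path)
    if not host or path is None:
        return None
    matches = [(prefix, backend) for h, prefix, backend in ROUTES
               if h == host and path.startswith(prefix)]
    if not matches:
        return None  # default deny: unknown host or unexposed path
    _, backend = max(matches, key=lambda m: len(m[0]))
    return backend, path
```

Requests addressed to the bare IP address or to a path outside an exposed prefix get no backend at all, so only the listed services are reachable through the pinhole.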