advice wanted on structuring LAN + internet

Larry Schmid larry@penguinnetworking.com
Wed, 27 Dec 2000 08:44:52 -0700


On Wednesday 27 December 2000 06:17, you wrote:
> Hi David,
>
> "David P. Schwartz" wrote:
> > Usually, static IPs come in a block of 8. ....
>
> Hmmm...
>
> If you get a block of eight, the first is your subnet number, and the
> last is your broadcast address, leaving six for use.  I wonder why
> you only get five to use?


Don't forget the gateway.



> <rant>
> And there has never been a security exploit in any OS, right?  There
> has never been a vulnerability in Cicso IOS, either (boaahahaha).  How
> do you update a ROM when some cracker finds an exploit to the D-Link
> OS and all the script-kiddies come knocking.  Surely D-Link has
> thought of this, so what do you do?  Buy new ROMs, or a new router?
> Maybe it's flash ROM and you can update it from their website, which
> brings me back to vulnerabilities - ever hear of the Chernobyl
> (W95.CIH) virus or the Millennium Internet Worm?
>
> No thanks - I'll stay with something I control and I can update.
> </rant>
>
> George

What?  IOS had a bug?  :^) 

I gotta agree.  While one might make the case that a pnp firewall/hub 
'solution' is better than nothing for Joe Six-Pack and his shiny new cable 
modem, the only way to go for any serious firewalling is to have a box that 
you understand and control.  (Even PIX -- and I hated PIX.)  You can put 
together a decent firewall system for not much more than a D-Link.

With a dedicated firewall box you can run other services for your internal 
network like dhcp and dns, as long as you write appropriate port-blocking 
rules for the external interface.  Keep in mind, though, that every service 
you run is a potential risk.  The best firewall has no available services, 
even dhcp.

OTOH, if this is a business hookup and one of those drop-in firewall thingies 
is mandated by the boss, be sure to check out the competition.  3Com and 
others make similar products.  I don't know about anyone else, but when 
someone says 'D-Link', 'security' does not immediately come to mind.  :^)

Larry
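The "block of eight, but only five to use" question in the quoted exchange comes down to three reserved addresses: the subnet (network) address, the broadcast address, and the ISP's gateway. The following is an added example, not code from anyone in this thread, that works the arithmetic with Python's standard `ipaddress` module. The block `203.0.113.8/29` is a constructed documentation-range value, and placing the gateway on the first usable host is an assumed convention (ISPs vary); the second function generalizes the same reasoning to "how big a block do I need for N of my own hosts".

```python
import ipaddress

RESERVED = 3  # network, broadcast, and the ISP gateway


def address_plan(block: str, gateway_offset: int = 1) -> dict:
    """Split a static block into the addresses the thread argues about.

    block: CIDR such as '203.0.113.8/29' (constructed RFC 5737 example).
    gateway_offset: 1-based position among the usable hosts that the ISP
    keeps for its router; the first usable host is assumed here.
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen > 30:
        # /31 and /32 have no separate network/broadcast; out of scope
        raise ValueError("block too small to carry a gateway")
    hosts = list(net.hosts())  # already excludes network and broadcast
    if not 1 <= gateway_offset <= len(hosts):
        raise ValueError("gateway offset outside the usable host range")
    gateway = hosts[gateway_offset - 1]
    return {
        "total": net.num_addresses,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "gateway": str(gateway),
        # what is actually left for the customer's own machines
        "usable": [str(h) for h in hosts if h != gateway],
    }


def smallest_block_for(hosts_needed: int) -> int:
    """Return the longest prefix length whose block still leaves
    hosts_needed addresses after the three reserved ones."""
    if hosts_needed < 1:
        raise ValueError("need at least one host")
    for prefix in range(30, -1, -1):  # /30 is the smallest with a gateway
        if 2 ** (32 - prefix) - RESERVED >= hosts_needed:
            return prefix
    raise ValueError("no IPv4 block is large enough")


if __name__ == "__main__":
    plan = address_plan("203.0.113.8/29")
    print(f"block of {plan['total']}:")
    print(f"  network   {plan['network']}")
    print(f"  gateway   {plan['gateway']}")
    print(f"  broadcast {plan['broadcast']}")
    print(f"  usable    {', '.join(plan['usable'])}  ({len(plan['usable'])})")
    for n in (5, 6, 13):
        print(f"{n} hosts -> /{smallest_block_for(n)}")
```

Running it shows the /29 yields exactly five customer addresses (.10 through .14), and that asking for six pushes you to a /28; a firewall box with its own external address counts against that five as well.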