Friday, September 27, 2002

LAN (again)

So I am looking on and on for good boxes to route and firewall the internal LAN with. I find that there's this site where all these cheap boxes reviewed and user-commented, and wondered why anyone would ever want to buy the 350 bucks D-link box if all these cheap 150-or-so-tops webboxes are available. Then I realized that the cheapest ones only did NAT firewalling, and the ones that did actually do stateful inspection barely ever allow you to make rules to check the protocol of the packet before forwarding it to a port on a specific machine. Of the cheap boxes, few seems to compare to the sophistication of inspection on my OpenBSD box, and many have problems with keeping up a reliable DSL connection, according to user comments.

The web is so cool, where would I have found an repository of knowledge like this five years ago?

From there I also found an automated service to do a LAN security check, with a pretty thorough set of tests -- not just a standard portscan. They allow you to run the whole test for free but won't tell you of your highest-risk vulerabilities, just that you have them. They will show you your low- and medium-risk holes. So I thought I was pretty safe, anyway, I would only get low-riskers, and ran the thing.

11 high risk problems. I am in the third percentile of the systems they have tested over the last year. I sprung for the report -- I was curious -- by entering my credit card. They called later to say the card issuer wanted a little more info, like my address. Not surprising since I have the you-are-a-loser secured card, I always get this. I gave it, but also asked him if he knew what time it was where I was. He did not. 12:30 AM. We had already gone to bed. Oops, global web!

All the high risk vulnerabilities seem to be not in my firewall but in the web server Dino set up behind it that I forward to for mail/web/ssh, more specifically mostly in the versions of software that allow buffer- and root-exploits. We would never have known had I not found these tests. It was confused by the LISP webserver though, and thought it was a very, very strange IIS server. I should tell them about it.