The Cisco IOS firewalling code works quite well.  If he has the equipment
and an IOS upgrade would be cheap, I would suggest that.  Putting a separate
box in for the firewall when you already have one piece of equipment capable
of doing what you want is just adding needless complexity and one more thing
to manage.

Actually, he might be able to get the new IOS code because of the SNMP
vulnerabilities recently.  Cisco usually offers free upgrades when security
holes are found.  Of course, a firewall isn't going to save you from
vulnerabilities in publicly accessible services (like IIS).  You'll still
have to make sure you patch your servers.

Jay

> -----Original Message-----
> From: Carl Zeilon [mailto:cznews at att.net] 
> Sent: Tuesday, February 26, 2002 10:20 AM
> To: tclug-list at mn-linux.org
> Subject: [TCLUG] Firewall suggestions?
> 
> 
> My father helps run the computer network for a small public library in
> Maine.  They run a W2000 server (donated by MS) that provides about 15
> machines with Internet access, book checkout data, card catalog info,
> etc.  They also host the library's website from this machine.  As you can
> guess, they have been Nimda'd & everything else imaginable to death.  They
> have a T1 line to a Cisco 1605R router (no firewall software installed) to
> a network hub.  I first suggested they insert a Linux box running IPcop,
> because they have lots of old machines they can use.  What do you think the
> best, easiest, cheapest setup would be?  Linux firewall box, purchase
> software for the Cisco, purchase a simple Linksys router w/firewall
> software already in it....    Keep in mind that these are all library
> volunteers with VERY little knowledge in this area (I don't have much
> more).  It's hard to walk them through complex stuff from here.  Thanks
> 
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>