Solved

Advice

Posted on 2001-06-27
314 Views
Last Modified: 2013-11-16
We have around 16 PCs in our office, each with external IP addresses so we can play web games and goof off after hours.  What I'd like is some advice on the best way to protect these machines from attack but still keep their functionality.  I'm looking for at least a firewall but preferably an in-line filter.  Also looking for a cost-effective solution with ease of use.
Question by:jgreaves

43 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6232783
There's an old saying.  Fast, cheap, good.  Pick two.  In security it's secure, (end-user) easy to use, inexpensive (with tradeoffs between dollars and time).

PC personal firewalls (Norton, ISS/Network ICE) are ok on the security side and ease of use, inexpensive in dollars, but have to be maintained on all the PC's which takes a lot of time.

Small firewall appliances (Linksys, Netgear) are ok on the security side and ease of use, inexpensive in dollars, but have to be configured which can be a pain.

Larger firewall appliances (Cisco PIX, SonicWall, Intrusion.com, Netscreen) are excellent on security and ease of  use, easier to configure than the smaller firewalls, but expensive in dollars.
0
 

Author Comment

by:jgreaves
ID: 6232834
We tried the SOHO WatchGuard and it will only filter if you have internal IP addresses.  And for a while we used Proxy with filtering, but once again all the machines had to have internal IPs.  I would like to be able to have external IPs on our subnet but filter, from one centralized place, all packets going in and out.  What is a good way to do this?  Can we do it with Linux? Or is hardware recommended?
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6232899
You could do this with Linux or *BSD, but the configs would be painful.  Another possibility in this medium-rent district is to run Firewall Feature Set on any existing Cisco routers.

If you have the money, you should check out the Intrusion.com, Cisco PIX, and Netscreen boxes (actually, the low end here is not really that much more $$ than a new nicely configured PC to run Linux or *BSD).
0
 

Author Comment

by:jgreaves
ID: 6232973
Will those allow me to keep our external IPs and still filter dynamically on them?
We had problems with the SOHO box because it wants all the PCs to have internal IPs 192.168.0.x to do any filtering.
If these can do external filtering that would be an acceptable solution.  Also, which would you recommend, and which are you using or have used?

Thanks for the insight
0
 

Author Comment

by:jgreaves
ID: 6232982
If I already have a multi-homed box (our old proxy server), is there a software solution you'd recommend, or do you still think hardware is the way to go?
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6233028
If you want to get into the grubby details, you might consider the native Linux or *BSD stuff.  If you have a bit of cash you can consider CheckPoint for Linux.  It'll be a lot easier if you go with one of the boxes I listed though.
0
 

LVL 14

Expert Comment

by:chris_calabrese
ID: 6233081
Yes, they would all allow you not to do NAT.

I actually haven't used any of these solutions to protect any of my own (or my employer's) networks.  But I've investigated them all to a reasonably large degree.

My personal recommendation would probably be the Netscreen, but your mileage may vary.
0
 

LVL 12

Expert Comment

by:Housenet
ID: 6233321
jgreaves, a Netscreen 5 Elite is super simple to set up.. You can use mapped IPs for all the workstations.. Or install it in "transparent mode".. This means you drop it in place between your router & hub.. Stations keep their existing IPs & you filter with policies on the Netscreen..
p.s. creating policies is simply a question of clicking on pre-defined services & adding them. (All web UI based, from inside of course).. It will also allow you to access your computers with 3DES IPsec from "outside"..
0
 
LVL 2

Expert Comment

by:obg
ID: 6234342
Putting a Linux firewall in front of these machines would not require that much work. For Linux there is a free package called ipchains that works very well. You would have to come up with any old Pentium machine with at least 32M RAM and 500M HD (1G recommended), and that's all that costs money. (The rest just costs some time...)

ipchains can be configured any way you'd like it. I would recommend allowing anything to go out, and accept input on allowed ports only. I use a configuration like that, and I'm very satisfied.

There are very good Linux/ipchains HOWTOs at http://www.linuxdoc.org
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6235013
I'll generally agree with that.  But instead of ipchains (2.0 kernel), you should use iptables (2.4 kernel, and much more flexible).
0
 

Author Comment

by:jgreaves
ID: 6235538
Will it work with our external IPs on the machines?
What I'm looking at so far wants to have internal IPs on the machines.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6235551
Yes, it will work with your external IP's.
0
 

Expert Comment

by:emil_needguide
ID: 6235655
I highly recommend that you install a firewall; a good firewall for a small group will cost you from 1500 to 5000 depending on added features. You'll still be able to get the same access as you add protection to your network.

Visit www.needguide.com technology security section.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6235663
Umm, how is this "answer" somehow different from everyone else's advice?
0
 

Expert Comment

by:emil_needguide
ID: 6235693
Chris,

You are a Unix expert who wants to stay with a Unix solution; there are lots of firewall solutions that run out of the box.

Emil.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6235784
I think if you examine my postings in this thread you'll see that I suggested a stand-alone firewall early in the game, but jgreaves indicated his strong desire to reuse existing hardware and spend as little money as possible, thus leading to the recommendation of iptables.

Not to mention that most of the firewall appliances run BSD under the hood anyway :-O
0
 

LVL 14

Expert Comment

by:chris_calabrese
ID: 6235808
I think you said that already ;-)
0
 

Expert Comment

by:emil_needguide
ID: 6235809
OK.

0
 

Expert Comment

by:emil_needguide
ID: 6235844
Chris,

What do you do on a regular basis, are you a UNIX consultant or technical writer? I have a proposition to discuss with you regarding UNIX/LINUX. Maybe you have some documentation and would like to share this information; please send it to me so I can post it to www.needguide.com in the UNIX/LINUX section. If you have a website to recommend, let me know.

Cheers,
Emil.
0
 

Author Comment

by:jgreaves
ID: 6235846
So far I'm looking into some of the hardware solutions that chris suggested and the Linux HOWTO from obg, but thanks for the answer.  I'm installing Red Hat to see how easy it will be and how well ipchains seems to work, and I have quotes coming from a couple of hardware vendors, so please bear with me.

And thanks for all the help so far.

0
 

LVL 14

Expert Comment

by:chris_calabrese
ID: 6235922
emil_needguide,

I'm mostly a security guy, but with a very strong Unix background (I'm actually #1 in the EE Unix forum).
E-mail me at chris_calabrese@yahoo.com
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6236275
jgreaves, just so you know... Installing Red Hat is technically a software solution & not a hardware solution. A hardware solution is a "real firewall", not an OS configured to act "like a firewall".
-I'm not specifically saying I disagree with the choice, it's obviously the cheapest solution available, but understand that it is limited compared to a firewall box. Not too hard to take down b.t.w.
0
 

Author Comment

by:jgreaves
ID: 6236405
Most of the hardware solutions I'm looking at are running a streamlined Linux OS and running Checkpoint or some other firewall software.
0
 

Expert Comment

by:emil_needguide
ID: 6236420
Have you tried Netscreen Firewall/VPN products... this is one of the three best brand in Firewall industry right now.

The other two are Cisco Pix and CyberGuard.
0
 
LVL 2

Expert Comment

by:obg
ID: 6237198
Housenet, how would you "take down" a Linux/ipchains firewall?
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6237795
Well let's see... There are SYN attacks, ICMP floods, UDP floods, ping of death, land attacks, packet denials, sweep attacks, teardrop attacks. Send me an IP & I'll show you.
-Good hardware firewalls detect & prevent such attacks...
-obg, you asked so I told you. I don't want to make a big deal out of this. It is unlikely that someone would want to maliciously attack jgreaves' network, so the UNIX box will probably be fine.
0
 
LVL 2

Expert Comment

by:obg
ID: 6237817
Ok. Last I heard was that Linux and ipchains have become immune to most of those attacks. It would be nice to see how (and if) it resists your attacks, but I want to be on site when it happens. If you don't mind experimenting a little, please send me a mail at o.borg@telia.com. Please tell me your time zone as well. I live in Sweden (GMT+2).
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6237866
OK, let me keep pounding this one.  IPTABLES, not ipchains.  iptables is the new version that's in the 2.4 kernel.  If you're going with Linux, this is what you want to use.  Another good choice would be OpenBSD with IPfilter.
0
 
LVL 2

Expert Comment

by:obg
ID: 6237879
Ok, we hear you. Do you mind describing in more details what is the advantage of iptables (vs ipchains)? Is it configured in the same way? - Is it faster, more stable, more advanced...?
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6237961
iptables is stateful rather than being a simple packet filter.  So you can properly handle things like FTP.
0
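Chris's distinction above (stateful tracking versus a plain packet filter, and why FTP is the classic test case), worked through as an added example that is not part of the thread: two toy filters in Python, one judging every packet on its own header the way an ipchains rule set must, the other tracking connections the way iptables' conntrack and its ip_conntrack_ftp helper do. The addresses (RFC 5737 TEST-NET ranges), ports, the published-service list and the PORT command are all constructed for the demonstration.

```python
"""Toy packet filters: stateless (ipchains-style) vs stateful (iptables/conntrack-style)
for a network whose PCs keep their public addresses.  Added example, not code from
the thread.  All addresses and ports below are constructed (RFC 5737 TEST-NET)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True only on the first segment of a TCP connection
    payload: str = ""      # inspected only by the FTP helper


INSIDE = {"203.0.113.10", "203.0.113.11"}   # constructed: our public-addressed PCs
INBOUND_OK = {22, 80}                         # services we publish on purpose


def stateless_allow(p: Pkt) -> bool:
    """ipchains-style: each packet judged alone, so return traffic and active FTP
    need blanket exceptions that an attacker can satisfy just as easily."""
    if p.src in INSIDE:
        return True            # anything out
    if p.dport in INBOUND_OK:
        return True            # published services
    if not p.syn:
        return True            # 'ipchains ! -y': replies to connections we opened
    if p.sport == 20:
        return True            # the classic active-FTP hole
    return False


class StatefulFilter:
    """iptables-style: remembers connections; inbound is NEW-to-a-published-port,
    ESTABLISHED, or RELATED (expected by an application helper)."""

    def __init__(self):
        self.conns = set()      # (src, sport, dst, dport) of connections we let open
        self.expected = set()   # RELATED connections the FTP helper told us to expect

    def _known(self, p: Pkt) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.conns or rev in self.conns

    def _ftp_helper(self, p: Pkt) -> None:
        # mimic ip_conntrack_ftp: watch PORT commands on control connections to port 21
        if p.dport != 21 or not p.payload.startswith("PORT "):
            return
        fields = p.payload[5:].strip().split(",")
        if len(fields) != 6:
            return
        host = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        if host != p.src:      # PORT naming a third party is an FTP bounce; ignore it
            return
        self.expected.add((p.dst, 20, host, port))   # server will connect back from :20

    def allow(self, p: Pkt) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if self._known(p):                  # ESTABLISHED
            self._ftp_helper(p)
            return True
        if key in self.expected:            # RELATED
            self.expected.discard(key)
            self.conns.add(key)
            return True
        if not p.syn:
            return False                    # stray segment with no tracked connection
        if p.src in INSIDE or p.dport in INBOUND_OK:   # NEW, permitted by policy
            self.conns.add(key)
            self._ftp_helper(p)
            return True
        return False


def demo():
    """Returns {case: (stateless verdict, stateful verdict)} for four constructed flows."""
    fw = StatefulFilter()
    results = {}
    # 1. an inside PC browses out; the reply comes back without SYN
    out = Pkt("203.0.113.10", 40001, "198.51.100.5", 80, syn=True)
    back = Pkt("198.51.100.5", 80, "203.0.113.10", 40001)
    results["reply"] = (stateless_allow(out) and stateless_allow(back),
                        fw.allow(out) and fw.allow(back))
    # 2. an outsider ACK-scans a PC: no SYN, no connection behind it
    scan = Pkt("192.0.2.66", 31337, "203.0.113.10", 139)
    results["ack_scan"] = (stateless_allow(scan), fw.allow(scan))
    # 3. active FTP: control out, PORT command, data connection back from port 20
    ctl = Pkt("203.0.113.11", 40002, "198.51.100.21", 21, syn=True)
    portcmd = Pkt("203.0.113.11", 40002, "198.51.100.21", 21,
                  payload="PORT 203,0,113,11,156,75\r\n")
    data = Pkt("198.51.100.21", 20, "203.0.113.11", 156 * 256 + 75, syn=True)
    results["ftp_data"] = (all(stateless_allow(p) for p in (ctl, portcmd, data)),
                           all(fw.allow(p) for p in (ctl, portcmd, data)))
    # 4. an attacker sets source port 20 and opens a connection to X11 on a PC
    fake = Pkt("192.0.2.66", 20, "203.0.113.11", 6000, syn=True)
    results["sport20"] = (stateless_allow(fake), fw.allow(fake))
    return results


if __name__ == "__main__":
    for case, (stateless, stateful) in demo().items():
        print(f"{case:9s} stateless={stateless!s:5s} stateful={stateful}")
```

The two blanket exceptions the stateless filter needs (accept any non-SYN segment, accept anything from source port 20) are exactly what ACK scans and the source-port-20 trick exploit, and both sail through in cases 2 and 4 while the stateful filter drops them; in iptables terms the two sets in StatefulFilter are what `-m state --state ESTABLISHED,RELATED` matches, and the PORT parsing is what the ip_conntrack_ftp module contributes. Only active-mode FTP is modelled here; passive mode runs the other way (client to a high port announced in the server's 227 reply), and the real helper tracks both.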
 

Author Comment

by:jgreaves
ID: 6238724
Does anyone have any info that points to the howto for iptables its relatively new with very little info about set up.

Thanks.

I got pricing for the CISCO PIX 506
How do you guys feel about this firewall?
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6239016
The PIX is a very nice product line.  Unless you really can't afford it, using it is going to be a lot easier than setting up iptables (assuming non-trivial rules, desire for logging, etc.).  But I'd be surprised if the PIX 506 is less expensive than the low-end Netscreen or Intrusion.com boxes, which are also very nice.

Meanwhile, check out
http://www.boingworld.com/workshops/linux/iptables-tutorial/
and
http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO.html
0
 

Author Comment

by:jgreaves
ID: 6239098
Thanks for your help so far chris
I posted 100 points for you for your help so far, so I could leave this open because the input has been great.
It's under this section, titled "points for chris_calabrese".

Thanks again

Jim
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6239106
Thanks.
0
 
LVL 1

Expert Comment

by:batkung
ID: 6293128
try www.tinysw.com and download their tiny personal firewall.

it's good, it's rule-based, bi-directional (ie, it can block both outgoing and incoming connections) and best of all.....IT'S FREE!

oh yeah, and it's endorsed by the US Air Force.

I use it, it will do all you want it to do, plus it will open your eyes to what your computer is doing without your knowledge whilst you are on the net.

another good one is Zonealarm www.zonelabs.com

Hope this helps
0
 
LVL 2

Expert Comment

by:ritupatel112699
ID: 6645634
Hey, two options:
1> Use Linux with IPCHAINS and map all your PCs for NAT, and block unnecessary access to your network by putting in some specific rules.

2> If you have a router which connects your office network to the Internet, just use NAT on your server and then configure one-to-one NAT, which will map your real IPs to your internal IPs, and put in some basic access lists to prevent unauthorized access to your internal LAN.
0
 

Accepted Solution

by:
themole earned 200 total points
ID: 6653139
I had a similar problem and this is how I solved it:

Using RedHat with IPTables (not chains) and the Shorewall utility, I was able to set up a fairly decent firewall that allowed real IP addresses on the inside.  I think any linux distro would do, but Shorewall had an rpm, so I used REdHat.  Their website is:

http://www.shorewall.net

You basically fill in your information and the Shorewall scripts set up the firewall for you.  It's great for linux/firewall newbies (like myself), but seems to allow a more experienced person to still get under the hood and make some tweaks.  I used proxyarp to allow the internal (real IPs) and the gateway (real IP) to think they were on the same network, even though the internal firewall NIC had a 192.168.x.x address.  Not very elegant, as I had to manually type in each IP, but it worked on a small network.

Hope this helps,

M
0
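The proxy-ARP topology in the accepted solution, expressed as the plain-Linux commands Shorewall generates behind the scenes, as an added example that is neither the thread's nor Shorewall's code. It assumes the office subnet is 203.0.113.0/24 (RFC 5737 TEST-NET) with the upstream router at .1, that the firewall's eth0 holds a spare address in that subnet with its default route via the router, that eth1 carries only a 192.168.x.x address, and a constructed list of which PC publishes which TCP port. The function returns the commands as a list for review; it does not run them.

```python
"""Plain-Linux equivalent of the Shorewall/proxy-ARP setup: a two-NIC box that
forwards (does not NAT) the office's public addresses, answers ARP for them on the
upstream segment, and filters statefully.  Added example, not code from the thread
or from Shorewall; addresses, interface names and the service list are assumptions."""
import ipaddress

UPSTREAM_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed office subnet
GATEWAY = ipaddress.ip_address("203.0.113.1")          # assumed upstream router
EXT_IF, INT_IF = "eth0", "eth1"                         # eth1 carries 192.168.x.x only


def build_config(hosts):
    """hosts maps each inside PC's public IP to the TCP ports it publishes.
    Returns the shell commands, in order, as a list of strings (nothing is executed)."""
    if not hosts:
        raise ValueError("no inside hosts given")
    for ip in hosts:
        addr = ipaddress.ip_address(ip)
        if addr not in UPSTREAM_NET or addr == GATEWAY:
            raise ValueError(f"{ip}: proxy ARP only works for addresses the upstream "
                             f"router already expects to find on {UPSTREAM_NET}")
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        # reverse-path filtering: a packet whose source we would route out the
        # *other* NIC is dropped before any iptables rule sees it
        "sysctl -w net.ipv4.conf.all.rp_filter=1",
        # the PCs still believe the gateway is on their own segment; the firewall
        # answers ARP for it (and the rest of the subnet) on the inside NIC
        f"sysctl -w net.ipv4.conf.{INT_IF}.proxy_arp=1",
        "modprobe ip_conntrack_ftp",        # lets RELATED cover active-FTP data connections
    ]
    for ip in hosts:
        cmds.append(f"ip route add {ip}/32 dev {INT_IF}")      # host route inward
        cmds.append(f"ip neigh add proxy {ip} dev {EXT_IF}")   # publish it outward
    cmds += [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -i {INT_IF} -p tcp --dport 22 -j ACCEPT",   # manage from inside only
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for ip, ports in hosts.items():
        # belt and braces with rp_filter: nothing arriving from the Internet may claim an inside address
        cmds.append(f"iptables -A FORWARD -i {EXT_IF} -s {ip} -j DROP")
        # anything out
        cmds.append(f"iptables -A FORWARD -i {INT_IF} -o {EXT_IF} -s {ip} "
                    f"-m state --state NEW -j ACCEPT")
        # in, only to what this PC publishes
        for port in ports:
            cmds.append(f"iptables -A FORWARD -i {EXT_IF} -o {INT_IF} -d {ip} "
                        f"-p tcp --dport {port} -m state --state NEW -j ACCEPT")
    # everything else is logged, then dropped by the chain policy
    cmds.append('iptables -A FORWARD -j LOG --log-prefix "fw-drop: "')
    return cmds


if __name__ == "__main__":
    # constructed: one PC publishes a web server, the other publishes nothing
    for line in build_config({"203.0.113.10": [80], "203.0.113.11": []}):
        print(line)
```

Two points worth checking on a real box: the PCs keep their /24 netmask and default gateway unchanged, so the firewall's proxy_arp on eth1 is what lets them reach the router at all; and the per-host `ip neigh add proxy` entries on eth0 are the manual step the accepted solution mentions, which is also why a host missing from the list is simply unreachable from outside rather than exposed.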
 
