jgreaves asked:

Advice
We have around 16 PCs in our office each with external IP addresses so we can play web games and goof off after hours.  What I'd like is some advice on the best way to protect these machines from attack but still keep their functionality.  I'm looking for at least a firewall but preferably an in-line filter.  Also looking for a cost effective solution with ease of use.
chris_calabrese:

There's an old saying.  Fast, cheap, good.  Pick two.  In security it's secure, (end-user) easy to use, inexpensive (with tradeoffs between dollars and time).

PC personal firewalls (Norton, ISS/Network ICE) are ok on the security side and ease of use, inexpensive in dollars, but have to be maintained on all the PCs which takes a lot of time.

Small firewall appliances (Linksys, Netgear) are ok on the security side and ease of use, inexpensive in dollars, but have to be configured which can be a pain.

Larger firewall appliances (Cisco PIX, SonicWall, Intrusion.com, Netscreen) are excellent on security and ease of use, easier to configure than the smaller firewalls, but expensive in dollars.
jgreaves (asker):

We tried the SOHO WatchGuard and it will only filter if you have internal IP addresses.  And for a while we used Proxy with filtering but once again all the machines had to have internal IPs.  I would like to be able to have external IPs on our subnet but filter from one centralized place all packets going in and out.  What is a good way to do this?  Can we do it with Linux? Or is hardware recommended?
You could do this with Linux or *BSD, but the configs would be painful.  Another possibility in this medium-rent district is to run Firewall Feature Set on any existing Cisco routers.

If you have the money, you should check out the Intrusion.com, Cisco PIX, and Netscreen boxes (actually, the low end here is not really that much more $$ than a new nicely configured PC to run Linux or *BSD).
Will those allow me to keep our external IPs and still filter dynamically on them?
We had problems with the SOHO box because it wants all the PCs to have internal IPs 192.168.0.x to do any filtering.
If these can do external filtering that would be an acceptable solution.  Also which would you recommend and which are you using or have used?

Thanks for the insight
If I already have a multi-homed box (our old proxy server) is there a software solution you'd recommend or do you still think hardware is the way to go?
If you want to get into the grubby details, you might consider the native Linux or *BSD stuff.  If you have a bit of cash you can consider CheckPoint for Linux.  It'll be a lot easier if you go with one of the boxes I listed though.
Yes, they would all allow you not to do NAT.

I actually haven't used any of these solutions to protect any of my own (or my employer's) networks.  But I've investigated them all to a reasonably large degree.

My personal recommendation would probably be the Netscreen, but your mileage may vary.
jgreaves, a Netscreen 5 Elite is super simple to set up.. You can use mapped IPs for all the workstations.. Or install it in "transparent mode".. This means you drop it in place between your router & hub.. Stations keep their existing IPs & you filter with policies on the Netscreen..
p.s creating policies is simply a question of clicking on pre-defined services & adding them. (All web UI based, from inside of course).. It will also allow you to access your computers with 3des Ipsec from "outside"..
Putting a Linux firewall in front of these machines would not require that much work. For Linux there is a free package called ipchains that works very well. You would have to come up with any old Pentium machine with at least 32M RAM and 500M HD (1G recommended), and that's all that costs money. (The rest just costs some time...)

ipchains can be configured any way you'd like it. I would recommend allowing anything to go out, and accept input on allowed ports only. I use a configuration like that, and I'm very satisfied.

There are very good Linux/ipchains HOWTOs at http://www.linuxdoc.org
I'll generally agree with that.  But instead of ipchains (2.0 kernel), you should use iptables (2.4 kernel, and much more flexible).
Will it work with our external IPs on the machines?
What I'm looking at so far wants to have internal IPs on the machines.
Yes, it will work with your external IPs.
I highly recommend that you install a firewall; a good firewall for a small group will cost you from 1500 to 5000 depending on added features. You will still be able to get the same access as you add protection to your network.

Visit www.needguide.com technology security section.
Umm, how is this "answer" somehow different than everyone else's advice?
Chris,

You are a Unix expert who wants to stay with a Unix solution; there are lots of firewall solutions that run out of the box.

Emil.
I think if you examine my postings in this thread you'll see that I suggested a stand-alone firewall early in the game, but jgreaves indicated his strong desire to reuse existing hardware and spend as little money as possible, thus leading to the recommendation of iptables.

Not to mention that most of the firewall appliances run BSD under the hood anyway :-O
I think you said that already ;-)
Chris,

What do you do on a regular basis, are you a UNIX consultant or technical writer? I have a proposition to discuss with you regarding UNIX/LINUX; maybe you have some documentation and would like to share this information. Please send it to me so I can post this to www.needguide.com in the UNIX/LINUX section. If you have a website to recommend let me know.

Cheers,
Emil.
So far I'm looking into some of the hardware solutions that chris suggested and the Linux HOWTO from obg, but thanks for the answer.  I'm installing Red Hat to see how easy it will be and how well ipchains seems to work, and I have quotes coming from a couple of hardware vendors, so please bear with me.

And thanks for all the help so far.

emil_needguide,

I'm mostly a security guy, but with a very strong Unix background (I'm actually #1 in the EE Unix forum).
E-mail me at chris_calabrese@yahoo.com
jgreaves, just so you know... Installing Red Hat is technically a software solution & not a hardware solution. A hardware solution is a "real firewall", not an OS configured to act "like a firewall".
-I'm not specifically saying I disagree with the choice, it's obviously the cheapest solution available, but understand that it is limited compared to a firewall box. Not too hard to take down btw.
Most of the hardware solutions I'm looking at are running a streamlined Linux OS and running CheckPoint or some other firewall software.
Have you tried Netscreen Firewall/VPN products... this is one of the three best brands in the firewall industry right now.

The other two are Cisco Pix and CyberGuard.
Housenet, how would you "take down" a Linux/ipchains firewall?
Well let's see... There are SYN attacks, ICMP floods, UDP floods, ping of death, land attacks, packet denials, sweep attacks, teardrop attacks. Send me an IP & I'll show you.
-Good hardware firewalls detect & prevent such attacks...
-obg, you asked so I told you. I don't want to make a big deal out of this. It is unlikely that someone would want to maliciously attack jgreaves' network, so the UNIX box will probably be fine.
Ok. Last I heard was that Linux and ipchains have become immune to most of those attacks. It would be nice to see how (and if) it resists your attacks, but I want to be on site when it happens. If you don't mind experimenting a little, please send me a mail at o.borg@telia.com. Please tell me your time zone as well. I live in Sweden (GMT+2).
OK, let me keep pounding this one.  IPTABLES, not ipchains.  iptables is the new version that's in the 2.4 kernel.  If you're going with Linux, this is what you want to use.  Another good choice would be OpenBSD with IPfilter.
Ok, we hear you. Do you mind describing in more details what is the advantage of iptables (vs ipchains)? Is it configured in the same way? - Is it faster, more stable, more advanced...?
iptables is stateful rather than being a simple packet filter.  So you can properly handle things like FTP.
Does anyone have any info that points to the HOWTO for iptables? It's relatively new with very little info about setup.

Thanks.

I got pricing for the CISCO PIX 506
How do you guys feel about this firewall?
The PIX is a very nice product line.  Unless you really can't afford it, using it is going to be a lot easier than setting up iptables (assuming non-trivial rules, desire for logging, etc.).  But I'd be surprised if the PIX 506 is less expensive than the low end Netscreen or Intrusion.com boxes, which are also very nice.

Meanwhile, check out
http://www.boingworld.com/workshops/linux/iptables-tutorial/
and
http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO.html
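The two Linux suggestions in this thread, obg's policy of letting everything out and accepting only specific ports in, and chris's point that iptables tracks connection state, can be combined into one ruleset for a box that forwards the office's public addresses unchanged (no NAT). The script below is an added example, not code from any poster or from the HOWTOs linked above. It emits rules in iptables-restore format; the interface names, the 203.0.113.0/28 block (a documentation range standing in for the office's real subnet) and the list of inbound services are placeholders. Running it without APPLY=1 only prints the ruleset, so it can be reviewed before it touches anything.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): generate an iptables
# ruleset, in iptables-restore format, for a Linux box in front of office
# PCs that keep their public IPs. No NAT: the FORWARD chain is stateful,
# anything from inside may go out, and only the listed services are
# reachable from outside. Interface names and the TEST-NET-3 block are
# placeholders; adjust them to the real network.
INSIDE_IF="${INSIDE_IF:-eth1}"
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
INSIDE_NET="${INSIDE_NET:-203.0.113.0/28}"
# Services the outside world may open to inside hosts, as proto:port pairs
INBOUND_ALLOW="${INBOUND_ALLOW:-tcp:80}"

gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# rate-limited log, then drop
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
# the firewall itself: loopback, replies to its own traffic, SSH from inside only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INSIDE_IF -s $INSIDE_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOGDROP
# traffic crossing the box between the office and the Internet
-A FORWARD -m state --state INVALID -j LOGDROP
# anti-spoofing: our own addresses never arrive on the outside interface
-A FORWARD -i $OUTSIDE_IF -s $INSIDE_NET -j LOGDROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything from inside may go out (obg's policy)
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -s $INSIDE_NET -m state --state NEW -j ACCEPT
EOF
  # new connections from outside only to the explicitly allowed services
  for svc in $INBOUND_ALLOW; do
    echo "-A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $INSIDE_NET -p ${svc%%:*} --dport ${svc##*:} -m state --state NEW -j ACCEPT"
  done
  cat <<EOF
-A FORWARD -j LOGDROP
COMMIT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  sysctl -w net.ipv4.ip_forward=1
  gen_ruleset | iptables-restore
else
  gen_ruleset
fi
```

Because FORWARD defaults to DROP and the ESTABLISHED,RELATED rule comes after the spoofing check, a packet that claims an inside source on the outside interface is logged and dropped before connection tracking gets a say; the RELATED state is what lets active FTP data connections through without opening a port range.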
Thanks for your help so far chris
I posted a 100 points for you for your help so far so I could leave this open because the input has been great.
It's under this section title "points for chris_calabrese".

Thanks again

Jim
try www.tinysw.com and download their tiny personal firewall.

it's good, it's rule-based, bi-directional (i.e., it can block both outgoing and incoming connections) and best of all.....IT'S FREE!

oh yeah, and it's endorsed by the US Air Force.

I use it, it will do all you want it to do, plus it will open your eyes to what your computer is doing without your knowledge while you are on the net.

another good one is Zonealarm www.zonelabs.com

Hope this helps
hey, two options
1> use Linux with IPCHAINS and map all your PCs for the NAT and block the unnecessary access to your network by putting in some specific rules.

2> if you have a router which connects your office network to the Internet, just use NAT on your server and then configure ONE to ONE NAT which will map your real IPs to your internal IPs, and put some basic access lists in to prevent unauthorized access to your internal LAN.
ASKER CERTIFIED SOLUTION

themole:
I had a similar problem and this is how I solved it:

Using Red Hat with IPTables (not chains) and the Shorewall utility, I was able to set up a fairly decent firewall that allowed real IP addresses on the inside.  I think any Linux distro would do, but Shorewall had an rpm, so I used Red Hat.  Their website is:

http://www.shorewall.net

You basically fill in your information and the Shorewall scripts set up the firewall for you.  It's great for linux/firewall newbies (like myself), but seems to allow a more experienced person to still get under the hood and make some tweaks.  I used proxyarp to allow the internal (real IPs) and the gateway (real IP) to think they were on the same network, even though internal firewall NIC had a 192.168.x.x address.  Not very elegant, as I had to manually type in each IP, but it worked on a small network.

Hope this helps,

M
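The proxy ARP arrangement themole describes (firewall inside NIC on a 192.168.x.x address, office PCs keeping their real IPs and still seeing the ISP router as their gateway) can be set up by hand with sysctl and iproute2; Shorewall's proxyarp file automates the same steps. The script below is an added example, not themole's configuration or Shorewall's code, and it loops over a host list instead of typing each address in by hand. The interface names, the router address and the three PC addresses from 203.0.113.0/28 are placeholders. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not themole's or Shorewall's code): the manual equivalent of
# a Shorewall proxy ARP setup. The firewall's inside NIC carries a private
# address; the office PCs keep their public IPs and point their default
# gateway at the ISP router. With proxy_arp on both NICs the firewall answers
# ARP for the PCs on the outside and for the router on the inside, and a
# per-host route delivers each PC's traffic on the inside NIC.
# Interface names and the TEST-NET-3 addresses below are placeholders.
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"
INSIDE_IF="${INSIDE_IF:-eth1}"
INSIDE_HOSTS="${INSIDE_HOSTS:-203.0.113.5 203.0.113.6 203.0.113.7}"

gen_proxyarp_cmds() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$OUTSIDE_IF.proxy_arp=1
sysctl -w net.ipv4.conf.$INSIDE_IF.proxy_arp=1
EOF
  for h in $INSIDE_HOSTS; do
    # host route: the firewall reaches this public IP on the inside NIC
    echo "ip route add $h/32 dev $INSIDE_IF"
    # unsolicited ARP so the router and neighbours learn the IP now answers
    # at the firewall's outside MAC (iputils arping -U announces the address)
    echo "arping -U -I $OUTSIDE_IF -c 3 $h"
  done
}

if [ "${APPLY:-0}" = 1 ]; then
  gen_proxyarp_cmds | sh -e
else
  gen_proxyarp_cmds
fi
```

The per-host routes are what make this scale badly, as themole notes: every PC needs one, and a PC that is not listed is simply unreachable from outside. Linux only proxies ARP for an address whose route leaves by a different interface than the one the request arrived on, so the firewall will not answer for one inside PC on behalf of another.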