lovedelphi
asked on
How to get help to design firewall
I want to design a firewall and I am now collecting documents that talk about how to do this.
Who can tell me where to get them?
Sincerely yours,
lovedelphi
probably the best site for firewall principles and configuration is at http://www.phoneboy.com
ASKER
I have visited http://www.phoneboy.com and found that it has little of what I want. I want to know if there is a site that discusses the theory of firewalls and how to program a firewall.
Thank you,
lovedelphi
ohhh...
Probably the best you're going to do is by digging through the source code for some of the Unix-based firewalls.
Here's a URL that contains a list of various firewall sources:
http://packetstormsecurity.org/UNIX/firewall/
There's a good article here:
http://www.securityportal.com/articles/prereq20010219.html
The rest of his articles are worth reading as well:
http://www.bastille-linux.org/jay/security-articles-jjb.html
For the theory of firewalls, you need to get some genuine paper books. I suggest Cheswick and Bellovin's _Firewalls_and_Internet_Security_ and Chapman and Zwicky's _Building_Internet_Firewalls_.
There are several Web pages that will walk you through (somewhat) configuring a box running a BSD/Linux/Unix variant to act as a firewall.
The FAQS:
http://www.faqs.org/faqs/firewalls-faq/
A Book:
http://www.wiley.com/legacy/compbooks/catalog/35366-3.htm
Some Articles:
http://tha.lmann.ch/projects/BBISEC/Setting_up_a_secured_OpenBSD_Box.html
http://members.theglobe.com/pattonme/firewall_guide.html
http://www.cpio.org/obsd_firewall.html
http://www.acme.com/firewall.html
http://vintners.net/~mikel/howto/firewall.html
http://www.onlamp.com/pub/a/bsd/2000/07/05/OpenBSD.html
http://www.openlysecure.org/content/html/ch9-27.html
Some Free Firewalls (floppy):
Linux Floppy Firewall - http://www.zelow.no/floppyfw/
NetBSD Floppy Firewall - http://www.dubbele.com/
Some Free Firewalls (Partition):
Smoothwall - http://www.smoothwall.org/
http://www.sentryfirewall.com/
I personally like these two articles:
http://members.theglobe.com/pattonme/firewall_guide.html
http://www.cpio.org/obsd_firewall.html
Even though some call OpenBSD the "lazy system administrator's OS", one can't argue with the fact: "OpenBSD - Four years without a remote hole in the default install!"
Plus, a floppy firewall (read-only) with the hard disk used as log storage is pretty secure.
Hope This Helps
ne0
ASKER
Thank you for your advice. I now just want to design a firewall on Windows 2000, and I want resources about this field.
Yours,
lovedelphi
In the Win* world, you're pretty much stuck with the more expensive commercial firewalls. Check out PGP.com's (nee NAI's) Gauntlet and Symantec's Raptor.
But be aware that you could get a much better system for less money, either by using the same hardware to run Linux or OpenBSD and free firewall code, or by using a firewall appliance like Netscreen, Cisco PIX, or Intrusion.com's CheckPoint-based appliance.
I assume you mean a hardware-based firewall rather than a software-based one.
chris_calabrese is right on the money...
I wouldn't want to run a software firewall in the environment you stated. That would essentially still be allowing everyone to reach your server, which is not good considering the vulnerabilities of the OS in question. Not to mention that Win OSes leave different fingerprints than Nix OSes. So if a vulnerability came out about the software firewall, then you would still be in trouble.
Also, don't forget the memory usage of software-based firewalls. Gauntlet I believe is TSR (unsure though). Nonetheless, that would be one more program in memory using the same system resources as the other applications on that server... Example: IIS/Firewall on the same box.... SQL/Firewall.... eeeiiisshh
You would get a better product if you went with a BSD/Nix firewall or an appliance. At least then, if someone is poking around in your system, they will only get to your firewall, not your firewall/application server.
Hope This Helps
ne0
It sounds like you want a software-based firewall rather than a hardware-based one.
Sorry about those, looks like EE had a little downtime and it queued up.
Ditto ne0, go w/ H/W. For Win2K, consider following Microsoft's lead (sample):
Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview
http://www.microsoft.com/TechNet/isa/isatecov.asp
"By default, no traffic can pass through the ISA Server. The packet-filtering feature of ISA Server allows the administrator to control the flow of IP packets to and from ISA Server. When packet filtering is enabled, all packets on the external interface are dropped unless they are explicitly allowed, either statically by IP packet filters or dynamically by access policy or publishing rules."
Given MS's track record on high-security coding, I wouldn't use MS ISA if you paid me. It remains one of three firewalls on the market which have had exploitable vulnerabilities crop up in them. This is the kiss of death for a security device.
Just to be complete:
The WDJ issue is October 2000 (Vol 11, Nr 10), and as for all other WDJ articles, the full code for a simple packet filter is available for download.
I used it to create a simple "fw" based on a text file describing filtering rules. BTW, there's more to do (like logging etc.), but IMHO it's a really good starting point.
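The two ideas in this thread that a practitioner would want to see side by side are the default-deny policy from the ISA quote above ("all packets ... are dropped unless they are explicitly allowed") and anzen's text-file-driven rule set. The following is an added example, not the WDJ article's code nor anzen's "fw": a minimal first-match packet filter that parses a constructed rule file and falls through to deny. The rule syntax (`action proto src dst dport`), the field names, and the sample addresses are all assumptions made for this illustration.

```python
"""Minimal default-deny packet filter driven by a text rule file.

Added illustration for this thread; not code from the WDJ article or from
anzen's firewall. Rule syntax, field names and sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule file. Rules are evaluated top to bottom, first match wins,
# and any packet that matches nothing is dropped (default deny). The deny rule
# is placed first on purpose: ordering is part of the policy.
RULES_TEXT = """
# action proto src            dst             dport
deny  tcp  198.51.100.0/24  any             any
allow tcp  any              192.0.2.10/32   80
allow tcp  any              192.0.2.10/32   443
allow udp  192.0.2.0/24     any             53
allow icmp any              any             any
"""


@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    proto: str                                   # "tcp", "udp" or "icmp"
    src: Optional[ipaddress.IPv4Network]         # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]                         # None means "any"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None                  # ICMP has no port


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def _port(token: str) -> Optional[int]:
    if token == "any":
        return None
    port = int(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def parse_rules(text: str) -> List[Rule]:
    """Parse the rule file; reject malformed lines loudly rather than guessing."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        action, proto, src, dst, dport = parts
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if proto not in ("tcp", "udp", "icmp"):
            raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
        rules.append(Rule(action, proto, _net(src), _net(dst), _port(dport)))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule that is not 'any' matches the packet."""
    if rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; nothing explicitly allowed gets through."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for pkt in (Packet("tcp", "203.0.113.9", "192.0.2.10", 80),
                Packet("tcp", "203.0.113.9", "192.0.2.10", 22),
                Packet("tcp", "198.51.100.7", "192.0.2.10", 80),
                Packet("icmp", "198.51.100.7", "192.0.2.10")):
        print(pkt, "->", decide(rules, pkt))
```

Two things the example makes visible that the quoted ISA text only states: the fall-through at the end of `decide` is the entire default-deny policy, and because the evaluation is first-match, the blanket `deny tcp 198.51.100.0/24` only works because it sits above the `allow ... 80` rule. A real filter would also need state tracking and logging, which the thread itself points out are left to do.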
ASKER
Thank you, anzen.
lovedelphi