Solved

Firewall Needs for Win9x P2P network on DSL

Posted on 2001-07-31
Last Modified: 2013-11-21
We run a Win9x peer-to-peer network using DSL for internet access.  We have 5 static IPs, plus am using ICS to share some of the IPs.  I have not yet set up a firewall, so that is my next project.    I plan on using one of our older PCs (486 based) as the hardware for the firewall between the network and the Cisco 675 router.

What do you suggest for firewall software?  Does this install only on the 486?  Any other software that I need?  Any other tips??

Obviously, I am a novice at this!  Thanks in advance.  Gregg
Question by:borleymsgs

33 Comments

LVL 14

Expert Comment

by:chris_calabrese
Your best bet given the hardware is to install the latest version of your favorite Linux distro or OpenBSD and use the built-in firewalling tools.

In the case of Linux, that's iptables.  In the case of OpenBSD that's IPFilter.

LVL 12

Expert Comment

by:Housenet
I suggest FREESCO, http://www.freesco.org/ . It's a Linux-based NAT router that runs on one diskette. It will give you the firewall protection you're looking for.

LVL 3

Accepted Solution

by:Bruce_R earned 100 total points
or there's smoothwall, firewall router distro, also includes VPN.

www.smoothwall.org


Author Comment

by:borleymsgs
Everyone seems to be suggesting a Linux OS, which I am not surprised at, BUT I know nothing about LINUX.  I am fairly computer savvy, but have never delved into this area. Is it realistic and/or practical for me to utilize another OS just for a firewall?

I could utilize a faster PC if that is what is making everyone suggest LINUX, but I was under the impression that firewalls do not take many resources, thus thought this would be a good use for an older PC.

LVL 1

Expert Comment

by:batkung
an older pc is ideal.

the firewall/gateway machine should have the minimum amount of extra services running on it so that there are no other avenues for a malicious attacker to compromise your box.

I personally use FreeBSD, but I would suggest putting something like redhat linux on your box and then installing the bastille linux enhancement. This will effectively shut off all unused and unneeded services, and will add a pre-built firewall to your system for a good level of basic protection. The Bastille linux installation is very easy, even for new users. It asks you all manner of questions in an easy to understand way that doesn't use much jargon.

redhat is a good choice because it has a gui installation program, and bastille was originally written for redhat.

hope this helps you.

LVL 1

Expert Comment

by:fobzz
I totally agree with batkung. That would probably be the best way to go. Redhat is easy to install and bastille is a perfect firewall solution. But, make sure you update all the needed packages for redhat.

LVL 1

Expert Comment

by:batkung
As another tip... when you put 2 network cards in it, try to use 2 different makes; this makes it easier to differentiate between the incoming and outgoing network cards.

If you don't have 2 different net cards, remember that the device name takes its number from the PCI bus (i.e., the slot nearest the video card slot).

For example, if you have 2 3Com NICs, they will be called xl0 and xl1; xl0 is the top card, xl1 is underneath it.

LVL 3

Expert Comment

by:Bruce_R
with smoothwall you don't need to know Linux. You just boot it from the CD, it installs itself on the HD with a few questions about your hardware etc.. You then manage it from a web browser.

LVL 1

Expert Comment

by:batkung
Agreed, the easiest alternative is a floppy boot-based firewall, but having Apache running in order to configure the firewall is a bit much.

what if the webserver that is running:-

1. isn't up to date, and has security problems
2. doesn't use secure http to authenticate user logons
3. has a weak password (i.e. swordfish)

if there is a web interface to control a firewall, it can be easily susceptible to a brute-force password attack.

the best (read recommended) way to manage a firewall is to physically be at the keyboard in order to make changes to it, that way you know nobody else can gain access to configuring it from outside.

another thing to note if you decide to use a web based remote config for your firewall is what happens if you set a rule that locks you out of the system?

just my $0.02 worth

LVL 12

Expert Comment

by:Housenet
borleymsgs, it's too bad you're not interested in using a "real firewall". When I say that, I mean a hardware device that is specifically designed for that function.
-The fact is, there is nothing more secure or robust than a hardware firewall.. I personally would recommend a NetScreen 5. It is simple to configure (no need to learn Linux). Gives you more protection (mapped IPs, tons of detection & anti-hacker capabilities, excellent control of inbound & outbound traffic). It will also allow you to VPN into your LAN using 3DES IPsec.

LVL 1

Expert Comment

by:batkung
apart from the fact that a hardware firewall will cost you $xx,000 compared to using a linux/bsd firewall which costs you little if nothing apart from having to learn something new.

Hardware firewalls are not usually an option unless you have money to burn.

and if you wanted to have an application layer of protection, why not just use a reverse proxy in front of your web server.

hey housenet....it says you work for satan, does that mean that you are an MCSE?

me, I work for myself, that way, if I'm happy with the results, I know there's nothing better that I can do.

LVL 12

Expert Comment

by:Housenet
batkung, you don't work for yourself... you work for me turnin' tricks.
-Since it seems like your last comment addressed my previous comment, I have a few thoughts...

-A NetScreen 5 is very inexpensive, about $500 U.S.
-How is a hardware firewall an "application layer of protection"? BlackICE, or some other half-assed software, is an application. A hardware firewall works at much lower levels.
-Plus, personally, after installing various firewalls for a couple of years now, I can tell you that there is no way in hell any OS compares to a device like a NetScreen or PIX. They're simply in different leagues.
-Devices like NetScreens offer the highest forms of security available in the world, & Unix firewalls offer some forms of limited protection & no support for the latest security protocols.

LVL 55

Expert Comment

by:andyalder
>How is a hardware firewall an "application layer of protection"?

You'd better ask that Q of Cisco with respect to PIX and to IP+/FW IOS on a router, and of Nokia with their embedded FW1/router. Could name a dozen other hardware firewalls that work at the application layer but can't be bothered.

LVL 51

Expert Comment

by:ahoffmann
All the pros and cons about hardware vs. software firewalls,
did any of you check the known vulnerabilities about firewalls, for example at http://www.securityfocus.com/ ?
You'll be surprised about Cisco, NetScreen compared to no-cost ones like *BSD's ipfilter or Linux's ipchains/iptables.

Well, if someone won't be bothered with learning something about security, it'll be OK to pay for proprietary things, and pay again for patches etc..
That's the price you pay for a simple configuration (as announced in coloured advertising papers), while security may be weak due to lack of immediate patches.

IMHO (and probably some others':-) "security by obscurity" is not worth a try (except someone gives a warranty/guaranty for any damage caused by hacked/bypassed proprietary firewalls).

Go with an i386 (out of your corner, somewhere), plug in a 2nd NIC, use one of the already suggested solutions (Bastille, trinux, etc.), and learn a little about iptables. It's worth a try, and you get used to the basics of security too ;-)

Just my 2 pence ..

LVL 12

Expert Comment

by:Housenet
ahoffmann, please do not get personally offended. Open debate is a good thing & helping the questioner is the point here.
-Where is this comparison between BSD & NetScreen? I didn't find it.
-Unix is more secure as a firewall than a hardware firewall is essentially what you are saying, correct?
-Funny that this goes against the majority view of leading security consultants on the matter, & you happen to be a Unix specialist.
-Please do not presume that others who are commenting on this thread are simply offering suggestions that are "easy ways out" & don't know anything about security.
-The fact is, there is no solution that is 100% secure & invulnerable. Surely you are not suggesting that BSD has no vulnerabilities, or even fewer vulnerabilities?
http://www.openbsd.org/security.html#29
http://securityportal.com/topnews/weekly/bsd20001120.html
http://bsd.reedmedia.net/Security/Exploits/
-You suggest that BSD is more secure than a NetScreen. I contend that it is less secure.
-IMHO it offers no 3DES, no redundancy option, & you should ask yourself why organizations like Network Solutions & many NA government networks that have serious security requirements choose to use NetScreens as opposed to options like BSD?

LVL 51

Expert Comment

by:ahoffmann
Another off-topic comment, somehow. Sorry for that, borleymsgs.

Just to clarify: I didn't say (unlike other commentators:) that this or that product is better. I just gave a few hints so that the questioner may have a look at security things from another point of view. It's up to the reader to make ratings (based on all hints;-)
I just gave a few examples/products by name, as examples, nothing more. Could also mention M$ (definitely not the choice for security), Checkpoint, SonicWall, etc. etc.
And, if you read the question first, and then my comment, you'll see that I tried to focus on the question (and some statements thrown in by other commentators).

It's not wrong if it's implied that I prefer open source over proprietary products (no security by obscurity).
If you (your company) have the $$$ **and** the power to make contracts about warranty for proprietary products, go with these products. I would too ..

LVL 51

Expert Comment

by:ahoffmann
.. and a collection of other peoples opinions:
http://www.securityfocus.com/frames/?content=/templates/library.html%3Fid%3D3446
(hope the link isn't broken)

LVL 12

Expert Comment

by:Housenet
-Just to be clear, I'm not suggesting Windows-anything as a firewall & never would. Thread is long & quickly getting off topic so I'm out, unless borleymsgs has something to say.

LVL 1

Expert Comment

by:CompuNerd19
Ouch!  Never seen so many complaints in my life.  Anyhow, I don't think anybody should let good equipment go to waste because they do not understand it.  After all, most security blunders are caused because people are using things they are not comfortable with.  If you have a Cisco router in the first place, why not use it?  If you are running 98 machines I would block tcp/udp ports 135-139 and then go ahead and filter all the other fav protocols: dns, snmp, icmp, etc...  You can use access lists in order to do this.  Instead of blocking the ports I would suggest routing it to a null interface.  This is much quicker and would make a "script kiddie's" scanning tool think you are not there.

As far as buying a PIX firewall for a home network!!!  Come on guys, this isn't your job we are talking about.  On the other hand, programs like BlackICE are not "half-assed".  All software's capabilities are based on how the user sets it up.  BlackICE is great for both filtering and logging.  Using a strange OS and then trying to apply security to it would be a nightmare.... not to mention time consuming.  Let's keep it simple and stupid, shall we?  Start with the router (by managing traffic a little better) and move to any IDS system that you understand, and THEN worry about whose dick is bigger.

Note:  I am not saying that discussion is not good.  I just believe that this is a forum whose base is to help those with questions and not blunder and confuse them with things they do not understand.

LVL 51

Expert Comment

by:ahoffmann
.. no more confusing [p|b]lunder ;-)  out 'till  borleymsgs
responds ..

LVL 27

Expert Comment

by:Asta Cu
Listening to learn.
Asta

LVL 4

Expert Comment

by:jwalsh88
Judging by your question, borleymsgs,

I would say it's safe to assume that you want to use existing equipment (PCs) for your firewall.
IF that's the case then you really should look at Bruce R's solution: Smoothwall, at www.smoothwall.org

And don't worry about using a web browser to manage it.  Most of the best firewalls will be managed through a browser or GUI.  Just make sure you secure that stuff and lock it down.

I would seriously look at Smoothwall; it's free, it's easy and it works well.  Obviously you are not looking to spend a lot of money, so you are not going to get a high-end firewall; you are just looking for a little more security and control.  I wouldn't start doing most of those things on the router, except using access lists to create another layer of protection and locking down the router itself.

And remember, you get what you pay for.  I have used a lot of firewalls in my day and believe me, a cheap NetScreen is okay, but don't be fooled into thinking it's just a little smaller version of their high-end equipment that is so good.

Housenet, you have been reading NetScreen's and Cisco's hype and believing it a little too much.  These products are not all that great; they have their own vulnerabilities.  About the only thing they are heralded for is being a little or a lot faster than most LINUX/UNIX/NT based firewalls, but that is changing.  Probably the two fastest (and best, in my opinion) firewalls out today are based on Linux.
The Nokia IP740.
http://www.nokia.com/securitysolutions/platforms/740.html
  **which by the way is called an appliance but is simply a hard disk drive, Intel-powered, Linux-based router/workstation, not what I would consider hardware.  No different than if you built the Linux yourself except Nokia has it hardened for you**

StoneSoft StoneGate with ZumaNetworks
http://www.zumanetworks.com/press2001-0319.html
  **An awesome product that will destroy any other firewall in speed.  It is a hardware solution but is using Linux**

Anyway, saying all that, I would say stick to your plan and keep it simple as you don't want to learn more than you need.  (meaning you know security, just don't want to learn Linux or another OS to implement it)

go with Bruce R's solution and use Smoothwall.

LVL 1

Expert Comment

by:CompuNerd19
I somewhat agree with the above.  The product is good.  But you should always strive to learn as much as you can.  Ignorance is not an excuse for lack of security.  Too many people get used to automated settings and default adjustments (hence all the vulnerabilities).  What I was saying is that he shouldn't implement something on a network where he is not comfortable with the platform.  I didn't say not to try and learn it :)  Good luck!

LVL 3

Expert Comment

by:Bruce_R
Looks like it might be worth waiting for the 0.99 release of smoothwall later this month. Based on the new kernel, it's even got IDS, and a much improved user interface.

http://www.smoothwall.org/gpl/articles/dickmorrell.0.9.9-update.html



Author Comment

by:borleymsgs
Hi Everyone- What a discussion!  Sorry that I have been away for quite a while.  To bring you up to date, before reading this thread, we purchased RedHat Linux, believing that it had firewall capabilities built into it.  Are we not correct in believing that?  Is Bastille, for example, an enhancement of firewall capabilities?

Since getting Linux, we discovered that it needs more resources than our 486 had (only 16 meg ram and 287 meg HD), so rather than upgrading an obsolete machine, we have devoted an older Pentium (180 mhz) machine to the usage.  My novice knowledge showed up!

If anyone has any further comments to guide me, I will welcome them, else I will try to close the discussion soon.  Thanks to all.

LVL 1

Expert Comment

by:batkung
Yes, RedHat has firewalling capabilities.. it's called ipchains; for more info on it, type man ipchains at a shell prompt.

Bastille basically switches off stuff you don't need, and hardens your Linux installation against any possible attacks from outside. The firewalling part of Bastille is a different script from your normal RedHat firewall (located in /etc/rc.firewall) and is a better one too... It still uses IPCHAINS though.

Your choice of machine is fine; put plenty of RAM in it though.. I would recommend 64 megs to start with.

Oh, and don't install anything on the Linux box that you don't *really* need. If you have sniffers and compilers installed and it does get compromised, it only makes the hacker's job easier to set up your box to run anything they want. The Bastille script will take care of most things for you, but be warned.

I hope you have as much fun as I did when I set up my first Linux box; you've got it a bit easier now though... support is much better these days. Welcome to the open source community.
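What the two concrete pieces of advice in this thread look like as actual rules, batkung's "RedHat firewalls with ipchains, install only what you need" just above and CompuNerd19's "block tcp/udp 135-139 at the border" earlier on. This is an added example, not part of the thread or of any commenter's post. It is a minimal ipchains script for a two-NIC Red Hat (Linux 2.2) box; the interface names (eth0 outside to the Cisco 675, eth1 inside), the private LAN subnet 192.168.1.0/24 and the decision to masquerade it are assumptions, not something the question states. It also follows batkung's keyboard-only recommendation: no rule lets any remote administration in, so a mistake here can lock you out of the network but never out of the console.

```shell
#!/bin/sh
# Added example, not from the thread: minimal ipchains ruleset for a two-NIC
# Red Hat (Linux 2.2) firewall, following batkung's "nothing you don't need"
# and CompuNerd19's "block tcp/udp 135-139" advice.
#
# Assumed layout (adjust to your box; none of this is stated in the question):
#   eth0 = outside, plugged into the Cisco 675
#   eth1 = inside, the Win9x LAN on a private subnet masqueraded behind eth0
#
#   sh fw.sh         print the ipchains commands (safe, touches nothing)
#   sh fw.sh apply   install them (run as root)

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# run: execute one ipchains command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPCHAINS" "$*"
    else
        "$IPCHAINS" "$@"
    fi
}

fw_rules() {
    # Start clean, deny by default: only what is listed below gets through.
    run -F
    run -P input DENY
    run -P forward DENY
    run -P output ACCEPT

    # The box may always talk to itself.
    run -A input -i lo -j ACCEPT

    # Anti-spoofing: LAN addresses never legitimately arrive on the outside NIC.
    run -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l

    # NetBIOS/RPC, tcp and udp 135-139, is what exposes Win9x shares.
    # Drop and log it on the outside NIC so nothing from the Internet reaches them.
    run -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 135:139 -j DENY -l
    run -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 135:139 -j DENY -l

    # ipchains is stateless, so replies to the LAN's own outbound traffic must be
    # admitted explicitly: TCP that is not a connection request (! -y),
    # DNS answers from port 53 (narrow -s to your ISP's resolvers if you know
    # them; "any host, source port 53" is the price of a stateless filter),
    # and the ICMP types plain IP needs to work.
    run -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -j ACCEPT
    run -A input -i "$EXT_IF" -p icmp --icmp-type echo-reply -j ACCEPT
    run -A input -i "$EXT_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
    run -A input -i "$EXT_IF" -p icmp --icmp-type time-exceeded -j ACCEPT

    # Anything else from outside is logged, then dropped.
    run -A input -i "$EXT_IF" -j DENY -l

    # The LAN may send anything to and through the firewall.
    run -A input -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

    # Forwarding (in the forward chain -i names the *outgoing* interface):
    # LAN traffic leaves masqueraded; only traffic that already passed the
    # input rules above is forwarded back toward the LAN.
    run -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    run -A forward -i "$INT_IF" -d "$LAN_NET" -j ACCEPT
}

# Routing between the two NICs is off until the kernel is told otherwise.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

case "${1:-show}" in
    apply) fw_rules && enable_forwarding ;;
    show)  DRY_RUN=1 fw_rules; DRY_RUN=1 enable_forwarding ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run `sh fw.sh` first to read the commands it would issue, then `sh fw.sh apply` as root from the console. Because ipchains is stateless, the `! -y` rule is what lets replies to the LAN's outbound connections back in, and everything not explicitly accepted on the outside NIC is logged and dropped. If you later want a browser console of the Smoothwall kind, the rule permitting it from your own inside address has to go before the final outside DENY line, and anything reachable from outside needs the password and up-to-date-server care batkung described.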
 
LVL 51

Expert Comment

by:ahoffmann
> .. our 486 had (only 16 meg ram and 287 meg HD),

That's enough for a simple firewall based on Linux and ipchains/iptables.

As mentioned before, just install the minimum of the distribution. Don't know if RH supports the choice "Firewall" or "Router" in the setup (like SuSE does); that's what you need.

You may also have a look at
    http://www.trinux.org/
    http://sunsite.dk/mulinux/
    http://www.zelow.no/floppyfw/
 


Author Comment

by:borleymsgs
Where we ran into problems with the 486 is installing RedHat. Most likely the 486 for a firewall would be OK if I knew Linux and installed only the kernel.  Correct?

What is SuSE?  

LVL 3

Expert Comment

by:Bruce_R
SuSE is a company like RedHat, they do a full linux distribution like RedHat, you'd probably have just as much problem installing that on a 486. Without Linux knowledge you will not know which parts not to install.

Smoothwall is optimised to run on a 486 or low end pentium. All the unnecessary stuff is already taken out. You don't really need to know much about linux to run it.




Author Comment

by:borleymsgs
Am going with Bruce R as it seemed his answer best suits my original question and needs--something simple, usable on a 486, without having to know Linux in depth.

However, I appreciate everyone's input and will be considering your advice also.  I plan on learning Linux and using it for a better firewall here at work and use Smoothwall at home.

Thanks to all for your interesting and enlightening input.

LVL 55

Expert Comment

by:andyalder
The more of us that contribute, the more chance that it gets awarded a B rather than an A grade. Totally different behaviour in the programming areas: they lock questions early and demand big points, complain if anything but A. There, there is an exact answer: you write the code thus.. Here there is a meeting of minds.

Tell me guys, since many of you come to EE via the partner sites, do you still see squirrel "Hey, the name's Shawn" as the expert of the week for the last three months solid or do I have a cache problem?

LVL 51

Expert Comment

by:ahoffmann
andyalder, probably my knowledge of English is too weak to understand your comment, or does it mean that you're willing to answer only if you can expect (and get) an A?
But you haven't been graded here, I'm confused, somehow ..

LVL 55

Expert Comment

by:andyalder
I'm sorry, I don't know how I added that comment to this topic. I thought it was the lounge. If the selected answer is only worth a B grade then what of the rest of us? Our comments are worth less than the chosen solution, so a C for you and a D for me maybe.

Don't get upset by me getting upset about B rather than A, just that if you complain to community support they'll adjust it to A anyway.

I blather, ignore me or beat me up in lounge.