Full config of a firewall - Win 2K home network

I have downloaded the CHX firewall and packet filtering application from their site (http://www.idrci.net), as suggested by several experts in other threads.

Now I have it, I just can't get it to do what I want.

Here's what I have:

 1 x Laptop (Win 2k Pro)
 2 x Desktop (Win 2k Pro)

 Speedtouch USB modem
 Lexmark Printer
 8 Port Switch

One of the desktops is set up to be a file/print share and gateway. The other is a SQL / MySQL database server.

Everything was working fine using Windows filesharing and internet connection sharing (Speedtouch USB ADSL via BT Openworld). Since I installed the firewall, I just can't get the browsers to work on other PCs, no matter what I seem to edit in the filters list. I did once manage to get the PCs to be able to browse the network.

QUESTION:
How do I configure CHX to allow web and internal network traffic (auto IP addresses from internet connection sharing) from the two other computers, but stop pretty much everything else?

Once this part is up and running with no problems, I want to be able to turn on certain ports for other applications, such as MySQL, VNC, RealPlayer, IIS (possibly) etc.

I have uninstalled the firewall for now, so don't mind using a different one, if the job can be done for the same price... ie. nothing.

Obviously, I need to put some protection on to the gateway, so for a fast response I have stacked on some points.

I would like specific instructions on how to do this, as networking, just ain't my thang.

Any help greatly appreciated.

PS. I have had to remove Linux from one of the PCs in requirement of a 3 PC Windows based testing platform. The firewall was working fine with Redhat, and I will eventually return to it, so please don't suggest Linux!!
SamEdneyAsked:

quarkxCommented:
Hi,

On the system running ICS, disable TCP/UDP stateful options on the Internal network interface(right click/properties/un-check the stateful boxes).

On the external interface, leave the stateful options active. You can now build your IP security policy as you need. Follow the instructions in the online manual for prohibitive rule sets.

If you are not at ease with networking and security in general - I'd suggest you try other applications(zone alarm, kerio, etc).

HTH,

Q.
SamEdneyAuthor Commented:
Thanks QuarkX.

What will I actually be disabling though?

I need this network to be secure, and opening any ports that are not absolutely necessary may be a problem. The data contained on the SQL database is quite sensitive.

The system running ICS is the external interface, isn't it?

If not, let me know what you mean please.

ZoneAlarm is fine, but the pop up options are not the best way to make a network secure. It gets far too annoying checking what you have and haven't allowed.

It would be great to have an application that just had a few wizards.

1. Gateway machine for LAN
2. Webserver on the internet using XXX services
3. Internal LAN webserver
4. Workstation on Internal LAN
5. Workstation with direct (modem etc) connection

After this, if you could turn on additional ports such as RealAudio etc, it would be a cinch. Never mind. I guess complex jobs must be complex.
quarkxCommented:
Hi,

The system running ICS has two network interfaces; one exposed to the Net and the other to the internal network.

The stateful options in CHX can be enabled per interface; so what I meant was to disable TCP/UDP stateful options on the Internal Network card. (The UDP stateful option is what is blocking internal PCs.)

Once this is done, you can build your security policy. For instance on the external interface:
a) Allow In TCP to ports > 1023
b) Allow TCP Ports = 80,443,etc
c) Allow UDP from DNS port 53 to ports >1023
d) Deny TCP SYN to ports >1023

Remember that Allow is prohibitive meaning that once an Allow or combination of Allows are used, everything else gets dropped.

HTH,

Q.
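The four external-interface rules quoted in the answer above, worked through as a small stateless filter so the "Allow is prohibitive" behaviour can be seen on sample packets. This is an added illustration, not CHX code or its rule syntax; the evaluation order (Deny first, then Allow, then implicit drop) and the inbound reading of rule b) are assumptions, and the sample packets are constructed.

```python
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)  # the post's "ports > 1023"

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag set, i.e. a new inbound connection attempt

# The four rules from the answer, as predicates over an inbound packet.
def rule_a(p): return p.proto == "tcp" and p.dst_port in EPHEMERAL              # a) Allow In TCP to >1023
def rule_b(p): return p.proto == "tcp" and p.dst_port in (80, 443)               # b) Allow TCP 80,443 (assumed inbound)
def rule_c(p): return p.proto == "udp" and p.src_port == 53 and p.dst_port in EPHEMERAL  # c) Allow UDP from 53 to >1023
def rule_d(p): return p.proto == "tcp" and p.syn and p.dst_port in EPHEMERAL     # d) Deny TCP SYN to >1023

ALLOW_RULES = [rule_a, rule_b, rule_c]
DENY_RULES = [rule_d]

def filter_inbound(p: Packet) -> str:
    # Assumed evaluation order (the thread does not state it): Deny rules win,
    # then any matching Allow passes the packet, and because at least one Allow
    # rule exists everything left over is dropped ("Allow is prohibitive").
    if any(r(p) for r in DENY_RULES):
        return "deny"
    if any(r(p) for r in ALLOW_RULES):
        return "allow"
    return "deny" if ALLOW_RULES else "allow"

# Constructed sample packets arriving on the WAN interface (not from the thread).
SAMPLES = {
    "web reply to our browser":        Packet("tcp", 80, 1500),
    "DNS reply to our resolver":       Packet("udp", 53, 1501),
    "new connection to port 80":       Packet("tcp", 40000, 80, syn=True),
    "SYN probe of MySQL 3306":         Packet("tcp", 40001, 3306, syn=True),
    "SYN probe of NetBIOS 139":        Packet("tcp", 40002, 139, syn=True),
    "UDP from port 53 to NetBIOS 137": Packet("udp", 53, 137),
    "stray ACK to 3306 (no SYN)":      Packet("tcp", 40003, 3306),
}

def decisions() -> dict:
    """Verdict for every sample packet, keyed by its description."""
    return {name: filter_inbound(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{verdict:5}  {name}")
```

The last sample is passed by rule a) because this filter is stateless; a non-SYN segment aimed at a high port is exactly what the stateful TCP option that the answer says to leave active on the external interface is there to drop.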


quarkxCommented:
I forgot.....

Your weak point - and where you should concentrate the most - is the web/SQL server. This will most likely be the point of an eventual successful attack. Achieving a solid IP security is quite trivial (using CHX or any other flexible packet filter), but protecting from payload attacks is not.

Ideally, the web server should reside on the DMZ, since you must depart from the premise that it will be vulnerable sooner or later.

You should deploy either a host based web application firewall on the web server or at the gateway. These creatures are quite expensive though... You can start with Microsoft's free tool (I think it's called UrlScan) then look into real application firewalls for enhanced security.

HTH,

Q.
SamEdneyAuthor Commented:
I will only need to access the MySQL server internally, over the LAN, as we are writing Windows applications to access it.

Due to security issues with Microsoft SQL server and IIS, we won't be using either now anyway.

I will remove all the filters, and start from scratch again.

Thanks for this so far QuarkX. I will give this all a try when I get back home tonight, and get back to you asap with my results.
SamEdneyAuthor Commented:
Also... what is DMZ?

Is there a good guide to the terminology used in firewalls anywhere I could read up on?

Thanks again.
quarkxCommented:
DMZ is usually viewed as a physically and logically separate segment that serves as a hosting place for public services (web, mail, DNS, etc).

In your case, if you add a third network card to your gateway box it would look like this:

Internet
|
|
WAN Nic
|
|
-----------DMZ Nic--------Web Server
|
|
LAN Nic

The idea is to protect the LAN from the DMZ servers, since we consider them hostile (in the event they get compromised).

As for a good guide to security terminology I'd recommend the extensive use of the Google encyclopedia. :-)

Q.
SamEdneyAuthor Commented:
Thanks QuarkX.

I can sleep easier knowing that my ports can not be probed.