Solved

How to build a solid Firewall

Posted on 2003-03-13
Last Modified: 2013-11-16
Dear firewall experts.

I have just installed ADSL and I need to firewall myself.

What I have:

1. Win 2000 server connected to ADSL modem on one NIC and rerouting to local network on another NIC
2. Hub for local network
3. 4 Win XP computers running on the network
4. Cisco 800 router currently not used

The only role of Win 2000 is to connect to ADSL and share the access

How can I best protect the network? Can the Cisco router be of any use? or should I go for Linux?

Please be as informative as possible
Question by:graga
29 Comments
 

Expert Comment

by:madcrb
ID: 8137951
How important is your information? If you really want to restrict access, an application layer fw is the only way to go.

I do suggest that if the only thing you are using the internet feed for is http/https then lock down all the other ports on the win2k box.

If you need a decent lockdown walk through, go here:
http://csrc.nist.gov/itsec/guidance_W2Kpro.html


It is also a good idea to go ahead and disable any services you don't need.

Netscreen has a decent low end firewall: the NS5XP.
It has a lot of capability for a SOHO environment.
0
 

Author Comment

by:graga
ID: 8138068
madcrb,

The page has information on WIN2000 Pro only:

"These recommendations and security templates should be applied only to the Windows 2000 Professional workstation."

0
 

Expert Comment

by:madcrb
ID: 8138116
my bad...

This link has the baseline 2k server security checklist:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/w2ksvrcl.asp

It also has the links to several tools for securing 2k server.

0
 
LVL 2

Expert Comment

by:MCSE-2002
ID: 8140908
If you have a static IP address, set up the Cisco box for NAT. Enable access lists incoming on the external port.

If you have DHCP (most DSL setups do), then download BlackICE or Tiny Personal Firewall. It works pretty well for home computers, and if you're a cheapskate the cracks are pretty easy to find.

Don't bother trying to secure a Windows 2000 server, unless you plan on getting a divorce, selling your kids to slave traders, quitting your job, and downloading patches 8 times per day. Automatic updates are a good start though. (sorry madcrb)

Basically the idea you should pursue is to prevent everything, and only allow what you need to get to your network, i.e. web, SSL, SMTP, POP3, Terminal Services, etc.
 
Good luck!
0
 

Author Comment

by:graga
ID: 8140961
I have tried Tiny and quite frankly I wasn't too happy about it.
I agree it is okay for stand alone computers but I could not set it to work correctly on my network.

I'm thinking more of using Cisco router to connect to my ADSL modem (somehow) and become DHCP for internal network. In this case I won't need the Win2000 server at all.

I don't have static IP, but disconnections are rare and even after disconnecting, in most cases I have the same IP, so I may always re-configure the router.
Does this sound feasible?
0
 
LVL 2

Expert Comment

by:MCSE-2002
ID: 8141170
Yes.

You will find reconfiguring the Cisco twice a week to be a pain in the arse.

I have set up DHCP on my Cisco routers (I have 23 Cisco 1720s) and it works great (better than winders version).

I have never heard of setting a cisco to receive a dhcp address, but maybe?

If you pony up the dough for a static address, you can definitely do it, and it will be rock solid. "The voice of experience".

I have had both windows and linux hacked when exposed to bare internet, so be sure and do something. It sucks to have to wipe a system, and reinstall everything.
0
 

Author Comment

by:graga
ID: 8141268
Static address still too expensive.
I have just downloaded Zone Alarm Pro. Will give this a go and see...
I think there are some ADSL modems with built-in firewall, might be worth buying one.
0
 
LVL 1

Expert Comment

by:Hartman
ID: 8144535
Graga,

If your hub is a router/hub/DHCP like a Linksys, just put it connected to the ADSL. Then connect all the Windows boxes inside on the fake IP 192.168.0.0/24. This is cheap and effective.

I would just buy a simple Linksys for about $50-100. While it is not a true firewall it offers good protection for the home.

Hartman
0
 

Expert Comment

by:shawnpbcomp
ID: 8149452
mcafee firewall pro
0
 

Expert Comment

by:madcrb
ID: 8153160
Look,

Using Linksys or Cisco (especially Cisco) as a security device is just plain stupid. There are more known hacks against Cisco (and more popping up every day).

As to using BlackICE or TPF, good luck. It is like patching a sinking ship with masking tape. (bad analogies are my specialty)

If you spend the 3-500 dollars and get a decent layer 2 firewall (not that I recommend a layer 2, but it would be the cheapest way to go) you can install it with a rule set that would allow outbound connections only.

The only inbound connection (i.e. a connection that originates outside of your network) you would ever allow would be to your web server, which (hopefully) should be on a DMZ and not on the internal network.

If you are too cheap to protect your network, research and download a decent Linux based firewall and build one.

And finally,  if you really want to have your network secured for the least amount of dollars....

unplug it from the wall.

nuff said

mad
0
 

Author Comment

by:graga
ID: 8154346
So far I have tested practically all Windows based firewalls and they all have problems on my network - I'm using Win2000 server's IP routing.
I will try a bit more, and then will try Linux.
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 8163988
Are you hosting/serving anything to the 'net? If not then you don't need a real address. If your machines don't have real IP addresses you've solved most of the problem.

To do this set the 800 up as a PPPoE client with NAT - this will show you how:

http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080094475.shtml

This means that the 800 is the one logging into your ISP and it gets the real IP address. Run NAT behind as described in the article - your 2k server then becomes invisible. If you want set your clients up to use the Cisco as default gateway - then they can all sit on the same network and your second nic on the 2k box becomes redundant.

Agreed that Cisco has its fair share of vulnerabilities so make sure that no connections are permitted to it from outside.

Personal firewalls suck ass as a rule. If you want to be more secure than this then set up outbound access lists on the 800 to limit your outbound traffic. Also use the second NIC and some proxying software to separate your client machines again from the Cisco. This makes the network between the 800 and the 2k server a DMZ (or service network depending on the vendor :-]

Harden your 2k box as madcrb said. Patch your 2k box. Keep it up to date. This is just good practice. Do this for all your machines. Don't run IIS!!!!

And get some antivirus software for your clients - in the above environment your biggest threat is trojans etc being downloaded and communicating out. I like this guy:

http://www.grisoft.com

Sorry for the lengthy discourse - still feeling last night's many beers.

0
 

Author Comment

by:graga
ID: 8164234
ferg-o
This sounds very interesting. I'm just setting up Linux to see how this will behave.
I will check your suggestion as soon as I finish with Linux.
0
 
LVL 4

Expert Comment

by:ferg-o
ID: 8164279
Quick warning - Linux needs to be hardened as well - personal opinion it is easier to do the above with Cisco, less knowledge required. A default implementation of linux is *not* secure.

If you let me know which linux you are running I'll send you through a hardening guide.
0
 
LVL 2

Assisted Solution

by:zekker
zekker earned 300 total points
ID: 8175584
I would be putting in a Linux solution with iptables or a Cisco router. You can put in a Cisco 2600 running the Cisco IOS feature set.

See: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
http://www.sans.org/rr/firewall/CBAC.php




In short you can run CBAC, which is "Content Based Access Control"; it is fairly easy to configure and runs much like a Cisco PIX. I would also make sure I had a syslog server of some sort running. You can set up a Linux box to do that for you, it's free.

You may also look at the Cisco PIX 515E or other models. I highly recommend this product.


http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm

In my opinion using a Microsoft box as your firewall platform will not do the job by itself; you will need to purchase some sort of firewall for it that sits on top of the 2000 OS. Checkpoint is a good product but costly. Linux iptables is stable and also free. I suppose it depends on how much you want to spend on security.

- Zekker
0
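The rule set madcrb describes (outbound connections only, nothing originating from the Internet side) and the Linux iptables option zekker suggests, as an added example that is not part of the thread: a POSIX shell script for a Linux box with one NIC on the ADSL line and one on the hub. The interface names (ppp0, eth1), the 192.168.0.0/24 LAN range and the short list of permitted outbound services are assumptions made for the example; change them to match the real network.

```shell
#!/bin/sh
# Added example, not code from the thread: an "outbound only" iptables
# ruleset for a Linux box with one interface on the ADSL line and one on
# the LAN. Interface names, the LAN range and the list of permitted
# services are assumptions for this example.

WAN="${WAN:-ppp0}"                      # assumed: ADSL/PPPoE side
LAN="${LAN:-eth1}"                      # assumed: hub side
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # assumed private LAN range
# proto:port pairs the LAN may open towards the Internet (assumed list)
ALLOWED_OUT="${ALLOWED_OUT:-tcp:80 tcp:443 tcp:25 tcp:110 udp:53 tcp:53}"

# ipt: wrapper around iptables. With DRY_RUN=1 it prints each command
# instead of running it, so the ruleset can be reviewed without root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # start from an empty table
    ipt -F
    ipt -X
    ipt -t nat -F

    # default deny for anything arriving at or crossing the box;
    # the box's own outbound traffic is allowed
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # loopback is always fine
    ipt -A INPUT -i lo -j ACCEPT

    # anti-spoofing: nothing from the Internet may claim a LAN source address
    ipt -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # replies to connections the box or the LAN opened
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # the LAN may administer the box over ssh; nothing else reaches it
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN -> Internet: only the listed services, and only new connections
    # that originate on the LAN side
    for spec in $ALLOWED_OUT; do
        proto="${spec%%:*}"
        port="${spec##*:}"
        ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
            -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # log (rate limited) what the default policy is about to drop
    ipt -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop-fwd: "

    # hide the LAN behind the ADSL address; MASQUERADE rather than SNAT
    # because the address is dynamic
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # only route between the two interfaces once the rules are in place
    [ "${DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    show)  DRY_RUN=1 build_ruleset ;;
    apply) build_ruleset ;;
esac
```

`sh fw.sh show` prints the commands without touching anything; `sudo sh fw.sh apply` installs them. Because the INPUT and FORWARD policies are DROP, every packet not matched by an explicit rule, including any connection that originates on the Internet side, is logged and discarded, and the LAN only ever sees reply traffic to connections it opened itself. Anything that must be reachable from outside (the web server madcrb mentions) needs its own explicit ACCEPT, ideally on a third, DMZ interface rather than inside the LAN.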
 

Expert Comment

by:madcrb
ID: 8175927
Concerning Cisco Pix:
I can't believe anyone can "highly recommend this product"
It is weaker than the average UN resolution.
Just go to : http://www.securityfocus.com/ and take a look at the vulnerabilities section.  Or type in pix hack on any search engine.

It may be the most widely used firewall, but it is also the most hacked.

The Pix getting EAL4 Certified was as on the money as OJ Simpson being declared innocent.  A lot of money must have exchanged hands.

but that is just my opinion.  I could be wrong.


nuff' said

madcrb
0
 
LVL 2

Expert Comment

by:zekker
ID: 8176807
How can I recommend a Cisco PIX? Easily, I use it and it's a good device. EVERY box out there has vulnerabilities, look at Microsoft, Linux etc. Nothing is perfect.

Any serious security professional can tell you that. Instead of pointing to the link, why not point out the actual LINK with the actual document you seem to be saying is there... Just saying "go there" does not show much. However I could also be wrong.

I sleep better at night knowing my firewall is based upon a PIX than a "hardened" Windows 2000 box. As for your reply, why don't you give the guy an option? You say it's not a good product, that's fine, that's your opinion, however he did not ask for your opinion on my comment, he asked for options that can help him. We are doing that. Are you?

- Zekker
0
 
LVL 2

Expert Comment

by:zekker
ID: 8177011
To follow up.....

I searched the SecurityFocus web site and found vulnerabilities in the following products:

PIX compared to Checkpoint
===========================
PIX           11    1999-06-01 to 2002-11-20
Checkpoint    25    1999-06-01 to 2002-10-08

PIX OS compared to Microsoft, Unix, Linux:
===========================================
Windows 2000  85    2000-12-01 to 2003-03-14
Microsoft    500    overall
Unix          50    1999-11-25 to 2003-01-10
Linux         50    2001-10-09 to 2003-03-17

As I said in my other comment, no operating system is 100 percent. Every system running as a firewall MUST be hardened and checked with security tools such as Nessus.

Due care must be taken in any type of internet edge device to ensure that the only services that are open are the ones needed for a specific reason..

Anyone can configure a router / PIX to work on DSL, or Linux for that matter, but how is it configured? That is the issue here. There is also the question of application security. How secure is that web app of yours?

Just as a side note, we run Nessus scans against all our devices and our PIX is invisible to it. Just as an FYI, Cisco is purchasing Linksys, please see:

http://newsroom.cisco.com/dlls/corp_032003.html

- Zekker

0
 

Expert Comment

by:madcrb
ID: 8177134
1.  I didn't mean to piss on someones parade.
2.  Yes all firewalls have vulnerabilities. (Except for Sidewinder by Secure Computing ---Never Been Hacked---)
3.  You are absolutely correct. No OS is 100%.  But some are a lot easier to lock down than others. Just as some are easier to open up like a can of tuna.

4.  As to pointing out to the actual link to pix Vulnerabilities?

I could point out a lot of urls.  
If you go to securityfocus.com and do a search on Cisco Pix in their bugtraq section, you will find a lot.

http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml

http://www.secunia.com/advisories/7568/

As I have stated before: Any firewall is better than no firewall at all.  Be it Cisco, Netscreen or Black Ice Defender.
However...

If you go for an Application Layer /Proxy firewall, you will be much better off and much more secure (As I am sure any security pro. worth his or her salt will tell you.)

It is too bad that due to great marketing, a router with rules is now considered a firewall. Cisco, Netscreen, SonicWall, Watchguard... these are all routers with rules.

nuff' said

madcrb
0
 
LVL 10

Expert Comment

by:brakk0
ID: 8178843
I've been running a similar network on both DSL and cable for about 5 years now. I have a Pentium 133 machine running WinNT 4 and use WinRoute Pro for NAT/routing, firewall, and DHCP for my internal network. It has had almost zero downtime in all those years, and I have never had any problems with it. You can get a demo of WinRoute Pro, or the full version of WinRoute Lite, from www.kerio.com. It is very easy to configure and will let you do everything you are trying to do. (It will also work with other versions of Windows, but the machine it's on won't handle much more.)
0
 
LVL 2

Expert Comment

by:zekker
ID: 8181082
Whatever.........  ;-)

The whole idea around this "service" we are providing is to give people options. I don't know what your problem is with Cisco but that's your opinion. I deal with a lot of security people and the PIX product is not as bad as you say. Also, you still have not given him an option! That is what we are here for. Right?

If you knew what a PIX firewall is, it's NOT a router; yes it can route, all firewalls have to do that, but it is NOT a router. Just because it has the word Cisco associated with it.........

Lets just agree to disagree...

as you say

Nuff said....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8187852
Seems to be an interesting thread with some good points/counter-points. My $0.02 for what it's worth:

I agree with some of the comments provided, especially the most obvious -
If you want your network secure, unplug it. In other words, it will never be 100% secure, so you have to determine
the balance point of how much you want to risk vs the value of what you have, vs how much you want to spend.

IMHO, there will never be a Windows-based software firewall that is secure enough to even consider using. You can never "harden" the OS enough. Talk about the most-hacked operating system out there!

Some clarifications:
Yes, cisco routers can be DHCP client on one interface, and DHCP server on another at the same time.

I have to back zekker on some clarifications to defend the Cisco PIX.
The PIX is not a router, it never was a router, it was built from the ground up as a firewall and only a firewall.
It is still the only firewall that is certified by the National Security Agency (EAL4), because Cisco is the only company that would put their product through such exhaustive steps.

Cisco has added Firewall features to their router IOS, but that still does not make a router a PIX, or vice versa. zekker provided some good links that explain this feature quite well.

The PIX is just like any other security product that must be maintained with latest patches, etc. Security is not a one-time act of putting in a firewall and forgetting it. Security is a PROCESS that must be continually monitored, maintained and adjusted.

Also, a good security posture includes a complete program, and a 'defense in depth', with your 1st layer of defense a well secured border router, 2nd layer a well-configured firewall, and other levels of security inside including intrusion detection, anti-virus, and finally system and file-level access controls to control access. Another MUST have for any business before they can even start is to define a security POLICY that weighs the risks and vulnerabilities, and spells out the procedures that will be used to mitigate each of the risks.
0
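Monitoring, as lrmoore says, is part of the process rather than a one-time act. As an added example that is not part of the thread, here is a small POSIX shell/awk script that summarises the lines a Linux firewall's iptables LOG target writes to syslog, so the "log and drop" traffic can actually be reviewed. The sample log lines are constructed for the example (documentation addresses, an assumed "fw-drop" log prefix and a host called gw); the field names (IN=, SRC=, PROTO=, DPT=, ...) are the ones the LOG target really emits.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise the lines a Linux
# firewall's LOG target writes to syslog. The sample lines below are
# constructed for the example; the "fw-drop" prefix and host name gw are
# assumptions, the IN=/SRC=/PROTO=/DPT= fields are what iptables LOG emits.

# summarize_drops: read syslog lines on stdin, keep those carrying the
# firewall log prefix, and print "<count> <source> <proto> <dport>" lines,
# busiest source first.
summarize_drops() {
    awk '
        /fw-drop/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src != "") hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# sources_over N: read summarize_drops output on stdin and print the
# source addresses dropped more than N times (one per line, sorted).
sources_over() {
    awk -v n="$1" '$1 > n { print $2 }' | sort -u
}

# Constructed sample: one host probing TCP 135 three times, one UDP 1434
# probe twice, one forwarded attempt a LAN host made, and an unrelated
# sshd line that must be ignored.
SAMPLE_LOG='Mar 15 02:11:07 gw kernel: fw-drop-in: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3129 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 15 02:11:09 gw kernel: fw-drop-in: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=3130 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 15 02:11:12 gw kernel: fw-drop-in: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4 DF PROTO=TCP SPT=3131 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 15 02:12:40 gw kernel: fw-drop-in: IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.20 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=9 PROTO=UDP SPT=1034 DPT=1434 LEN=384
Mar 15 02:12:41 gw kernel: fw-drop-in: IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.20 LEN=404 TOS=0x00 PREC=0x00 TTL=108 ID=10 PROTO=UDP SPT=1034 DPT=1434 LEN=384
Mar 15 02:13:02 gw sshd[412]: Accepted password for admin from 192.168.0.10 port 1025 ssh2
Mar 15 02:14:55 gw kernel: fw-drop-fwd: IN=eth1 OUT=ppp0 SRC=192.168.0.12 DST=192.0.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=77 DF PROTO=TCP SPT=1044 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0'

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

`sh fwlog.sh demo` prints the summary for the constructed sample; against a real box, `summarize_drops < /var/log/messages | sources_over 20` lists the addresses that have hit the firewall more than twenty times. The fw-drop-fwd line is the interesting one for this thread: a LAN host trying to reach port 445 on the Internet is exactly the "trojan communicating out" case ferg-o warns about, and outbound filtering is what makes it visible.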
 
LVL 1

Accepted Solution

by:sKuLLsHoT
sKuLLsHoT earned 200 total points
ID: 8191643
I was using a similar setup to you but turned to installing Smoothwall (www.smoothwall.org) onto my gateway machine and haven't looked back; it might not be the titan of security but with the upcoming GPL2 release using iptables it's going to be stronger..

Smoothy supports firewalling and uses Snort for an IDS, it's easy to do updates, and supports having a separate DMZ network for those untrusted local machines..

A similar option is IPCop, although the two are very similar.

That's just a suggestion if you are already looking at Linux..
0
 
LVL 2

Expert Comment

by:zekker
ID: 8195532
I have never used Smoothwall, but I would like to on a test box. My questions are:

1. Does it sit on a current Linux install? Or do I have to reinstall the entire OS?
2. Does it integrate with Apache web on the same box? Or is it just a stand alone firewall with no other apps on it?


Reason i ask is I have a client that this may fit into.

Any comments would be helpful.  

Thanks!
0
 

Expert Comment

by:madcrb
ID: 8196535
Ok.
Lets do a little clarification.
The OSI model (7 Layer dip).

http://www2.rad.com/networks/1994/osi/layers.htm

If a firewall doesn't look at all 7 layers, it is vulnerable.

As to the PIX being the only EAL4 certified. Nope.
Sidewinder was also EAL4 certified.
As is Borderware's firewall (6.2 I think).

The problem with EAL4 certs is that with every release of the product, the company has to go through the testing again.

Again, PIX is better than nothing at all.

I know it is not a router, but it functions as a router with rules.


0
 
LVL 1

Expert Comment

by:sKuLLsHoT
ID: 8198664
zekker, Smoothwall is effectively a Linux distribution, a very small ISO. You would have to reinstall the OS on an existing machine, but it does come with Apache and all that ready to go out of the box; that is for the webmin system. Most of the dev tools are taken out of the distro as the Smoothwall team strongly believe a firewall should run minimal services. They don't support "modifications" but I do this all the time; it's not too hard to make Smoothy do a little more than what it does out of the box.
0
 
LVL 2

Expert Comment

by:zekker
ID: 8203354
You do realize that you just grouped every firewall out there as a router with rules.....  

anyway, Uncle you win..  I surrender....  I know nothing I admit it.  Darn where did those 17 years in IT go to!


Thanks for the Info on the smoothwall firewall, i read some more on it.  I appreciate it.

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8452948
G'day, graga
It has been 51 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
0