Solved

What Standalone Firewall? ComputerWith2XNic's or an off-shelf Router?

Posted on 2004-04-01
529 Views
Last Modified: 2012-06-27
I have been asked to set up a firewall. The only firewalls I have set up before are software based, include an application-spawning sandbox etc., and have all been on a Win2000 workstation acting as a server for less than 10 users. I am very familiar with such firewalls but not at all familiar with any version of Windows in the server family (SBS, NT, Win2000S).

The firewall I have been asked to do is for a computer that is running Small Business Server 2000.
The computer is not connected directly to a broadband modem etc. but (apparently) is plugged into an RJ45 wall socket that supplies the entire building (multiple companies) with the internet (I have no idea what this could be; any ideas are gratefully received).
The staff are in a pickle about not having an external (to the SBS computer) firewall (management has decided it wants one) and cannot find out much about the system they have as they are not very technical, so please excuse my lack of information.

So I need to put a firewall between the SBS computer and the RJ45 jack in the wall that provides the broadband. This all sounds good to me as I am less likely to cause problems with the SBS computer software, which is alien to me. Unfortunately the staff have just realised that their other branch links to their one via a VPN (I don't know the security type, IPSEC?).

QUESTION 1A:
Can I build a Windows 2000 workstation (I don't know Linux) with two network cards in it and a software firewall and place it between the SBS computer and the wall to allow ALL traffic, except that blocked by the firewall, to pass through from the WAN adapter to the LAN adapter? Thus creating an external, to the SBS computer, firewall. I believe this is also called a sandbox.

QUESTION 1B:
If so do I just use the ADD ROUTE command to throw everything from the WAN adapter to the LAN adapter, except 127.0.0.1 and the local machine IP, and use the software firewall to do its business?

Question 2A:
Should I use an off-the-shelf combined firewall router with an RJ45 as the WAN instead of the standard (remember I am only used to small systems) broadband telephone RJ11 port?

Question 2B:
If so what one? OK, just a hint or personal favourite then!


I have put 500 points on this because it's urgent and you can bet someone answers with something I won't understand and I will need the idiot's walk-through guide : )

Thanks for your help in advance, Ralph.
Question by:RalphG
33 Comments
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10733454
I would use a router-to-router VPN solution; I am a Cisco guy so I prefer either Cisco or Linksys. You need to find out what is on the other side of the RJ11 port. I would do an ipconfig from the server and see if it is a publicly routable IP address or a NAT address. Something like the BEFSX41 http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=433 should do the trick. Post the results of the ipconfig and we can see where to go from there.

Author Comment

by:RalphG
ID: 10733726
Problem there is that I would need to go to both premises to install the befsx41 and break the existing VPN tunnel to set up the befsx41 one! I am by no means a VPN guru and would likely do more harm than good. What I would really like is the:

(I don't know what's here - black box tactic)<----->(Nothing gets past me that is not VPN or requested WEB - firewall)<----->(internal network with VPN server - SBS) solution.

I guess the befsx41 would be a good start if it will allow a VPN server on the LAN to be reached from the WAN port without having to use the befsx41 VPN server.
LVL 11

Expert Comment

by:ewtaylor
ID: 10733884
Yes, but you could use one of the cheaper VPN passthrough models. The current VPN in place is server to server?

Author Comment

by:RalphG
ID: 10733995
I believe "The current vpn in place is server to server?" to be correct! The only experience I have had with VPN passthrough off-the-shelf router/firewalls is that the passthrough only works from a LAN-based client computer OUT through the WAN port to a server on the WEB, not IN through the WAN across the router/firewall and to a LAN-based VPN server. I have to admit though that this was with an ActionTech router/firewall (I did say I hadn't played with the big toys, didn't I :) )
Please advise!
LVL 11

Expert Comment

by:ewtaylor
ID: 10734180
Then you could use the befsx41 and just do IPsec passthrough. If the tunnel is up and running currently, then it should pose no problem.

Author Comment

by:RalphG
ID: 10734338
If the befsx41 will allow VPN IN through the WAN, across the befsx41 and to a LAN-based VPN server then you have solved my problem without the need for me to build a PC housing moving parts (HD, fan) that could break down. Have you ever done that with a befsx41?
I will test your idea ASAP on a test setup. If it works I will post you the points.
Thanks, Ralph

P.S. ("""Have you ever done that with a befsx41?""")
LVL 11

Expert Comment

by:ewtaylor
ID: 10734607
I have connected to a VPN server from behind the Linksys, and I have hosted from behind a Linksys. I have never done both at the same time; every time I have a Linksys at both ends I set up the hardware router-to-router VPN.

Author Comment

by:RalphG
ID: 10734884
RE "I have hosted from behind a linksys". FANTASTIC! What Linksys model did you host a VPN behind?
I will buy the befsx41 and if I have any problems hosting from behind it I will buy the one you used to host a VPN behind yourself, assuming they are different.
I worried about this problem all day; I am hovering above the "Give this person the points now" button, because you obviously have the solution.

Thanks, a VERY happy Ralph.

P.S. Sorry for dragging this out.
LVL 11

Expert Comment

by:ewtaylor
ID: 10735540
Well, let's wait until the VPN is up and going. I have used the BEFSR41. As long as you will be connecting a single tunnel to a single tunnel it should go OK. I will be here with you until the tunnel is up and running. Did you do an ipconfig on the server yet?

Author Comment

by:RalphG
ID: 10739929
I have to wait till 14:30 to get the command run for me and the results returned, as the member of staff (the most IT-familiar one) I am dealing with is unavailable till then.
The second I get the results I will post them up.
Thanks for all your help ewtaylor, Ralph.

Author Comment

by:RalphG
ID: 10739935
03:58AM PST (The displayed time of my post) = 12:58 on my clock. So just to clarify I mean 14:30 my time : )
LVL 11

Expert Comment

by:ewtaylor
ID: 10740327
No problem, I am in EST.

Author Comment

by:RalphG
ID: 10741040
Following is an "IPCONFIG -ALL":

---------------------------------------------------------------------------------------

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

F:\Documents and Settings\Administrator>ipconfig -all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : tc-sbs
        Primary DNS Suffix  . . . . . . . : taddcom.org
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : taddcom.org

Ethernet adapter WAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com Fast EtherLink 10/100Mb Bus-Master PCI Adapter
        Physical Address. . . . . . . . . : 00-A0-24-01-E4-58
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 213.166.80.186
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 213.166.80.185
        DNS Servers . . . . . . . . . . . : 213.166.79.3
                                            213.166.79.210
                                            213.166.79.211

Ethernet adapter LAN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100+ Server Adapter (PILA8470B)
        Physical Address. . . . . . . . . : 00-02-B3-3B-3D-CA
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2

PPP adapter RAS Server (Dial In) Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 127.0.0.1

F:\Documents and Settings\Administrator>

---------------------------------------------------------------------------------------

Is this good news? Am I right in saying that because the WAN IP ADDRESS of the PPP RAS is 192.168.16.100 there is something port-forwarding to this computer from the internet already?
I hope I can still use my black-box tactic!

Author Comment

by:RalphG
ID: 10741075
How I overlooked the "Ethernet adapter WAN" I have no idea!
LVL 11

Expert Comment

by:ewtaylor
ID: 10741314
It looks like the server is multi-homed (has 2 NIC cards). Can you look at the back of this and confirm?
LVL 11

Expert Comment

by:ewtaylor
ID: 10741442
If so, everything just got a lot easier. We can just plug in the router, assign it a non-routable IP address in the 10.x.x.x range and go with it.

Author Comment

by:RalphG
ID: 10741608
According to the staff, yes, there are two NICs.
LVL 11

Expert Comment

by:ewtaylor
ID: 10741759
Should be a piece of cake then.

Author Comment

by:RalphG
ID: 10745488
Would you be kind enough to explain what you mean by this: "assign it a non routable ip address in the 10.x.x.x range".

My understanding is the following:

# The BEFSR41 router will be setup as:

Ethernet adapter WAN:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 213.166.80.186
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 213.166.80.185
        DNS Servers . . . . . . . . . . . : 213.166.79.3
                                            213.166.79.210
                                            213.166.79.211

Ethernet adapter LAN:
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : - (I don't think this will be an option to set)
        DNS Servers . . . . . . . . . . . : (I don't think this will be an option to set)
        Primary WINS Server . . . . . . . : (I don't think this will be an option to set)

        FORWARD ANYTHING VPN TO 192.168.16.1
        OPEN REMOTE ADMINISTRATION TO MY STATIC IP ONLY

# The actual SBS Computer will be setup as:

Ethernet adapter WAN:
        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 192.168.16.0
        DNS Servers . . . . . . . . . . . : 192.168.16.0

Ethernet adapter LAN:
        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.16.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2

So I guess by "assign it a non routable ip address in the 10.x.x.x range" there is a better way than mine.
Gulp! Would my setup details above even work?
LVL 11

Expert Comment

by:ewtaylor
ID: 10758573
Actually, I just reread the whole thread and looked over all the settings. It would appear they have a firewall in place, or at least the potential to. SBS 2000 is bundled with ISA Server http://www.microsoft.com/sbserver/techinfo/planning/2000/internetsecurity.asp Check and see if it is running; if so, then they are already using a firewall.

Author Comment

by:RalphG
ID: 10761687
The staff are in a pickle about not having an external (to the SBS computer) firewall (management has decided it wants one).

I did some research on the "non routable ip address in the 10.x.x.x range" and presume you mean non-routable from outside the WAN. Because I am not a networker and more a programmer, I am not familiar with the proper naming convention of things I have learnt on the way. I, for example, always use 192.*.*.* as internal IPs because I thought they were non-routable and reserved from the outside world, but did not know 10.*.*.* was also in this set and therefore presumed you meant 10.*.*.* was non-routable from within the LAN, giving the router some form of cleverly masked invisibility, hence transparency from the SBS computer, and hence solving the:
(I don't know what's here - black box tactic)<----->(Nothing gets past me that is not VPN or requested WEB - firewall)<----->(internal network with VPN server - SBS)
problem.

I now see that because the SBS computer has two NICs in it, one for the WAN interface and one for the LAN interface, I should be able to put the befsx41 between the SBS computer's WAN interface and the wall socket that provides broadband to the office. I will need to alter the SBS computer's WAN interface to look for the befsx41's LAN interface, and the befsx41's WAN interface to look for the connection provided by the wall socket.

As you can see, following on the convention apparently already used in the office of 192.168.16.* for internal IPs, I have proposed 213.166.80.186 for the befsx41's WAN with 192.168.16.0 for its LAN, and 192.168.16.1 for the SBS's WAN and 192.168.16.2 for its LAN. The full details of my proposal are in the "04/02/2004 04:05PM PST" post. For the benefit of both myself and others that read this post for help in the future, would you be kind enough to comment on the settings' correctness and likely success?

Ralph.
LVL 11

Expert Comment

by:ewtaylor
ID: 10765652
The problem is you do not want your LAN to have the same IP addressing scheme as the remote LAN. This plays hell with subnet masking and routing. There are certain reserved IP blocks: 192.168.xxx.xxx, 172.16.xxx.xxx - 172.31.xxx.xxx; the 10.xxx.xxx.xxx subnet is another. Anything addressed using these IP addresses is only for local routing and will not pass out the gateway/router. The problem you will run into is that in some cases more is not better; in other words, 2 firewalls are not necessarily better than 1 and will actually cause more problems than it is worth. You have 2 options:

1. Convince management that the Microsoft ISA Server provides all the firewall protection that you need. The benefits of this are that since it is a Microsoft product you get better interoperability. It also speeds up web browsing by caching websites. It will cost you nothing since it is bundled with SBS. The reviews rated it as a good firewall; http://www.serverwatch.com/stypes/servers/article.php/16337_1299821 is one such.

2. Turn off the ISA Server portion of SBS and plug in the external firewall. With this, all the machines would point to the Linksys router as the gateway. You would need to re-set up VPN access to the firewall (since it is currently routing through 2 NICs you would have to totally rip it out and start from scratch). You would need to configure the router for VPN passthrough (not as hard as it sounds; usually only just a few clicks of the mouse). You would also need to readdress the network so that the 2 networks do not conflict.

Either way, I will help you with the decision they make. From an administration and support standpoint it would be better for them if they left it as it is and just verified that ISA Server is indeed running on the SBS. Let me know.

As for the above setup, you cannot assign an IP address of 192.168.16.0 to the router: .0 and .255 are special IP addresses and cannot be used. You would have to assign it as .1, the server as .2, and point to the Linksys as a gateway. You would also want to set up DHCP on the Linksys and have it assign IP information; however, you would need to set a reservation for the server (pretty much making it a static IP address). Then we would have to configure the router to pass IPsec (passthrough on the router) and re-set up the VPN tunnel from both sides.

Author Comment

by:RalphG
ID: 10799325
Thanks for the very detailed response.
I have been away from the question for some time now as I have been researching what you have mentioned so as not to ask questions that would waste your time.

There is no way of convincing management that the built in SBS firewall is good enough for them as they have been informed by two different trusted sources, not me, that it is an external firewall they need. Oh boy, the comments we could both add just here!

I am therefore forced to take your option number 2, "Turn off the ISA server portion of SBS plug in the external firewall". With this I was very worried about "resetup VPN access", "totally rip it out and start from scratch" and finally "readdress the network so that the 2 networks do not conflict", hence the absence for vast quantities of reading and questions.
I now know that the office with the VPN server is the main office housing 10+ computers and there is not just 1 external VPN required but 2. Each of the two external offices that VPN in are home offices with only 1 computer each.
I will pause just there for your advice, as I believe you may advise me to put a befsx41 on every VPN endpoint.

May I just ask though:
If I VPN link two offices together and one office has a computer on its LAN of 192.168.0.5 and the other office has a computer on its LAN with the IP 192.168.0.6 and both subnets were 255.255.255.0 could the two computers ping each other or does the sentence "Anything addressed using these IP addresses is only for local routing and will not pass out the gateway/router" mean they cannot communicate across a VPN?
LVL 11

Expert Comment

by:ewtaylor
ID: 10805487
Okay, so at least you know which direction to head. Actually, re-setting up the VPN is not that hard if you go hardware to hardware. You can start here http://www.linksys.com/support/top10faqs/BEFSX41/Setting%20up%20a%20VPN%20tunnel%20between%20two%20BEFSX41%20routers.asp You see from this link that the Linksys routers support up to 2 VPN tunnels. Yes, each endpoint should have its own BEFSX41 router. The problem with them all being on the 192.168.0.xxx subnet is that it will think it is local LAN routing. The easiest way to set it up is to make the home office 192.168.0.xxx and the satellite offices 192.168.1.xxx and 192.168.2.xxx; this is easy to set up with DHCP and the Linksys routers. Since each home office has only 1 workstation it should be no problem with addressing. Here is a good workup on the private IPs and what they do and what they are http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc1918.html

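The addressing rules ewtaylor gives in his two comments above (the .0 and .255 addresses that cannot be used as hosts, and the need for each VPN endpoint to sit on a different RFC 1918 subnet) checked in Python against the thread's own numbers. This is an added example, not code from the thread; the site names are assumed.

```python
"""Addressing sanity checks for the plan discussed in this thread.
Added example; the site names used below are assumed."""
import ipaddress

# The three RFC 1918 blocks ewtaylor lists as "non routable"
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr is inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def interface_problems(addr, mask, gateway=None):
    """Reasons why addr/mask (and optionally its gateway) is not a usable
    host configuration: the network (.0) or broadcast (.255) address the
    expert warns about, or a gateway that is not a host in the same subnet."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    reserved = {net.network_address, net.broadcast_address}
    problems = []
    if net.prefixlen < 31 and iface.ip in reserved:
        problems.append(f"{addr} is the network or broadcast address of {net}")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append(f"gateway {gateway} is not inside {net}")
        elif net.prefixlen < 31 and gw in reserved:
            problems.append(f"gateway {gateway} is not a usable host address in {net}")
    return problems


def routed_into_tunnel(local_ip, local_mask, remote_ip):
    """Would a host at local_ip/local_mask hand remote_ip to its gateway
    (and so into the VPN)? False means the host believes remote_ip is on
    its own LAN, ARPs for it locally, and the packet never enters the tunnel."""
    local_net = ipaddress.ip_interface(f"{local_ip}/{local_mask}").network
    return ipaddress.ip_address(remote_ip) not in local_net


def vpn_subnet_conflicts(sites):
    """Given {site: cidr}, return sorted pairs of sites whose LANs overlap.
    Such a pair cannot be joined by a site-to-site tunnel without
    re-addressing one side."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Ralph's proposed router LAN address and SBS WAN gateway
    print(interface_problems("192.168.16.0", "255.255.255.0"))
    print(interface_problems("192.168.16.1", "255.255.255.252", "192.168.16.0"))
    # ewtaylor's correction: router .1, server .2, router as gateway
    print(interface_problems("192.168.16.2", "255.255.255.0", "192.168.16.1"))
    # Ralph's question: 192.168.0.5 and 192.168.0.6 at different sites
    print(routed_into_tunnel("192.168.0.5", "255.255.255.0", "192.168.0.6"))
    # ewtaylor's layout: one /24 per site (site names assumed)
    print(vpn_subnet_conflicts({"main": "192.168.0.0/24",
                                "home1": "192.168.1.0/24",
                                "home2": "192.168.2.0/24"}))
```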

Author Comment

by:RalphG
ID: 10814078
First of all, thank you so much for the continued and forthcoming support. Not only do you present the information clearly, but your supporting URLs are providing me with the opportunity to attempt to research in depth what you are kind enough to teach.

I have just purchased a befsx41 for the main office, but whilst in the store I began wondering how to connect the other two befsx41's to the standard broadband sockets that will be at the home-based, single-computer offices. The box reads, under "minimum requirements": "Cable or DSL Modem with Ethernet Connection and Internet Access". I find myself once again asking if you have (1) used such a device before with the befsx41 (I have only used USB ADSL modems directly onto a computer) and (2) what modem did you use with the befsx41? I am going to presume that the home ADSL connections are not cable.

Author Comment

by:RalphG
ID: 10863341
I just couldn't get my head around using the befsx41 at a home address that is on ADSL.
UK ADSL is PPPoA, hence requiring a password. I have been wondering how it would be possible to get the befsx41 to communicate the username and password data it holds in its router across an Ethernet cable to the ADSL modem, so that the modem can establish a broadband connection and pass it back to the befsx41?

This link appears to have my answer:
http://www.expansys.com/product.asp?code=110630
It appears that the modem can be smart enough to store and send its own username and password to establish a PPPoA ADSL connection and pass it out onto an RJ45 port that the befsx41 can connect to. That way the modem is not acting as a router, so it shouldn't interfere with the befsx41's router, and hence the full VPN capabilities of the befsx41 can be used.

What do you think?
LVL 11

Accepted Solution

by:
ewtaylor earned 500 total points
ID: 10868176
You should be able to put it into bridging mode and let the router do the routing. I cannot seem to find that product on D-Link's website, so I cannot download the user manual and confirm.

Author Comment

by:RalphG
ID: 10956509
I am setting up a testing platform and will post results ASAP.
LVL 11

Expert Comment

by:ewtaylor
ID: 10958759
Great!
LVL 11

Expert Comment

by:ewtaylor
ID: 11310335
Well, this should have worked for him. If not, I would be happy to continue troubleshooting it with him...

Author Comment

by:RalphG
ID: 11313435
Through non-related problems I have not finished setting up my testbed system with a friend. I would like to finish that and then post a comprehensive write-up on how to do it all from scratch so others can benefit from all the help ewtaylor has given me. To allow the question to close I will award the, well deserved, points to ewtaylor (sorry for the delay).

If you are reading this for an answer then I will post the total report of how to do it at: http://81.130.194.47/ee/firewall-vpn-router-report.html
when I have finished it.

Ralph.
LVL 11

Expert Comment

by:ewtaylor
ID: 11317039
Thanks, Ralph. Let me know if I can be of any more help...