Solved

firewall

Posted on 2004-10-29
Last Modified: 2013-11-16
Good Day,

I work in a large private residence hall at a major university. Our network is part of the larger network, but we control only the subnets attached to the university router. They control the router.

At present, our network and the university's is pretty wide open. We all have public IPs.

Our administrative staff comprise an organizational unit within a campus wide windows domain.

We will be soon installing a residence hall management system that will contain personal data of our residents, and we have to come up with a security solution.

The simplest approach I've considered is to put our servers behind a router and limit traffic with ACLs. I am not very familiar with ways this might be defeated, such as spoofing an IP.

Additionally, more and more of our staff are requesting to work from home. Presently, they connect to their windows machine using remote desktop. We have no real control over their home machines.

We have a small staff and not much budget this year, so a state-of-the-art firewall/VPN concentrator is not going to happen soon.

Any thoughts appreciated

Thanks



0
Question by:apertyx
    11 Comments
     
    LVL 1

    Accepted Solution

    by:
    Hi,

    A router with ACL is better than nothing, although it does NOT replace
    a firewall. You might start with this as a basic security practice

    You might find affordable combined firewall/vpn appliances at
    http://www.juniper.net and http://www.symantec.com among others.

    If your budget is really limited, the low cost (but still extremely good) solution
    is to put an old PC with two ethernet cards and IPCop:
    http://www.ipcop.org/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=2
    which is a free firewall. The knowledge required might prevent you from doing this; you
    might need to get some help from some Linux guys around.

    hope this helps
    Clipper
    0
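The spoofing worry raised in the question, as an added example that is not from this thread: a small first-match ACL simulator (constructed addresses and interface names, not the asker's network) showing that an ACL keyed on source address alone accepts a packet that forges a hall address, while an ACL that applies ingress filtering (RFC 2827) by arrival interface and then permits only the needed services drops it.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.20.0.0/24")   # constructed residence-hall subnet
SERVER = ipaddress.ip_network("10.20.0.10/32")  # constructed management server
ANY = ipaddress.ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "iface src dst proto dport")  # iface = arrival interface

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    iface: str = "*"                  # interface the packet arrived on; "*" = any
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: str = "*"
    dport: int = 0                    # 0 = any destination port

def matches(rule, pkt):
    return (rule.iface in ("*", pkt.iface)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto in ("*", pkt.proto)
            and rule.dport in (0, pkt.dport))

def evaluate(rules, pkt):
    # First matching rule decides; anything unmatched is dropped (implicit deny).
    for rule in rules:
        if matches(rule, pkt):
            return rule.action == "permit"
    return False

# Naive policy: trust any packet that merely claims an inside source address.
NAIVE = [Rule("permit", src=INSIDE, dst=SERVER)]
# Hardened policy: ingress filtering (RFC 2827) first, then only the needed service.
HARDENED = [
    Rule("deny", iface="outside", src=INSIDE),   # inside addresses never arrive from outside
    Rule("permit", iface="inside", src=INSIDE, dst=SERVER, proto="tcp", dport=3389),
]

# Constructed traffic: "spoofed_rdp" forges a staff address but arrives on the outside interface.
SAMPLES = {
    "staff_rdp": Packet("inside", "10.20.0.50", "10.20.0.10", "tcp", 3389),
    "spoofed_rdp": Packet("outside", "10.20.0.50", "10.20.0.10", "tcp", 3389),
    "outsider_rdp": Packet("outside", "198.51.100.7", "10.20.0.10", "tcp", 3389),
    "staff_telnet": Packet("inside", "10.20.0.50", "10.20.0.10", "tcp", 23),
}

def compare():
    # {name: (naive_permits, hardened_permits)} for every sample packet
    return {n: (evaluate(NAIVE, p), evaluate(HARDENED, p)) for n, p in SAMPLES.items()}
```

A router ACL or an IPCop/iptables rule set expresses the same ordering: the anti-spoofing deny on the outside interface comes before any permit, and the implicit deny at the end catches everything not listed. This is a stateless per-packet view; a real firewall adds connection tracking on top of it.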
     
    LVL 4

    Assisted Solution

    by:WerewolfTA
    apertyx,

    Wow, that's a big order.  First, make sure that whatever you're planning to do is cool with your parent IT group or someone over them, if you're into jumping chain of command.  The best intentions can still get you unemployed.

    Hmmm, minimal budget.  Might I suggest a *nix or bsd?  Since you're a Windows shop, or so it sounds, you might be best to get an all-in one solution, something with a web-based gui to configure your settings instead of a bunch of text-based commands and much configuration time.  Here are some sites you may wish to take a look at:
    http://www.ipcop.org/
    http://www.smoothwall.org/

    There are others, but those are the 2 I'm familiar with.  Both are pretty easy to work with and will run on older hardware.  That will get you a basic firewall/nat/vpn/ids/web-hosting solution.  Once you get comfortable with the basics, you can add on dansguardian support, which does web content filtering, and antivirus software.  There are some with that already built in, but I don't remember where they're at.  Start going through the forums on those sites and regarding those products, and you'll turn up links to several competitors.

    This probably won't do too much to work on your problem of no control over the home pc's states.  You need something that gives them partial access while it verifies minimal security settings (antivirus with up-to-date defs, maybe a software firewall, Windows patches, etc.).  MS has a deal with that on 2003 Server with RRAS, but that ain't free.  On the other hand, I think education licensing through MS is damn near free.  I don't remember the deal with that.  They covered it in a TechNet briefing I attended, and I thought it sounded really cool, but since we don't let people connect into our network from their home computers (other than our web site/Intranet portal for web apps), I've never looked into it.  Symantec also has something like that, I believe.  You may also wish to look into an alternative to giving them a direct method of accessing their desktop.  Try something like VNC.  It's possible to build a VNC forwarder.  So, they'll VNC into the server and then the server will establish the connection with the desktop.  So, you only have to worry about how secure your server is.  Since it's a specialized Linux box, vulnerabilities present on their Windows home PC should be far less likely to exploit your server.  I believe it was from Ultr@VNC's site that I was reading about VNC forwarders (http://ultravnc.sourceforge.net/).  Ultr@ even has an encryption plugin, so you don't have to worry about establishing a VPN tunnel, first.

    Your ACLs through one of those all-in-ones probably aren't going to work, either, unless something's changed.  It is possible, for example, to make Dansguardian and Squid work with ACLs, but I think you're going to have to do a regular Linux install with DG and Squid and do a bunch of typing.  It may do by IP ranges, but like you said, an IP address could be reassigned.  If you have a simple access set to set up, like this group gets unlimited Internet access while everyone else gets this set of allowed sites, you could just set up 2 boxes, one wide open and one with the restrictions on it, and set your default gateway accordingly.  Hopefully, you have your boxes locked down so that users can't tinker with them.  Keep everyone from being able to modify or even view their IP settings, and even if somebody comes in with a laptop, they won't know what gateway to point to.  Or, you can set through group policy for your limited users, if they have a definite set of sites they should be able to access and no others, a bogus proxy with the legit sites set to bypass that proxy.  Or if there are just some sites you don't want them going to, that should be easy to set up for everyone on the firewall or by machine through a HOSTS file.

    Good Luck!
    0
     
    LVL 7

    Assisted Solution

    by:shahrial
    The above are good suggestions. When it's affordable, you may wish to consider an appliance plugged between your router and your subnet switch such as the FortiNet Fortigate firewall (AntiVirus Firewall / VPN / IDS/IPS / Content-Filtering...etc.).
    It's affordable and multi-roled. You can google it to find out more...;-)  
    0
     
    LVL 4

    Expert Comment

    by:WerewolfTA
    That's what our parent IT group uses - the fortigates.  They love 'em.  I haven't had the need or time to mess with them myself.  Damned expensive, though, at least the models they bought.  They got 2.  It was either $20,000 for both or apiece.  I'm sure there are cheaper models.  The sad thing is, they're only using a fraction of the capabilities.

    I have mixed emotions about appliances.  They're simple to use and set up, but limited on upgrading/customizing potential and seem to be pricey.  As an example, we have a Symantec 200R here in our office.  It's been ok, but you can't set it to drop "ping" packets.  WTF?  Even my little $40 linksys at the house will drop icmp packets.  Yet this at-the-time several hundred dollar business-grade appliance doesn't have that option.  On the other hand, the 200R will do load-balancing/failover between 2 WAN connections and failover-only to a serial modem.  That's kind of cool.  

    Anyway, that's my $.02, something to keep in mind when you do get that money coming in and can get an enterprise-grade solution and you're trying to decide between an appliance and a regular server solution.  What you gain in ease of setup and use you may sacrifice in flexibility and upgradeability.
    0
     
    LVL 7

    Expert Comment

    by:shahrial
    At work, we had evaluated the Symantec box, too. On average, you can get 2 Fortigate boxes for 1 Symantec box of similar specs. As for performance, the Fortigate performs better (in the in-house test we conducted).
    Agreed with WerewolfTA on his last comment, the last paragraph, though. ...;-)
    0
     
    LVL 1

    Expert Comment

    by:The_Real_Clipper
    As a sidenote, remember that an open source solution like IPCop mentioned
    earlier is perfect in terms of scalability. You want to add one or more DMZs later?
    No problem, just add one or more ethernet cards. You have more traffic? Find a "less old"
    PC. You have more than one connection? Use BGP, HSRP, load balancing, whatever. For
    not a single buck more.

    In all other cases, more traffic or more interfaces or more clients means more licenses
    usually, and again, the performances are not better in a relatively small environment like
    yours.

    The issue with security is that you always have to pay for it when you don't need it, and
    you always wonder "do I really need this, I never had a security problem before". But it's
    exactly like backups. You don't need them until you've lost everything.

    Cheers
    Clipper
    0
     
    LVL 5

    Expert Comment

    by:Hypoviax
    For home users I would recommend providing them with instructions on getting personal security such as a simple firewall (www.zonelabs.com) and antivirus software. If they have full access to the system, the users will be the weak spot to a compromise within the main part of the system. It is best to prevent the weakness in their system as well as strengthening the main system.

    Regards,

    Hypoviax
    0
     

    Expert Comment

    by:houber
    Hi,

    You can also try using Safe@Office, which is a Check Point appliance for small business; it supports all your needs and is very easy to install and operate.

    regards

    houber
    0
     
    LVL 1

    Expert Comment

    by:The_Real_Clipper
    Any update on this, were our answers useful?

    Thanks
    Clipper
    0
     
    LVL 1

    Expert Comment

    by:The_Real_Clipper
    Hi apertyx,

    did you find one of our suggestions helpful?

    Thanks
    Clipper
    0
     
    LVL 1

    Expert Comment

    by:The_Real_Clipper
    apertyx,

    Are you able to close this question?

    Cheers
    Clipper
    0