Solved

firewall

Posted on 2004-10-29
Last Modified: 2013-11-16
Good Day,

I work in a large private residence hall at a major university. Our network is part of the larger network, but we control only the subnets attached to the university router. They control the router.

At present, our network and the university's are pretty wide open. We all have public IPs.

Our administrative staff comprise an organizational unit within a campus-wide Windows domain.

We will be soon installing a residence hall management system that will contain personal data of our residents, and we have to come up with a security solution.

The simplest approach I've considered is to put our servers behind a router and limit traffic with ACLs. I am not very familiar with ways this might be defeated, such as spoofing an IP.

Additionally, more and more of our staff are requesting to work from home. Presently, they connect to their Windows machine using Remote Desktop. We have no real control over their home machines.

We have a small staff and not much budget this year, so a state-of-the-art firewall/VPN concentrator is not going to happen soon.

Any thoughts appreciated.

Thanks



0
Question by:apertyx
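The question above asks how a router ACL might be defeated by a spoofed source IP. The following is an added illustration, not code from the thread or from any product named in it; the addresses are constructed documentation ranges standing in for the hall's subnet, and the "inside"/"outside" interface names and port numbers are assumptions. It contrasts an ACL that trusts the source address field alone with the same ACL preceded by ingress filtering (the BCP 38 / RFC 2827 practice of dropping packets whose source address is impossible for the interface they arrived on).

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses (RFC 5737 documentation ranges), not the
# poster's real subnets.
HALL_NET = ipaddress.ip_network("192.0.2.0/24")      # hypothetical residence hall subnet
ADMIN_NET = ipaddress.ip_network("192.0.2.128/25")   # hypothetical admin staff workstations
MGMT_SERVER = ipaddress.ip_address("192.0.2.10")     # hypothetical management server
RDP_PORT = 3389                                      # Remote Desktop, as used by the staff


@dataclass(frozen=True)
class Packet:
    iface: str   # router interface the packet arrived on: "inside" (hall LAN) or "outside"
    src: str     # claimed source IP address
    dst: str     # destination IP address
    dport: int   # destination TCP port


def address_only_acl(pkt: Packet) -> str:
    """Naive ACL: trust the source address field alone.

    Permits traffic to the management server only when the packet *claims*
    to come from an admin workstation. Nothing checks whether that claim is
    plausible, which is the gap the question is asking about.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dst == MGMT_SERVER and pkt.dport == RDP_PORT and src in ADMIN_NET:
        return "permit"
    return "deny"


def anti_spoofing_acl(pkt: Packet) -> str:
    """Same policy, preceded by ingress filtering.

    A packet arriving on the outside interface can never legitimately carry
    an inside source address, and vice versa, so those are dropped before
    the address-based rule is consulted.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside" and src in HALL_NET:
        return "deny-spoofed"
    if pkt.iface == "inside" and src not in HALL_NET:
        return "deny-spoofed"
    return address_only_acl(pkt)


def evaluate(packets: dict, acl) -> dict:
    """Run every labelled packet through one ACL and return {label: decision}."""
    return {label: acl(pkt) for label, pkt in packets.items()}


# Constructed sample traffic, one packet per case of interest.
SAMPLE_PACKETS = {
    "admin_from_lan": Packet("inside", "192.0.2.200", "192.0.2.10", 3389),
    "stranger_from_campus": Packet("outside", "198.51.100.7", "192.0.2.10", 3389),
    "spoofed_admin_from_campus": Packet("outside", "192.0.2.200", "192.0.2.10", 3389),
    "admin_wrong_port": Packet("inside", "192.0.2.200", "192.0.2.10", 445),
}


if __name__ == "__main__":
    for name, acl in (("address-only ACL", address_only_acl),
                      ("anti-spoofing ACL", anti_spoofing_acl)):
        print(name)
        for label, decision in evaluate(SAMPLE_PACKETS, acl).items():
            print(f"  {label:<28} {decision}")
```

The spoofed packet is the one to watch: the address-only ACL permits it because the source field says "admin", while the anti-spoofing ACL drops it because an inside address cannot arrive on the outside interface. Ingress filtering closes that particular trick, but it does not turn a stateless packet filter into a firewall; it still tracks no connection state and inspects no content, which is the distinction the accepted answer below draws.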
13 Comments
 
LVL 1

Accepted Solution

by:
The_Real_Clipper earned 172 total points
ID: 12447419
Hi,

A router with ACLs is better than nothing, although it does NOT replace a firewall. You might start with this as a basic security practice.

You might find affordable combined firewall/VPN appliances at http://www.juniper.net and http://www.symantec.com among others.

If your budget is really limited, the low-cost (but still extremely good) solution is to use an old PC with two Ethernet cards and IPCop:
http://www.ipcop.org/modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=2
which is a free firewall. The knowledge required might prevent you from doing this; you might need to get some help from some Linux guys around.

Hope this helps,
Clipper
0
 
LVL 4

Assisted Solution

by:WerewolfTA
WerewolfTA earned 164 total points
ID: 12447859
apertyx,

Wow, that's a big order.  First, make sure that whatever you're planning to do is cool with your parent IT group or someone over them, if you're into jumping the chain of command.  The best intentions can still get you unemployed.

Hmmm, minimal budget.  Might I suggest a *nix or BSD?  Since you're a Windows shop, or so it sounds, you might be best off with an all-in-one solution, something with a web-based GUI to configure your settings instead of a bunch of text-based commands and much configuration time.  Here are some sites you may wish to take a look at:
http://www.ipcop.org/
http://www.smoothwall.org/

There are others, but those are the 2 I'm familiar with.  Both are pretty easy to work with and will run on older hardware.  That will get you a basic firewall/NAT/VPN/IDS/web-hosting solution.  Once you get comfortable with the basics, you can add on DansGuardian support, which does web content filtering, and antivirus software.  There are some with that already built in, but I don't remember where they're at.  Start going through the forums on those sites and regarding those products, and you'll turn up links to several competitors.

This probably won't do too much to work on your problem of no control over the home PCs' state.  You need something that gives them partial access while it verifies minimal security settings (antivirus with up-to-date defs, maybe a software firewall, Windows patches, etc.).  MS has a deal with that on 2003 Server with RRAS, but that ain't free.  On the other hand, I think education licensing through MS is damn near free.  I don't remember the deal with that.  They covered it in a TechNet briefing I attended, and I thought it sounded really cool, but since we don't let people connect into our network from their home computers (other than our web site/Intranet portal for web apps), I've never looked into it.  Symantec also has something like that, I believe.  You may also wish to look into an alternative to giving them a direct method of accessing their desktop.  Try something like VNC.  It's possible to build a VNC forwarder.  So, they'll VNC into the server and then the server will establish the connection with the desktop.  So, you only have to worry about how secure your server is.  Since it's a specialized Linux box, vulnerabilities present on their Windows home PC should be far less likely to exploit your server.  I believe it was from Ultr@VNC's site that I was reading about VNC forwarders (http://ultravnc.sourceforge.net/).  Ultr@ even has an encryption plugin, so you don't have to worry about establishing a VPN tunnel first.

Your ACLs through one of those all-in-ones probably aren't going to work, either, unless something's changed.  It is possible, for example, to make DansGuardian and Squid work with ACLs, but I think you're going to have to do a regular Linux install with DG and Squid and do a bunch of typing.  It may do by IP ranges, but like you said, an IP address could be reassigned.  If you have a simple access set to set up, like this group gets unlimited Internet access while everyone else gets this set of allowed sites, you could just set up 2 boxes, one wide open and one with the restrictions on it, and set your default gateway accordingly.  Hopefully, you have your boxes locked down so that users can't tinker with them.  Keep everyone from being able to modify or even view their IP settings, and even if somebody comes in with a laptop, they won't know what gateway to point to.  Or, you can set through Group Policy for your limited users, if they have a definite set of sites they should be able to access and no others, a bogus proxy with the legit sites set to bypass that proxy.  Or if there are just some sites you don't want them going to, that should be easy to set up for everyone on the firewall or by machine through a HOSTS file.

Good Luck!
0
 
LVL 7

Assisted Solution

by:shahrial
shahrial earned 164 total points
ID: 12448610
The above are good suggestions. When it's affordable, you may wish to consider an appliance plugged between your router and your subnet switch, such as the Fortinet FortiGate firewall (antivirus firewall / VPN / IDS/IPS / content filtering...etc.).
It's affordable and multi-roled. You can Google it to find out more...;-)
0
 
LVL 4

Expert Comment

by:WerewolfTA
ID: 12448916
That's what our parent IT group uses - the FortiGates.  They love 'em.  I haven't had the need or time to mess with them myself.  Damned expensive, though, at least the models they bought.  They got 2.  It was either $20,000 for both or apiece.  I'm sure there are cheaper models.  The sad thing is, they're only using a fraction of the capabilities.

I have mixed emotions about appliances.  They're simple to use and set up, but limited on upgrading/customizing potential and seem to be pricey.  As an example, we have a Symantec 200R here in our office.  It's been OK, but you can't set it to drop "ping" packets.  WTF?  Even my little $40 Linksys at the house will drop ICMP packets.  Yet this at-the-time several-hundred-dollar business-grade appliance doesn't have that option.  On the other hand, the 200R will do load balancing/failover between 2 WAN connections and failover-only to a serial modem.  That's kind of cool.

Anyway, that's my $.02, something to keep in mind when you do get that money coming in and can get an enterprise-grade solution and you're trying to decide between an appliance and a regular server solution.  What you gain in ease of setup and use you may sacrifice in flexibility and upgradeability.
0
 
LVL 7

Expert Comment

by:shahrial
ID: 12450057
At work, we had evaluated the Symantec box, too. On average, you can get 2 FortiGate boxes for 1 Symantec box of similar specs. As for performance, the FortiGate performs better (in the in-house test we conducted).
Agreed with WerewolfTA on his last comment, the last paragraph, though. ...;-)
0
 
LVL 1

Expert Comment

by:The_Real_Clipper
ID: 12451120
As a side note, remember that an open source solution like the IPCop mentioned earlier is perfect in terms of scalability. You want to add one or more DMZs later? No problem, just add one or more Ethernet cards. You have more traffic? Find a "less old" PC. You have more than one connection? Use BGP, HSRP, load balancing, whatever. For not a single buck more.

In all other cases, more traffic or more interfaces or more clients usually means more licenses, and again, the performance is not better in a relatively small environment like yours.

The issue with security is that you always have to pay for it when you don't need it, and you always wonder "do I really need this? I never had a security problem before". But it's exactly like backups. You don't need them until you've lost everything.

Cheers,
Clipper
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12455825
For home users I would recommend providing them with instructions on getting personal security such as a simple firewall (www.zonelabs.com) and antivirus software. If they have full access to the system, the users will be the weak spot for a compromise within the main part of the system. It is best to prevent the weakness in their system as well as strengthening the main system.

Regards,

Hypoviax
0
 

Expert Comment

by:houber
ID: 12456174
Hi,

You can also try using Safe@Office, which is a Check Point appliance for small business; it supports all your needs and is very easy to install and operate.

regards

houber
0
 
LVL 1

Expert Comment

by:The_Real_Clipper
ID: 14292246
Any update on this? Were our answers useful?

Thanks
Clipper
0
 
LVL 1

Expert Comment

by:The_Real_Clipper
ID: 14880678
Hi apertyx,

Did you find one of our suggestions helpful?

Thanks
Clipper
0
 
LVL 1

Expert Comment

by:The_Real_Clipper
ID: 15379129
apertyx,

Are you able to close this question?

Cheers
Clipper
0
