
Hardware & Software Firewall combo - will it work in tandem?

Hi All

I have a software firewall and I am now implementing a hardware firewall.

Is it possible to have one working off the other (i.e. Internet connection - Hardware Firewall - Software Firewall - LAN)?

All the LAN PCs connect through the software firewall (transparent proxy) to connect to the internet.

The idea is that the hardware firewall can host VPN connections and better beef up security - whilst the software firewall contains the port forwarding rules and content filtering.

PLEASE HELP - as I can't seem to get it to work properly!
Asked by BAFP
1 Solution
 
richy92 commented:
You can set up two firewalls to work together no problem. The only thing to watch out for is your NAT/PAT settings.
Remember that any incoming port forwarding rules (from outside to inside) will need to be set up on the firewall that connects to the internet - content filtering and transparent proxy should work fine on the other firewall - but I would probably make sure there is no NAT on the firewall closest to the clients. Do your NAT (hide NAT) and port forwarding on the one connected to the internet.
Tell me a bit more about the setup and I will try to help.
 
Freya28 commented:
I would not recommend running 2 firewalls at the same time. This will just cause problems and confusion down the line. It is best that you stick with the hardware firewall, and for your workstations you should have a decent antivirus program without a software firewall. I would also disable the Windows firewall; this one always creates issues. To properly disable the Windows firewall, you need to go into Services and manually disable it. Disabling it in the Network Connections GUI does NOT disable it.
 
richy92 commented:
I don't think this is a software firewall on each client - it says transparent proxy, so I'm guessing it's a Linux box or similar with two network cards.
There's no reason that can't work before another firewall - I have seen lots of setups like this and I totally understand not wanting to reconfigure all the content restrictions etc.
Maybe BAFP can clarify the exact setup (what the transparent proxy is and how it is configured).
:)
 
Freya28 commented:
True. I just find having redundant firewalls can cause unwanted issues.
 
BAFP (Author) commented:
Hi All

Thanks for your input.

Richy92, you are right - I have a software firewall - Kerio WinRoute Firewall running on Windows Server 2003. It has all my definitions, traffic rules, port forwarding and content blocking etc.

The transparent proxy works to enable the content blocking and that's all.

The only reason I need a hardware firewall is so that I can get IPSEC VPN tunnels created so that teleworkers can connect to the LAN and use VOIP (the VOIP needs IPSEC VPN tunnels).

Ideally I would connect the hardware firewall and the software firewall would go behind that.

I will try out your suggestions and post my results here!

Thanks for all your help!
 
richy92 commented:
You can definitely set it up like that if you wish - if you get stuck I will try and help.

client > software firewall > hardware firewall - make sure any NAT / PAT / external IPs are all on the hardware firewall - leave the software one to do the content filtering / proxy.

:)
 
BAFP (Author) commented:
Hi Richy

I have tried it out now. The problem I have is that both NICs are on the same network, so to speak, so the firewall doesn't understand or know which request to use where, i.e. whether to send a web request to the LAN or the WAN.

Any ideas?
 
BAFP (Author) commented:
Sorry, I clicked submit before I managed to finish what I wanted to say.

If I kept the firewall IP as 192.168.1.20,
the IP address of the NIC (on the software firewall) connecting to the firewall as 192.168.1.21,
and the IP address of the NIC (on the software firewall) connecting to the LAN as 192.168.0.5,

it all works fine.

The question now is - how do I get the VPN clients to see the LAN, as I presume when they come in their IP will be 192.168.1.xxx?
 
richy92 commented:
You need to add a static route on the hardware firewall like so:

Destination net: 192.168.0.0
Destination mask: 255.255.255.0
Next hop: 192.168.1.21

Make sure all clients on the 192.168.0.x net use 192.168.0.5 as their default gateway.
Make sure the default gateway on the software firewall is 192.168.1.20 and that it's set in the properties of the NIC with address 192.168.1.21 - no DFG in the properties of the NIC with 192.168.0.5.

As long as the Windows software firewall will route packets, that will work.
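To show why richy92's static route is what makes the VPN clients reach the LAN, here is an added Python model of the two-firewall routing tables from this thread (it is not code from the thread or from either firewall product). It assumes /24 masks on both networks, that VPN clients land with 192.168.1.x addresses as BAFP presumes, and that the software firewall routes rather than NATs on its 192.168.1.21 side; the hop labels and the LAN and Internet sample addresses are constructed.

```python
import ipaddress

# Addresses from the thread; the /24 masks and the VPN client pool are assumptions.
LAN = ipaddress.ip_network("192.168.0.0/24")      # client LAN behind the software firewall
TRANSIT = ipaddress.ip_network("192.168.1.0/24")  # link net between the firewalls; VPN clients land here
HW_FW_INSIDE = "192.168.1.20"   # hardware firewall, inside address (software firewall's default gateway)
SW_FW_OUTSIDE = "192.168.1.21"  # software firewall NIC facing the hardware firewall
SW_FW_INSIDE = "192.168.0.5"    # software firewall NIC facing the LAN (clients' default gateway)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; next_hop is 'direct', 'WAN' or an IP."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, next_hop) for net, next_hop in table if dst in net]
    return max(matches)[1] if matches else None


def hardware_fw_table(with_static_route):
    """Routing table of the outer (hardware) firewall, with or without richy92's static route."""
    table = [(TRANSIT, "direct"), (DEFAULT, "WAN")]
    if with_static_route:
        table.append((LAN, SW_FW_OUTSIDE))  # destination 192.168.0.0 / 255.255.255.0 via 192.168.1.21
    return table


# Software firewall: directly connected on both NICs, one default gateway set on the 192.168.1.21 NIC.
SOFTWARE_FW_TABLE = [(LAN, "direct"), (TRANSIT, "direct"), (DEFAULT, HW_FW_INSIDE)]


def trace(start, dst, with_static_route):
    """Follow a packet from 'lan-client' or 'vpn-client' toward dst; returns the list of hops."""
    tables = {"hardware-fw": hardware_fw_table(with_static_route), "software-fw": SOFTWARE_FW_TABLE}
    owner = {HW_FW_INSIDE: "hardware-fw", SW_FW_OUTSIDE: "software-fw", SW_FW_INSIDE: "software-fw"}
    device = {"lan-client": "software-fw", "vpn-client": "hardware-fw"}[start]
    hops = [start]
    while True:
        hops.append(device)
        next_hop = lookup(tables[device], dst)
        if next_hop not in owner:  # delivered on a connected net, sent out to the WAN, or no route at all
            hops.append({"direct": "delivered", "WAN": "WAN"}.get(next_hop, "unroutable"))
            return hops
        device = owner[next_hop]  # hand the packet to whichever firewall owns the next-hop address


if __name__ == "__main__":
    print(trace("vpn-client", "192.168.0.50", with_static_route=False))  # ends at WAN: LAN unreachable
    print(trace("vpn-client", "192.168.0.50", with_static_route=True))   # reaches the LAN host
    print(trace("lan-client", "203.0.113.10", with_static_route=True))   # normal outbound path
```

Without the route, the hardware firewall's only match for 192.168.0.x is its default route, so VPN traffic for the LAN is sent toward the Internet instead of to 192.168.1.21. If the software firewall applied hide NAT on its 192.168.1.21 side, VPN clients could not initiate connections into 192.168.0.0/24 regardless of the route, which is why the thread keeps NAT on the outer firewall only.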
 
BAFP (Author) commented:
Hi Richy92

Thanks for all your help - I got it working finally!