BAFP

Hardware & Software Firewall combo - will it work in tandem?

Hi All

I have a software firewall and I am now implementing a hardware firewall.

Is it possible to have one working off the other (i.e. Internet connection - Hardware Firewall - Software Firewall - LAN)?

All the LAN PCs connect through the software firewall (transparent proxy) to connect to the internet.

The idea is that the hardware firewall can host VPN connections and better beef up security - whilst the software firewall contains the port forwarding rules and content filtering.

PLEASE HELP - as I can't seem to get it to work properly!
richy92

You can set up two firewalls to work together no problem. The only thing to watch out for is your NAT/PAT settings.
Remember that any incoming port forwarding rules (from outside to inside) will need to be set up on the firewall that connects to the internet - content filtering and transparent proxy should work fine on the other firewall - but I would probably make sure there is no NAT on the firewall closest to the clients. Do your NAT (Hide NAT) and port forward on the one connected to the internet.
Tell me a bit more about the setup and I will try to help.

I would not recommend running 2 firewalls at the same time. This will just cause problems and confusion down the line. It is best that you stick with the hardware firewall, and for your workstations you should have a decent antivirus program without a software firewall. I would also disable the Windows firewall. This one always creates issues. To properly disable the Windows firewall, you need to go into services and manually disable it. Disabling it in the network connections GUI does NOT disable it.

I don't think this is a software firewall on each client - it says transparent proxy so I'm guessing it's a Linux box or similar with two net cards.
There's no reason that can't work before another firewall - I have seen lots of setups like this and I totally understand not wanting to reconfigure all the content restrictions etc.
Maybe BAFP can clarify the exact setup (what the transparent proxy is and how it is configured)
:)

True. I just find that having redundant firewalls can cause unwanted issues.

BAFP

ASKER

Hi All

Thanks for your input.

Richy92, you are right - I have a software firewall - Kerio WinRoute Firewall running on Windows Server 2003. It has all my definitions, traffic rules, port forwarding and content blocking etc.

The transparent proxy works to enable the content blocking and that's all.

The only reason I need a hardware firewall is so that I can get IPSEC VPN tunnels created so that I can get tele-workers to connect to the LAN and use VOIP (the VOIP needs IPSEC VPN tunnels).

Ideally I would connect the hardware firewall and the software firewall would go behind that.

I will try out your suggestions and post my results here!

Thanks for all your help!

You can definitely set it up like that if you wish - if you get stuck I will try and help.

client > software firewall > hardware firewall - make sure any NAT / PAT / external IPs are all on the hardware firewall - leave the software one to do the content filtering / proxy

:)
BAFP

ASKER

Hi Richy

I have tried it out now. The problem I have is that, as both the NICs are on the same network so to speak, the firewall doesn't understand or know which request to use where, i.e. send a web request to the LAN or the WAN.

Any ideas?
BAFP

ASKER

Sorry, I clicked submit before I managed to finish what I wanted to say.

If I kept the firewall IP as 192.168.1.20
IP address of the NIC (on the software firewall) connecting to the firewall as 192.168.1.21
IP address of the NIC (on the software firewall) connecting to the LAN as 192.168.0.5

it all works fine.

The question now is - how do I get the VPN clients to see the LAN, as I presume when they come in their IP will be 192.168.1.xxx?
ASKER CERTIFIED SOLUTION
richy92
This solution is only available to members.
BAFP

ASKER

Hi Richy92

Thanks for all your help - I got it working finally!
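
The address plan discussed in this thread can be checked mechanically. The following is an added example, not code from any poster and not the accepted solution (which is not shown on this page): it flags the "both NICs on the same network" failure and derives the static route the hardware firewall would need to reach the LAN when the software firewall routes without NAT. The /24 masks, the 192.168.1.22 address and all function names are assumptions.

```python
import ipaddress

# Addresses quoted in the thread; the /24 prefix lengths are an assumption.
WORKING = {"hw_lan": "192.168.1.20/24",   # hardware firewall, inside interface
           "sw_wan": "192.168.1.21/24",   # software firewall NIC facing the hardware firewall
           "sw_lan": "192.168.0.5/24"}    # software firewall NIC facing the LAN
# Constructed failing case: both software-firewall NICs in 192.168.1.0/24.
BROKEN = dict(WORKING, sw_lan="192.168.1.22/24")


def check_inner_firewall(plan):
    """Return a list of addressing problems on the inner (software) firewall."""
    hw = ipaddress.ip_interface(plan["hw_lan"])
    wan = ipaddress.ip_interface(plan["sw_wan"])
    lan = ipaddress.ip_interface(plan["sw_lan"])
    problems = []
    # Two NICs in overlapping subnets give the host two connected routes for
    # the same prefix, so it cannot tell LAN-bound from WAN-bound traffic.
    if wan.network.overlaps(lan.network):
        problems.append(f"NIC subnets overlap: {wan.network} and {lan.network}")
    # The hardware firewall must sit in the transit subnet to be a next hop.
    if hw.ip not in wan.network:
        problems.append(f"{hw.ip} is not on transit subnet {wan.network}")
    return problems


def edge_route_to_lan(plan):
    """Static route (destination, gateway) for the hardware firewall.

    Assumes the software firewall does no NAT, so hosts in the transit subnet
    (including VPN clients addressed there) reach the LAN through its WAN-side
    NIC and are still subject to its traffic rules.
    """
    problems = check_inner_firewall(plan)
    if problems:
        raise ValueError("; ".join(problems))
    lan = ipaddress.ip_interface(plan["sw_lan"])
    wan = ipaddress.ip_interface(plan["sw_wan"])
    return str(lan.network), str(wan.ip)


if __name__ == "__main__":
    print("broken plan :", check_inner_firewall(BROKEN))
    dest, gw = edge_route_to_lan(WORKING)
    print(f"working plan: route {dest} via {gw} on the hardware firewall")
```
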