Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Best security software setup

Status
Not open for further replies.
TSMJ

TSMJ

MIS
Nov 27, 2002
83
Hi
planning on implementing a new security setup some time in the future (in a month or two) and would like advice on the best route to take. I have attempted to use RedHat, Suse, FreeBSD and none have worked - so I am thoroughly pissed off with Linux at the moment, so a windows setup would be preferable. I want something not so easy anyone could do it but something easy for me to manage which is reliable and secure whilst still allowing the LAN use of Kazaa, FTP etc.

Talking about Linux though, I have seen a release called SmoothWall which seems ideal but I dont want to get all excited , try it and find that it won't work. Windows 2000 can use IPSec rules and NAT to firewall my LAN (I'm running a webserver aswell) and that would be more up my street, but I havent tried it before and am not sure how it measures up to other solutions.

Thanks in advance
 
Sort by date Sort by votes
First off, if you are running Kazaa, you might as well not worry about attempting to secure your network, you have just opened it up the biggest trojan currently available.

But I run a smoothwall linux appliance, and it is OK. I personally prefer Astaro, but there is a good thread (or two) in this forum somewhere dedicated to the Linux firewall products.

In my view, the Linux firewalls are much easier to configure than their Windows counterparts, but I am partial to Linux. Windows systems come up and configure easily, but they are a pain in the rear to secure. Linux is easier to secure, but more difficult to set up. I guess you just have to choose your poison.


pansophic
 
Upvote 0 Downvote
I'm pretty much a newbie to Linux and would want to know which version (smoothwall or astaro) would be the best solution for me. I have a hardware router already, behind which is my windows webserver which also shares the internet connection to the LAN side. The only thing is, because I want a secure webserver I need to close down loads of ports and services on the webserver, stopping the use of Kazaa, FTP etc. on the LAN side.

What I was hoping for was a setup whereby the webserver (which I could completely seal up because there would be nothing on the LAN side any more) and another router/gateway machine (for the LAN) would take an internet connection straight from the router. This LAN gateway could run a version of Linux (like astaro or smoothwall) or Windows 2000 server and have more ports open so that the LAN was secure but users can still get the most out of the net by having access to Kazaa FTP sites etc. etc.

Just hoping someone can give me some advice on this, as I have never properly tried any version of Linux really and don't know whether smoothwall or astaro could provide a secure but functional solution, as opposed to a 100% windows setup.
 
Upvote 0 Downvote
Ok....here we go....

Running Astaro or smoothwall is a great way to go. These apps run on a dedicated machine. That machine being your firewall. Simply insert CD, boot computer, and the app installs itself.
Read up on Astaro here: IMO Astaro>Smoothwall
There's a big post about why Astaro is great, but its easier just to DL it and install it. Its free for home users (up to 10 IP addresses anyway)
Oh, and you don't need to know linux to run astaro or smoothwall. If you want to micro-manage it you do, but 99.9% of configuration can be done from a windows machine using a web interface.

Now the firewall would act as your LAN's gateway. You would create rules to allow LAN users to access services. You could then put the webserver in a DMZ, and apply different rules to that. Thus locking it down a bit more than your LAN.

I'll see your DMCA and raise you a First Amendment.
 
Upvote 0 Downvote
Sounds good
I think i know the answer to this already, but does astaro need any tweaking after installation to close security holes up (like windows does?). Nope, didn't think so :)

Assuming that this doesn't screw up when i post this, does this look like what you were talking about:

ROUTER
/ / ASTARO WEBSERVER
FIREWALL
/
LAN

Does anyone know how to set up astaro to serve clients FTP access (as there is no mention of a FTP proxy) or do I have to port forward to the clients? That would be fiddly and insecure wouldn't it?
 
Upvote 0 Downvote
You don't have to set up client access to ftp (as I recall), because outbound connections of all types and to all ports will be allowed (by default, I believe). You may wish to configure the outbound HTTP proxy, but that can be done as a transparent proxy, so you don't have to make any changes to your clients.

Also, your drawing is incorrect. What you want to is have the firewall as the only device connected to your external router. You will have at least three NICs installed on your firewall, one for the external router (unprotected), one for your internal clients (protected), and one for your webserver (DMZ).

The Astaro interface is web-based, so you shouldn't have too much difficulty configuring the rulesets.


pansophic
 
Upvote 0 Downvote
I suppose with the webserver in the DMZ the only internet traffic astaro forwards to the DMZ is intended for the webserver, and so I keep all the firewalls etc. installed on the win2k webserver in the DMZ. Astro then provides the firewall for the LAN only?

It seems like a nice and secure setup... still not sure whether I want to leave 2 machines on 24/7 though... is the idea I suggested not possible then or what?
 
Upvote 0 Downvote
Actually, you only forward web (80 and possibly 443) to your DMZ. The firewall on the Win2K webserver is optional (it won't provide any additional protection). A firewall doesn't block all incoming traffic, it filters that traffic down to only the essential.

Normally, you do not allow ANY inbound connections to your protected network, except from the DMZ. And that is limited to stuff like Database and audit logging (and only if required).

The DMZ network will allow inbound connections from the Internet or the protected network for only the services that you specify. And you can limit those down to whatever is essential.

For instance, if you allow IMAP connections to your mailserver, but only from the protected network, then you can create a rule for that. Allow port 143 from protected net to DMZ, block all others.

You'll probably have to allow SMTP to the DMZ from everywhere.

You can put up an "intranet" web server on a different port (like 8000), and only allow connections from the protected network to the DMZ on 8000.

Etc., etc., etc.


pansophic
 
Upvote 0 Downvote
So is the DMZ firewalled by astaro, but the difference between that and the secure network that the DMZ accepts incoming connetions?
 
Upvote 0 Downvote
Yeah, you'll have three NICs in your firewall. One to the router, one to the LAN, and one to the DMZ.

Routing will be handled by the firewall, as long as you set up appropriate rules.

--------
|Router|
--------
|
-------- -----------
|Astaro| - |Webserver|
-------- -----------
|
--------
| LAN |
--------

Like that see? [thumbsup2]

I'll see your DMCA and raise you a First Amendment.
 
Upvote 0 Downvote
That setup looks great. Cheers guys - you've convinced me to go Linux again, quite a hard task I can assure you![thumbsup2]
 
Upvote 0 Downvote
The router would supply efficient amount of protection alone.

--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
 
Upvote 0 Downvote
Routers can use stateful packet inspection, depending on the router, the IOS version, etc. Routers do an excellent job at protecting networks as long as you know how do it. For an example, just read up on ACLs.

--Sapient2003 - sapient@sapient2003.com
"The worst insecurity is believing you are too secure."
 
Upvote 0 Downvote
IPcop should also be mentioned as a great firewall/router product.

One product whick I am very impressed with is En Gaurde Secure Linux, This is a direct competitor with Astaro Linux and IMHO just as good or possibly better. There is a free "Community" supported version as well.
 
Upvote 0 Downvote
Aaaah! Too many choices! What should I use?
Astaro and guardian digital look the best to me... I have read posts from people who have experienced technical "help" from the creator of Smoothwall and I no longer trust their product to protect my LAN - neither would I use something with such a tacky appearance which has a name like Mallard. I get a feeling IPCop is somehow a bit happy and naive. Whats IMHO though?
 
Upvote 0 Downvote
Whoah nelly, don't go judging applications by appearances and Names.

Try Astaro out as recommended above [;)]
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Ailuin
  • Locked
  • Question
Best Residential proxy provider.
Replies
1
Views
288
AvivBes
AvivBes
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
75
gbayi_omo
gbayi_omo
abhi21
  • Locked
  • Question
Interesting article on Cyber Security
Replies
0
Views
70
abhi21
abhi21
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
110
hairlessupportmonkey
hairlessupportmonkey
jfp23
  • Locked
  • Question
Site to Site VPN Security
Replies
2
Views
94
PScottC
PScottC

Part and Inventory Search

Sponsor

Back
Top