Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cheap firewall solution?

Status
Not open for further replies.
mhenley

mhenley

IS-IT--Management
Aug 25, 2000
27
US
Hello

I work for a small startup company that is getting ready to move our site from the developers office to our office. I want to set up some sort of security to the site but I'm new to the firewall world and need some advice...

Here's our setup: A full T1, Cisco 2620 Router, and Win2k servers. As we are a very new company, we don't have much $ left for security. I had suggested we buy a hardware firewall (maybe the SonicWall Pro) but budget constraints pretty much shut that down. So, in the interim, I need to find something cheap (<$500). I have disabled Guest, renamed Administrator, and other obvious 2k security issues, but I think I should at least be blocking ports 136 & 137 (UDP). I am seriously considering getting a cheap PC and loading ZoneAlarm or something similar and setting it between our Router and the network. Has anyone tried this approach on a Web site that (hopefully) will get a lot of traffic? Would a faster PC be better? Dual NIC's? Am I an idiot for even considering a software solution?

Thanks in advance for any help with this...

Matt.

 
Sort by date Sort by votes
You may be making a mistake by rushing into this without the budget to provide adequate protection. What was that line from The Texas Chainsaw Massacre? &quot;Never skimp on the meat!&quot;

Make sure you do your research before you decide that cheaper is better or that it will work at all.

Here are some links you might want to take a look at before you commit risks to your fledgling company:


Good luck!
VCA.gif

Alt255@Vorpalcom.Intranets.com
 
Upvote 0 Downvote
You could add basic packet filtering right on the Cisco. Not a complete solution, but adequate to stop specific types of traffic.
 
Upvote 0 Downvote
Most of the attacks that i know of involve either telnet or ftp. Some of the other ones include Netbios which win2000 uses. A firewall would block these atacks effectively, but it may be easier and less costly, to simply not use telnet,ftp or netbios and maintain the webserver not using any type of remote control.....

good luck

ackka
ackka@mad.scientist.com
duke_wave.gif
Java is the Future
 
Upvote 0 Downvote
Perhaps you may think of installation a proxy server which has some advantages and firewall functions.

There are cheap solutions for personal use even free.

hnd
hasso55@yahoo.com

 
Upvote 0 Downvote
In the past, we've used GNATbox on an old '486 from the junkpile. But with rather more work, you could implement complete Network Address Translation, port blocking, and DMZ/Private security zones using such a modest bax and FreeBSD unix.

I'm not particularly a Unix partisan, just that the system demands are much less, so that an effective solution may be had from petty cash...
 
Upvote 0 Downvote
It would probably add to your latency, but have you looked at one of the broadband sharing devices? The NetGear (which I use at home) and the LinkSys units use NAT and have basic firewall capabilities. I've tested mine against Steve Gibson's site ( and the NetBIOS was totally hidden. Cost is about $150 at BestBuy/CompUSA.

Chip H.
 
Upvote 0 Downvote
Forgot to add, I haven't been able to get the NetGear to work with our VPN, but a systems guy here at work has been able to get his Linksys to work with it. (if VPN is important to you).

Chip H.
 
Upvote 0 Downvote
UPDATE: We decided on the 3Com OfficeConnect 25 (got it for $545). So far no problems. Unit is very similar in many ways to the LinkSys unit that chiph talks about. We have a LinkSys here that we use with our cable modem connection for NAT, DHCP on our internal network (Web and DB servers are on their own subnet).

If I have any problems with the 3Com (knock on wood) in the future I will post them here in case anybody is interested...
 
Upvote 0 Downvote
I know that I have pushed this product on the forum to much already, though I am sold on the inexpensive, highly secure firewall software offered at Network ICE. Consider using BlackICE Defender, it has grate support at its site, it has been tested against high dollar firewall systems and came out #1. It is also configurable, and has automatic settings as well. For product information try this link and for product documentation view this file:
 
Upvote 0 Downvote
James,
I read that as well. They mention Steve Gibson's site in there. Gibson Research has a rating chart up on how various products stack up against his Leak Test tool. ZoneAlarm seems to be the tightest. Everyone can check it out here: Jeff
masterracker@hotmail.com

If everything seems to be going well: you don't have enough information.......
 
Upvote 0 Downvote
If you are familiar with Unix, or know someone who is, there is probably no better low-cost firewall solution than one of the free *BSDs, such as FreeBSD or OpenBSD, using IP Filter and natd.

Even a low-end Pentium 90 with 32 MB of RAM (which you can probably find for free), will do an awesome job, and as long as the hardware stands up, these things can run for months or years without a reboot. I am convinced that OpenBSD and FreeBSD are much more secure than a standard Linux distribution, (just browse the vulnerability reports).

All you need is a small hard drive and two NICs, one for the outside IP, and one for the internal network, and then you can control who and what has access in and out of your network.

Check out
Also see thread619-41784
 
Upvote 0 Downvote
I've got a few small business LANs that I help maintain. I'm not entirely comfortable with my currently recommended security solutions, so I've got some questions.
But first, the facts: These are very small businesses with <5 workstations. All are peer-to-peer. Depending on the user's preferences, I've got Black Ice, ZA, or Norton's personal firewalls on all machines. I've started installing the small NAT routers (I use the Barricade, but I see Linksys mentioned a lot) to replace hubs.
1: How can I tell if the router is under attack?
2: What settings should I use for the router, other than default? I'm not enabling any ports unless I plan to use them.
3: I've seen comments about increased latency when using routers as I have. I've experienced difficulty in using the internet on my home LAN with the above setup. It seems like sometimes I just can't get certain connections to work anymore. Then, at other times they'll work fine. Could have something to do with peak hours. Could have something to do with increased latency. What do you think?
4: Can the router itself be used to &quot;bounce&quot; an attack? I would hope it is too &quot;dumb&quot; to do that, but I'd guess they are making these things smarter and more accessible for the home user.
5: Am I asking the right questions?

I'm trying to learn more, so comments are appreciated.
 
Upvote 0 Downvote
I would suggest IPChains set up on a Linux box or a free version of BSD. IPChains is very configurable,while BSD is more secure than Linux for an OS. The commercial version of BSD is much more secure then the free versions but cost quite abit more. IPChains will provide the same type of security that BSD can as a firewall.

I would look at both BSD and IPChains on Linux.

All software has issues, we must weight the Pros and Cons.
I suggest you research it for your self before you decide.

 
Upvote 0 Downvote
I would question the statement that the commercial BSD is more secure than the free ones, at least for OpenBSD. The tagline on the website ( is &quot;Three years without a remote hole in the default install!&quot;. That's pretty impressive, and beats just about any commercial OS hands down.

I think that in the right hands, any *BSD can be made secure, but OpenBSD has made that their forté.
 
Upvote 0 Downvote
you could use ISA form microsoft, if you are a partner.
or get a cheap box and load up IPchains, linux firewall software. easy to configure and easy to maintain
 
Upvote 0 Downvote
I have done a lot of looking into personal firewalls, and some research into industry-strength ones. Here's my 2 cents worth:

Personal firewall:
- Hardware NAT (LinkSys available at Amazon for $99: + software firewall (ZoneAlarm $40 for commercial use: (also could consider Norton: ZoneLabs passes GRC's LeakTest, and I think Norton does, too (test it). *Don't* recommend BlackIce defender, as it does *not* pass that test, and also caused several boot problems on my system. I now use ZoneAlarm.

Industry-strength firewall:
- Borderware Firewall Server (comes with its own hardened OS) (cost: $2K+) ( or Cisco Secure Pix (
BTW: Solaris 8 is the only modern OS to receive EAL4 (NT has EAL3).

Common Criteria home page:
 
Upvote 0 Downvote
Cisco Secure Pix

Used one of these at my last job. Very nice. But not cheap.

We'd look at the logs and see someone doing an IP address scan a couple of times each week. Got to be annoying, looking up their ISP and sending a &quot;Stop this guy&quot; email. It might be nice to automate that in some way.

Chip H.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
111
hairlessupportmonkey
hairlessupportmonkey
hall5942
  • Locked
  • Question
open firewall port on 881
Replies
0
Views
80
hall5942
hall5942
hall5942
  • Locked
  • Question
open firewall port on 881
Replies
0
Views
75
hall5942
hall5942
RodneyMcSnow
  • Locked
  • Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
76
ChrisHirst
ChrisHirst
DataCenter23
  • Locked
  • Question
Cisco Firewall Help!
Replies
1
Views
62
imbadatthis
imbadatthis

Part and Inventory Search

Sponsor

Back
Top