Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Dedicated firewall PC?

Status
Not open for further replies.

kev01

IS-IT--Management
May 13, 2003
78
GB
Hi,

I have currently have 2PCs directly connected to a Netgear Firewall Broadband router (at home). It works now.

But, I would like to have a dedicated firewall/Proxy PC.

I am thinking of the below architecture:

Internet----cable Modem---Netgear hardware firewall router---dedicated Firewall PC-----HUB----LAN (2PCs)


What would be the main advantages of having a dedicated firewall PC considering I already have a router with firewall capabilities.

Which firewall/proxy software could I install?


Thanks in advance,
Kev
 
Only if Your Hardware router's features reallly really suck,The Software FW gives You some flexibility and resilence if Your router dies; other than the experience You get by playing around.
 
I would leave the firewall router..Only large corporationgs have two or three firewalls. and thats only because they host web or ftp or other server inbetween the firewalls. I personnal at home have a netgear as my router. I have the option to install ISA server but the netgears serves it purpose just fine. If you telnet into it there are more options u can configure on your netgears. such as port filtering

Thanks, PAUL

 
Your Netgear will work just fine. The only real reason for running two or more firewalls would be as mentioned ealier to protect your systems from being easily hacked from the internet. The netgear already provides that level of security, if you think somone will hack your servers from the inside of your network you could put up dual firewalls as you mention.... I currently run two firewalls because I host Lan parties in which I already know most of these people are hackers and script kiddies so I keep them out of my domain, and keep my game servers from being hacked from the Internet (the game players wont mess with the game servers beacuse that stops their lan Party activites)
[tt]

Internet
|
cable modem
|
Harware F/W
|
Switches ---------------
/ \ Game Servers Lan Parties Software F/W
|
Switches
|
my Domain
[/tt]

This is refered to as a DMZ you can search the web on more information about DMZs What you are showing in your diagram will only afford you a little more security incase someone hacks through your first line of defense (your Netgear F/W)and may complicate your network to the point you don't want (could cause DNS issues, search on 'split brain DNS' aswell). Also concider if the protection merits the added cost of equipment and software.
 

So, the only advantage (if i understood u correctly) of having a dedicated firewall PC in addition to a F/W router is to add only a little more security..

Which firewall/proxy software would be a good idea to install in this kind of environment,

Thanks,
Kev
 
Zone alarm has a free solution which I've heard is pretty good, they also have a Pro (paid for) version. I personally haven't used either one but am told they work good. Another free solution you might think about is a Linux solution. Most hackers (or rather script kiddies) stick with one OS and so will be stopped by the change in Operating System. Of course that may not be a viable option if your not familiar with Linux or Unix.
 
does anyone know if i can install 'smoothwall' on a windows OS?

thanks in advance,
kev
 
Smoothwall includes it's own OS (Linux). You can install it on a machine that currently has Windows on it, but the Windows install will be trashed.
 
In addition to these points, the Netgear DSL router / firewall is not going to provide proxy services. (Which may be a good or bad thing

If Kev runs a proxy-based firewall he will be able to specify what data to receive at an application level. The Netgear unit will most certainly be working at the protocol level.

Of course, if he intends to keep the Netgear in place, there is no point putting a proxy up, because the firewall will block everything before it hits the proxy. He will also see a hit on performance as the proxy will be requesting information (web sites etc) on behalf of his clients. (Unless he caches pages on the proxy, in which case those will be much quicker!)

I can't see any benefit here Kev... what are you trying to achieve? If it is simply increased security you are probably better off selling the PC you were going to use as the proxy and buying another different firewall! (A Watchguard Soho 6tc will be around £300)

Whatever you choose, good luck!

Dave

Dave Bennett
 
Thanks for your message Dave!

But I don't really know what to think now..coz some people say that having a dedicated proxy server (in addition to a harware firewall) increase security while others think that there are no real benefits...

Is there a benefit or not?? :)


looking forward to hear from u all!
thanks so much,
kev
 
LOL guys you guys are to funny. why don't u just install a watchgaurd firebox? it only runs at 700-1500 dollars. or you can get a windows 2000 server with ISA install ...which is a cache and proxy server? that will run u at aroune 2000? see you all the people that are suggesting these things need to anylaze the situation a little better. if you read his first post it say 2 pc (FOR HOME) this isn't a a big company guys. i have a netgear R0-318 and i can assure you that hackers that usaully do port scans can spoof attack or DOS attack me and even get past my router. on top of that it emails me if anyone is trying to attack the router. so if u look closer at the scenario. your netgear router will server you fine. plus your configuration doesn't make since. is your router only 1 port? if so then you would go

router ---HUB---PC's...

Paul
MCSE

Thanks, PAUL

 
Hi Paul,

my router has 4 ports..

cheers,
kev
 
Then do this

Router - ALL PC's

if you telnet into your router there are more options to play with then the web interface. you can block certian ports if you'd like. but by default netgear blocks port 135-139 tcp and icmp requests. so people can't ping your or see whos logged in or any network information on your computer.

Thanks, PAUL

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top