Firewalling 2

Status
Not open for further replies.

ghana123 (MIS)
Jan 4, 2006
I just want to help a friend to make a small network. He bought a D-Link router.

A single computer will work as a server. I will install both Windows 2003 server and Solaris on the server computer. I think I will use VmWare.

The other 3 computers are clients. One is purely Linux and the other two will be Windows Vista.

The router has a built in firewall; this is generally the case.
Is it necessary to have a firewall for the server computer?
How about the client computers? Do they need firewalls?

The next question is on anti-virus program. I think if you install an anti-virus on the server, it is not necessary to install anti-virus programs on 3 clients.

Please do comment on this. I don't know much about those aspects.
 
The DLink router has a 4 or 5 port switch module---5 computers can connect. This usually means that the DLink serves as the authentication device for the PPPoE session to the ISP, with ADSL. This means that all computers are connected to the DLink, and go out to the internet thru the DLink. It is the gateway. When this has the firewall features set on it, it filters packets thru it, so it will be in place for all computers. The strongest "firewall" feature those things have is to block ICMP echo replies, so your computers cannot be "pinged" on the internet, and also NAT so your IP addresses are hidden from the outside world. In this case, it would be best practice to have firewall software on all computers, unless the server will be a web server and can "push" firewall software and antivirus software out. This answers your second question. Also, you could dual boot between Solaris (I am assuming 10 for x86) and Windows 2003, but you will only get full benefits of Solaris from a true SPARC system architecture.

Burt
 
Oh yeah---if Vista won't jive well with the rest of the network, then you won't be able to push antivirus to them. Also, if you are installing Solaris solely to communicate with the Linux boxes, don't forget Linux has Samba stuff...

Burt
 
Thanks for the replies.
The computer which I am going to install Windows 2003 server and Solaris will work as a server.

I downloaded Solaris. It is free now.

He could access the Internet either by using Solaris or Windows 2003 server. I know it is possible to switch between Windows 2003 server and Solaris using GRUB. I know GRUB is built onto Solaris.

However, I prefer to use VmWare.

Is it impossible to make a Solaris server this way? I think the latest Solaris you download from Sun's website is ideal for servers too.

However, there are no SPARC computers involved. I will use 64bit computers. They have AMD processors. I know those processors are not meant for servers. Intel Xeon stuff is for servers.
Why do you think Sun's SPARC gives the best performance?
In this case just home computing.
I would like to hear from you all again.
 
He has a cable modem; I mean his ISP has only cable Internet connections. He has 25MB per second data transfer rate. It is pretty fast as far as I am concerned.
Very soon they will offer him 100MB per second. Towards the end of this year, he will get 100MB per second.
 
Sun SPARC architecture involves more direct buses---you'll see better and faster performance from a 500MHz SPARC processor than you will from a 2.4GHz Intel processor.
Your best bet as far as firewalling on a small budget would be to use Zone Alarm on all clients and for antivirus use Norton---if all clients must go through the server, then the Corporate version of antivirus will work. The only reason you would use a DLink (if it goes to the cable modem) is to interconnect more computers and do NAT. The cable modem should do all this, including PPPoA (A is for ATM, which cable internet uses). If the cable modem does all that is necessary for internet connection, then the way you could interconnect all workstations and servers is with a small workgroup switch.
I have Solaris 10 loaded on an X86 system myself, and I use it mostly for anonymous FTP server.

Burt
 
ghana123,

Not sure what your friend is setting up on his network and how much protection he needs but ........

Since you seem to know your way around Linux, you also might want to look into a hardware firewall with something like IPCop or mOnOwall, both use older PCs with a couple of NICs and are FREE!



I am running IPCop with some add ons and it does a very nice job on an old Dell P3 500 with 512 mgs RAM and a 10 gig HD.

My network is -

                                    --DMZ-Switch--server
FIOS--DLink Router--IPCop Firewall-<
                                    --LAN-switch--computers

He will need/should have anti virus on each Windows machine

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
The computer now I am writing on runs on Fedora Core 5. I have been working with open source for almost 10 years.
Usually, the software packages of Linux include a firewall. So you don't have to bother about firewall. I used Mandriva before. It has a built in firewall.

I am not sure about Solaris. Has it got a built in firewall?

There are cracked programs. Similarly there are cracked anti-virus programs too. He got a couple of cracked anti-virus programs. I know they work the same as authentic programs.
I have some friends using cracked anti-virus programs. Those people use Windows.
It updates automatically. It deceives the server on the other side and updates. It works year after year; never makes a payment. There are ways of deceiving the servers of anti-virus program producers. I don't know how they do it.

I don't use an anti-virus program for this Fedora. I never used anti-virus for Linux.
I know of the existence of anti-virus programs for Linux. They are not cheap.

So-called Corporate version of Norton anti-virus program is ideal if you work only with Windows.

Burstbees uses Solaris. Has it a built in firewall? Do you have an anti-virus program for Solaris?
 
ghana123,

I see you have a limited understanding of what a firewall is or what it should be doing on your network - most networks have a hardware firewall so that the hackers are stopped BEFORE they get to your server :)

Network security is normally set up in layers: D-Link is the first layer, hardware firewall is the next layer, software firewall on the server is the 3rd layer etc.

Also hardware firewall can be used to setup a DMZ - where any servers you want to reach from the outside really should be - but that is what network security is all about.

I will not even go into the pirated software he is using - glad he is able to take advantage of the R&D that the rest of us are paying for :-(



E.A. Broda
CCNA, CCDA, CCAI, Network +
 
CiscoGuy33 wrote the following:

I see you have a limited understanding of what a firewall is or what it should be doing on your network - most networks have a hardware firewall so that the hackers are stopped BEFORE they get to your server.
--------------------------------------------------------------------------------
I believe what you are mentioning here is the firewall built in to the router.
The D-Link router my friend bought has a firewall.
For the best of my knowledge those cheap Netgear or D-Link routers have built in firewalls.

Even if you buy an expensive Cisco router, it has a built in firewall. Those expensive routers are for companies; not for home users. They are very expensive.
If you use a Cisco router, you have a hardware firewall.
Please tell me if I understood wrongly.


The bottom line is that a router has a hardware firewall when it comes to networking. You don't need another piece of hardware as a firewall when you have a router.

 
That is where you need to understand firewalls...
Software firewalls such as Zone Alarm can stop scripts from running on the machines. If you use Internet Explorer rather than Firefox, for example, you must have ActiveX installed to be able to actively use pull down menus in websites. This is one of the favorite programs hackers use to exploit Windows boxes.
There are really no viruses a Linux box can catch...or are there? The operating system, no...but the browsers can be a means of planting trojans.
The hardware firewall of your friend's DLinks, as I have mentioned, only NATs and filters IP addresses, and also blocks pings. The blocking pings is "old school"---hardly anyone really uses scanners that can acquire network shares via IP address...or do they???
The firewall I mentioned, cracked or not cracked, can do things such as encrypt social security numbers, bank account info, etc in a one-way, uncrackable MD5 hash algorithm so that only the intended party can authenticate. Can your DLink do that? Nope.
Hardware firewall technology these days is far inferior to that of what a Cisco 2620XM with adventerprise 12.4 IOS can do. This is one hell of an image that actually looks for trends in TCP connections, otherwise known as CBAC, as well as IPS/IDS. In summary...
You can do what you want, but the firewall plan you have for now is nothing, in light of how you are building the network, i.e. going through the trouble of having one or two client pc's authenticating through a Windows or Solaris server. CiscoGuy33 and I have advised you on what best practices are...
Also, you can build a firewall in Solaris or any Linux distro that is as good or better than that which DLink provides. By the way, FC5 has a good firewall built in as well...it does give you the option to load all the firewall and a bunch of server packages during install. Good luck.

Burt
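One way to realise the layered design the two posters describe (router in front, a Linux or IPCop-style box behind it splitting a DMZ for the server from a LAN for the clients), as an added example that is not from any post in this thread; the interface names, subnets and the published port are assumed values:

```shell
#!/bin/sh
# Added example, not from the thread: an iptables-restore ruleset for the
# three-zone layout discussed above (WAN, DMZ holding the server, LAN holding
# the clients). Interface names, subnets and the published port are assumptions.
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.10.0/24; LAN_NET=192.168.20.0/24
SERVER=192.168.10.10; PUBLISHED_PORT=80

# Emit the ruleset (dry run); pipe it to iptables-restore to apply.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: replies to connections already allowed pass in any direction.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# LAN may start connections to the Internet and to the DMZ server.
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT
# Internet may reach only the published service on the server (after DNAT below).
-A FORWARD -i $WAN -o $DMZ -d $SERVER -p tcp --dport $PUBLISHED_PORT -m conntrack --ctstate NEW -j ACCEPT
# DMZ may fetch updates but never start connections towards the LAN.
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT
-A FORWARD -i $DMZ -o $LAN -j DROP
# Everything else is logged (rate-limited) and dropped.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A FORWARD -j DROP
# The firewall itself answers only to the LAN: SSH for management and ping.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the server's service and hide all inside addresses behind the WAN address.
-A PREROUTING -i $WAN -p tcp --dport $PUBLISHED_PORT -j DNAT --to-destination $SERVER
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# How many rules let zone $1 open new connections into zone $2? (0 means blocked)
count_rules() { build_rules | grep -c -- "-i $1 -o $2 .*-j ACCEPT" || true; }
if [ "${1:-}" = "--apply" ]; then build_rules | iptables-restore; fi
```

Run it without arguments to review the generated rules; `--apply` loads them with iptables-restore, which needs root and a kernel with conntrack support.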
 
ghana123,

You said - "The bottom line is that a router has a hardware firewall when it comes to networking. You don't need another piece of hardware as a firewall when you have a router."

YES, you are 100% safe behind your DLink router, in fact most large companies are replacing Cisco PIXs & ASAs, Check Points, Junipers, WatchGuard Fireboxs and SonicWalls with $45 DLinks :) :) :)

That is why I started off saying "Not sure what your friend is setting up on his network and how much protection he needs but ........"

When you said the ISP connection was 25mg and going up to 100mg and that he is running a Solaris server and several work stations it sounded more than just a "home" network.

Burt and I both have a lot more than just 1 DLink protecting our home networks so it all depends on what you are trying to protect. Just a little bit of difference between a DLink router and a Cisco 2620XM router with adventerprise 12.4 IOS on it. But it all comes down to what you want to protect :)

We both are trying to give you some information so that you can both protect your friends network as well as have a little bit of an understanding what network security is!

If you have nothing to protect or lose then go with the DLink and no anti-virus and you will be just fine!

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
By the way, I am curious how your friend plans to have 100MBps internet service...I mean, that's like close to OC3, which is 100 T1's, or 155MBps. The price of this sort of line costs anywhere between $20,000 and $50,000 a MONTH, depending on where you are. Is your friend AT&T or something???

Burt
 
ghana123,

Yes, I am in sunny Florida :) :)

You said - "You have passed CCNA. I want to sit for the examinations. The problem is nobody is going to pay for it. All my friends who passed CCNA were supported by the employer."

Sorry :-( no one will pay for you .... but it is not that expensive for a few books, several routers, a sim and the Cisco exam

I have been a CCNA for 6 years now so I have taken the CCNA exam 2 times, I have paid it all myself! As well as bought my books, sims and practice routers and switches!

I have also taken (and paid for myself) the CCDA exam, 1 CCNP exam (advanced routing) and my Net + - that is about $800 in exam fees.

This does not include other network/security/design books and a very extensive home Cisco lab that I have been using for CCNA, CCNP and security study - all that I have paid for - NOT my employer :-(

I have also gone to 5 Cisco Networkers conventions in Orlando, Chicago, San Diego, Orlando and New Orleans of which I paid ALL of the cost except for a small part that my employer paid in the first 2.

My point - if it is important to YOU, you do not worry if your boss pays for it or not - it all comes down to what YOU think that YOU need to help YOU become a better IT or network person.

Some are lucky enough to have it all paid for and others like me are not. I would not change a thing because it has helped me a TON in what I do!!!

As NIKE says - Just DO IT !!! If you want it - DO IT !!! Do not make excuses why you can not do it - find a way and just DO IT !!!

And please do not feel I am poking fun at you - I am not - YOU need to determine what is good for YOU - If CCNA will help YOU - JUST DO IT !!!


E.A. Broda
CCNA, CCDA, CCAI, Network +
 
By the way, CiscoGuy33, thank you for the star.
Ghana123, you have one employer that has no idea of the value of CCNA...he is not the only employer in the world. Also, being a UNIX dude, why don't you get a job as a UNIX admin? In the USA, people are always looking for them. Do you have any UNIX certs?

Burt
 