Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Is a firewall on the Internet access point enough? 3

Status
Not open for further replies.
flipineck

flipineck

Technical User
Dec 23, 2002
26
GB
Hi guys,
Can't wait to get to a point where I'm answering more questions than asking them. I work for a place where a few of the tutors have been assigned part time technical roles. We're okay with normal routine networking and computer duties but no way expert network/Internet techs.
We've just got our own Internet access, which we did through a 2000 server. Computers attached to hubs, hub attached to server and server attached to a BT box.
The original idea was to have Sygate Firewall Pro software on the Server and AntiVirus software on every machine, but we've been told we need more.
We were told that the firewall on the server would only protect the server and not the machines connected through it, for Sygate to be used, we would need every machine to have Firewall software on it. Apparently because a hacker go over/around the server directly to the connected machines.
The machines connected to the server use DHCP with the private addresses of 192.168.0.x

Is this is true, what kind of security solution would we be looking at. I don't mind spending hours and hours researching the issue but having a starting point would be great.
Also, where's the best place to learn Anti-hacking/Security issues, I want to learn to drive the car before opeining the bonnet.

Cheers all.
 
Sort by date Sort by votes
If your Firewall works similar a Proxy Server (Is there an other Way?) then this firewall on the Internet Entry Point should be enough.
But if your Server is connected to the Internet via the same Adapter like the local Network then you could get Problems.

hnd
hasso55@yahoo.com

 
Upvote 0 Downvote
Thanks for the prompt reply.
We've not yet configured the server to anything else but allowing Internet access, it was all a 'get it done in two weeks or we all die'. Our old ISP's contract cut off at the end of the year.
The systems safe at the minute, we turned it all off for the Christmas break, but we need to implement some kind of security for it's power up. I know no firewall is 100% proof, but we need something that will at least keep the kiddies out
The 2000 server has 2 nic cards in it, one to the network hubs and the other to the BT box. One nic card has a pernament IP address and the other has assigned itself 192.168x.y.
I know this is a huge area to cover, but any pointers would be most welcome.
I've loaded my printer up to full chuff with paper, and have candles waiting to burn.
Thanks again.
 
Upvote 0 Downvote
1. make sure all of your clients are going through the firewall (and not directly through the internet router)
-> check default gateway
2. a host based firewall may not be enough to protect your environment. You don't only want to check incoming traffic from the internet, but also traffic coming from your LAN, going to the internet;
so a dedicated firewall (either on the router or on a dedicated server) is the ideal solution --------------------------------------------------------------------
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
 
Upvote 0 Downvote
Thanks peterve for the link,
I went through it and found a lot of info, I did get bogged down in the technical stuff though, maybe it was the amount of Christmas and new year booze I've consumed over the last few days.
All the clients will be going through the server to the internet, so their gateway IP is the server, but I didn't have to set that up, the 2000 server using DHCP did that itself. The hosts can connect to the Internet through the server using the BT Box. I do know how to set up the Gateway and the DNS IP addresses, but Win2000 did it itself using DHCP. It worked, so I left it to it's own devices.
My original thoughts was that the computers going in and out of the 2000 server to the Internet would be protected by the server 2000 Sygate Firewall, any new software requiring Internet access would flag up on the server firewall software, ie/ ask/allow/block.
My concerns were arose because somebody with more info than myself stated that only the server would be protected with a Sygate firewall, I don't know wether that's true or not, he was going to give us a full rundown in a few days but that was two weeks ago. Maybe he's full of the Christmas spirit as well.

The link provided did give a lot of detail, mainly for Unix/Linux users. I have used Mandrake Linux before but only in a small way.
I know network security is a big area, a very big area, but at the moment I would be gratefull for any tips for protectng this kind of network.

BT Hub->2000 Server->Hubs->Network

Cheers again.


 
Upvote 0 Downvote
Okay since your server is your internet gateway and is protected, any machines using the server as the gateway should be protected aswell (your current setup).

The best way I can think of (and I am no pro by far) would be to block a few outgoing ports (including 80) on the firewall software and then see if you can browse web-sites on your client machines. If you can then they are not protected by the firewall, if they cannot then they are protected.

Hope you have some success mate.
 
Upvote 0 Downvote
In regards to the firewall, as people have said before, if all users are proxing through this machine to get to the internet then the dedicated firewall will filter traffic. Make sure that the firewall is designed to block ALL traffic. Once that is set up, open only the ports that you need (80,21,25...)
Here is a list of all ports along with their respective service:

You should also take a look at this article, since the best firewall in the world can crumble if the OS it is sitting on is not secured.
________________________________________
Check out
 
Upvote 0 Downvote
Thanks all,

Excellent idea, block everything then slowly allow what you need. Although I've still got a shed full of stuff still to read, the answers becoming clearer. Cheers for the links and the help.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
723
Sameer258
Sameer258
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
543
nnaarrnn
nnaarrnn
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
747
Shmid
Shmid
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
201
hairlessupportmonkey
hairlessupportmonkey
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
171
Russtoleum
Russtoleum

Part and Inventory Search

Sponsor

Back
Top