Hi list,

I have just been appointed net admin at the company I work for. Although I have some experience with Suse Linux and networks I have not yet dealt with firewall configuration etc.

The problem: We are considering installing an ADSL connection (newly available in Greece) and I was discussing whether to use a PC as the firewall/router or a Cisco router. The problem is mainly a security one, as having a static IP enables someone on the Internet to attack us. Also, is there any reason for the firewall and router software to run on separate machines? Is there any set-up anyone would propose for the network? There won't be any web server at least for a couple of months or more. The only computers needing access to the Internet will be our mail server (?) and about 5 PCs.

If this is off topic for the list can somebody please point me to any other?

Socrates Alichanides (MIEE)
Engineer
This is slightly off topic. It would probably be better suited to the netfilter mailing list (http://www.netfilter.org/).

Use one PC as router/firewall/proxy/gateway ... we do this for 4 networks on a single PC with 128MB RAM, a lot cheaper than a Cisco 1610 or above ...

Ray

On Fri, 2003-07-11 at 10:53, Socrates Alichanides wrote:
> Hi list,
> I have just been appointed net admin at the company I work for. Although I have some experience with Suse Linux and networks I have not yet dealt with firewall configuration etc. The problem: We are considering installing an ADSL connection (newly available in Greece) and I was discussing whether to use a PC as the firewall/router or a Cisco router. The problem is mainly a security one, as having a static IP enables someone on the Internet to attack us. Also, is there any reason for the firewall and router software to run on separate machines? Is there any set-up anyone would propose for the network? There won't be any web server at least for a couple of months or more. The only computers needing access to the Internet will be our mail server (?) and about 5 PCs.
> If this is off topic for the list can somebody please point me to any other?
> Socrates Alichanides (MIEE) Engineer
--
Raymond Leach
On Fri, 2003-07-11 at 05:09, Ray Leach wrote:
> This is slightly off topic. It would probably be better suited to the netfilter mailing list (http://www.netfilter.org/).
> Use one PC as router/firewall/proxy/gateway ... we do this for 4 networks on a single PC with 128MB RAM, a lot cheaper than a Cisco 1610 or above ...
> Ray
This is great if you have a small office on a tight budget. But how do you place a price on the security of your network and proprietary data? In the case of security I always buy the "best" product for the job and find it better to use separate boxes for the router and firewall to help make it harder to break into the network.

Ken
> On Fri, 2003-07-11 at 10:53, Socrates Alichanides wrote:
> > Hi list,
> > I have just been appointed net admin at the company I work for. Although I have some experience with Suse Linux and networks I have not yet dealt with firewall configuration etc. The problem: We are considering installing an ADSL connection (newly available in Greece) and I was discussing whether to use a PC as the firewall/router or a Cisco router. The problem is mainly a security one, as having a static IP enables someone on the Internet to attack us. Also, is there any reason for the firewall and router software to run on separate machines? Is there any set-up anyone would propose for the network? There won't be any web server at least for a couple of months or more. The only computers needing access to the Internet will be our mail server (?) and about 5 PCs.
> > If this is off topic for the list can somebody please point me to any other?
> > Socrates Alichanides (MIEE) Engineer
On Fri, 2003-07-11 at 13:01, Ken Schneider wrote:
> On Fri, 2003-07-11 at 05:09, Ray Leach wrote:
> > This is slightly off topic. It would probably be better suited to the netfilter mailing list (http://www.netfilter.org/).
> > Use one PC as router/firewall/proxy/gateway ... we do this for 4 networks on a single PC with 128MB RAM, a lot cheaper than a Cisco 1610 or above ...
> > Ray
> This is great if you have a small office on a tight budget. But how do you place a price on the security of your network and proprietary data? In the case of security I always buy the "best" product for the job and find it better to use separate boxes for the router and firewall to help make it harder to break into the network.
> Ken
Yes, maybe I should qualify that.

We have one machine that performs as above, then we have a Cisco 2501 (kind of overkill) that gets hooked up to the ISDN line.

The router/firewall/proxy/dns/etc Linux all-in-wonder box is for the internal network and zones.
--
Raymond Leach
Ken Schneider wrote:
> On Fri, 2003-07-11 at 05:09, Ray Leach wrote:
> > This is slightly off topic. It would probably be better suited to the netfilter mailing list (http://www.netfilter.org/).
> > Use one PC as router/firewall/proxy/gateway ... we do this for 4 networks on a single PC with 128MB RAM, a lot cheaper than a Cisco 1610 or above ...
> > Ray
> This is great if you have a small office on a tight budget. But how do you place a price on the security of your network and proprietary data? In the case of security I always buy the "best" product for the job and find it better to use separate boxes for the router and firewall to help make it harder to break into the network.
We've deployed lots of Linux firewalls, and that's all they do. Keep services, and therefore potential weaknesses, to an absolute minimum. Put the proxy, routing etc. on a separate box.

Cheers, Laurie.

--
Laurie Brown
laurie@brownowl.com
> We are considering installing an ADSL connection (newly available in Greece) and I was discussing whether to use a PC as the firewall/router or a Cisco router. The problem is mainly a security one, as having a static IP enables someone on the Internet to attack us.

There are cheaper solutions for an ADSL router/firewall on a hardware basis (there is always a kind of Linux behind it). If you use a hardware solution, look whether it has NAT and not ipchains with masquerading! NAT with iptables supports more protocols than ipchains with masquerading.

> Also, is there any reason for the firewall and router software to run on separate machines? Is there any set-up anyone would propose for the network?

This depends on the level of security you want to have. For small business companies one machine would be enough. If you want to have your own servers, and for better security, you can set up an ADSL router/firewall in front of your network with an internal and a DMZ network behind it. The first firewall itself only needs routing functionality and SSH from internal configured. The first server routes to external and the second one routes internal to external networks. If you want extra security you use a proxy or a filter proxy (e.g. dansguardian). Notice that a proxy needs much RAM and its own hard drive (we had to replace our proxy HDD because of high usage; it broke).

> There won't be any web server at least for a couple of months or more.

I would suggest using a server from an ISP for the mail and web services, since ADSL only works with dyndns for a hostname. Solutions for about 50-150 mail accounts and 150MB web space cost about € 15,- per month, and the security of these servers is the ISP's problem.

> The only computers needing access to the Internet will be our mail server (?) and about 5 PCs.

Would be a nice job for a proxy, if you like to only allow a limited number of PCs to access the Internet. I would use an external mail server and on your server a getmail config for each user. If you like to run your own mail server you need dyndns; depending on the provider you can get problems, because the IP is often not synced fast enough - your server then sometimes will not be available from external. If you use david xl for Linux the dyndns service is done by tobit (www.tobit.de / mail+sms+isdn+fax). I will not make any ads here for anybody, but it's a nice thing in "redmond" networks.

> If this is off topic for the list can somebody please point me to any other?

I think you are right here.

Philippe
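To make concrete the "first firewall" described above (routing and iptables NAT for the internal range, SSH only from inside), here is an added example ruleset script; it is not from Philippe's mail or from any product named in the thread. The interface names and the 192.168.1.0/24 range are assumptions, and IPT defaults to a dry run that only prints the iptables commands.

```shell
#!/bin/sh
# Added example (not from the thread): minimal iptables ruleset for the
# "first firewall" in front of an internal network. It only routes/NATs for
# the internal range and accepts SSH from inside; everything else is dropped.
# Interface names and the address range below are assumptions for the example.
EXT_IF="${EXT_IF:-ppp0}"                 # ADSL side (assumed)
INT_IF="${INT_IF:-eth0}"                 # internal LAN side (assumed)
INT_NET="${INT_NET:-192.168.1.0/24}"     # internal range (constructed)
IPT="${IPT:-echo iptables}"              # dry run by default; IPT=iptables applies for real

gen_rules() {
    # Start clean, default-deny on INPUT and FORWARD: only explicit rules pass.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Anti-spoofing: packets from the ADSL side must not claim an internal source.
    $IPT -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
    # The firewall host itself: loopback, replies to its own connections,
    # and new SSH sessions only when they arrive on the internal interface.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Forwarding: internal hosts may go out; only replies come back in.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rate-limited log of what the outside sends us, so scans of the static IP
    # show up in syslog without flooding it.
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    # NAT done by iptables (the thread's point: not ipchains masquerading).
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# Sanity checks to run in dry-run mode before applying:
# exactly three INPUT accepts (lo, replies, internal SSH) ...
count_input_accepts() {
    gen_rules | grep -c -- '-A INPUT .*-j ACCEPT' || true
}
# ... and no rule that accepts a *new* connection arriving on the ADSL side.
external_new_accepts() {
    gen_rules | grep -- "-i $EXT_IF" | grep -- '-j ACCEPT' | grep -vc ESTABLISHED || true
}

gen_rules
```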
On Friday 11 July 2003 17:53, Philippe Vogel wrote:
<snip>
> I would suggest using a server from an ISP for the mail and web services, since ADSL only works with dyndns for a hostname.

Not so. I've got a static IP for my home ADSL connection after switching from another ISP that used dynamic IPs for its customers.

Sigfred
> Not so. I've got a static IP for my home ADSL connection after switching from another ISP that used dynamic IPs for its customers.

Fine, but many ADSL users don't have static IPs! Here in Germany most providers give dynamic IPs for ADSL.

Philippe
I forgot to post some stuff in the last mail:

The firewall depends on the security the machine has from internal. So you have to build a secure distribution, like Debian or Gentoo Linux, or manipulate SuSE Linux so that it is secure (minimal installation + secumod + compartment + security level setup + services you need).

If time is money, here are some firewall solutions that you can install in ~1/2 hour:

SuSEfirewall on CD
http://www.suse.de/de/business/products/suse_business/firewall/index.html

transtec firewall hardware
http://www.suse.de/de/business/products/suse_business/firewall_hardware/inde...

Astaro Security Linux / Mailserver, firewall, proxy, virus protected content, each module costs a bit :-(
www.astaro.com

The last one I tested and I was impressed by the features (intrusion detection, live log view, portscan checks, proxy, web configuration, rulesets ...). The config can be copied to a disk. If your server gets intruded you format the disk, reinstall it and copy your configuration back. The web interface is very intuitive and user-friendly, but you must have knowledge of iptables and rulesets.

Philippe
On Friday 11 July 2003 18:03, Philippe Vogel wrote:
> I forgot to post some stuff in the last mail:
> The firewall depends on the security the machine has from internal.
> So you have to build a secure distribution, like Debian or Gentoo Linux, or manipulate SuSE Linux so that it is secure (minimal installation + secumod + compartment + security level setup + services you need).
> If time is money, here are some firewall solutions that you can install in ~1/2 hour:
> SuSEfirewall on CD
> http://www.suse.de/de/business/products/suse_business/firewall/index.html
> transtec firewall hardware
> http://www.suse.de/de/business/products/suse_business/firewall_hardware/index.html
> Astaro Security Linux / Mailserver, firewall, proxy, virus protected content, each module costs a bit :-(
> www.astaro.com
> The last one I tested and I was impressed by the features (intrusion detection, live log view, portscan checks, proxy, web configuration, rulesets ...). The config can be copied to a disk. If your server gets intruded you format the disk, reinstall it and copy your configuration back. The web interface is very intuitive and user-friendly, but you must have knowledge of iptables and rulesets.
> Philippe
To add to the above list: From Mandrake you may download (an ISO of about 256MB) MandrakeSecurity Multi Network Firewall. It has a web interface for configuration/maintenance, in addition to using SSH.

http://www.mandrakelinux.com/en/ftp.php3#security for downloading
http://www.mandrakesoft.com/products/mnf for more info about it

OpenBSD is also a very good choice for a firewall/router/server. It has a very easy install, and is easier to install/configure than a minimal SuSE install (if you want it minimal), at least for me. This is what I use at home as a server, even though I use SuSE on my desktop. You'll use the console or SSH to administrate it. The packet filter pf is integrated with a load balancer, which may be quite handy.

http://www.openbsd.org
http://www.openbsd.org/faq/pf/index.html

Sigfred
> I have just been appointed net admin at the company I work for. Although I have some experience with Suse Linux and networks I have not yet dealt with firewall configuration etc.
> The problem: We are considering installing an ADSL connection (newly available in Greece) and I was discussing whether to use a PC as the firewall/router or a Cisco router. The problem is mainly a security one, as having a static IP enables someone on the Internet to attack us.

Well, either one is good; obviously a Linux+iptables firewall is cheaper.

> Also, is there any reason for the firewall and router software to run on separate machines? Is there any set-up anyone would propose for the network?

No, both machines can be the same; it really comes down to the expertise of the admin. Where I work our Linux firewall handles routing, VPN, and firewalling services.

> server at least for a couple of months or more. The only computers needing access to the Internet will be our mail server (?) and about 5 PCs.

Depending on your experience, SuSE has a built-in firewall that, though simple, seems fairly sturdy and easy to configure. E-mail me if you have additional questions.