What is the Best Firewall for Servers?
Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
Ummm, OpenBSD of course! www.openbsd.org
a linux box.
ZERO
http://www.smoothwall.org/
But shouldn't a well-maintained server OS be able to stand on its own?
That way, platform compatibility is a nonissue.
I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
I'd say keep the firewall software off of your Server. Get a decent hardware one from Checkpoint.
Seriously, why put down $300 when the windows firewall will do?
Or get a $50 router and block all unnecessary ports to give yourself an additional layer of security.
-- Binary Finary
You keep getting hit by zombie machines?
Liberal Arts zombies? Are you sure they're not dogs?
(And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer.)
We recently heard in the office about the Yellow Machine that's made by Anthology Solutions.
$subj, the only true firewall :)
I've found that for 99% security, the best solution is to unplug the ethernet cable on my server and just use it locally (kind of defeats the point, huh?)
... stupid squirrels...
The missing 1% is for the ninja squirrels
You might try filching a used/surplused office/enduser box, throwing in a second NIC card, loading up Linux and using the beast as a firewall router...
We use FreeBSD with IPF, IPFW and some home-brewed tools in our main hosting centre. We have chosen name-brand hardware and free software - already having in-depth knowledge in-house, we had no need to buy a complete black-box solution.
Of course, investing in "fresh" knowledge on FreeBSD, or whichever other platform you wish to roll your own firewall/IDS solution on top of, is going to be expensive. Thus this solution might not work for all...
Love over Gold.
Use OpenBSD for your firewall. It has an integrated Packet Filter that works better than most commercial products. The OS itself is secure by default, and it's free! Can't beat that!
Those education and liberal arts students are zombies.
Just use iptables on a cheap old pentium or something. Two network cards, one inside and one outside. Even a modest Pentium or Pentium II could keep up with good amounts of traffic.
get a pix
Wire cutters. $3.95, Radio Shack. 100% protection against any network based attack.
IP Cop. ;)
http://www.ipcop.org/
a *BSD box. preferably NetBSD.
"...we keep getting hit by zombie machines taken over in the Education Department..."
Sounds like they are practicing getting "sch0013d"
Basic, free download...
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
The firewall bundled with the service pack upgrade to Server 2003 isn't too bad, but it only does incoming connections. You can exempt ports or executables.
Also, it's free.*
*Well, you know what I mean.
Does it cost less than US$100? You can't be serious. Securing your machines is only worth $100? Is that how much it will cost to fix them once they are cracked? Give me a break. If you are serious about security you can invest more than $100.
maybe more than $100, maybe not. Depends on whether or not you have a free machine. Doesn't have to be fast or have a lot of memory.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Windows: Avoid windows. If unavoidable, then zone alarm.
Isolate your network, and secure it using a Linux-based firewall. Hopefully you have 1:1 mapping, so you won't need to NAT the resulting connection. Either way, connections coming in one Ethernet port will hit the Linux box, but keep all outgoing traffic from the isolated network running safe.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
Why not try a hardware solution? Perhaps a Cisco PIX? Worst case, use monowall.. it is free and runs linux.. put all the machines BEHIND a firewall.. don't run firewalls on each machine.. additionally an unpatched Windows machine should be able to SAFELY be on the net.. if it isn't you aren't doing your job of securing it correctly... get that pink slip ready.
I have used Injoy on both OS/2 and Windows. It works great and has a good interface for setup. There is a Linux version.
Disclaimer: I do NOT work for, nor am I affiliated with them.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
This is where IT admins get into the deep dip by investing in top-notch gear and THEN, buying up cheap firewall software, expecting it to do the duty of protecting his pride and joy.
To protect the equipment, you will simply tell them to go with hardware firewalls; a Cisco PIX 500 will do the trick. Be prepared to pay for the name, but the protection that this unit will provide will be worth every penny.
First rule of holes; When in one, stop digging.
You are approaching the problem from a wrong direction.
There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the simplest one. There are host-based and network-based firewalls. Host-based firewalls are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.
The proper way to protect server farms on campus is to have a secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. A secure network consists of firewalls and a segmented network (separate VLANs, switching blocks, etc.). An excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.
Marko.
Firewall sounds all dignified and techie, when you're really saying "TCP stack incontinence appliance". Use the short form of this, "network diaper", in conversations with management, and perhaps you'll get to use a real operating system.
If you canna go bare, why you even gonna go there?
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Many years ago I worked as a Microsoft-assisted Windows NT admin in a mostly-Windows datacentre. We were undertrained, young, and cheap. The strategy the management used for security was to occasionally pay a top-notch cisco guy to come in and beef up the firewall rules protecting each machine. It was an effective defence at the time, but practice may have moved on.
The Linux kernel can be compiled with stateful packet filtering. It gives complete (or near-complete) control over almost all aspects of firewalling, including limiting based on src/dst port or address, rate limiting, etc. I once built a dedicated firewall using the "bridging firewall" patch which totally owned. The box didn't have its own ip and was transparent to the machines on either side of the network. Was a pain to modify remotely though. :(
I used a $800 1U machine for this task and it was probably overkill. Though to protect company machines, I don't know if you'd want to rely on a $100 solution.
On Linux you want to look into iptables. On BSD I think the packet filtering is called netfilter.
rooooar
To protect a Windows network system, use Smoothwall. It is a Linux distro you can get for free and is easy to set up. They also have some really good docs for support.
Since we run all of our servers with VMware, I just use a virtual coyote (www.coyotelinux.com) server as the firewall for each Windoze server.. really great stuff..
running OpenBSD and pf. Include another cheap box and CARP if you need redundancy/failover.
Let's get drunk and delete production data!
Use different security zones protected by dedicated firewall computers.
Maybe the question we need to ask ourselves is: why isn't there a quality open source firewall implementation for Windows? Since there are a number of shareware and commercial firewalls, it can't be too hard to write. Why hasn't anyone started a WinFire.sf.net project and created one? I'm sure it would blast all the crappy commercial ones away in no time while end users would benefit greatly.
Any takers?
I maintain a bunch of servers (Win 2003/XP Pro)
I'm sorry to hear it.
I don't think you'll get flamed too badly. It's what I was going to suggest. I run iptables as I'm sure many others here do. It's simple, there are lots of open source tools to make management of those rules easier, and a basic install of Linux will run on some pretty lightweight machines. Heck, there are always the distros on a CD to make things even more secure, and putting the rules on a floppy set to read-only makes for relatively simple updates to the rules if/when needed.
Find an old box, put two eth cards in and install Smoothwall Express http://www.smoothwall.org/
My posts are definitive. Reality is frequently inaccurate.
IPCop combined with some modest hardware should take care of business. The DansGuardian add-on, Cop+ should handle your filtering needs as well...
OpenBSD. Yes, it costs less than $100. It is free.
$0 < $100.
I also use some assorted python scripts that watch the system logs for common attacks that portsentry does not pick up (e.g., repeated ssh login failures), and then dynamically block those IP / port combos as necessary.
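The post above describes watching the system logs for repeated ssh login failures and blocking the offending addresses dynamically. The script below is an added example of that technique written for this page in shell and awk; it is not the poster's Python and not part of the original thread. It assumes OpenSSH's "Failed password" / "Invalid user" syslog lines, a block threshold of five failures, and a dedicated iptables chain named SSH_BLOCK hooked in front of INPUT (all three are assumptions, adjustable at the top). The sample log lines are constructed for the dry run, not captured from a real server.

```shell
#!/bin/sh
# Blocks addresses with repeated ssh login failures (added example, not the poster's scripts).
# Assumed: OpenSSH syslog lines, a dedicated chain SSH_BLOCK in front of INPUT,
# and a block threshold of five failures. All three are adjustable below.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-SSH_BLOCK}"
THRESHOLD="${THRESHOLD:-5}"

# Prints "count ip" for every source address with >= THRESHOLD failures in the log
# given as $1 (or on stdin). Only sshd failure lines are counted; "Accepted" lines are not.
ssh_offenders() {
    awk -v min="$THRESHOLD" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address is the token following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "${1:--}" | sort -rn
}

# Prints one DROP command per offender; piping this into sh applies it.
ssh_block_rules() {
    ssh_offenders "$1" | while read -r count ip; do
        echo "$IPT -I $CHAIN -s $ip -j DROP"
    done
}

# Rebuilds the block chain from the log so repeated runs stay idempotent
# (no address is ever expired; flush the chain by hand once a machine is cleaned up).
ssh_block_apply() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    $IPT -D INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null || true
    $IPT -I INPUT -p tcp --dport 22 -j "$CHAIN"
    ssh_block_rules "$1" | sh
}

# Constructed sample log (not real data) for trying the parser without a server.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:12 srv sshd[2211]: Failed password for root from 192.0.2.77 port 3331 ssh2
Mar  3 10:01:15 srv sshd[2211]: Failed password for root from 192.0.2.77 port 3331 ssh2
Mar  3 10:01:19 srv sshd[2214]: Invalid user admin from 192.0.2.77
Mar  3 10:01:22 srv sshd[2214]: Failed password for invalid user admin from 192.0.2.77 port 3332 ssh2
Mar  3 10:01:30 srv sshd[2215]: Failed password for root from 192.0.2.77 port 3333 ssh2
Mar  3 10:02:01 srv sshd[2220]: Failed password for alice from 198.51.100.9 port 4010 ssh2
Mar  3 10:02:05 srv sshd[2221]: Accepted password for alice from 198.51.100.9 port 4011 ssh2
EOF
}

# "sh sshblock.sh apply [logfile]" applies; anything else previews against the sample log.
if [ "${1:-}" = "apply" ]; then
    ssh_block_apply "${2:-/var/log/auth.log}"
else
    sample_log | ssh_block_rules
fi
```

Run it from cron against /var/log/auth.log (or whatever syslog file sshd writes to on your distribution). Because the block list is rebuilt from the whole log on each run, rotating the log also forgets old offenders, which is usually the behaviour you want; if it is not, keep a separate state file. Counting failures per address rather than per attempt also means a legitimate user who mistypes a password five times will lock out the whole address they share, so keep the management network out of the chain or raise the threshold for it.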
OpenBSD
You've still got to buy the box.
I use the hardware firewall in my router and the Windows Firewall on my home machine. Either one should be ok actually.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
It's free.
Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to separate your network into zones with multiple NICs and will likely only take a 486 or Pentium class machine to keep up with your bandwidth. Hey, you asked for cheap. Doesn't get much cheaper than that.
You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up conveniently with a web browser.
There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind.
I would personally avoid Windows software firewalls like the plague, as they run at escalated privileges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me.
If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO.
Happy hacking!
zosxavius photography
BSD! (Boooo! shouts the Linux fans)
No, wait,
Linux! (Kill the penguin lover! shouts the BSD fans)
Uh, well both are good. What was the question again?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Ceramic wafers with asbestos stuffing...
Some settling may occur during posting.
Get a machine with two NICs and connect both as a bridge between your clusters of machines. Install Linux and use this as a guide. Add an additional NIC if you want to be able to login to the box remotely.
Install it on an older box like a 400-550Mhz machine and it will work very well, nice features also.
http://www.smoothwall.org/
My wife's box is a 2003 Server (Corporate) and it has Kerio.
I recommend looking into WatchGuard. It uses Linux.
Any firewall will do....just hope you don't have a Pinto because they explode from the back!
Depending on the box, I like putting a cheap router (those intended for DSL/Cable are fine for me since my backwards-university is still on 10Mbps & is talking about eventually going to 100MBps) or another box in front of the system. If it is another box, it is nice to make it a linux or BSD box which is configured to ONLY be a firewall. I like OpenBSD. You can use a LiveCD or install it outright. Lots of tutorials out there.
If you want only a software firewall for windows, I like Sygate. It does everything I want EXCEPT support fast-user switching.
Solaris 10 :)
For the linux machines, have a peek at firestarter (www.fs-security.com). It's easy to configure, has a nice GUI, and provides a reasonably simple method of configuring IPTables.
If your requirements are a little more complex (eg: DMZs, VPNs, etc.), you might want to have a peek at firehol instead. Text-based configuration, but greatly simplifies the process of wrangling with iptables.
I tend to recommend zonealarm for windows for most people, but that's more out of apathy (ie: I haven't reviewed the options lately) than anything else.
Red.
I recommend suspending a voodoo doll above each server. In my experience, UFO-catchers like Skuld (Oh My Goddess!), Tux the Penguin (or Cozy Heart Penguin the Care Bear Cousin, in the absence of a genuine Tux), and/or the Mozilla dragon (or Firefoxy). Take as much care of the voodoo dolls as you do the servers, and hope no one tries taking over the servers by way of the Web browser client, media player client, instant messenger client, or any of the host of other clients installed on and unremovable from the servers. :)
It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
I'd suggest ditching a software firewall and investing in a proper hardware firewall such as Checkpoint FW1 and put all the servers behind that firewall.
Put another firewall ideally of a different type (break one you've still got another to break) and use that to isolate all the departmental computers...
Ensure the policies are locked down tight and that any changes are approved by someone who knows what they're about before being implemented.
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
Are you sure you are human?
This is by far the best firewall available:
http://roseweb.de/caro/pages/security/v-one/cut-orig.htm
It costs well under $100, and unlike every other firewall it is guaranteed 100% secure.
Best of all, it can be applied to those pesky zombie systems in addition to your own servers for the ultimate in protection.
Depending upon the workload the server sees, you could get away with something as simple and stupid as a Linksys/DLink/... firewall configured to port forward the server's ports inward. (cost ca. US$30)
You might also dig up a junk machine and set up the Linux Router project (or a *BSD equivalent) on it.
If the servers are big enough that a cheap hardware firewall won't do, then I'd say they are big enough to need a real router in front of them.
www.eFax.com are spammers
When its liberal arts machines getting infected, I've found the BEST firewall to be a pair of wire cutters. NOTHING gets through after the skilled use of these babies.
Kerio *does* make an excellent firewall product for Windows servers (Kerio Server Firewall). It is pricey, however, and for the same or less money you could install a Smoothwall box.
Call Scooby-doo to get the zombies!
You've still got to buy the box.
A $25 surplus P-II should suffice. I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.
To be honest, I don't like people who give answers of "get Linux" when he clearly is using Windows, so address the problem at hand, since upgrading to Linux is not exactly simple and that's if you even want it, but anyway. For my servers I used IPSEC; I am not sure how secure it is but it seems to work for me and I have had no problems. I needed to get used to it, as at first I didn't know what to do, but it was easy after that. This and using a router to allow only the ports you want would be a fairly good start. There are then software and hardware firewalls; you could build a hardware firewall out of some old parts you have lying around and some free software off the internet to monitor your in/outgoings.
Visit My Blog at http://spaces.msn.com/members/chrisharries
What a coincidence!!! I use yours!
Unless you are planning to use a firewall that is capable of detecting malicious traffic, it will not protect a weak system. For example: If you are using a vulnerable version of IIS a FW will do little to nothing to protect you.
Patch and properly harden your system. There are plenty of sites out there to assist with both of these tasks.
I am not aware of any server firewalls that are capable of what you are looking for under $100, with support.
I'd go with this one, it's a little more than a firewall in that it can enforce rules on the filesystem as well (ex: foo.exe is only allowed to write to c:\text). It's highly configurable, and well worth a look.
BeauHD. Worst editor since kdawson.
Download W2K3 Service Pack 1 from Microsoft, they have the same firewall as XPSP2 plus some bonus features.
There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2
During my career in network security, there has never been a software based firewall I couldn't compromise. I had the unfortunate task of reverse engineering the competition (firewalls).
There are so many problems in the basic network stack (in Windows) that a hardware firewall is your only realistic alternative. With hardware, you only have to worry about your open ports.
Anything basic will do. Investing in a Cisco PIX is usually a waste of money. I've tunneled a remote shell through port 80 using IIS, making an $80k PIX worthless. Exploits are generally simple, so fragment reconstruction is unnecessary.
With Windows, the mantra "good enough" rules. All of the packet filtering in the world won't save your server. The best thing you can do is attach a $50 LinkSys firewall and be done with it. Keep a copy of Ghost handy for when it gets compromised.
I've been using IPCop in various locations for a while and it's been working well. It's a Linux distro that runs fine on my old Pentium I. AFAIK it only supports 3 to 4 networks (internal, external, DMZ, and one other), which may be a limitation for some. I haven't upgraded to the latest version yet, but even so it's proven robust and easy to manage for me. http://www.ipcop.org
Try Zone Alarm; search google.com for it.
Life is like a bag of chips: you never know what's next.
Speel
If possible, put a firewall between your network and the rest of the networks. Whether it is a commercial firewall or homebrew, find something that you can manage and properly secure.
Whether or not a network firewall is possible, harden your systems.
If you are running a firewall that is not OpenBSD .. you are doing things half assed - with no valid excuse ...
... or die.
OpenBSD w/pf & carp
And on your Linux (iptables) based firewall... I would use fwbuilder to create your configuration script.
More secure but with a greater PITA factor would be to remove the hard drive, and run the whole shebang from the CD. The PITA factor comes from having to burn a new CD every time you want to twiddle the firewall rules.
Warning: This signature may offend some viewers.
If, for some reason, you can't use a separate firewall, try the Outpost firewall from Agnitum. Comes with some additional modules such as ad blocking, active content filter (can remove scripts, Java and ActiveX), email attachment filter (remove executables), and supports additional modules. All of those can be disabled if not needed.
Can someone explain why I always hear that a normal router is not a sufficient firewall? Assume that all boxes behind the router are clean and will remain clean. Isn't it enough to just let a router drop all incoming packets (i.e. just configure the router to do no port forwarding)?
Add two network cards
Add free Linux 2.4 distribution or higher
Activate netfilter and iptable
See: http://www.netfilter.org/
Deploy firewall using instructions in the netfilter how-tos:
See: http://www.netfilter.org/documentation/
Or, if that's too much for you, just get the equipment and add one of the pre-configured firewall Linuxes like SmoothWall (http://www.smoothwall.org/), Devil-Linux (http://www.devil-linux.org/home/index.php) or Coyote Linux (http://www.coyotelinux.com/).
No fuss, no muss.
Steven
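The steps above, and several earlier posts in the thread (the two-NIC iptables box on an old Pentium, the IPCop advice to forward only the ports you need and keep the servers in their own zone), describe the same dedicated Linux firewall. The following script is an added example written for this page; it is not code from any poster or from the netfilter how-tos. It assumes a hypothetical layout in which eth0 faces the campus network and eth1 the server segment, that the servers live in the documentation prefix 192.0.2.0/24 and admins ssh in from 198.51.100.0/24, and that the three port/server pairs in PUBLIC_SERVICES are the only services that must stay reachable from outside; all of those are placeholders to replace. Run without arguments it only prints the rules it would load.

```shell
#!/bin/sh
# Two-NIC iptables firewall for a small server segment (added example, not from the thread).
# Assumed (hypothetical) layout: eth0 faces the campus network, eth1 faces the servers.
# Invoke as "sh fw.sh apply" to load the rules; any other invocation only prints them.

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
OUT_IF="${OUT_IF:-eth0}"                   # outside interface
IN_IF="${IN_IF:-eth1}"                     # server segment
SERVER_NET="${SERVER_NET:-192.0.2.0/24}"   # documentation prefix standing in for real addresses
MGMT_NET="${MGMT_NET:-198.51.100.0/24}"    # where the admins ssh from
# "port/proto:server" entries that must stay reachable from outside
PUBLIC_SERVICES="${PUBLIC_SERVICES:-80/tcp:192.0.2.10 443/tcp:192.0.2.10 25/tcp:192.0.2.11}"

fw_flush() {
    $IPT -F
    $IPT -X
    # default deny for everything that enters or crosses the box
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

fw_base() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # loopback, and flows that an earlier rule already admitted
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # packets the connection tracker cannot place are dropped early
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # anti-spoofing: server addresses never legitimately arrive on the outside interface
    $IPT -A INPUT -i "$OUT_IF" -s "$SERVER_NET" -j DROP
    $IPT -A FORWARD -i "$OUT_IF" -s "$SERVER_NET" -j DROP
    # the firewall box itself accepts only ssh, and only from the management network
    $IPT -A INPUT -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
    # servers may initiate outbound connections (patches, DNS, NTP)
    $IPT -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$SERVER_NET" -j ACCEPT
}

fw_public() {
    for entry in $PUBLIC_SERVICES; do
        port_proto="${entry%%:*}"
        server="${entry##*:}"
        port="${port_proto%%/*}"
        proto="${port_proto##*/}"
        # only NEW connections to the published port reach the server, at a bounded rate,
        # so one zombie cannot exhaust the service by opening connections
        $IPT -A FORWARD -i "$OUT_IF" -o "$IN_IF" -p "$proto" -d "$server" --dport "$port" \
            -m state --state NEW -m limit --limit 50/second --limit-burst 100 -j ACCEPT
    done
    # log a sample of what the policy drops, then fall through to the DROP policy
    $IPT -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-IN-DROP: "
}

fw_apply() {
    fw_flush
    fw_base
    fw_public
}

# Prints the exact commands fw_apply would run, without touching the kernel.
fw_dry_run() {
    ( IPT=echo; SYSCTL=echo; fw_apply )
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
else
    fw_dry_run
fi
```

Two things to keep in mind when adapting it. The `limit` match is a single bucket per rule, so a flood from one zombie also starves legitimate clients of that service once the bucket is empty; the `hashlimit` match with `--hashlimit-mode srcip` gives a per-source budget instead. And because the box routes rather than NATs, the servers keep their real addresses, so the campus routers must send the server prefix to eth0 of this box; if they cannot, add `-t nat -A PREROUTING ... -j DNAT` rules for the public services and a private prefix behind eth1.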
Or if iptables gives you the heebie-jeebies, you might look at Firestarter: http://www.fs-security.com/. It gives you a nice GUI interface to the Linux firewall. This on an old PC with two ethernet cards running Red Hat would work. Or get a Netgear FVS318 for less than $100; we have been using one of those for a while now and it seems to offer reasonable protection.
I Am My Own Worst Enemy
Cisco pix.
Get a el'cheapo boxen - put it between your servers and the rest of the idiots - and install iptables (or smoothwall, or any of 100 other linux based firewalls that are free).
Either that or see if you can find someone to donate a real product (not that there is anything wrong w/ Linux based solutions - you just need to know what you're doing) like a PIX.
snowulf.com
I can't believe I'm even reading this question on Slashdot. And I can't believe I wasted even more time reading the useless PoS responses that were given.
* This is a school... you know they have a bigger budget than $100 to secure their server farm... come on.
* Provided these are 'real' servers, which they do, stop using a software based firewall unless you're a complete newb.
* If you're looking to get a REAL serious enterprise firewall go with a Cisco PIX or as noted above CheckPoint.
* If you're looking for a cheap solution then set up a dedicated P4 with a few gigs of RAM running OpenBSD with pf, or Linux w/ iptables.
* What school is this again? So I can make a note to NEVER EVER EVER tell someone to take any class REMOTELY related to CIS/IT because the faculty is full of a bunch of retards.
I went to a local used PC store, bought a small form factor DELL desktop (GX110 I think) for $40, put in an old CD-ROM drive that I had lying around (for convenience only) and two 3Com 3c905c ethernet cards ($10-$15 each), which matched the onboard chipset (although I've installed it just fine on new/cheap Netgear cards), and installed OpenBSD on it.
There are numerous web pages on how to setup OpenBSD as a very good firewall, plus plenty of documentation on openbsd.org's FAQ: http://www.openbsd.org/faq/pf/index.html.
I first ran a firewall on FreeBSD 4.4, then decided to try out OpenBSD and pf, and was very pleasantly surprised at the ease of setting up a powerful and easy to maintain firewall box.
OpenBSD transparent (bridged) firewall is the best, works like a champ, and once set up, there is no interface to *hack*...only a console cable...
and when I see the light turn red, meaning a packet with the evil bit set, I unplug the cable really quick. If that doesn't work, I get a young priest and an old priest.
"The power of Linux compels you! The power of Linux compels you!" That'll fix those zombies.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The most effective firewall is the server's power switch in the off position. Nothing will get through with the server in that configuration.
Or you could just unplug the network cable if you want a temporary solutions. :P
For on the server itself, I'd use the included Windows firewall. Server 2003 does have it. If it's not flexible enough, Kerio makes a server version of their firewall that runs fine on it.
Now I generally advocate 2 layers (at least) of firewalls. Each system should have its own software firewall as a measure of defense against other systems just in case, but a group of systems, like servers, should be behind their own part of a hardware firewall. Netscreen, now Juniper, and Cisco have nice little hardware boxes that will do what you need. Not cheap, but not too bad. If money is real tight, go and use a stripped OSS firewall solution like M0n0wall or Smoothwall. Don't use a normal Linux install as a firewall, given that the less that's running, the less likely it is to get exploited. M0n0wall in particular will run on small, low power embedded devices like the WRAP so you can have an appliance-like solution like what the big boys offer.
Check with your network guys, their routers may have all you need for a firewall for the servers. Get them set up with a reflexive access list, and then just allow in whatever ports are meant to be public. That + a software firewall on each system will let you say with nearly 100% confidence that no ports that aren't supposed to be will be open to the public. Then it's just a matter of keeping the services on those ports up to date and secure.
Make one of your servers a gateway to a private IP subnet. Then use the built in RRAS (Routing and Remote Access Server) service. Or, if you're allowed to run SP2, then use the built in firewall (which of course is based on RRAS).
Keeps all the script kiddies and zombie puppies out of my garden.
Then most Universities in the world would not be a recommendation by you.
Seriously, if you're getting Zombie linux servers, you need to seriously re-think your deployment strategy.
Besides, you sound like one of these people who think "firewall" is a software program you run on your computer that keeps you safe from viruses.
I've been working since 1998 on network security and tested a lot of firewalls. My recommendation: use hardware appliances like Juniper NetScreen (http://www.juniper.net/products/integrated/), Fortinet (http://www.fortinet.com/) or WatchGuard (http://www.watchguard.com/). All of them are >US$100 but that may be the best deal comparing the price to the US$100 per machine you're asking.
Moment of terror is the beginning of life !!!
...and it's only $25 because of course, his time has zero value.
I'll create an amusing sig when I have something meaningful to post.
I'm somewhat bored right now, and am looking for nice exploitable .asp and .aspx scripts ;-)
How on earth is just naming an OS Insightful???
... sometimes I fly with the white swan to my Liffey home.
Use OpenBSD as a Bridging Firewall. The firewall has no IP number; you put two ethernet cards "bridged" into the middle of an ethernet cable. No network routing configuration necessary; you can remove the firewall by merely moving one cable. This means console access only, network transparent and super secure. We've been using this setup for our network (hundreds of client sites' traffic) for years and have had zero problems with the firewall.
Fiskars makes the ultimate in firewall protection for Windows systems.
My second choice would be a quality Etherkiller.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Maintain MAC address tables for the internal side, and if a machine's infected, cut it off until whoever owns it cleans it.
For the external, use a proxy - Squid or something, I'm not sure (I don't handle that at my office - we contract it out, and we use AIX boxes for that).
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
I have a laptop & wireless, you insensitive clod!
Your solution took 3 hours before it became effective!
I found a better solution. It cost a little more then the Adaptive Packet Destructive Filter, but it worked instantly. And there is no risk of electrocution, but I still suggest thick leather gloves, especially if you're heading to the datacenter.
And applying the solution felt really good-- I'm much more relaxed now.
"Can of worms? The can is open... the worms are everywhere."
I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.
:)
Have you tried plugging it in?
Best firewall for any servers by far: Netscreen firewalls.
I love the "smoothies" www.smoothwall.org A great little box that doesn't require a lot of deep technical knowledge.
They have a mindset that capital expenditures cost money, but human labor is free.
So to them, it'd be much cheaper to have this guy spend the next two years writing his own firewall software than for them to spend a couple grand buying a Nokia Checkpoint-1 appliance.
On my home network I use a router/switch. It doesn't cost much and it provides NAT (Network Address Translation).
:-) I sleep pretty well at night.
My internal IP range is non-routable so there is no direct connection between the outside and any of the computers on my home network.
The second thing I do is run Linux boxes. My home is a Microsoft free zone.
The race isn't always to the swift... but that's the way to bet!
...is as we say in the UK - the dog's bollocks - I've used it without issue for nearly 3 years, an awesome piece of software... not for n00b5 but if you're an experienced user who thinks ZoneAlarm is a pile of poo then you can't go wrong here. It runs as a service and takes up about 900k of memory when running. Not bad huh?
Resident of Skara Brae since 1985
What is the meaning of life?
Where can I find the perfect women?
How many licks does it take to get to the center of a Tootsie Pop?
Never could figure out why my girl liked my bitch tits, then I found out she was a lesbian.
everyone knows linux is for making 'old hardware useful' and reducing costs for IT labs by using junk from 1985 to run your global warming simulation
http://www.astaro.com/
http://www.m0n0.ch/wall/
http://www.clarkconnect.org/
those few and some unused hardware will get you going.
"God of Rock, thank you for this chance to kick ass. "
Seriously, this got posted? WTF? How many THOUSANDS of articles on "free firewall" or "open source firewall" are there on the web these days?
How many have we seen on Slashdot alone? I know that dupes happen but this is like the monkey running the "random Slashdot article" perl script fell asleep at the switch or something.
besides, if they want under $100, that cuts out pretty much all commercial offerings (they did say firewall, not SOHO router..) - given that price point, what's left?
Yup, you got it. "cheap PC with Linux/BSD." Smoothwall/Shorewall/ipfw/pf/iptables/etc.
There ya go. Next redundant article, please?
...they come with hot swappable hard drives and power supplies and lots of other fancy stuff. Once you figure out how to use MEM kernel directives to get around the memory hole(s) you're all set! :-)
i hate to be a grammar nazi, but ...
one more time:
there - a place that is not here
they're - they are
and the one you are looking for:
their - owned by them
Pull an old pentium box out of one of the skips at the university (in my day they were always ripe with 386s) and stick one of the million linux firewall distros on, or my personal favourite m0n0wall, which is FreeBSD based.
http://m0n0.ch/wall/
Your question is chillingly basic however. I'm a programmer rather than a sysadmin, and even I can select and set up a firewall without having to ask slashdot.
Perhaps you should request some training for yourself and the sysadmins in Liberal arts. Seriously, this would be a good first step to securing your network.
Never trust anyone with an id greater than 889388
Unfortunately, they don't have any control over outbound connections -- I just think of them as software NATs, which I like, since it's quite easy to manage.
Besides, I'm of the camp that believes that if uncontrolled programs are making outbound connections, you're sunk already. That said, Windows 2K+ does have "IPtables like" abilities in its "IPSec" features. It can filter outgoing connections, set rules by source IP, etc. Here's a link that I looked at very closely at one time: link.
This doesn't do any "application" filtering. It's also not the easiest thing to configure. On the plus side, however, it works with MS domain stuff. So if you do it right once, all your servers can be told to pick up the settings.
If you can control the servers running on your computer (services, daemons, inetd, etc), then a firewall is a second layer of defense. Otherwise, it's your first layer of defense. A properly configured "no listeners running" *NIX box has comparable network security to a properly firewalled Windows box, even if you don't run any firewall software on the *NIX box.
It may be possible to lock down the Windows box by turning off all services that open TCP ports, but I have found it difficult to implement in practice.
These are my observations from working at different places (as a programmer, not sys admin). On the high end, lots of people use cisco pix, and checkpoint. Microsoft shops usually use ISA. I have personally used IPChains/IPTables on Linux. Regarding less than $100, you might as well use ICF built into windows if that's all you can spend. Also as an alternative, some network guys I know swear WatchGuard is comparable to cisco but that it's a good bargain.
There are a few OSS firewall distros out now that give you all the firewall features w/o all the by hand set up. I've been looking at IP Cop lately although I am still using a home grown Linux firewall.
http://www.ipcop.org/
You can find more firewall distros on distrowatch's web site.
http://distrowatch.com/
Zone Alarm doesn't run as a service.
Therefore you shouldn't run it on a server, as Zone Alarm won't run when no one is logged in. This isn't that much of an issue on a home computer where the user will log in immediately. However, a server will run most of the time with no one logged in. And I want my firewall to be up then.
If you use a software firewall, make sure that it runs as a service.
I once chose Agnitum Outpost as a firewall (the PRO version, because the free one doesn't run as a service) and was pleased with it.
However, this was before there was an integrated firewall in Windows, now, I'd just use that.
And, as others already suggested, a dedicated, separated firewall, be it a BSD-Box or specialized hardware.
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore.
While I think it was rather a hard disk crash and not a direct smoothwall problem, it made me feel like replacing my smoothwall with ipcop, another firewall dedicated linux distro (forked from smoothwall).
I'm very happy with ipcop at the moment, it's a bit more "customizable" than smoothwall. I know both are GPL'ed so they can both be customized to fit any purpose, but as ipcop is a 100% community-based distro, it is a bit more designed to be tweaked than smoothwall.
Check out IPCOP site
that was me.
The BEST firewall for any system is to not connect it to a network. If you can get to that box in any way, there's ALWAYS a chance someone will own you.
There's no such thing as a fool proof plan because fools are so ingenious.
My office has been taken over by iPod people.
I took some old parts I had taken out of my current PC during an upgrade, purchased a motherboard, case, and CPU fan (already had an old 40 gig hdd, an Athlon XP 2400+ (thorton core), 512mb PC2100 DDR DIMM, and a geforce 4 mx 440 (yeah I know the video card is overkill for a server). I spent about $80 total.
I then spent several days installing linux on it (mostly waiting, but a lot of learning), and set up iptables. Bam! Instant router (ok so not instant). I keep my iptables stored with the iptables save command, and also stored in a script file so I can easily edit my iptables and run the script to change my settings in a matter of seconds. The Gentoo linux box also functions as a web, ftp, dns, and shoutcast server. Oh, and while it doesn't actually serve as a VoIP router, my VoIP router does connect to it via a switch.
Yank the network connection.
Instant, unbreakable, firewall.
Pretty Pictures!
Well it's more than $100 but much less per host if you have more than one machine behind it (say 10 to 50). The Cisco PIX 501 is a nice, capable embedded firewall solution.
http://www.thenerds.net/index.php?page=productpage&pn=PIX50150BUNK9
If you want something simple and effective, go for IPCop.
Scientia est Potentia
with different uses.
a packet inspection firewall (stateful or otherwise) is useful for sealing up things that can either be restricted to a limited number of clients or you want to turn off but can't, or for hiding your box from the network, but it is no use whatsoever for the services you actually want to run for the main userbase (be that the whole of your internal network or the whole internet or whatever).
there are also application level gateways for some protocols that can filter at a higher level but i'm not sure these exist for smb.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Get an external router, Linksys technology is basically linux technology, you can download the source to most of their firmware.
I don't know what number you mean by "a bunch of servers". If you have 4 servers or a couple of switches lying around......Then a Linksys rv042 will work. Runs around 170 dollars which breaks your limit. If you really, really can't afford more than 100 dollars then get a BEFVP41.
If you have 5-8, then I'd suggest a Linksys RV082, which will break your -100 range, running about 300 dollars. If more than 8, then go for the RV016 which is 500 bucks. (Enterprise Security ain't cheap)
Personally, I'd at least get the rv042, it has features for egress/ingress filtering.
I've used Netgear, D-link, and SMC products; most of their stuff that is less than 100 dollars is just a paperweight.
These routers are perfect because they remove the firewall software off your server machine to save more cpu cycles. Plus if you set up another box running smoothwall or something then you will consume more power, and that means a bigger powerbill.
These router units are small and consume much less power. I do agree running a BSD box or Linux box is probably your best solution, but if you already pay a lot of money for electricity.....
Can you give me the name of your University, so I can recommend people not attend a University that lets loose people who don't know how to spell "their."
The firewalls built into XP and 2003 have all the functionality you'll need; simply configure them so your machines can talk to each other, but they deny any other incoming connections.
For extra points you can administer the firewalls on all the machines from a central server using Group Policy.
It took us about 15 minutes to configure on- and off-network policies on all of our 150 XP SP2 workstations and laptops using Windows Group Policy. And all of the firewall policies available in XP SP2 are also available in Win2003 Server SP1.
Yet, by posting the "best firewall configurations" to Slashdot, it's most likely that they will soon come to be "not-the-best". After all, isn't internet security more of a king of the hill paradigm -- where one minute you've got the "best hw/sw" but then subsequently become the most targeted?
And yes, it does impinge upon that darn ol' security-through-obscurity argument...
and now back to the fallout shelter...
Well, I'd say about three cords of dry lumber, two gallons of gasoline, one match. Works well, barbecued hackers can be served to stray animals.
Oh.
Not Linksys.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
If you want to block connections on each individual computer, I recommend the free Tiny Personal Firewall from Tiny Software. It allows you to block any connection, and view all open connections. It uses very little memory, and starts fast.
Yisdersomenimororsisasisdenderisorsis!?
I've had pretty decent luck using WIPFW as a host-based firewall on Windows systems. On the Linux/BSD side, I use whatever is native.
Seriously, that's what I do.
I have a firewall machine, with the linux boxen behind it on one subnet.
Recently we had to break down our no-Windows rule and get the wife a Windows box for her classwork (unrelated to IT). The college profs assumed Windows in the students' hands and with her classload we couldn't take the risk of slowing her down with Microsoft/Open incompatibilities.
So I put another ethernet card in the firewall and gave her her own subnet. Each subnet sees the other as 'outside'. (If machines on one subnet get infected the only advantage the malware gets over being on the general net is that machines on one subnet can address machines on either subnet by their own (globally-routable) IP numbers rather than going through the DSL feed's NAT. They still have to navigate the rest of the filtering mechanisms - which includes no incoming almost-anything.)
She installed the best anti-malware software packages she could get - upon initial activation before the network connection was plugged in - then was given only specific outbound connections to obtain updates before general (still firewalled) service was enabled.
She also powers it down when not actively using it.
She's had the machine for almost a year and hasn't had a detected malware infection so far. (But lots of "crunch" sounds from one of the packages as it claims successful attack-blocking. B-) ) While I've seen the firewall block lots of probes from outside I've seen nothing coming over from the other subnet.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Logic (one of the Trivium, or "Three Roads") and mathematics (one of the Quadrivium, or "Four Roads") are, by definition, liberal arts.
Thus so is computer science.
The obvious solution is to dike off the NOC.
KFG
http://fwbuilder.org/ has a GUI interface similar to Checkpoint. You create objects (hosts, networks), services (IP, tcp, udp, etc), and groups then use those objects or groups to define rules.
fwbuilder then compiles an iptables, ipfilter, ipfw, or even pix script (pf costs $$$) to implement the ruleset.
fireHOL provides a very efficient and effective firewall, tuned specifically to your needs. Easy to read, easy to understand at a glimpse.
interface eth+ internet
protection all
server ssh accept with knock SSH
server http accept
--
Society has traditionally always tried to find scapegoats for its problems. Well, here I am.
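The two posts above describe the same idea from two angles: fwbuilder lets you define hosts, networks and services as objects and then compiles rules into an iptables/ipfilter/ipfw script, and fireHOL does the same from a few declarative lines. The following is an added example (not fwbuilder's or fireHOL's code, and not from either poster) of that compile step in miniature: a handful of named network and service objects, a rule list in evaluation order, and a compiler that emits text in the iptables-restore format that `iptables-save` produces. It also implements the "shadowed rule" check fwbuilder is known for: a rule that can never match because an earlier rule for the same service already covers a superset of its source network. All object names and addresses are constructed sample values.

```python
"""Miniature fwbuilder-style rule compiler: objects -> iptables-restore text.

Added example for illustration; it is not code from fwbuilder or fireHOL.
Object names and addresses below are constructed sample values.
"""
import ipaddress

# Network objects, as the GUI would hold them (constructed sample values).
NETWORKS = {
    "lab_net": "10.20.0.0/24",     # hypothetical lab subnet
    "campus": "10.0.0.0/8",        # hypothetical campus-wide range
    "anywhere": "0.0.0.0/0",
}

# Service objects: name -> (protocol, destination port).
SERVICES = {
    "ssh": ("tcp", 22),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "dns": ("udp", 53),
}

# Service groups: a name that expands to several services.
GROUPS = {"web": ["http", "https"]}

ACTIONS = {"accept": "ACCEPT", "deny": "DROP", "reject": "REJECT"}


def expand_services(name):
    """Resolve a service or group name to a list of (proto, port) tuples."""
    if name in GROUPS:
        return [SERVICES[s] for s in GROUPS[name]]
    return [SERVICES[name]]


def compile_rules(rules, chain="INPUT"):
    """Compile [(source_object, service_or_group, action), ...] into
    iptables-restore text for one chain.

    The chain policy is DROP, replies to already-permitted conversations are
    accepted by a single stateful rule up front, and each object rule is
    restricted to NEW connections so that order and first-match semantics
    are exactly those of the netfilter chain."""
    lines = [
        "*filter",
        f":{chain} DROP [0:0]",
        f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A {chain} -i lo -j ACCEPT",
    ]
    for src, svc, action in rules:
        net = ipaddress.ip_network(NETWORKS[src])   # KeyError on unknown object
        target = ACTIONS[action]
        for proto, port in expand_services(svc):
            lines.append(
                f"-A {chain} -s {net} -p {proto} --dport {port} "
                f"-m conntrack --ctstate NEW -j {target}"
            )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def shadowed_rules(rules):
    """Return the indices of rules that can never match because an earlier
    rule covers the same services from a superset of the source network.
    The action does not matter: the chain stops at the first match, so a
    later 'deny' under a broader earlier 'accept' is dead configuration."""
    shadowed = []
    for i, (src, svc, _action) in enumerate(rules):
        net = ipaddress.ip_network(NETWORKS[src])
        services = set(expand_services(svc))
        for j in range(i):
            prev_src, prev_svc, _prev_action = rules[j]
            prev_net = ipaddress.ip_network(NETWORKS[prev_src])
            if services <= set(expand_services(prev_svc)) and net.subnet_of(prev_net):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed policy: campus may ssh in, the world may reach the web
    # service, and a (mistaken, shadowed) attempt to deny ssh from the lab.
    policy = [
        ("campus", "ssh", "accept"),
        ("anywhere", "web", "accept"),
        ("lab_net", "ssh", "deny"),
    ]
    print(compile_rules(policy))
    print("shadowed rule indices:", shadowed_rules(policy))
```

The emitted text can be loaded with `iptables-restore < rules.txt`; the shadow check is the part worth keeping around, because the only symptom of a shadowed deny in production is that it silently does nothing.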
If those liberal arts types weren't so damn promiscuous, they wouldn't get infected.
Oh, you said machines.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Sorry, I thought this was slashdot, not "remedial IP network education"
A previous post some years ago on this subject also mentioned a nightly ritual for the IT department of some company: walking through the staff areas and checking for modem connections people might have added.
Just a thought.
Playing pornographics games during the day is evil! Play at night!
This is precisely the correct answer. Not iptables/smoothwall/shorewall/other_*nix_box_inbetween answer. Read the question folks, supply the simplest effective answer, preferably using the tools that come with the operating system.
As you may have guessed from the posts, don't use software solutions. Use an independent hardware firewall between your servers and the internet.
After that, things get muddied by preferences...
I use IPCOP for mine and it's very nice, simple, and inexpensive (free, you just need a computer). Smoothwall is very similar and also has corporate support if you have the bling for it.
Products like these allow you to configure a reasonably complete network firewall solution in about an hour. Doing your own installation of things like OpenBSD, while excellent, are not as quickly realized.
Read the submission. He's looking for a solution that is below $100. I'm willing to bet his time does have zero value. I'm thinking student worker who is going to be getting hours even if he has nothing to do, so yeah, his time is basically of no value.
I hate grammar Nazis.
We fire the person responsible for only purchasing a solution which covers a percentage of our machines and hire someone that we believe won't repeat the mistake. But we're not total bastards. If the percentage is 0.5, we simply give them an atomic wedgie.
If you know what you are doing, you don't need a firewall in front of a Linux machine. (ie: you start with everything turned off and turn on only what you want and watch the security lists for exploits on the things you are running) For Windows, a firewall is mandatory. Windows firewall is fairly good but echoing much of the sentiment from other posts, get a hardware firewall. $100 is a little thin for a basic firewall with decent throughput but I think the basic FireBox is around that price. If you have a spare Linux box, build yourself a firewall. The best way to mitigate security risk is to first understand things well. Far too much money is spent by people trying to allay fears instead of fix a real problem. Don't get caught in that trap. Educate yourself and realize that you can never completely eliminate risk.
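"Start with everything turned off and turn on only what you want" (this post) and the earlier point that a properly configured "no listeners running" *NIX box needs no host firewall both come down to knowing exactly what is listening. As an added example (not from either poster), here is a small audit that parses Linux `netstat -tulnp`-style output, compares each listener against a declared allowlist of expected services, and reports anything extra, anything bound to all interfaces that should only listen on loopback, and any port served by an unexpected program. The netstat text and the allowlist are constructed sample data; the `-p` program column requires root, so unprivileged output shows `-` there and the check degrades to port-only.

```python
"""Audit listening sockets against a declared allowlist.

Added example; the netstat output and expected-service table are constructed.
Parses the Linux netstat -tulnp layout (last column is PID/Program name).
"""
import ipaddress

# Constructed sample output, shaped like `netstat -tulnp` run as root.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1021/apache2
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      990/mysqld
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      700/exim4
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2201/ircd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/portmap
"""

# What this box is supposed to offer (constructed). bind "local" means the
# service must only listen on loopback; "any" means it may face the network.
EXPECTED = {
    ("tcp", 22): {"program": "sshd", "bind": "any"},
    ("tcp", 80): {"program": "apache2", "bind": "any"},
    ("tcp", 3306): {"program": "mysqld", "bind": "local"},
    ("tcp", 25): {"program": "exim4", "bind": "local"},
}


def parse_listeners(netstat_output):
    """Return [(proto, bind_host, port, program), ...] from netstat text.

    Header lines are skipped. udp rows have no State column, so the program
    is taken from the last token rather than a fixed column index."""
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = parts[0].rstrip("6")                  # tcp6/udp6 -> tcp/udp
        host, port = parts[3].rsplit(":", 1)          # handles ":::22" too
        last = parts[-1]
        program = last.split("/", 1)[1] if "/" in last else last   # "-" if not root
        listeners.append((proto, host, int(port), program))
    return listeners


def is_local_only(host):
    """True when the bind address is loopback (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit(listeners, expected):
    """Compare listeners to the allowlist; each finding is
    (kind, proto, port, program, bind_host) with kind in
    unexpected / wrong-program / exposed."""
    findings = []
    for proto, host, port, program in listeners:
        spec = expected.get((proto, port))
        if spec is None:
            findings.append(("unexpected", proto, port, program, host))
        elif program != "-" and program != spec["program"]:
            findings.append(("wrong-program", proto, port, program, host))
        elif spec["bind"] == "local" and not is_local_only(host):
            findings.append(("exposed", proto, port, program, host))
    return findings


def run_audit():
    """Audit the constructed sample; returns the findings list."""
    return audit(parse_listeners(SAMPLE_NETSTAT), EXPECTED)


if __name__ == "__main__":
    for kind, proto, port, program, host in run_audit():
        print(f"{kind:14s} {proto}/{port:<5d} {program:10s} bound to {host}")
```

On a real host, feed it `subprocess.check_output(["netstat", "-tulnp"])` (or `ss -tulnp`, which needs a slightly different column layout) and fail the run when `audit` returns anything; that turns the "only what you want" rule into a check you can schedule rather than a resolution.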
Huh?
I think he's suggesting Linux as a firewall in the "everyone in network administration does it this way" sense:
Internet --- Linux Firewall --- Windows Server
I don't mean that as everyone uses Linux for firewalls, I mean everyone in network administration uses separate box(|en) for their servers. He wasn't suggesting a change in OS.
In larger setups it is always a good idea to have a centralized firewall management system.
Check out FWBuilder!
my simple firewall solution involves an ancient pentium 200 with a couple network cards, some ram and a floppy disk running Coyote linux. It offers everything I need, saves the configuration to the floppy in case of a power failure, and didn't cost anything (the machine was gonna be junked anyway).
If you really are looking for $300 solution or so...look into the Linksys RV082 series; Not the most sophisticated pieces of hardware ever, but includes a stateful packet inspection, load balancing, 50 VPN tunnels and a bunch of other features. Internally it runs some version of IPTables but harder to hack as it's hardware-based. Look on Tom's Hardware for an in-depth review.
http://m0n0.ch/wall
FreeBSD based and runs from a CD and a floppy so you don't even have a hard drive to worry about. I think it's the best of the bunch out there other than for pay vendor items (PIX, IronPort, etc.)
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Others have said I'm sure, but buying a broadband router with included firewall (without wireless) can be had for $20-40.
Plug one of those beasts into the wall between the machine and the network, and you can be almost guaranteed that the machines are going to survive the latest attacks.
Short Answer: No. Even a Linksys would set you back over $100 P&L (router $40, Installation ~1/2 hr, Test and config ~1 hr).
;).
Longer Answer:
- OpenBSD or Linux $0
- Written down P3 w/ scavenged memory and NICs $0
- Your time $99
Better answer:
- OpenBSD or Linux $0
- Written down P3... $150
- Your time $500
- Billing to Arts for "service and security improvements" CR$800.
Completely separate the servers by creating a separate VLAN; this will keep all layer 2 traffic away from them. Then give them their own subnet and put them behind a PIX. Then you can filter whatever traffic you want and only allow what you need. Then you can customize what areas get access to what services with access lists.
If you are only going to spend $100, might as well save your money and use the built-in firewall that comes with Routing and Remote Access, it works quite well.
A modern American university is only nominally the "employer" of the professors who work there. It's often a better model to view the professors as customers who rent space in the University's facilities, in return for access to students and post docs. Most of the research computers are actually only titularly university property, having been bought with grant funds for research purposes. If the professor whose grant provided them left, the computers leave, too. If your administrative rules become the reason said professor leaves (along with his grant, machines, and overhead payments), then...well, let's just say that you'll be leaving soon thereafter.
I use WIPFW on Windows machines, http://wipfw.sourceforge.net/
It allows me to re-run rules on a schedule for any IP changes that I may use for hosts. On Linux use IPTables.
Routers with 4 port switch are down under $50, and will do nat and port forwarding, with browser config.
Step 1: Trace the cord doohickey from the back of the computer to the wall. It should be one of those phone jack lookin thingies not the power one.
Step 2: If this is the only computer you have go to step 4.
Step 3: Find your wiring closet (the closet with all the wires in it). Trace where all the cords go in the walls (except for the power ones! HAHAHAHAHAHAHAHAHAHAHAHAHA!!!!1!!)
Step 4: Using a lighter or match, set the wall aflame.
There! You will no longer have to worry about zombies. Unless you're already infected
1 HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH!!!!!1!!!!!!!
Make sure the software-based firewall is turned on at every Windows XP machine--make sure everything's at WinXP SP2; the firewall isn't half bad.
Use the built-in Win2k3 firewall.
Install Astaro on an older PC as a _real_ firewall "appliance" - it is VERY good.
http://www.astaro.com/
First thing I think of is go buy a $40 linksys router. If you don't have complex routing needs, and mostly just need to firewall the majority of incoming connections and route a few ports, that's all you really need.
As much as I love making little linux boxes, a dedicated firewall device is sometimes better than a full machine. Less to be hacked into.
For a little more money, you can get some more complex routers, but the concept is the same. Keep it Simple.
Got Apathy?
For Windows? A seamless, 3' thick rebar-reinforced cement vault is preferential. It's easiest to add the machine prior to pouring the cement, I've found.
But with zombies in general, I prefer a more proactive approach: a 12 gauge shotgun loaded with 00 buck does nicely.
Seriously though. Every Windows machine should be behind an entirely separate firewall, protecting it from everything and everything from it. A Windows machine on a public network that isn't being aggressively administered is about as safe as a Polish handgun.
By the description of your environment and problem, it sounds like you basically want to quarantine the humanities from the rest of campus so they don't wreak their plague of stupidity upon everyone else (this is good policy in general, I've found - humanities aren't fond of reasoned, concrete thought).
Probably the best way to do that would be to set up an IDS gateway between their networks and the rest of campus. Something from CISCO would probably be best, but I'm fairly certain you could do it with linux/BSD or another COTS solution for decreased price. Have the IDS set up to basically drop all traffic from zombied machines. When they complain to you that "their" network isn't working and that it's your fault, give them the ISP treatment: fix your machine and we'll let you back on.
Really, allowing humanities types to manage their own hardware is just a recipe for disaster. Would you let your accountant work on your car? It's not advisable, and would likely cost you more than not having repair done at all and waiting for further problems.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I use pktfilter and good, well configured software to secure Windows systems from 2000 and newer. See http://www.hsc.fr/ressources/outils/pktfilter/index.html.en
For Linux I use Iptables and good, well configured software to secure the system.
And on top of that, if necessary, I use gateways to segment the net and filter traffic, either per traffic type with source, destination, time (most are fine), and sometimes I use application proxies.
However I do not like firewalls at all; these are just needed since we can't properly configure our software with poor quality. The same argument applies for anti-virus.
The thing with firewalls is not to block traffic securely, it is to pass traffic securely. And therefore we still need better configured software with better quality. 1000's of Cisco Pix firewalls in a chain still can't secure a lousy public web server.
Joakim Nordberg
So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
It doesn't need to cost much at all. PF and IPF are both good choices and run on Linux/BSD. Since many Microsoft viruses routinely turn off firewalls and virus scanners, put them behind a zoned BSD system running PF.
Here is the critical part, watch what goes out not just what is trying to get in. Only allow services to systems you trust are managed correctly to have any level of trust. If you are providing web services you can use Squid on the firewall systems as a reverse proxy that is between you and the others to filter out many known bad requests.
Total cost, only your time.
There is an even better Windows firewall, and it's free, too.
I call it the "Open Circuit" firewall. Easiest damned firewall in the world to set up, too.
HTH.
and when did this guy become an IT person when he doesn't understand networking/firewalls.
Take ONE of those servers, and make it the firewall.
you obviously have some hardware for it.
Having each box with its own firewall is a waste of your time, and impossible to manage.
Which university is this? even the small college I went to, with 1100 students, had a real firewall. there has to be at least one smart kid around there who has a clue. I hope he's reading this!
Joking aside, I remember reading that pf's performance actually increases with stateful filtering vs. stateless filtering because looking up an entry in a state table is much faster than walking the ruleset for each packet. I also read that there is virtually no performance loss even with thousands of states.
Does anyone else remember the warez newbies crying that their off-the-shelf blackbox router crashes if their P2P app opens too many connections? Now you may laugh.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
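The post above makes the performance argument for stateful filtering (a state-table lookup is cheaper than walking the ruleset), the earlier "my firewall machine gives each subnet its own interface and each sees the other as outside" post describes a policy of no unsolicited inbound traffic plus a short list of permitted outbound services, and the PF post stresses watching what goes out. The following is an added example (not from any of those posters, and not pf or iptables code) that puts those three ideas in one small packet-filter simulator: a first-match stateless ruleset, a state table consulted before the ruleset, and two internal subnets that are "outside" to each other. Interface names, subnets and packets are constructed; the subnets use documentation prefixes. A real stateful filter such as pf also tracks TCP sequence windows and the interface a state was created on; this keyed-on-endpoints table shows only the lookup-before-rules behaviour.

```python
"""Tiny stateful packet-filter simulator (added example, not pf/iptables code).

Rules are (in_iface, src_net, dst_net, proto, dport, action), first match wins.
A state table keyed on the two endpoints is checked before the rules, so
replies to permitted conversations pass without touching the ruleset.
"""
import ipaddress

# Constructed topology: two internal subnets on one firewall, each "outside"
# to the other, plus the upstream link (iface "wan").
LAN_A = "192.0.2.0/24"       # hypothetical Linux subnet on iface "a"
LAN_B = "198.51.100.0/24"    # hypothetical Windows subnet on iface "b"

RULES = [
    ("a", LAN_A, "any", "tcp", 80, "pass"),    # A may browse
    ("a", LAN_A, "any", "tcp", 443, "pass"),
    ("a", LAN_A, "any", "udp", 53, "pass"),
    ("b", LAN_B, "any", "tcp", 443, "pass"),   # B: only HTTPS out (updates)
    ("wan", "any", LAN_A, "tcp", 22, "pass"),  # the one inbound service
]
DEFAULT_ACTION = "drop"                        # no other incoming anything


def in_net(addr, net):
    """True if addr is inside net; 'any' matches everything."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class StatefulFilter:
    def __init__(self, rules, default=DEFAULT_ACTION):
        self.rules = rules
        self.default = default
        self.states = set()      # {(proto, frozenset({(addr, port), (addr, port)}))}
        self.state_hits = 0      # packets decided by the state table
        self.rule_walks = 0      # packets that had to walk the ruleset

    def filter(self, pkt):
        """pkt = (in_iface, src, dst, proto, sport, dport) -> 'pass' | 'drop'."""
        iface, src, dst, proto, sport, dport = pkt
        key = (proto, frozenset({(src, sport), (dst, dport)}))
        if key in self.states:               # reply or continuation: O(1) lookup
            self.state_hits += 1
            return "pass"
        self.rule_walks += 1
        for r_if, r_src, r_dst, r_proto, r_dport, action in self.rules:
            if (r_if == iface and r_proto == proto and r_dport == dport
                    and in_net(src, r_src) and in_net(dst, r_dst)):
                if action == "pass":
                    self.states.add(key)     # remember the permitted conversation
                return action
        return self.default

    def run(self, packets):
        return [self.filter(p) for p in packets]


# Constructed traffic sample: (in_iface, src, dst, proto, sport, dport).
SAMPLE_PACKETS = [
    ("a", "192.0.2.10", "203.0.113.5", "tcp", 40000, 443),     # A -> web: rule
    ("wan", "203.0.113.5", "192.0.2.10", "tcp", 443, 40000),   # reply: state
    ("b", "198.51.100.20", "192.0.2.10", "tcp", 50000, 445),   # B -> A smb: drop
    ("wan", "203.0.113.66", "198.51.100.20", "tcp", 55555, 135),  # probe: drop
    ("wan", "203.0.113.7", "192.0.2.10", "tcp", 51000, 22),    # ssh in: rule
    ("a", "192.0.2.10", "203.0.113.7", "tcp", 22, 51000),      # ssh reply: state
]


def demo():
    """Run the sample through a fresh filter; returns (verdicts, hits, walks)."""
    fw = StatefulFilter(RULES)
    verdicts = fw.run(SAMPLE_PACKETS)
    return verdicts, fw.state_hits, fw.rule_walks


if __name__ == "__main__":
    verdicts, hits, walks = demo()
    for pkt, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{v:4s} {pkt}")
    print(f"state-table hits: {hits}, ruleset walks: {walks}")
```

The third packet is the point of the two-subnet layout: the Windows subnet cannot reach SMB on the Linux subnet even though both sit behind the same box, because nothing in the ruleset permits it and no state exists. The counters show the performance claim in the post: every reply is answered from the state table, and only new conversations pay for a rule walk, so the cost of a long ruleset is paid once per connection rather than once per packet.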
Anyone who uses one of several 'home router' type hardware (I'm talking specifically about the Linksys, but I'm sure others apply) are already using Linux firewalls. :)
--
telnet://sinep.gotdns.com -- TW2002 and LORD registered!
bork bork bork!
PS: that was the link I missed: http://kerneltrap.org/node/477
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
I'd suggest installing a Sonicwall firewall device (www.sonicwall.com) or a similar hardware firewall to physically segment your machines from the rest of the network. You can even do this in a way that's address-transparent (so that you're not NATing).
This way, you don't have to worry about a bug in your locally installed firewall allowing someone in anyhow (and then having to go patch multiple installations), nor will you have to worry about CPU overhead from processing an attack (your machine is still getting hammered even if it's not getting past the firewall program), nor will you have to worry what OS is supported or what hotfixes may break the FW.
I'm not a fan of locally-installed firewalls as an end-solution.
Not to mention, no licensing costs. One sonicwall capable of handling a couple dozen or so servers will set you back about $500. Norton Internet Security would be $129 a pop (and Norton as an example has been the target of worms that disable the firewall).
If you don't go with a Sonicwall or such device (which have great support and an easy to use GUI, btw), at least put up something like OpenBSD between your servers and the network instead of trying to manage firewall rules and versions on a bunch of individual machines.
You can buy it for less than $50 and run 10mbps of traffic through it.
You, Sir, are a pathetic prostitute.
El Fuego
Marcus J. Ranum (who was certainly involved in invention and creation of firewalls) has the best advice, for the ultimate firewall:
The Ultimately Secure DEEP PACKET INSPECTION AND APPLICATION SECURITY SYSTEM
Well, you should definitely check out m0n0wall at http://www.m0n0.ch/wall/!! Based on FreeBSD, configured with a webserver and PHP and stores its complete configuration in a single XML-file. Very nice indeed.
Windows 2003 Service Pack 1 includes a decent software firewall. It's free.
I have used this for everything from my home network to a couple of biz's connected with T-1's. Even using an AMD K6 speed was not an issue. It is just a great setup!
Why not m0n0wall? It works very well.
Right now I'm testing pfSense as it uses pf. pfSense is still alpha code, but the critical parts work very well.
Check them out:
http://m0n0.ch/wall/
http://www.pfsense.com/
Normally if I want affordable and under $100 I would get a Linksys hardware firewall. It is affordable, and being a hardware firewall it won't easily become disabled if a virus infects your system. But if you need something more advanced, you can set up a Linux (or OpenBSD) firewall on a separate box. If you don't have a separate box you may want to consider VMWare: install Linux on your box and install Windows 2003 in the VMWare. Then install a good Linux firewall to protect both systems.
While a lot of Slashdotters will go crazy about the performance hit that a little Linksys firewall will take, you should actually figure out what the actual traffic is (like average BPS over a week); many times you will be surprised at how small the traffic that 100 or so people can actually do on most services. I would say if your average peak time performance is less than 10 mbs over time you probably save stress and time with a Linksys firewall.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This one is great if you don't understand tcp/ip or if people that manage it for you have no idea what tcp/ip is. http://www.smoothwall.org//
Could any real admin answer this, please? What has Slashdot come to? I would know where to look, who to ask and what to do, but I don't have much experience in this field.
... Could someone that works in this field please take it from here or point this person to some document?
This question is like asking hey, I don't know which browser to take, IE came for free, but the new versions don't run on our Windows 95 computers. Could Slashdot please help me?
Though the answers suggest the Slashdot really has changed and that those questions should be asked here.
For starters:
Firewalls are just one part of network security including, but not limited to, update policy, safe passwords, proper encryption, DMZs, educating users,
How about the Linux Howto Collection. IMHO they are a great read and a good place to start.
we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-).
:)
;-) See, I can laugh about it, too...but that doesn't mean it's true, just funny.
It's a joke, I know. And it's cute, I suppose, but since so many /.ers push the praises of direct vocational school over the Liberal Arts, I guess I should offer the counter point.
The Liberal Arts, at its core, is the study of learning. Liberal Arts majors may not graduate with as many courses directed at a single field of study, but they do graduate with a better understanding of how to pick up whatever skills/knowledge may be needed to get where they need to go in life.
Unlike direct vocational schooling, the Liberal Arts are designed to teach a person how to think, how to solve problems, and how to adapt rather than how to perform in a particular field of study. People who've studied within the Liberal Arts tend to be successful and competent in my experience, regardless of the field of endeavor.
We, as a society, cannot afford to devalue the degree designed to promote learning for its own sake! Such an attitude just falsely confirms a misplaced fear that many working-class students and their parents have: college education is a waste of money, unless each day's lesson can be connected to something that will be needed on the job some day.
I am a programmer. A self-employed consultant, specifically. I have a Liberal Arts degree in Religious Studies (yes, a Liberal Arts student can and does have a major, in which they devote a great deal of time!). While many of my courses were on topic with my major, many were not. I wouldn't trade those off topic courses for the world. I was studying religion, yet the school believed I'd be a better person upon graduation if I had experienced study in other fields. I took classes in Physics, Anthropology, Psychology, Computer Science, and Theater to name a few. I loved em. My interest areas are broadened, my experiences less confined, and I can carry on an intelligent conversation with pretty much anyone in any field of study.
So, in short, if you have a problem with zombie computers from the Liberal Arts department, the answer is easier than a firewall. Go tell em what they are doing. They learn quickly and might impress you if you don't approach them with a condescending tone.
Thank God I don't care about karma, otherwise I'd be scared to hit "Submit".
P.S.
* A graduate with a science degree asks, "Why does it work?"
* A graduate with an engineering degree asks, "How does it work?"
* A graduate with an accounting degree asks, "How much does it cost?"
* A graduate with a liberal arts degree asks, "Do you want fries with that?"
-Tom
More specifically ISA 2004.
;)
Yes, probably not the most popular view on here, but if your Windows Server is running IIS/Exchange 2003 over SSL or RRAS - there are few firewalls that match ISA 2004 in terms of features.
For example:
- Application layer filtering
- VPN quarantine
- HTTP filtering
- SMTP screening
- Intrusion Detection & Protection
- User-level management
I could go on, but I'd hate to be flamed to oblivion
Yeah, but who wants to deal with lesbian sysadmins?
(I jest, I jest. Lesbian sysadmins are much easier to deal with than teenage-hormone-overloaded dorkguys.)
It is really easy and you end up with a dedicated firewall box with a DMZ
It is what we are using at work (and the boss can even use it).
http://www.fx.dk/
It's a truly great firewall, work in windows, linux and OS/2, very versatile, has all the features you could ever need, including IDS, VPN, IPSec, Remote GUI, etc. It's really very good, check it out.
shana
If you can't answer this question yourself, you have no business maintaining those servers. Quit and let someone qualified have the job.
I'm so sick of people at work who can't find a single answer themselves unless it's taught in a 2 week conference. If someone at my work asked this question I'd seriously question their abilities since they can't even use Google or compare firewalls for themselves. Use your brain and think for yourself- that's why you have the job and someone else doesn't.
It's what I run on my XP-powered laptop to keep it safe in hotels and at hotspots, because it's far more configurable than the built-in Windows firewall.
http://smb.sygate.com/buy/pspf_pricing.htm
Simple - he didn't name an OS.
He named a kernel.
But if it's not Linux based, it's WRONG. This is Slashdot, remember?
By the way, why the fuck is there a "What firewall should I use?" question on the front page? What kind nerd doesn't know about firewalls?
God, I fucking HATE Slashdot.
For about $100, you can already get a hardware firewall. It obviously will be a fairly basic model with less than stellar performance, but it may be good enough for your needs. Hardware firewalls tend to be simpler to set up and more robust than something you install under XP.
Get a hardware router or dedicated PC already. IPCop or Smoothwall are excellent PC based routers/firewalls that play nice with Windows networks and they don't need much hardware. An 800MHz P2 with 64-128MB RAM will be plenty and you can remove the keyboard & screen once you're finished setting them up.
You need a new network.
You need someone to design the network to prevent this stuff as much as possible.
I've told my company flat out that any Windows server that provides a public or interdepartmental service has to be firewalled. Because they've had virus issues in the past which ended up being where I spent my first 2 months when I was brought on, this became rule number one.
Simply patching Windows servers is not enough anymore. While you sit there and have to test each MS patch on backup servers before moving into production, anything can happen. A good network design with some hardware firewalling/packet filtering and a bit of Layer 2 sprinkled in here and there will buy you the time you need to test the latest fix that Microsoft puts out.
You also need an admin who will configure the servers properly using the basic windows packet filter stuff as well. Disable unused services and other such common housecleaning tasks. Don't forget host-level security lest some silly jr. admin go in and fsck it all up.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
You should use OS X. It has the best security record of ALL Unixes, it is easy to use and set up, it performs far faster than Linux or any BSD and it has the most advanced firewalling technology available today. In addition, since it is closed source, it has another level of security on it that puts the open sores unixes to shame: that being the guarantee that it is written and maintained by professional American programmers working for an American corporation. Unlike Lin-sux or BSD, no Chinese or Finnish hackers have inserted back doors into OS X.
So don't risk your infrastructure, switch to OS X today.
That's a very good point.
While it sounds like the poster's network is as bad as the open internet or worse, and in that situation anyone with a bunch of servers to protect would stick a hardware firewall in the way, I've got to ask how many remote attacks a fully updated W2K3 server would actually be vulnerable to.
Even without the firewall turned on, you still don't have to run every service that comes with 2003 just because you can.
Anyone aware if any of last month's remote exploits (such as the SMB one) actually in the wild before their announcement?
I would recommend a high performance firewall with a default deny policy between the server room network and the rest of the campus. Also, a cheap solution might be ACLs on the upstream switch, enterprise equipment can usually handle a high rate of traffic compared to most firewalls, especially if you have an internal issue. Look in to using both solutions, ACLs for the heavy filtering and the firewall box as the next line of defense.
Also, the servers shouldn't be getting infected if they are patched. A good precaution might be turning on the Windows firewall simply so programs can't automatically open ports, but it should never get to that on managed servers and you should know all of the services running on all of the servers.
Protecting segments of the network from internal threats is essential in an environment like that. I would recommend consolidating your security rather than patching holes here and there with host based firewalls, you will have a lot more control of the situation then. One plus to the windows firewall is that it can be managed through group policy which may or may not be a problem.
Removing all network connections? I agree entirely, that's a very safe solution for a server.
We should also remove all doors and windows from buildings to make them more secure.
I think ZoneAlarm works with Win2003, but I am not sure on that. I haven't bothered to read all 100+ comments, so this may be redundant.
Viral software licensing is not freedom, it is in fact GNU/Socialism.
Logic is your friend. Do a simple requirements analysis.
Your time is valuable.
You are protecting a number of computers.
You are not concerned about the inherent value of the information that is contained on the systems.
Your main worries are related to extra work rebuilding systems and the use of the systems as a vector to other systems.
I would suspect that centralized management is a requirement.
You don't have the resources for an IDS (they are expensive to maintain; see time above).
Your options come down to a centralised management platform for windows host based firewalls OR a perimeter security model.
If you go secure perimeter you can go Linux using fwbuilder; simple, easy to maintain.
Do resource TWO computers for your perimeter security (one backup) and maintain both when pushing rulesets. Your HA is to unplug your network from the failed device and plug it into the backup.
At a later date you can investigate load HA arrangements, however they are more costly in terms of time and skill. (keepalived is a good choice)
If the information on the network is valuable, seek government advice as they have simple howtos on classifying material and protective requirements.
If you think that you will need to prosecute or utilise the logs for an evidentiary purpose, go for a certified firewall. (What this means is that in a court you can say that I have logs showing that IP X sent traffic to IP Y and organization Z has verified that the logging of this device is valid)
www.smoothwall.org has a free version which works great.
Just set your config directory to a write-protected floppy. As long as your config changes are infrequent, it works great.
I took an old P133 machine and installed Linux on it, then set up an iptables ruleset to handle the NAT and firewall. The router machine runs SMTP, a web server when I need it, torrents, etc.
Now for a university network, I don't know if a P133 could handle the load. But considering that it's hard to find a machine that low-end anywhere these days, I doubt this is a problem. Find a chucked out HP Pavilion (Athlon) machine and set it up this way.
I have an OpenBSD router here at work that I built, and I will vouch for its performance. We have been hit by Drudge and /. a few times, and even though none of the websites or mail servers would work I was able to poke around in the firewall with no noticeable lag. We had over 10,000 ACTIVE states in the table, and the performance of the server was pretty stable with no noticeable lag on the console (couldn't ssh as the T1's were all maxed).
System specs are pretty normal, 1Ghz Athlon with 512MB RAM.
/* oops I accidentally made a comment, sorry */
If anyone cared about the cost of electricity, cheap hardware firewalls such as the NetScreen might seem like an advantage over that dusty 1997 Pentium Pro.
Most computers burn $100/year in power, but fancy shmancy servers can burn $200/year. Add 50% if you have to pay for the air conditioning electric too.
Of course, I'd have to say, a Mac Mini at $500 might be able to do the work of a NetScreen and is only slightly larger, but it has a DVD Burner which would come in handy... However the OS variant would probably drive most admins crazy.
Choices, Choices...
As for windows, it is a desktop OS. Not using it on a server is the best approach to firewalling it.
Just buy a cheap firewall appliance, FFS. There are plenty for under $100, and they will do you better than all the old Linux-ridden 486s in the world.
I can't speak for the linux side of things, but here's my comments for Windows.
Note that while this is easier to manage with Group Policy via Active Directory, you can use the local group policy settings and migrate them across your lab. My thoughts on this are valid for XP and 2003.
The internal firewall is your first defense, blocking all non-permitted inbound random/unimportant information from reaching your machines. Tell the firewall the applications you will be using, and it will dynamically open required ports as the program needs them. This way you don't need to deal with local port management. You want this setup to prevent traffic from reaching IPsec, and for any logging purposes you may have. IPsec's current version doesn't really do packet logging, and is in no way a firewall (although I used it for years as a firewall with Windows 2000 and never had any ill-received problems, but they were not on critical systems either).
Use IPsec in pure authentication mode without encryption (unless you have encryption offload cards). You can use it in several ways.
All communication requires authentication:
No computer can talk to yours that is not setup properly. Period.
All inbound communication requires authentication:
All inbound traffic must authenticate or be dropped.
If you lock inbound, but not outbound, your clients can still access web resources and any other computer without issue, but you have completely prevented anyone else from initiating communication with your systems.
IPsec works like this: Generic rules (require authentication from everyone) are over-ridden by a more explicit rule (do not require authentication from whatever.system.local). Generic all IP rules are over-ridden by port rules, port rules are over-ridden by explicit IP address rules or subnet rules. Etc.
For your purpose, I would at least require all inbound traffic to require authentication by String, however this is not secure and anyone with administrator access can rip the password out of the registry. To do it securely, you need to do it by certificate or Kerberos. The kerberos implementation will require active directory, the certificate method will require a full IKE/PKI configured for your area. You do not need to buy a certificate from a place like verisign, you can do it all yourself through your own self-signed certificates. This entire process with IPsec can be automated through Active Directory, but if you don't have active directory, I believe any generic IKE/PKI server can generate valid certificates for your use. It's a lot less work on your part doing it through active directory.
IPsec policies will work between Windows 2000, XP, and 2003, however your key strength is limited based on the oldest OS you use. 2000 will only function with low keys, XP with both low and medium, and 2003 with strong keys and the two weaker keys. Also, you can set it up from strongest key generation to weakest, so 2003 will always talk to 2003 in strong, 2003 to XP in medium, 2003 to 2000 in weak. It may be possible to make IPsec work side-by-side with Linux using Freeswan, or whatever project replaced it, however I never used that program.
One last thing, if your systems are used by untrusted users, consider how possible it is to use the software restrictions built into Windows. Once that is activated and configured well, it becomes very difficult for a local user to run non-authorized software without sitting at the machine and taking it over first. Refer to rules regarding Software Restriction Policies for this.
K.
http://www.m0n0.ch/wall/index.php
OpenBSD is free. See www.openBSD.org and you can D/L boot media and install from the net.
This is an excellent f/w solution with several capabilities, such as if you run dual redundant paths and one f/w dies then the other will smoothly pick up the traffic.
I would suggest running Windows servers on the net is a bit crazy. But then I suppose Microsoft would not agree with what I might say.
So, this guy has a $100 budget...
How much does Windows Server 2003 cost per CPU?
And no, this is not the precisely correct answer. It's only the correct answer if you're a complete fucking moron who cannot grasp networking concepts and don't mind using Fisher Price My First OS.
When it's liberal arts machines getting infected, I've found the BEST firewall to be a pair of wire cutters. NOTHING gets through after the skilled use of these babies.
Unskilled use of wire cutters can lead to extreme pain below the abdomen.
"Works great" is too dependent upon the decreasing quality of floppies for my liking, but it would work fine for various definitions of fine.
Warning: This signature may offend some viewers.
Just look for the network connection cable at the back of each Windows machine, DISCONNECT and you are all set! haha
The next best thing is to have any free OS (Linux, *BSD etc.) with squid cache preinstalled plus maybe antivirus etc., 2 network interface cards on the server, start squid and turn OFF automatic net sharing/routing; all Win clients should connect to squid.
This is the very basic idea, that we are all talking about.
free OS, squid included plus brain.
30 buck old PC from eBay (no monitor needed), easily controlled remotely.
Since iptables is built into the kernel the OS is irrelevant.
... m0n0wall. Runs as a rock. Good support by the mailing lists, open source. Comes with a very nice webbased control panel. The catch?
There is no catch.
then any OS that is capable is fine... BSD, Linux, Solaris, it's all good... provided you're comfortable managing the system.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Okay under $100. It's free
It has a nice php interface.
It is very tiny in size.
And you can run it just off the CD if you want to.
It's based on FreeBSD
http://www.m0n0.ch/wall/
Found nothing better than a dedicated low-end PC running a linux install like Smoothwall.
There are many versions of a Linux firewall out there now and you can use an old PC or just purchase a cheapo used one. I've a PPro200 with 96MB of RAM and a 2GB HDD protecting me for four years now. Only thing that brings it down is a power failure (61 days since that happened). It protects 16 PCs now without much issue.
...and this only came out a couple days ago:
5
http://www.frsirt.com/english/advisories/2005/052
You don't need any fancy software. Just use Routing and Remote Access, which comes with Win2k/2k3 server, to set up some good, strong packet filters and you're protected.
m0n0wall also does a good job if you want to use a dedicated box
He already has the Win 2K3 boxes. He wants a cheap firewall to protect them. The fastest and cheapest thing to do is go to Windows Update and install SP1 and the post SP1 security patches.
Of course he should probably also use some kind of hardware firewall (defense in depth), but that may not be required in his situation. SP1 is definitely at least part of the correct answer.
Nice troll though, you faggot ass cuntsmear.
...Is all you need. Rock solid specialized Linux distro built from LFS http://www.ipcop.org/. It has all the advantages of commercial hardware routers, it's easy to customize and you'll be online in 30 minutes. Just get yourself an old P3 500 w 256 Mo of RAM and a decent HD (if you intend to run snort and get quite a lot of traffic). I have 4 servers on my lan and run it on a P166 w 64 Mo of RAM. The TCO of this baby in my case has been roughly 4 hours of work + electricity for the last 3 years.
You don't even need more than one ethernet interface on the system. If you are attaching it directly to a switch you can make it listen on two different addresses and the switch will happily route the traffic accordingly. Of course having two interfaces can increase your throughput...
Why? Because everyone is out trying to hack Linux and Windows machines, they seem to leave the FreeBSD machines alone, maybe because they don't know what to do with them. Or at least there seem to be fewer people hacking FreeBSD. Most likely it's just less press about it. NetBSD or OpenBSD would also probably work as well.
I run my firewall off a custom hacked FreeBSD CDROM. While this makes updates more difficult, it makes replacing files near impossible. Hackers can't replace /bin/ls unless they mount /bin as a memory filesystem, in which case they now have to replace df, mount and several other programs. You really only need /var and /tmp as memory filesystems, and maybe some parts of /etc or the whole /etc.
It has no hard drive so if the power cycles, it just reboots and it's all fine and dandy. I have a separate machine that I can do builds on and updates. I have trimmed it down to a 64 Megs CD and that includes perl, sshd, apache, dhcpd, and bind9.
You could do this with Linux as well. I haven't heard of anyone creating a Windows bootable CDROM firewall. Mac needs special hardware, and I'm not that familiar with Mac, but you could probably create a Mac firewall on CD as well.
If you think it's been hacked, reboot and the hackers have to try again :-)
There are also commercial hardware firewalls. Some are cheap, like the Netgear, dlink, and Linksys, but some of the better ones are in the $500 plus range.
Only 'flamers' flame!
Does slashdot hate my posts?
Sushant Bhatia asks: "So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
You want a perfect firewall. You want to pay peanuts for it.
You could take over the university, set up an empire, and take 10 years and 800,000 people to build the Great Firewall. But then, the Mongols managed to get around the Great Wall without undue trouble. Why are you letting the Mongols stay?
The Mongols were eventually thrown out when the Manchus offered to help the Ming throw the Mongols out and in the process took control of China.
I suggest you offer to help the administration in all the departments to rid themselves of the problems (after having documented for them exactly what the problem is and where), and when they agree (or else going on record denying responsibility for the problems going on under them, which will serve the same purpose) set up a policy whereby you cut the miscreants' heads off. As a modern homage to this traditionally effective corrective action, you could pull the zombies' plugs and keep them that way until the owners fixed them and their administrators notified that the fix was in place.
You probably have a layer of IT between you and the top administration, as well as IT below them in the departments. They have jobs to do, and jobs they should be doing. They too should be held responsible for doing them, or not. Doing everything above the board and in public makes it hard for people to deny their responsibility.
"The skillful fighter puts himself into a position which makes defeat impossible, and does not miss the moment for defeating the enemy." -- Sun Tzu
On the other hand: "All analogies fail. There is nothing 'like' the net." -- Unit IV, SPUTUM. Fortunately few people realize this and live as though it's not true, and the use of analogy provides adequate direction against them.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
My firewall is a Pentium (non-MMX) 200 with 32 Megs of RAM and 1.2 Gigs of HD and two $5 NICs (remember, unless you're dealing with a really high bandwidth pipe, a 100 Mb/s NIC should be plenty). You could probably grab one of those from a local surplus dealer or eBay for less than $50. Then set up Linux (whatever distro you feel you could deal with except Linspire). I use Redhat myself. :) Do a minimal install but remember to keep devel tools on so you can compile all of your own custom stuff. Spend a few days removing all unneeded commands/services, recompiling the kernel for serial console (so you can ditch ssh and/or telnet), iptables support, etc... Set up your inside and outside interfaces. Put on Snort, Portsentry, what have you for security and auditing. Plug it inline and away you go. I've been running with the same exact config since 2001. The only thing I've had to do is rebuild the kernel a few times due to exploits. Also upgrading portsentry from time to time, or snort. So far no one has hacked my network and I'm aware of every packet that enters or exits it. There is nothing outside except for the one NIC on that box. Cheap, simple, efficient.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
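The two-NIC inside/outside iptables setup the post describes, as an added example that is not part of the original comment: a POSIX sh script that prints (or, with APPLY=1 and run as root, applies) a stateful default-deny ruleset with NAT, forwarding only a listed set of services to the lab servers. The interface names, lab subnet and service list are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): generate a default-deny,
# stateful iptables ruleset for a two-NIC Linux firewall with NAT.
# Interface names, the lab subnet and the service list below are assumed
# sample values, not taken from the thread.

OUTSIDE=eth0                # assumed: NIC facing the campus network
INSIDE=eth1                 # assumed: NIC facing the lab servers
LAB_NET=192.168.10.0/24     # assumed RFC 1918 subnet behind the firewall
# Only these services are reachable from outside; everything else is dropped.
# Format: proto:port:server (constructed sample values)
SERVICES="tcp:80:192.168.10.5 tcp:443:192.168.10.5 tcp:22:192.168.10.6"

# Print the ruleset as iptables commands so it can be reviewed or diffed
# before being applied; this function itself never touches the kernel.
# Order matters: flush, set DROP policies, allow loopback and established
# flows, allow admin ssh from inside only, drop spoofed lab addresses
# arriving on the outside NIC, then let the lab out and the listed
# services in (DNAT + matching FORWARD accept), masquerade, and log drops.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INSIDE -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $OUTSIDE -s $LAB_NET -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INSIDE -o $OUTSIDE -s $LAB_NET -j ACCEPT
EOF
    for svc in $SERVICES; do
        proto=${svc%%:*}; rest=${svc#*:}
        port=${rest%%:*}; host=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $OUTSIDE -p $proto --dport $port -j DNAT --to-destination $host:$port"
        echo "iptables -A FORWARD -i $OUTSIDE -o $INSIDE -p $proto -d $host --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
iptables -t nat -A POSTROUTING -o $OUTSIDE -s $LAB_NET -j MASQUERADE
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
EOF
}

# Number of commands in the generated ruleset (handy for a sanity check).
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# Run the generated commands as root; requires iptables on the host.
apply_rules() {
    gen_rules | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_rules
fi
```

Everything not matched by an explicit ACCEPT falls through to the DROP policy and is logged (rate-limited) so the dropped-packet log stays usable under a flood.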
You say you're looking for a firewall under $100? I don't understand this concept you speak of -- paying for software as vital as a firewall!
Seriously though, check out Firewall Builder at http://www.fwbuilder.org/. It looks like they now even have Win32 builds, although I would agree with others that the best approach is a separate, dedicated, Linux or FreeBSD box.
Firewall Builder isn't a firewall itself. It is simply a GUI tool to help you create firewall policy by defining objects which represent networks, hosts, policies, NAT rules, services, etc. Then you plug in a policy compiler for the platform you're targeting -- iptables, pf, etc.
I have used it for years and it works like a charm.
I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university.
How many is a bunch? It's all relative, and an exact number isn't the point, just that some people consider 6-12 a bunch and others think of 250-500 as a bunch. What's mostly important is that you thought to call them a bunch, so we'll consider them as such.
Does it cost less than US$100?
There's a lot more you could have added to your question, but you've essentially shown your hand with just this bit. There are a couple of reasons why you could be interested in such a cheap solution and didn't choose to further explain:
There's a lot more that could be tacked on here, but the point is that $100 for a firewall solution is pretty much a joke. Software firewalls in and of themselves are not the way to go in the first place. If you're in a true university setting managing any number of servers, there's no reason they should not be behind some kind of hardware firewall part. Even a PIX501 would be a start.
I had intentions of saying more, but I just found out I don't have to work as late as I thought tonight.
ADIDAS!
I'm against picketing, but I don't know how to show it.
Consider an older (PowerPC) Mac running IPNetRouterX...
The software is less than $100, and I'm presuming you can scrounge a Mac, although even older Macs tend to be useful...
dave
I appreciate that people want "geek advice" from the Slashdot crowd, but honestly, I can't understand why these "Help Me" stories are posted in a site dedicated to Geek NEWS.
/. post these stories? Aren't these questions better left to some relevant newsgroup or forum (where he'll probably get the same response anyway)?
Half the responses are the obligatory "Use Linux!" or "Use BSD" which are obviously not a possibility for this guy since he doesn't make the purchasing decision. And, don't y'all think he WANTS to use Linux or BSD... he is posting to Slashdot afterall!!!
The other half are smart alecs posting a Google search which the guy should just go and do himself anyway.
In light of the RTFM and "figure it out yourself" attitude of most Slashdotters, why does
You disgusting, abominable creature.
You'll do anything to get on CNN, won't you?
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
IPCOP is the best tool for under 100 bucks, cause it's free.
If you want something with tech support, you can get ClarkConnect which uses apt4rpm and costs 250 for their top of the line version. They support it for 5 years for that 250.
For what you want, IPCOP and a box for free(laying around) will get you what you want.
I have a DLink VPN router, cost around $80, highly configurable SPI firewall, works like a charm. I had a box dedicated to firewalling/NATing, but it's a lot more power and a lot more energy than a dedicated cheap piece of hardware.
I also recommend the service pack approach for your Win2003 machines; it can probably patch some potential security holes as well. But if for some reason you don't want to apply the service pack, you might want to look into Sygate Personal Firewall. No nag screens and works with Win2003 Server. Downside is that it's quite stripped down.
e.g. when there is an incoming/outgoing connection, you can choose to always allow the receiving/initiating application, always deny, or allow only that one time. But that's more or less all you can do aside from logging.
1) Firewall on Server = Bad!
2) Firewall may not solve the problem. (Think Anti-Virus = $$$$$)
Firstly: The post implies that the firewall should be on the server (and a windows server at that). This is the wrong approach. The firewall should not run on the server. Period. As many of the Firewall sites state: "If I can't convince you why running a firewall on a machine is a Bad Idea..."
While this can lead into a varied bit about firewalls, of which many have pointed to their favorites - or what just works... The Firewall may not solve the problem (Hell, he could just turn off all the ip ports but the services he offers smb, web, ftp, mail...). Many viruses will spread via network shares. I don't think that removing access to the network shares is desired here. What is called for is an anti-virus package. (or a real firewall with an anti-virus package built in perhaps..)
To Conclude: You should not be running a firewall on the server. Firewalls belong on dedicated machines (aka appliances that are really just dedicated computers. perhaps with vpn integrated.) In any case, unless you are going to say that the student labs should not be able to connect to the shares, viruses in the labs will connect to them. A better solution is anti-virus.
There's obviously a lot of evangelism going on here, I can't even get involved in discussions of using old PCs as firewalls to protect valuable network resources, other than to say I've worked for many corporations over the years and I haven't yet worked for one that ran a production network using old PCs as routers and firewalls.
Anyway, if one is asking what *I* use, at home it's the perfectly usable firewall capabilities built-in to my network router, plus I still run BlackIce on my systems. (Yes, I know, BlackIce is far from perfect, and it annoys me sometimes, but it does what a lot of other commercial software firewalls don't do, it *tells me* when it sees questionable activity.)
For work, if I really didn't trust my LAN, I'd probably do something similar, hardware router acting as a firewall protecting my systems collectively, with additional software firewalls on my critical servers for a little overkill. The one Microsoft offers now would probably be sufficient, and at least won't dent the $100 budget mentioned.
A good quality anti-virus software should always be running on any windows server too, of course. One configured to get updated a/v definitions at least once a day.
There is really no need for a firewall with Win2k and above.
With Win2k, turn off the services that you don't need and use the built in IPSEC to regulate what traffic can flow where.
With Win2k3, you can go the IPSEC route, or you can use the firewall that's built in.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Hi. I just bought this brand new Dodge Viper. I'd like to buy an alarm for it. What do you have that's less than $19.95?
If you're spending less than $100 in hardware to protect an important server - then it's really not all that important to you. Really.
If you want to spend less than $100, buy a Linksys firewall/router and put that in front of the server. If you take your servers a little more seriously than that, spend a little more money and build a decent firewall, or at the very least - a pair of cheap firewall boxes that use CARP for redundancy.
Anyway. To get back to your question - I prefer OpenBSD for firewall control - you can pretty much do anything with OpenBSD/pf (thanks for writing pf, Daniel!)
If a web-based control panel is more your thing, you might want to look into IPCop (a linux-based firewall based on SmoothWall). IPCop is pretty, free, and reasonably capable. PFSense is still building up, but it also has a web interface. PFSense is based on FreeBSD.
Hope it helps. -J
I was told that I could listen to the radio at a reasonable volume from nine to eleven...
One exception to this is Coyote Linux. Not only does it not have the usual services enabled by default, nearly all of them have been stripped out. It includes just the components (such as iptables) that serve the central function of safely connecting a LAN to the Internet. And because it's so minimal, it fits on a floppy and runs on a 386 with 12MB RAM. It's no substitute for a full-featured Cisco Pix (for that you'd have to look at Coyote's big brother Wolverine), but it's worked great for me for years, both at home and in a couple of offices I've worked at.
http://alternatives.rzero.com/
A cheap/old PC with Astaro Secure Linux firewall, http://www.astaro.com/. You can even download and install it on a test box. There is an excellent online demo so you can also evaluate it.
Trivium: logic, rhetoric, and grammar
Quadrivium: arithmetic, astronomy, geometry, and music.
So math has two of the liberal arts.
My answers to your original questions, in sequence: I use a Watchguard FireBox II hardware firewall/router combo box. If I were going to go through an actual purchase process, instead of ending up with the FireBox II as a gift, I would purchase either a Zyxel ZyWall 5 or one of Netgear's hardwired router/firewall combos.
Your second question: "Is it less than $100?" Only if you get REALLY lucky on the used equipment market. If you're at all serious about protecting your servers, your data, and your LAN, it's far more important to be paranoid than it is to try and be frugal.
In other words: The best possible computer and network security device is sitting right between your ears. Invest in a good solid firewall, yes, and expect to spend more than $100 for it, but also invest in good security policies and procedures for your users to follow. Use a combination of common sense, paranoia, and planning, and you will probably do pretty well.
Happy tweaking.
Bruce Lane, KC7GR,
Blue Feather Technologies
I can't say that my home network has stress tested it, but someone on their mail list (sustworks.com/site/detailed_search.htm) probably has. I've run it on OS 9 for months at a time, interrupted only by #@%^&! power outages. Yep, time for a UPS.
Luke, help me take this mask off
So, the outside world is clobbering your lab machines, and there is one single point of access between that network as a whole and the internet. Now you want a firewall. If you want to harden this network boundary, you can install something on a processor AT the boundary, or let in the traffic and try to halt problems at each machine individually. Good suggestions have been made for the latter case. For the former case, you have a simple enough tradeoff. Software firewalls are more configurable, and tend toward free. Hardware firewalls are less easily configured, but can handle much higher volume of traffic, and even improve over small volumes with better response times. Entry-level hardware solutions are about $50. If you want to prevent your internal network machines from joining the liberal (arts) zombie hordes, THEN you should seek out something like Kerio personal edition. If the liberal arts department invested in this type of solution, there wouldn't BE a problem.
There's a small chance that Sushant does not know that. The persistent popups advertising the "upgrade" may have been disabled. But then he'd have had to have ignored the countless articles on configuring it that appear if you google "w2k firewall."
The more likely scenarios are that it does not work or that he can't apply it because it would break one of the programs the lab is supposed to provide.
Then you have the practical side of things. Do you really think Sushant wants to download and configure 10 or 20 service packs? That could take him weeks.
The easiest thing to do is set up a Smoothwall from someone's throw away. Universities are full of old computers just waiting for a second life like that. One CD, two network cards, 40 minutes and he's done. It would probably take less time than it would to fill out the paper work to buy a $40 "router."
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Take a pair of bolt cutters to the network cable.
---
Or the Aliens option: "Bug out, nuke the site from orbit. Only way to be sure"
For native on the server solutions, you might also want to look at the filtering in Routing & Remote Access, which is present in both W2K server and W2K3 servers without SP1. The XP/W2K3 SP1 firewall is much simpler, but SP1 isn't always an option.
MC
You can configure the network interface to filter ports: look up the commonly used IP ports and allow the ones you use only. (This is also in win2K, NT ...)
The issue is that the unsecured computers in the labs need to connect to the servers, and viruses will use the network drives as an infection vector.
1) Close all ports that are not going to be used with the included tools of Windows Server.
2) Get an anti-virus package for the servers and set them to check every hour for updates.
You should check out m0n0wall
All you need is an old pc with 2 network cards, a cd-rom drive, and a floppy drive.
After initial ip assignment, you use the web interface to configure everything.
Officially: "No comments"
A combination of things really, layered security is the idea:
.PAC file proxy filters in all web-browsers vs. adbanners & such.
.reg files which the first body of code in the HOSTS file I use is prepped for the .reg filedata for via a program I built in ObjectPascal delphi console mode ripping away the URL from the 127.0.0.1 loopbacks I equate adbanner servers to, etc. & then insert these here and into IPSecPols also).
:)
APK Online Security basics 17-points checklist:
1.) IP Security Policy in place for adbanner servers blocking.
2.) A custom adbanner blocking HOSTS file with 35,000++ entries in it with known banner ad servers in it (which have been shown in some cases even as bearing malicious javascript etc. in them as well as just plain slowing you down as you surf the web by calling out to DNS' servers for URL to IP resolution & loading their remote data).
3.) Tcp/IP filtering @ the IP Stack levels (UDP & TCP) allowing ONLY port 80.
4.) Using up to date AntiVirus & AntiSpyware.
5.) Using
6.) IE Restricted Zones (added to via
7.) Custom adbanner filtering Cascading Style Sheets in webbrowsers when possible (via Opera).
8.) ZoneAlarm Pro or Native Windows Firewall. ZA is the better overall, the Windows one works though.
9.) Disable Java-javascript &/or ActiveX-activescripting in your webbrowsers. Sorry webmasters, but too many holes popup here and ONLY IE gets that enabled here for Windows Update really only or sites that "demand" I use either.
10.) Making sure the Operating System is up-to-date/fully hotfix or service pack patched.
11.) Disabling unneeded services (especially remote oriented ones, e.g.-> Remote Registry) gaining not only memory & CPU cycles back, but also security:
Microsoft is even into this one now, evidenced by Windows Server 2003 Security Configuration Wizard run by the installation of SP #1 final onto it.
(I've been doing it for YEARS now, better than a decade since Windows NT 3.51 in fact: It WORKS!)
12.) Using restricted Registry &/or FileSystem ACL rights to disks/folders/files + Registry Hives.
13.) Amending secpol.msc & gpedit.msc security polices local to my system for better security.
14.) Using User-Rights & restricting them to my usual logged on user & the system entity SID itself only on most rights, denying all other groups.
15.) Applying registry hacks known to fortify the system BOTH remotely & locally per Microsoft guides for this on Windows Server 2003 for "OS Hardening" &/or "Tcp/IP Hardening".
16.) Being sure applications are up-to-date & patched current as well.
17.) Lastly here, by using a LinkSys BEFSX41 "NAT" & true CISCO technologies based stateful-packet-inspecting firewall router!
* Absolutely as safe as you can get online in terms of security online afaik! At least for a PERSONAL computer... for networks, I'd use a variation of the above, changing/amending what I had to in order to account for in-house app idiosyncrasies, etc.
APK
P.S.=> (& I have not caught a virus online (other than on IRC once last year & it was MY fault for downloading a file from a guy) in 10 years prior to that doing pretty much those steps above... they all work, working in unison w/ one another, perfectly!)... apk
ADDITIONALLY:
RUNNING IE in a "runas limited user class" sandbox effect, is possible -
It is actually possible to run IE securely: just create a throwaway restricted user account for IE use alone. The restricted account user can't install software and can't access files of other users, so even if IE autoexecutes any nastiness, it can't do any damage.
Of course, it's a hassle to log in as a different user just to browse the web. So we'd want to use "runas" to run just IE as a different user.
Unfortunately, MS has made running
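Step 2 of the checklist above relies on a HOSTS file that points known ad-server names at the loopback address, and the poster mentions generating that data with a home-built ObjectPascal tool. The following is an added example, not the poster's tool: a small POSIX shell pipeline that turns a blocklist into HOSTS-file lines, normalising case, dropping comments, rejecting anything that is not a valid hostname, and de-duplicating. The sample list is constructed from placeholder names, not a real ad-server list. The sink address is a parameter because 127.0.0.1 (the poster's choice) makes the browser attempt a connection to the local machine, which is noticeable if a local web server is listening, while 0.0.0.0 fails the connection immediately.

```shell
#!/bin/sh
# Added example (not the poster's ObjectPascal tool): convert a blocklist of
# hostnames into HOSTS-file lines that sink them to a chosen address.

# Constructed sample input: placeholder names, one per line, with a comment,
# a mixed-case entry, a duplicate and one malformed line to exercise the filter.
SAMPLE_LIST='# constructed blocklist for the example
ads.example.test
Tracker.Example.Test
ads.example.test
not a hostname!
cdn.banners.example.test'

# build_hosts_block SINK_ADDR : reads hostnames on stdin, writes HOSTS lines on stdout
build_hosts_block() {
  sink=${1:-127.0.0.1}
  tr 'A-Z' 'a-z' |                                          # HOSTS matching is case-insensitive
  sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' |    # strip comments and padding
  grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' |  # well-formed names only
  sort -u |                                                 # one entry per host
  awk -v a="$sink" '{ printf "%s\t%s\n", a, $1 }'
}

# count_hosts_entries SINK_ADDR : number of hosts the generated block covers
count_hosts_entries() {
  build_hosts_block "$1" | wc -l | tr -d ' '
}

# stand-alone usage: print the block that would be appended to the HOSTS file
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LIST" | build_hosts_block 0.0.0.0
fi
```

Feed a real list with `build_hosts_block 0.0.0.0 < blocklist.txt >> hosts.new` and review the result before replacing the system HOSTS file; the filter silently drops malformed lines, so compare `count_hosts_entries` against the line count of the input to catch an unexpectedly large loss.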
I use a router that does NAT (puts the PC into a private address space) and the default firewall in Fedora Core (with a little tweaking). I have asked colleagues (computer science/sysadmins) to break into my home PC (Fedora Core 3) and they haven't been able to do it. Yay for Linux!!!
I have been told that cracking a router is possible, requires a lot of knowledge and work, but with the high number of Windows machines available, crackers aren't going to waste their time on a router when Windows is so much easier and faster to crack.
Cost of Linux firewall = Free
Cost of Linux operating system = Free
Back in the day, when I worked in a public library--we're talking a network of a couple dozen machines, most continually being used to browse the web, etc.--I simply recycled an old PC with two NICs and used it as a Linux-based firewall. Something simple, as I recall, using ipchains or some such beast. One incoming NIC, one outgoing NIC, and Linux performing the pass-off in-between.
It worked fine for the two years until I quit the shithole. For all I know, it could still be working now, but I doubt it, seeing as my replacement convinced the trustees to throw several thousand dollars down the Win2k rathole.
It was a damned easy solution, and, since I had all the parts laying about anyhow, it was essentially free. I had never set up or used a firewall until then, and it surprised me how well it worked. It also gained me mucho points with the tech-mystified library administration.
Mmmmmm... Bold, yet refreshing!
Might not meet your price point, but this is what I use on all my low-end systems.
www.iss.net - BlackIce for Servers
http://www.digitalriver.com/dr/v2/ec_MAIN.Entry10
Agreed. A hardware router and BlackIce is a good combination.
The only thing with BlackIce that you have to be careful of is automatic updates and the application protection system -- if you forget to disable the app protection prior to doing a system upgrade, you can render a box completely unbootable.
Firestarter gives you the same security as IPTables (netfilter) but it is point and click easy. Actually, it is really just a front-end for IPTables.
The fact that Firestarter also allows me to use the firewall as a gateway and DHCP server was all I needed to run it on my network.
http://www.fs-security.com/
Look, he's building a firewall for lab full of servers, not a dormroom experiment. Don't waste your time with "an old cheap pentium or something". Do it right.
Here's my recommendation:
Find two reliable, server-class machines. Take a look at this list and get two good gigabit NICs for each machine. (Why gbit NICs? Better performance, even on 100bT, due to better buffering).
Next, install OpenBSD 3.7 on both machines and finally, read this HOWTO and build yourself a redundant firewall with failover using pf, pfsync, and CARP.
Good luck!
Chris
You want to secure your servers for less than $100, can't you get a better budget to protect your production servers?
Ack, that Application Protection system is probably one of BlackIce's most annoying features, I always turn that off!
Thanks for the reminder.
Personally, I set up OpenBSD on a P75 w/ 32Meg of ram -- Overkill, I know. It's been running for YEARS -- and if I want redundancy, it's probably cheaper to get two 5-year-old boxes and set up an HA config than to buy a single server with redundant power supplies (and then have the disk drive go on me!).
Many years ago, they had a bunch of 386-33 PCs running as routers (not firewalls) at the University of British Columbia. They handled the 10Megabit networks we had there pretty well (and being Comp Sci and using NFS all over the place, we ran those networks pretty hard at times). I was told the only reason we were using 386-33s is that the vendor had stopped supplying 386-25s.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
You say that like it's a bad thing! Don't you think those Liberals WANT to suffer for their "Art"? And, it addresses future risks to the gene pool as well.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I also work at a university. We use iptables for some machines and don't run firewalls on others. Your post didn't mention anything about keeping your systems patched, which should also be part of your security plan.
Umm, you can do what you suggest by doing what I suggested - getting a cheap pentium system. You know, they did used to make server class machines back in the day. You can get a never used pentium server machine for very cheap.
Your method of "doing it right" seems to just use gb nics and openbsd instead of linux which I suggested. Are you suggesting he buy a $1500 machine? When he asked for options under $100?
Now if those lesbian sysadmins were hot with large breasts and loved IT guys for 3 ways I'd be set. Oh yea, nevermind. The wife would never let me do something fun like that.
No, this is at the very least PART of the correct answer - the money has already been invested in the Windows servers. That money is already been spent and gone. He's trying to protect these boxes.
Now then, apart from firewalls, what is one of the other Best Practices one can do for protecting a system?
Survey says... PATCH YOUR SYSTEM. Gee, guess what SP1 does, genius? Apart from providing a fairly decent firewall it... PATCHES THE SYSTEM.
Those who don't understand systems shouldn't talk down to those whom they think don't understand networks.
Katana: Firewall & VPN client
http://www.download.com/Katana/3000-10435_4-10402
OSsurance: Firewall
http://www.download.com/OSsurance-Desktop/3000-10
Well, I think I would try to implement this (Linux Halted Firewall). I've never used one, but it seems like a good idea and I plan to build one of those as soon as I get a new hard drive for the Pentium 100MHz I have laying around
Isilrion.
> because his time has zero value.
Yeah.... So... Every time I do the following:
* PATCH: Keep your Windows servers [...]
* FILTER: Doesn't Windows 2003 have [...]
* HARDEN the Windows servers [...]
Microsoft pays me money?
Or, I could just:
* REPLACE any Windows servers with more secure options.
My time is *VALUABLE* to me not only because I make a lot of money on a per hour basis, but because some day, in the relatively near future, I will die.
This is the single most important reason that I don't use Microsoft products.
Using microsoft products is like having OCD. You do things over and over, you don't know exactly why you are compelled to do them, but you *KNOW* that you would rather be free from having to do them (think the ending scene of the Aviator). There are better, easier, much more fun things to do in life and, unlike OCD, you *CAN* help yourself.
The best tool to deal with vulnerable Windoze servers is the "format" command.
Never, EVER allow a windoze box to be directly connected to the internet. Put something decent between windows and the world. I recommend smoothwall.
-- Will program for bandwidth
the price for Sushant's solution doesn't have to be free, and when building a dedicated firewall based on monowall, it might make sense to use a few new and inexpensive parts.
;-)
my first monowall used the rhine and intel chipset with less than stellar performance, but when i changed the ethernet cards to identical asante etherfast with the tulip chipset, my performance increased dramatically (sorry for the lack of any tech details, but the difference was "subjectively" noticeable).
if you go the route of using a CF card, do yourself a favor and load monowall on a couple of cards, 16-32 mb cards are dirt cheap. this way you can always experiment with later versions of the firmware, just by swapping cards out. on the other hand, if you go the CD route, you can run without a hard drive (use floppy for xml configs).
lastly, use a PII or PIII. prolly overkill for your scene, but the last thing you want is a firewall struggling with an anemic cpu.
m0n0wall is definitely the *nix based firewall for the NT admin
three can keep a secret, if two are dead - benjamin franklin
SmoothWall (Excellent firewall) and the Guardian Active Response Mod (Picks up and blocks just about every attack). Best part is the price, or lack thereof. Both from www.smoothwall.org Samuel
SmoothWall (Excellent firewall) and the Guardian Active Response Mod (detects and blocks just about all attacks). Best part is the price or lack thereof.
www.smoothwall.org
Samuel
...that is all.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Easy to configure, can run on low end hardware, I've set it up with a P75, 128mb ram, 1gb hard disk, 2 ethernet cards. Run two school labs off it at university. It's based off of FreeBSD. Check it out for yourself: http://www.m0n0.ch/wall/
3 things. 1 article.
1. leaf linux (or other small dedicated linux)
2. That old computer someone wants to throw away (you know the pI 233mhz with 16mb ram)
3. an extra nic.
Now surf to this article
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
IIRC it is free for non-commercial use, and based on Linux + IPTables. Inbuilt IDS using Snort. All with the added advantage of being almost painless to implement. Other than stupid logic mistakes, but that is another story..
You know, this isn't for babies or people who don't know what they're doing ok?
You do realize all the horrible security problems out there today are precisely because of idiots using "easy" tools to set things up they do not understand?
Some people know what the fuck they are doing. Stop making that out to be a bad thing.
Prior to that I used ipnat & ipfilter and I can't say I've had any loss of functionality.
You can see the difference in the attitudes of graduates.
There are, of course, exceptions.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
No, I (and the BOFG) believe that would be highly skilled use of the wire cutters.
I prefer appliances for firewalls because they use less power and are quieter. It would also be more reliable than a recycled computer. My current favorite brand is Fortinet. They make a really nice all-in-wonder security box (firewall, ids, anti-virus, etc.), but it costs more than $100. The Fortigate 60 runs about $1000 when you include the annual maintenance & IPS/AV updates. You can certainly get a Linksys firewall for less than $100. The only question would be whether it could handle your bandwidth requirements.
I stumbled upon this firewall www.pfsense.org I'm actually going to pay one of the developers to write some features for it in the near future as well. Its based on monowall but uses freebsd instead of openbsd. AFAIAC it is the most professional F/OSS fw distribution I've ever seen. It supports syncing in an ACTIVE/INACTIVE configuration so if one goes down the other picks up without losing the state tables. VERY neat.
:)
I'm hoping to get them to create some basic round robin loadbalancing + health checks for my webservers. LVS was ported to freebsd and if it plays better with pf than it does with iptables that might be a better solution. God knows maybe it supports pfsync as well, that'd be neater than cat shit!
I run a decent sized network, roughly 1200 machines. Here is what we do and why...
I'm assuming you are also on an exposed class B subnet such as ourselves, with very little if any NATting.
on the perimeter, ACLs, we run Foundry BIMG8s using Virtual Router Redundancy Protocol-Extended (VRRP-E) ACLs lock all non server VLANs to nothing below 1056 getting in. This was debated because the OpenBSD solution below already does this, decided upon it cause it provides an extra fuzzy warm feeling
Next, OpenBSD CARP solutions, several of them for different departments, this is our stateful packet inspection, packet normalization (scrubbing), NAT, mail proxies (who exposes Exchange?), OpenBSD is quite a treat for networks! We chose this for the CARP fault tolerance.
Next machine and server firewalls applied via Group Policy. People will just plug into my ports and spoof mac address to gain access to my bandwidth.... like I want them attacking from the inside! All windows traffic is firewalled to only the servers that need access for management. Servers only listen to internal addresses. Everything IPSec auth. We chose this as all the machines pretty much run windows.
From there its McAfee VirusScan 8i which has its own little built in firewall to prevent rogue ftp servers etc.... this is as well applied via ePolicy Orchestrator. This is provided to us through the University.
Then there is DeepFreeze from Faronics which keeps our lab machines in tip top shape, if you are not familiar with this product, you must investigate it. We paid $2 a seat.
Said and done, we run this network with 2 people.
ciao
That's what I said, cuntsmear.
why is a corporate firewall not considered? put all your servers behind this firewall in a DMZ. your first priority is a corporate firewall, server/pc-based firewall is secondary concern.
a corporate firewall is not necessary expensive, and you get to choose among brands like checkpoint, watchguard, cisco pix, etc, etc. of course, you can also use linux and build your own free one in an old box...
I am surprised at the sheer amount of outdated advice regarding firewalling and security design. The days of static firewall rules/ACLs are long over. It used to be sufficient to block the *duh* ports: telnet, SMB/CIFS, your basic LAN traffic that no one from the Internet should ever be connecting to. This is the approach you take with a router ACL, M$ IPSec client, IPtables, PF, etc. None of these technologies help much anymore. The vast majority of attacks are not at the firewall, or looking for open ports that shouldn't be open.
The vast majority of attacks are directed at the applications behind the firewalls. To defend against these types of attacks you need something that goes deeper than layer 3 and 4 (address, port). Modern firewalls are able to look into the payload and determine what type of traffic it is passing. Remember everyone allows port 80, and 443 to be open. Guess what ports the attackers are exploiting? That's right, the port that you leave open to access your web app. That's where they fire off buffer overflows, SQL/LDAP/Command injection, cross site scripting, etc. How is a Cisco ACL, Cisco reflexive ACL, IP Chains, PF, Smoothwall (read legacy) firewall going to protect your environment? It won't. You need something with more intelligence built into it: Deep packet inspection and IPS are the technologies. OSS falls pretty short when it comes to firewalling. The days of the sub $100 firewall doing anything useful are long over. People stop kidding yourselves.
AFA zombies, those are installed (unknowingly) by the end user. How do you address these? Two approaches: the endpoint, and the perimeter. From an endpoint you need to rely on anti-virus, and a personal firewall that capable of identifying malware on the host. The personal firewall needs to identify the malware and control the TCP/IP stack to the point that it does not allow that malware to 'phone home' with the user's acount information (username/password). I am not aware of an OSS project that can do this on the endpoint.
From a perimeter standpoint, the firewall has to (again) be able to identify the traffic in the payload: the good from the bad. You may have some luck with a product like SNORT which will be able to identify some forms of malware. If you want, you could even put something like this inline as an IPS. You are relying on signatures, but it is certainly better than a legacy firewall. There are several commercial firewall products that perform this function quite well, but they are fairly expensive (or are they when you consider the cost of a work/break-in/disaster?). IPtables, PF, Smoothwall, ACLs will do nothing to stop zombie traffic. They will simply allow it out with all of the other legitimate HTTP/DNS/HTTPS traffic. You hope is that the legacy firewall could be quickly (manually) reconfigured to block on src/dst/port. Remember though, these attacks are mostly automated now, and happen at the speed of light. You cannot react that fast.
Several people have mentioned looking at Cisco's designs. Give me a break. Cisco is a connectivity company, not a security company. Anyone in the security industry know what a complete joke the SAFE is. It isn't a security architecture, rather it is a scam to convince people to buy 6500s and utilize VLANs as a way to 'safely' segment their network. What the networkers failed to realize was that the segmentation was virtual, and defeatable. VLAN spoofing, MAC spoofing, VLAN hopping (etc) are very real exploits http://www.monkey.org/ For guaranteed segmentation, you need physical separation: different switches for each segment. SAFE is a series of commercials and ads whereby Cisco attempts to calm your VP or CIO by claiming their products are secure simply by including 'Cisco' and 'Secure' in the same breath. your management sees this enough and they start to believe it. Information security professionals do not use Cisco or Microsoft products: networkers and sysadmins do. Stop kidding yourself with the VLAN and ACL approa
This is the answer you'll love to hate. You can't just fix this with some software. Multiple idiots will no doubt get trojaned & wormed, and flood the network with trash packets.
There are plenty of good network design patterns that need to be applied. If you're getting your network slammed then some of these haven't been implemented, and you might need to bite the bullet and hire in some contractors with chops. I am assuming you don't have any administrators with chops already, because this situation has occurred. You need to get your shit together, and it requires somebody with some experience. I noticed somebody recommended the Cisco book which is a good exposure to thinking about security and network design effectively.
You need to approach this with real techniques. For example, segment the network and put firewalls between logical use areas. I would imagine that the local servers in the various departments have mostly local clients. So you shouldn't have a performance problem using proper vlans and doing real routing and firewalling your networks from each other. Then have your system administrators document and figure what services are allowed to pass.
Anyone seen my low uid? last seen 10 years ago while panning the #@$# out of Taco's 'web based discussion system'
Your liberal arts department isn't running OSX???
Blasphemy!
I don't use Windows, so my recommendation is pretty much vapor when it comes to actual software experience, but Winsock Firewall is the only free software firewall I have been able to dig up.
Naturally, as free software, it isn't going to cost you anything. The people I have asked to try it out tell me it isn't quite as nice to use as some other non-free but no-cost (for personal use) solutions. But they tell me it is functional and would probably be suitable for a reasonably technical person.
Uhm, maybe use the obvious: the Windows Firewall built into 2003 SP1. It's easy to use and you can deploy firewall policies via AD and GPO's.
Sounds like its time for you to hit the books and bone up on your job a little?
Look, the OS really doesn't matter. What does matter is getting your employers to not do stupid things, like run their laptops without security patches and insist on running NFS and file sharing from home and on every machine in your group, getting them to pick decent passwords, teaching people never to use .zip attachments for anything, never running passphraseless accounts and open access points, etc., etc., etc.
Until you can get basic security steps like those in place, the world's best firewall is like a really big lock on a 3 foot high fence. Even the most casual crackers will simply step over it.
"Since iptables are built into the kernel"
No, it isn't. Ipfilter is. Iptables is high level tools to access ipfilter functionality.
I hate to go somewhat off-topic, but it may be that you don't really need a firewall as much as an IPS.
Guess what an OpenBSD firewall is going to do for you when the next IIS exploit comes out? Nothing. How about a nice IPTABLES box? Nothing. Why? Because you're passing the ports back.
If a service isn't necessary, turn it off. If it *is* necessary, then you're going to have to pass the ports back to it THROUGH the firewall. At that point, anything malicious coming down that connection might as well not be firewalled.
Back when I was an admin, I used to run BlackIce on my Windows servers. It sounds lame, I know, but it was a highly effective solution. Not only did it do some rudimentary firewalling for me, but it actually stopped malicious traffic that had to be allowed by any firewall -- since it was a server.
Remember, firewalls are good at blocking things, but that's not always an option -- especially when running servers. If you have an option to block something completely, just disable the service and be done with it. If you don't have that option, and you have to allow access to the service, look into an IPS.
Think of it this way -- if you pass a port through 15 non-proxying, non-application-based firewalls, you didn't gain anything. You might as well have had a wide open connection to the Internet on that port. That's where an IPS or other application-data viewing system comes in.
dmiessler.com -- grep understanding knowledge
Prepare for the 'mines best fest'.
Still, if it ends with an x, it must be best.
I've spent a whole whopping 5 minutes of time on my openbsd firewall in the last 2 years, and that's been adding an occasional port redirect. If you are spending hours, you are doing something wrong.
Have you actually looked into new low power x86 servers? A decent system based on an integrated VIA chipset can be fanless and sufficiently low power for most applications.
-- The act of censorship is always worse than whatever is being censored. Always.
OpenBSD comes with everything you need to setup redundant firewalls out of the box. CARP + pfsync works great.
I'm using something called FREESCO (http://www.freesco.org/)
It's linux with a firewall and many other features that runs off a floppy. I cobbled together some old parts to make a system to run it on and it works very well. Configuring the firewall is a command-line pain, but otherwise it's good. The support in their forums is excellent.
m0n0wall is a stripped down (6MB) version of FreeBSD designed to run on embedded systems.
It will run on the following hardware:
*Soekris Engineering net45xx/net48xx boards.
*PC Engines WRAP board.
*Generic PC with a CompactFlash (ATA), IDE, or Zip Drive.
*Generic PC with a CD-ROM (bootable) + Floppy.
*VMware.
It supports more than 4 network interface cards, including wireless cards.
Its main features are:
* well designed web based admin interface (supports SSL)
* serial console and VGA interface for setup and recovery
* captive portal
* 802.1Q VLAN support
* stateful packet filtering
* NAT/PAT (including 1:1)
* DHCP client, PPPoE, PPTP and Telstra BigPond Cable support on the WAN interface
* IPsec VPN OpenVPN tunnels (IKE; with support for hardware crypto cards and mobile clients)
* PPTP VPN (with RADIUS server support)
* static routes
* DHCP server
* caching DNS forwarder
* DynDNS client
* DMZ
* SNMP agent / syslog
* traffic shaper
* firmware upgrade through the web browser
* and many other features
Main website:
http://www.m0n0.ch/wall/
Download links:
http://www.m0n0.ch/wall/downloads.php
http://www.m0n0.ch/wall/beta.php
Install help:
http://www.m0n0.ch/wall/installation.php
http://www.m0n0.ch/wall/physdiskwrite.php
No reason for flaming that suggestion. It is fully as capable as the BSDs.
I wouldn't recommend using a full blown linux or BSD distro because they may have their own exploits. I would stick to one of the many distros mentioned already that are designed with this application in mind. I currently use LEAF which I haven't seen mentioned. I've also used Coyote and plan to try M0n0wall. The basic setup is fine for simple home networks and they provide other packages for more complex situations.
While many say you can use any old 386, I recommend at least a 486 with more than one PCI slot. These are hard to find which is why I use a P100. This will allow you to use more modern network cards which are easier to find as well as easier to set up. Also, while some of them can run in 12 meg, give it 16 MB absolute minimum. M0n0wall requires 64. This will allow you more room to load packages and provide more room for logs. If you are getting hit quite a lot, you will want all that logging to help you identify problems within your network as well as block external problems. You can also set them up to send logs to a syslog server which may be a better solution for you.
The hardware I plan to use with m0n0wall is the WRAP from pcengines.ch. It's a little outside of your mentioned price range but very well suited to run off of a battery. With its low power drain, it can run many hours off of a standard UPS battery or even longer off a car battery. And there is no loss or heat from the power inverter. I can attest to this from last year's hurricanes in Florida. I unfortunately didn't account for the cable node down the block losing power as I was prepared to stay connected the whole 7 days without service with 2 large and 2 smaller deep cycle batteries. This summer I'm prepared to go war driving to find a connection.
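The post above points out that when a network is being hit a lot, the firewall's logs are what let you tell internal problems from external ones. The following is an added example, not part of the post, showing how to pull that picture out of pf's log on OpenBSD: `tcpdump -n -e -ttt -r /var/log/pflog` prints one line per logged packet, and the shell functions below reduce those lines to the noisiest blocked sources, the most-probed destination ports, and any inside host whose outbound connections are being blocked (the usual sign of a zombie trying to phone home). The sample lines are constructed in that output shape using documentation address ranges; the interface name and rule numbers are placeholders.

```shell
#!/bin/sh
# Added example: summarise pf blocks from the text form of /var/log/pflog
# (tcpdump -n -e -ttt -r /var/log/pflog). Sample lines are constructed.

PFLOG_SAMPLE='000000 rule 3/(match) block in on em0: 203.0.113.9.51234 > 10.10.0.7.445: S 1:1(0) win 65535
000345 rule 3/(match) block in on em0: 203.0.113.9.51235 > 10.10.0.8.445: S 1:1(0) win 65535
000120 rule 3/(match) block in on em0: 198.51.100.4.40000 > 10.10.0.7.135: S 1:1(0) win 8192
000080 rule 7/(match) pass in on em0: 192.0.2.77.33001 > 10.10.0.7.80: S 1:1(0) win 5840
000200 rule 3/(match) block in on em0: 203.0.113.9.51236 > 10.10.0.9.445: S 1:1(0) win 65535
000015 rule 3/(match) block out on em0: 10.10.0.7.1025 > 203.0.113.9.6667: S 1:1(0) win 65535'

# blocked_in : keep inbound blocks only; print "srcip dstport" per line.
# Fields: $4 action, $5 direction, $8 src.port, $10 dst.port followed by ':'
blocked_in() {
  awk '$4 == "block" && $5 == "in" {
         src = $8; sub(/\.[0-9]+$/, "", src)          # strip the source port
         dst = $10; sub(/:$/, "", dst); n = split(dst, d, ".")
         print src, d[n]                              # last dotted field is the port
       }'
}

# top_blocked_sources N : "count ip" for the N noisiest blocked sources
top_blocked_sources() {
  blocked_in | awk '{ print $1 }' | sort | uniq -c | sort -rn |
  head -n "${1:-5}" | awk '{ print $1, $2 }'
}

# blocked_port_counts : "count port", most-probed first
blocked_port_counts() {
  blocked_in | awk '{ print $2 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# noisy_sources THRESHOLD : sources blocked at least THRESHOLD times, one per
# line, ready to feed to "pfctl -t noisy -T add" against a persist table
noisy_sources() {
  blocked_in | awk '{ print $1 }' | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'
}

# blocked_out_hosts : inside hosts whose outbound connections pf refused;
# these are the machines to pull off the network and inspect
blocked_out_hosts() {
  awk '$4 == "block" && $5 == "out" { src = $8; sub(/\.[0-9]+$/, "", src); print src }' | sort -u
}

# stand-alone usage on the constructed sample
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$PFLOG_SAMPLE" | top_blocked_sources 3
  printf '%s\n' "$PFLOG_SAMPLE" | blocked_out_hosts
fi
```

On a live box replace the sample with `tcpdump -n -e -ttt -r /var/log/pflog | top_blocked_sources 10`; the same functions work on a central syslog host if pflog output is shipped there, which is the arrangement the post suggests for a busy lab.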
- Use GPOs to turn on the built in windows firewall and block everything possible.
- Roll out windows updates with SUS or a similar product. Your internet gateway should obviously be firewalled off as much as possible.
- Restrict local user permissions as much as possible as a lot of malware gets installed by ignorant users with local admin rights.
- Run virus/spyware scanning. If it detects anything, wipe the machine.
Remember that a firewall is not a magical solution. You need multiple layers of network and client level security. This is especially important in a lab where more than one person uses any given workstation. The ideal thing in that situation would be to use something like deepfreeze to wipe the machine before each person uses it in order to ensure the previous user left nothing malicious behind.
----
All of whose base are belong to the what-now?
Did you mean, "read the post"? 'Cause that's not what you said... thrice.
What you call a "stupid UNIX wish" could otherwise be referred to as a better solution to the real problem. Maybe the poster didn't realize that a separate firewall machine is unquestionably better than a software solution running on the Windows server itself.
With myopic vision like yours, you'd make great management material. Thanks for being a sackscrape, though.
Visnetic Firewall for win server from www.deerfield.com does IP/TCP/UDP rules. You can do remote configure also.
If you prefer application firewall, I recommend Mcafee Desktop Firewall. Easy to use.
I firewalled about 200 machines, on three private subnets with a single PII 233 using OpenBSD at my university lab manager job, 3 years ago. I just ripped 5 NICs out of some down machines to put into one. Even when we did Ghosting, the CPU on the machine would just barely register anything was even happening.
Nobody wants to use a PII machine anymore or the 8GB HD it had, but it made a great firewall. The only thing I did that wasn't part of building from scrap was the 80GB HD I put in for Snort/ACID and other misc traffic logs. I set up software RAID1 in case one of the old 8GB hard drives went bad, and let it sit under the patch panel.
I quit the job 2 years ago. When I went back to visit last month, they were still using the same OpenBSD machine with the same install of OpenBSD. The only open ports were 443 and 22 and they were only available on one NIC that was hard wired to the managers office CAT5 panel, so they really haven't had much reason to upgrade other than the worry about the aging power supply.
wow!
You got some stuff figured-out. You must publish some more detailed notes on this & post it to your site for the rest of us. This sounds like a truly great set-up.
Thanks.
Peace.
Cheers.
'nuff said.
/. crowd getting on Theo's mannerisms lately, nothing beats OpenBSD for setting up a secure device or box...perfect for a router or firewall where security is critical.
Even with all the
I remember several years ago an announcement in a university departmental mailing list that "finally the bureaucrats have allowed us to get rid of some of the old computers and monitors in the computer lab. Anyone who wants to take any of them can do so. One suggested use I can think of is an anchor for a medium size boat...".
;-) )
If you are in a university, you can probably find someone who would love to get rid of an old PC but is not allowed to. Transferring it to another department is perhaps something the bureaucrats would approve. You don't need much power to run a stripped down UNIX/Linux based firewall. I have at home an old Pentium 1 running Smoothwall with 4 PCs behind it. For a computer lab with more computers you might need a bit more power, but not much more. You can probably find an abandoned Pentium 3 that some professor replaced with a shiny new machine bought with grant money (after all, something has to be done with the money to show it was needed
You're kidding, right?
For Linux, iptables is pretty ok and it comes with the system. It's a bit intimidating if you configure it the first time, but you can either get used to it or use one of the many GUI tools that make it easier.
For Windows, put an OpenBSD box in front of it. I may be tainted because I work as a security guy, but I wouldn't trust any firewall that runs on Windows. The familiar image of putting a steel door into a cardboard wall comes to mind.
Do use a separate firewall machine if you can at all afford it. OpenBSD is great, free, and you can run pf in bridging mode, which makes the network configuration that much easier (and attacking it somewhat more difficult still). It does mean you need a separate management LAN.
Assorted stuff I do sometimes: Lemuria.org
I have used the demo version of Injoy firewall; it is an excellent option for Win 2003, and it also supports Linux. Give it a try, you won't regret it. As you are running only a bunch of machines it won't cost you much.
www.fx.dk/firewall/
cheers,
Jayakamal
I just took a senior level Unix Admin class in my CS department. The general message seemed to be that messing around with some full *nix on an old computer was fine for learning, but was never as good an idea as throwing in a dedicated hardware firewall by Cisco or similar. If budget is a concern, why not use a cheapo Linksys or Netgear?
pf rules, iptables is teh suxx0r. Let the flamefest begin! :)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
That's what I said, cuntsmear.
Initially I wasn't convinced by your technical knowledge, but this additional comment makes me feel much more confident.
I'm now certain that you're not a 14 year old trying to kill time before he can masturbate again (just a hint - if the stuff that comes out is red, you've overdone it again, see a doctor).
1. Don't Use IE
2. Don't Use Outlook ( Express )
3. Use a smoothwall firewall as the router
4. Don't run any of those pop-ups that come from porn sites.
5. Eliminate all noobs who use the machines!!!
try { println( SigString ); } catch( Exception e ) { println( 'Who cares?' ); }
Pardon my rant but frankly I think the whole thing is unsolvable, period. I don't care what hardware, additions to the OS, or add-on software you come up with, it won't fix this problem. It's an arms race and defense always lags offense. And if the id10t is self-intent on blowing him/herself with the weapon system at their control, you can't stop them from suicidal stupidity.
It's no wonder that I don't work on personal machines any more. I got tired of breaking 2x4's on people's heads.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
So what does the Slashdot crowd use when they need to secure their Linux and Windows servers?
I hate those questions. It's like "What car do you recommend?" without going much into the details of the intended use. Well, general questions ask for general answers:
I would use Check Point Firewall-1. There is a single server license available for US$1,000 (list price). But you still need a management station (about 20K for an unlimited number of managed firewalls). It's available for the major operating systems, very flexible and powerful.
Regards, Martin
Probably the best software firewall for Windows: Agnitum Outpost Firewall Pro: http://agnitum.com/products/outpost/.
More configurable than its competitors, does well on security tests, too.
Check the Web for some independent tests.
You'd have to check whether it runs on 2003.
The small appliances are cheap, compared to most general-purpose low power x86 servers. It's hard to build a "decent" system for under $150-200, and it's generally going to include a graphics system and want a keyboard and mouse, while you can get a typical appliance for $29-59 including a 4-port or 8-port hub. It's not as flexible, so you probably wouldn't use it for your servers, but it's a good start for protecting client-side users.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Your wife or their wife? :)
I've got a set of rules for choosing a firewall...
First, it should be external. It's quite simple, really: with an internal (software) firewall, if the host OS's TCP/IP stack has a vulnerability, the firewall and the host OS can be compromised together in one action. With an external firewall, compromising the firewall and compromising the protected systems will always be two separate steps. This makes the attacker's life that much harder.
Second, it should preferably run on a different operating system from the protected systems. (If you are protecting a heterogeneous network, choose a different OS from the most important protected system.) This means that the two steps (compromising the firewall and compromising the protected system) will be *different* in nature. This makes the attacker's life that much harder.
Third, the firewall should be based on technology that the systems administrator is familiar with. This makes it more manageable for you, and a better-managed firewall is a more effective firewall.
Finally, the firewall should, to the greatest extent possible, isolate the protected systems from *each other*, as well as from the rest of the world. If you just throw everything together on one subnet behind the firewall, and then you expose one vulnerable service to the internet via a single forwarded port, your whole network (potentially) can be compromised. If the protected systems are isolated from one another, it limits the damage if one is compromised, because getting to the others doesn't get significantly easier as a result.
For protecting Windows servers, I would probably personally choose a Linux iptables setup for the firewall, mainly because of my third rule, but if you are comfortable with BSD that would be an excellent choice too, possibly better. They also make dedicated hardware firewall boxes you can buy, and while the quality varies, one of these is almost certainly a better choice than a software firewall running on the servers themselves, because of rules 1 and 2.
Cut that out, or I will ship you to Norilsk in a box.
I like using ClarkConnect. This was the first time I had ever used anything Linux-based and I couldn't have been happier.
I have found that sygate personal firewall pro 5.5 works very well with server 2003.
It is able to be configured so that it will work with a Active directory and other protocol requirements without causing any serious connectivity problems with any client computers.
I assume, like most academic institutions, they run Windows on all of the boxes that are not servers, at least. On the "they apparently need internet access" note, I recommend a solution from Kaspersky Labs http://www.kaspersky.com/ called Kaspersky Anti-Hacker. It's a great firewall out of the box, and they have corporate licensing and other things which you would need. It's also great for the home user. ..Or any NAT should really stop the PCs from becoming infected..
On the "you don't really need the internet to use painting programs" note... I suggest wire cutters. The Ultimate Windows Internet Security Solution.
Ignore these Linux zealots, install Cisco gear and get it installed by a guru.
You can program the higher end stuff to allow your workstations to only see the servers, and then firewall your servers to suit.
I won't say which one, as the Cisco guru I work with set up our system, and I'm not sure whether it's the 3560's or the 3560's and the 2950's, but hell, it makes my job easier!
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
I work for a college in Ohio. I'm a consultant for our engineering college computing department which is more or less separate from the rest of the campus. I can't speak for the IT people on campus, but we at engineering use Sun's SunFire servers and we've never had a problem that I'm aware of.
Hardware is the best way to go.
Yes, software works good, but then you are eating up a lot of your resources on the 2k3 servers for the software (and slows things down). If you get a 'hardware' firewall, all the work is done on the box, leaving all your resources available for REAL work.
Get a SONICWALL or a Cisco. Cisco is a little more pricey, but worth it. I've used SONICWALLS, and they are very easy to configure, and are 'reasonably' priced. (And you can add VPN clients for off-site work. Very handy.)
Is an air gap between your system and the wall.
No, this is at the very least PART of the correct answer.
Right, it's called "defense in depth". So he really should use the builtin firewall on each of the Fisher Price OS servers and workstations.
On the other hand, anyone using a windows-based firewall as a perimeter defense is a complete moron. You either use some firewall-in-a-box, and for bigger networks, you use some *BSD or Linux.
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
I use a Netgear FVS318 8-Port Firewall Router at home. What is the weakness vs a separate PC firewall running iptables?
1) For protecting just Linux workstations?
2) For protecting a Linux Webserver (Tomcat on Debian or SuSE Linux).
Consider using Zorp for more control. http://www.balabit.com/ It has a GPL and a commercial version.
Have been using Shorewall to protect a medium municipal network for years. It's basically just a tool making iptables less cumbersome. Check it out from www.shorewall.net
Windows Server ?
JoloK
I never liked the idea of depending on firewall software on the machine it is supposed to protect. It pretty much tells you that all your other security has been bypassed. Sort of like the king finding out about an invasion because the Huns are knocking on his locked chambers door.
Assuming that you already have firewalls on the perimeters of your networks I would put Snort agents, or some other IDS, on each server and also one to sniff the network.
The network agent will detect the Huns at the moat and warn you.
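Between the earlier advice to keep the firewall's drop logs (and ship them to a syslog server) and the IDS suggestion above, the cheapest "Huns at the moat" detector is a script over those logs. This is an added example, not code from any poster: it reads iptables LOG lines as syslog writes them, counts distinct destination ports and hits on the Windows RPC/NetBIOS/SMB ports per source, and flags the port scanners and the worm-like lab boxes. The log lines are constructed samples, the addresses are assumed, and the `FW-DROP` prefix, thresholds and port list are assumptions you would tune.

```shell
#!/bin/sh
# Added example: detection logic over iptables "FW-DROP" syslog lines.
# Flags sources that probe many distinct ports (a scanner) or repeatedly hit
# the Windows RPC/NetBIOS/SMB ports 135/139/445 (how an infected lab box behaves).
# The log lines below are constructed samples, not captured traffic.

THRESHOLD=${THRESHOLD:-5}   # distinct destination ports before a source counts as a scanner
SMB_HITS=${SMB_HITS:-3}     # hits on 135/139/445 before a source counts as an SMB prober

# Constructed sample in the format the kernel LOG target produces in syslog
# (some fields trimmed for length). Assumed roles: 203.0.113.5 is an outside
# scanner, 198.51.100.77 a lab workstation, 203.0.113.9 a one-off hit.
sample_log() {
cat <<'EOF'
May 12 03:14:07 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.80 LEN=40 TTL=48 PROTO=TCP SPT=44321 DPT=21 SYN
May 12 03:14:07 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.80 LEN=40 TTL=48 PROTO=TCP SPT=44322 DPT=22 SYN
May 12 03:14:08 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.80 LEN=40 TTL=48 PROTO=TCP SPT=44323 DPT=23 SYN
May 12 03:14:08 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.80 LEN=40 TTL=48 PROTO=TCP SPT=44324 DPT=25 SYN
May 12 03:14:09 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.80 LEN=40 TTL=48 PROTO=TCP SPT=44325 DPT=110 SYN
May 12 03:14:09 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.80 LEN=40 TTL=48 PROTO=TCP SPT=44326 DPT=3389 SYN
May 12 03:20:01 fw kernel: FW-DROP IN=eth2 OUT=eth1 SRC=198.51.100.77 DST=192.0.2.12 LEN=48 TTL=128 PROTO=TCP SPT=1045 DPT=135 SYN
May 12 03:20:03 fw kernel: FW-DROP IN=eth2 OUT=eth1 SRC=198.51.100.77 DST=192.0.2.13 LEN=48 TTL=128 PROTO=TCP SPT=1046 DPT=135 SYN
May 12 03:20:05 fw kernel: FW-DROP IN=eth2 OUT=eth1 SRC=198.51.100.77 DST=192.0.2.14 LEN=48 TTL=128 PROTO=TCP SPT=1047 DPT=135 SYN
May 12 03:20:06 fw kernel: FW-DROP IN=eth2 OUT=eth1 SRC=198.51.100.77 DST=192.0.2.14 LEN=48 TTL=128 PROTO=TCP SPT=1048 DPT=139 SYN
May 12 03:31:44 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.80 LEN=40 TTL=52 PROTO=TCP SPT=51000 DPT=8080 SYN
EOF
}

# One line per source on stdin: "SRC distinct_ports total_hits smb_hits", busiest first.
summarize() {
    awk '
    /FW-DROP/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        hits[src]++
        if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        if (dpt + 0 == 135 || dpt + 0 == 139 || dpt + 0 == 445) smb[src]++
    }
    END {
        for (s in hits) printf "%s %d %d %d\n", s, ports[s], hits[s], smb[s] + 0
    }' | sort -k2,2nr -k1,1
}

# Only the sources worth acting on, each with the reason it was flagged.
flag_sources() {
    summarize | awk -v t="$THRESHOLD" -v m="$SMB_HITS" '
    $2 >= t { print $1, "portscan", $2 " ports"; next }
    $4 >= m { print $1, "smb-probe", $4 " hits on 135/139/445" }'
}

sample_log | flag_sources
```

On a real box replace `sample_log` with `grep FW-DROP /var/log/messages` (or the file your syslog server writes), and remember the firewall's `-m limit` on the LOG rule means a fast scanner shows fewer lines than packets, so keep the threshold low. A source flagged `smb-probe` with an inside interface in `IN=` is the zombie lab box the question is about; the outside ones go to the campus abuse desk.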
Don't trust any crappy Windows firewalls, they're more toys than tools.
I consider running Windows on a server to be totally insane, plain stupid.
Switch to Linux and you will save money, get more secure servers, and can use a real SPI firewall like iptables, with higher performance.
You can also buy a hardware firewall to protect the network or route everything through a Linux/BSD box running a firewall.
Seriously, there is something simple that will easily add and cost less than $500. See http://www.promptus.com/Promptus_HotLink-IP.html The unit works great for protecting no longer supported Microsoft products like 2000 or NT server. The security appliance has a function called stealth mode which saves any IP setup to the machine and provides hardware IPSEC. Although more than $100, it only takes 5 min to install and you don't need to change or add hardware. They might be open to an education discount.
I agree. This is a good although risky choice as the major update may cause other problems. I personally would recommend the server edition of Black Ice if the W2K3 SP1 isn't an option.
It seems the author is looking for cheap, but if you want one of the best firewalls on the market then you have to get a Secure Computing Sidewinder G2. They may be a pain in the ass to configure, but once that is done they are awesome. Better than anything else on the market. But they do cost quite a bit.
m0n0wall http://www.m0n0.ch/wall/ and an old 486
It's not under $100 but maybe your school can get special pricing since they have the desktop firewall. It supports Win 2003 and will secure the systems against LAN, WAN and Internet attacks.
I've been using ipcop for years & have over 30 commercial installations.
Easy to admin (web browser)
Completely free with a large community at http://www.ipcops.com/
It will run on almost any PC. It all depends on the number of users behind it. I like using old Proliant servers with RAID configs.
Very easy to mod....
If you mean the best firewall software to protect servers from other (infected) machines on the internal network: try ZoneAlarm. It is not only a pretty good firewall, but can block or enable network access by software internal to the machine. VERY handy if you need the server to remain functional while working on a plan and schedule for virus/trojan removal! Naturally, if you can segregate your server cluster from the rest of the internal network using a Linux/Unix server running firewall software (and optionally antivirus filtering) you add a significant additional layer of security. The FreeBSD and Linux options others have suggested are mostly quite adequate. No single solution is foolproof. If it is an option, I recommend both network and software options. (Hey, MSWindows will need all the help you can give it!)
Light, Love, Happiness,
Right, it's called "defense in depth". So he really should use the builtin firewall on each of the Fisher Price OS servers and workstations.
I'm sorry you feel that running an OS is some kind of machismo thing. Would you like some stubble glitter for Christmas? I despise OS bigots. They're unprofessional, bullheaded and usually wrong.
On the other hand, anyone using a windows-based firewall as a perimeter defense is a complete moron. You either use some firewall-in-a-box, and for bigger networks, you use some *BSD or Linux.
Nobody said to load Windows Firewall and let it sit. Remember the constraints this guy has: he needs it to work for $100 or less. So he gets a firewall for free that is application-aware. Cool. Now he has host based firewalls and he still has his $100. Hell, he could go to Best Buy, pick up a router for $40, and take his Significant Other out to dinner.
Use a router. PAT and NAT are a good enough firewall for me, and not crackable like a soft firewall, or performance impacting.
Am I worried about a buffer overflow in CVS? Not on my firewall. You really don't need to patch things that you don't use (and in my case removed from the system, I am running on a 16MB flash).
Just out of curiosity -- where/how did you get your power consumption figures? I've been curious about this for a while, and haven't found any useful info. I was on the point of buying one of those in-line multimeters just to measure... TIA.
Read the best of all of Slash: seenonslash.com
www.astaro.com and you can do the online demo to see in gory detail what it offers.
Why does everyone recommend Linux distributions that are run by like one guy and updated every six months?
Wouldn't a normal Linux distribution like Debian be a much better choice?
1) Can use one OS on all machines, not one on the FW, one on the fileserver, one on the mythtv box, another on the desktop, etc. It's much easier to support "just another Debian box" that happens to have an elaborate iptables script.
2) Debian's got several hundred folks devoted to upgrading and bug fixing. Aren't most specialized fw distributions created and supported by about one person? I would think Debian would be much more secure, and much faster updating, on average, than any special purpose distribution could hope to be.
3) Same standardized software on all machines. The same syslog on them all, the same SNMP (for MRTG) the same Perl, the same awk, the same bash shell, etc.
4) Debian's packaged almost all free software that exists... If you need some obscure VPN client or some weird monitoring tool, you can rest easy that it's supported under Debian and can be quickly and correctly installed with a minimum of bugs.
I understand there are Linux distributions that install everything, and wide open too. But not all general purpose distributions are like that.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I hide everything behind a 233mhz classic Pentium, 64mb RAM and a quiet, 10 gig laptop hard drive. Runs Linux 2.4.* with routing and iptables support enabled. It has handled loads above 2% for days at a time while I shoved Q3 servers through it. I max my connection out long before that system will ever die. Samba on the clean side to give my Windows boxen some company and ssh on the dirty side so I can maintain it while I'm away. The only time it gets shut off is when my UPS runs out of juice. As far as cost goes... I saved it from the trash. Ask people if they have an ugly old beige box sitting around their pad that they would like taken away. Then spend 40-60 bucks and buy two high quality NICs.
one nice, but not free for commercial use, is Astaro
Grab the disk image, it'll install in about 15-20 minutes and you can try it out.
Home-use is free, too... which makes VPN to/from work a breeze.
http://slashdot.org/~tf23/journal
I have a computer that's a combination of server and router. For that, I use ipkungfu. It does the trick for me. Of course, my server is rather low key, but does serve as a leaf on an IRC network. It all depends on how heavily your server is used.
Rawr
This is incorrect. Zone Alarm does run as a service...vsmon.exe. When you log out, the GUI (zlclient.exe) shuts down but the service (and more importantly the driver) keep running.
sky
Hello. Very nice firewall: http://www.shorewall.net/ and it has a GUI in Webmin, http://www.webmin.com/. Run it on any Linux distro. I have had it for 2 years, and I'm so happy with it, and the community behind it is very active. Good luck. Kind regards, Samer