Re: [fw-wiz] Firewall Solution - 50 Users on SDSL Connection

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 10/05/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Sun, 5 Oct 2003 19:29:46 +0530

    On 03/10/03 09:39 -0400, Dan Harp wrote:
    > We have about 50 IP devices (workstations, servers, etc.) on a
    > 100Mbps CAT5 network internally, and our connection to the 'Net
    > is SDSL.
    >
    > We are looking for a relatively inexpensive (or open source)
    > firewall device that does the following:
    (I don't like the idea of a firewall "device", which conveys to me a
    plug and forget concept, rather than something which has to be watched
    regularly, to monitor compliance with security policy).

    How competent are you with unix systems? If you are fairly competent,
    any Linux/BSD distribution would do for you to start with and then
    harden. If you aren't too familiar with unix, but can handle a command
    line, then I would suggest OpenBSD.
    If you want a GUI for configuring your firewall, you can go with a Linux
    distribution like IPCop or Smoothwall.
    Webmin (www.webmin.org) also has a firewall rules module.

    > Inbound filtering:
    > -ICMP, Ports (135, etc.), "default deny"
    Pretty easy to do with a packet filter.

    > -What about file extension filtering?
    If you are trying to filter files by extension, you will want
    application layer proxies as well.
    A simple proxy would be squid for http traffic.
    If you want a mail proxy as well, I would suggest Postfix with
    amavisd-new, clamav and SpamAssassin.

    DJBDNS/BIND should make an acceptable DNS proxy as well (though I would
    want to keep BIND very up to date).

    I have heard good things about PIX firewalls as packet filters, but
    mostly bad things about their SMTP filtering.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
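A minimal OpenBSD pf.conf that implements the "default deny" inbound policy discussed in the thread (ports such as 135 and inbound ICMP blocked, LAN hosts allowed out statefully). This is an added example, not code from the original post or from Devdas; the interface names and the LAN prefix are assumptions, and the syntax is that of a current OpenBSD pf rather than the 2003 releases.

```pf
# Assumed interface names and LAN prefix; adjust to the real box.
ext_if = "sis0"            # SDSL-facing interface (assumed)
int_if = "sis1"            # 100 Mbps LAN interface (assumed)
lan    = "192.168.1.0/24"  # internal network (assumed)

# Ports that must never be reachable from outside: Windows RPC (135)
# and the NetBIOS/SMB ports usually probed together with it.
ms_ports = "{ 135, 137, 138, 139, 445 }"

# Hygiene: silently drop blocked packets, leave loopback alone,
# normalise fragments, and discard spoofed source addresses.
set block-policy drop
set skip on lo0
match in all scrub (no-df)
antispoof quick for { $ext_if $int_if }

# Default deny: nothing passes in either direction unless a later rule says so.
block all

# Log inbound probes at the noisy ports so they show up when the logs are reviewed.
block in log quick on $ext_if proto { tcp udp } to port $ms_ports

# Inbound ICMP from the Internet is blocked (and logged). ICMP errors that
# belong to an existing outbound connection still pass: pf matches them
# against the state table before the ruleset is evaluated.
block in log quick on $ext_if inet proto icmp

# LAN hosts may reach the Internet behind the SDSL address; the state entry
# created on the way out is what lets the replies back in.
match out on $ext_if from $lan to any nat-to ($ext_if)
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from $lan to any keep state

# Any service that must be reachable from outside needs an explicit
# "pass in on $ext_if ... to port N" rule here; everything else stays denied.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules actually in effect.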

