Re: better network setup security wise



Tom Forsmo wrote:
I have another question

I am reconfiguring my network, so as to make the internet connection I have at home available to all machines without a single point of failure. The current setup is

Internet --> adsl router --> FW machine --> local network

the FW machine also works as an ad hoc machine, including as a game machine. This setup forces the fw machine to be up all the time. But the reason I chose this setup is that I trust the linux firewall much much more than the typical firewalls you find on any router. For example I can see in my FW logs that even though the adsl router's firewall is turned on, lots of requests from internet scanners reach the firewall machine, which they really should not.

Even so, I would not recommend you use an everyday-use machine for critical functions like network routing and firewalling.

If you have any spare hardware lying around, from a Pentium-100 on up, you could do yourself an enormous favour by installing a dedicated *nix firewalling solution - there are at least half a dozen of those.

My personal favourite is ipcop, not in the least because it has:

- support for up to 5 interfaces: dial-up, WAN, LAN, DMZ and WiFi.
- very tight security by default
- easy web administration
- extensive logging and monitoring capabilities
- SNORT intrusion detection, fully configurable
- Squid caching http proxy
- support for multiple IPsec VPN tunnels

And a few dozen 3rd party plugins available to add even more functionality.

It will run on any system, 100MHz and up w/64MB or more.

www.ipcop.org to find out all about it.

Additionally, the second network interface on the FW machine runs some services I need at home, such as samba. I don't want any internet scanners to find and access these services, because I don't want to spend time adding a lot of extra security to these services.

So my question is, are router firewalls safe to use? I assume that the firewalls would need some reconfiguring from the factory/isp default to make them safer, but would that be safe enough?

That depends a lot on the exact make and model of the device; there is as much difference between their security as there is between their prices, boxes, and features.

Some of them have absolutely no clue at all what network security is.

I realise that it is difficult to answer that question and that it depends on the level of the default isp configuration. But my suspicion is that generally router firewalls are of mediocre quality and easy to bypass in contrast to the linux firewall. Actually more generally, that any commercial security product is at best of mediocre quality. Tests I have read about indicated that.

I would amend that to read "any *consumer* commercial product".
I don't think our Cisco firewalls are inherently insecure :)

J.
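The "lots of requests from internet scanners reach the firewall machine" observation above can be checked rather than eyeballed. The following Python script is an added example, not code from the thread: it reads netfilter LOG lines in their standard syslog form, counts packets from non-LAN sources per destination port, and singles out hits on the NetBIOS/SMB ports that Samba listens on. The sample log lines, the 192.168.1.0/24 LAN range and the addresses in them are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of netfilter LOG output as written to syslog
# (standard "IN= OUT= SRC= DST= ... PROTO= DPT=" field layout).
SAMPLE_LOG = """\
Mar 12 10:11:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=445 SYN
Mar 12 10:11:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=139 SYN
Mar 12 10:11:20 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 12 10:11:25 fw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=49152 DPT=445 SYN
Mar 12 10:11:30 fw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=137
"""

# Assumed LAN address space (RFC 1918); anything else is treated as internet-side.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {137, 138, 139, 445}   # NetBIOS/SMB ports used by Samba
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def is_lan(addr):
    """True if the address falls inside one of the assumed LAN ranges."""
    return any(addr in net for net in LAN_NETS)

def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None if it is not one."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "DPT" in fields else None

def summarize(text):
    """Count packets from non-LAN sources per destination port and list those
    aimed at SMB/NetBIOS ports, i.e. traffic the upstream router let through."""
    by_port = Counter()
    smb_hits = []
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        if is_lan(ipaddress.ip_address(f["SRC"])):  # LAN traffic is expected; skip it
            continue
        port = int(f["DPT"])
        by_port[port] += 1
        if port in SMB_PORTS:
            smb_hits.append((f["SRC"], f.get("PROTO"), port))
    return {"external_by_port": dict(by_port), "smb_from_internet": smb_hits}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real syslog file by replacing SAMPLE_LOG with the file contents; a non-empty smb_from_internet list means the router in front is forwarding unsolicited file-sharing traffic to the firewall machine.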