Re: Which Firewall
From: Bluto (arf-arf_at_doubleclick.net)
Date: 03/16/04
- Next message: Bluto: "Re: URL Filtering by User or IP or MAC"
- Previous message: Drew Cutter: "Re: Comments of firewalls"
- In reply to: Adam: "Which Firewall"
- Next in thread: Leythos: "Re: Which Firewall"
- Reply:(deleted message) Leythos: "Re: Which Firewall"
- Reply:(deleted message) Leythos: "Re: Which Firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Mar 2004 09:26:41 -0500
Adam wrote:
> Hi, I'm looking at implementing a Firewall into my company.
>
> Does anyone have any comments about the best one?
> It will protect about 200 users on a 2 MB link to the net
>
> Any advice appreciated
I realize that this is a pretty MS-centric NG. And, I realize
that if no one you know has Linux skills, using Linux tools
can be pretty intimidating.
But, it might be worth looking into. Two Linux boxes, with
512Mb RAM and any AMD or Intel currently being sold, plus
2 80 GIG drives and 3 NICs can be had for less than $1,200
each. (MUCH less, if you build them yourself!)
In a lot of areas, you could easily hire someone to create
iptables based firewalls on a pair of boxes running Debian
or Slackware. Both could be securely administered remotely
via ip-address restricted SSH. If you enable DNS (Bind),
mail (PostFix) and proxying (Squid) on the inside firewall,
you can often deny access to Internet IP space to ALL local
workstations, while still allowing them to do everything
they need. PostFix can, natively, drop executable attachments
from incoming email and so forth, and can forward email
on to an Exchange server, if you have one. And, using Bind,
you can do nifty things like declaring yourself the 'master'
for all "doubleclick.net" addresses, and then point them
to a dummy zone, thus instantly dropping about 1/2 of the
ads and pop-ups on the Internet!
Even if you had to pay someone $4,000 to set up and configure
the boxes, that would be less than many of the hardware
appliances appropriate for a network the size of yours.
And, a pair of Linux firewall/gateways would be FAR more
functional. Even if no one onsite knows anything about Linux,
a decent Linux tech can set up the iptables shell scripts
to allow the local admin to 'toggle' various capabilities on
and off as needed. A cheap NAT'g router would provide temporary
fall back protection and limited access if the Linux boxes
were momentarily down. It also would not be hard to
set up both boxes with identical capabilities, and then
'toggle' their actual function with shell scripts, so that
they could each alternately function as a standalone firewall,
an 'inside' gateway or an 'outside' firewall. By doing so,
they could serve as functional backups for each other.
And, if you find a *real* Linux guru, he may be able to
configure the outside firewall as an invisible, and
almost unhackable, 'bridgewall'. Configured this way,
you have full firewalling capability, but the firewall
is completely invisible, not incrementing TCP TTL counts,
not appearing in 'traceroutes', and not scannable. This
capability has existed, but is far easier with the
2.6+ kernels. One of the interesting capabilities of
bridgewalls is that, because they are invisible, they
are utterly transparent, and can be simply 'dropped
in' an existing network, without any modification of
the network.
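The "toggle" idea above, as an added example that is not part of the original post or anyone's production config: one POSIX shell script that builds a deny-by-default iptables ruleset for whichever role a box is playing ('outside' border firewall with NAT, 'inside' gateway that serves DNS, SMTP and Squid to a LAN that gets no direct Internet access, or 'standalone' doing both), with SSH administration restricted to a single address. Interface names, addresses, ports and the log prefixes are assumptions chosen for illustration; setting IPT to "echo iptables" prints the rules instead of applying them, so the policy can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example, not code from the original post. Minimal iptables policy with
# the 'toggle'-able roles described in the thread: 'outside' (border firewall
# with NAT), 'inside' (gateway running DNS/mail/proxy for the LAN, which gets no
# direct Internet access) or 'standalone' (both jobs on one box).
# Interface names, addresses and ports below are assumptions for illustration.
# Set IPT="echo iptables" to print the rules instead of applying them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                   # assumed Internet-facing NIC
LAN_IF="${LAN_IF:-eth1}"                   # assumed LAN-facing NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed workstation network
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"   # the only host allowed to SSH in
INSIDE_FW="${INSIDE_FW:-192.168.1.1}"      # assumed address of the inside gateway

# Start from a clean slate with deny-by-default INPUT and FORWARD policies.
reset_tables() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Rules every role shares: loopback, stateful replies and IP-restricted SSH.
common_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Remote administration only from one LAN address, as the post suggests.
    $IPT -A INPUT -i "$LAN_IF" -s "$ADMIN_HOST" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Rate-limited logging of whatever the DROP policies are about to discard.
log_drops() {
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

# Outside role: NAT to the Internet, but only forward traffic that comes from
# the inside gateway; workstations never reach the border box directly.
role_outside() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INSIDE_FW" -j ACCEPT
}

# Inside role: the LAN may reach this box's DNS, SMTP and Squid, and nothing
# is forwarded for it, so Internet IP space is unreachable from workstations.
role_inside() {
    for svc in "udp 53" "tcp 53" "tcp 25" "tcp 3128"; do
        set -- $svc   # positional parameters are local to this function
        $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$1" --dport "$2" -j ACCEPT
    done
}

# Standalone role: one box does both jobs, so the whole LAN is NATed out.
role_standalone() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

# The 'toggle': pick a role by name and rebuild the whole ruleset for it.
apply_role() {
    case "$1" in
        outside|inside|standalone) ;;
        *) echo "usage: $0 {outside|inside|standalone}" >&2; return 1 ;;
    esac
    reset_tables
    common_rules
    "role_$1"
    log_drops
}

# Usage: IPT="echo iptables" ./fwtoggle.sh inside   (dry run, prints the rules)
#        ./fwtoggle.sh outside                        (applies them as root)
if [ $# -gt 0 ]; then
    apply_role "$1"
fi
```

Because every role rebuilds the tables from scratch, switching a box from 'inside' to 'outside' is a single invocation and there is no leftover rule from the previous role. The same FORWARD rules apply unchanged when the two NICs are enslaved to a Linux bridge instead of routed, which is what makes the transparent 'bridgewall' variant the post mentions a drop-in replacement.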