Best OS / Config for a Firewall

Darksamie

Senior member
Mar 23, 2000
I am setting up a firewall for a company which has a Cisco 827 DSL router running NAT. There are around 30 PCs behind the router and 2 servers - one running Exchange 2000 and requiring IIS too.

I am wondering what would be the best config for this firewall. If possible, I would rather do it with Win2k as I have a spare license for it. However, this is open to debate.

If any of you work with a similar kind of config, I would love to know how you have tackled the problem.

Thanks
 

Valhalla1

Diamond Member
Oct 13, 1999
Linux is great for this; FreeBSD or OpenBSD even better. But if I recall, last time I tried to set up ipchains and stuff it was a lot of damn headache. Just curious, doesn't the Cisco router act as a firewall already using NAT? Or does it just let everything through?

PS: there are specialized Linux distros like FreeSCO and others that are easy to set up, run off nothing but a floppy or minimal HDD space, and are great firewalls.
 

andri

Senior member
Aug 12, 2000
Haha, Windows as a firewall... this must be a joke, right?

Seriously, the free Unices like Linux, FreeBSD or OpenBSD do it way better and do much more. Linux 2.4 + CBQ can do wonderful tricks, for example.
 

Garion

Platinum Member
Apr 23, 2001
In my experience, the best OS for a firewall is NO OS at all. You're far better off with an appliance-based firewall. They don't have any inherent security holes of the OS to start out with and the overhead is much less. There are some appliance-based firewalls that will perform at 2Gb/s. The fastest OS-based system maxes out at about 300Mb/s. There's just too much extra junk if you're running an OS and THEN a firewall.

For that size network, a Cisco PIX 501 would be a good deal - less than $1K, good security, great company. I've installed a lot of other PIXes for customers (and I've got 30+ at my current company) and really like them. NOT intuitive, however, so if you've never done this before it could be daunting. SonicWall makes some great stuff, too, and it's a bit more end-user friendly. Check out their TELE3 firewall. All in all, it's way cheaper than buying a server, an OS, and then a firewall.

If you INSIST on using Windows, I'd definitely go with Microsoft's ISA Server. It offers caching in addition to firewall services, so that's a nice plus.

- G
 

Darksamie

Senior member
Mar 23, 2000
I suppose Windows isn't a must for this project, however I do have a spare machine already (P550 with 512MB RAM and 20G HDD) with a spare Win2k pro licence. I was going to use it if I could.

I use Linux at home and quite like it, however I think it would be above me to lock it down enough to be a firewall that offers good protection. That is the main problem.

If I were to install some kind of firewall, I would rather know its entire workings because it would be the most important point. Therefore trying to get this up and running with Win2k is the better option for me. All the server would be doing is acting as a firewall, the rest of the services are behind it.
 

lowtech1

Diamond Member
Mar 9, 2000
I wouldn't go with the Cisco PIX system, because it only uses the old 1.5 IPsec kernel that is a no-go with PPTP. Check out those free Linux firewalls and build one for yourself out of an old 486 or Pentium that can move between 2~4 megabits/second on the IPsec 1.9 kernel, which works perfectly with PPTP :D
 

Garion

Platinum Member
Apr 23, 2001
When you use a vendor's firewall and want to do VPN, it's generally best to use their VPN client, if only for support and compatibility reasons. Cisco has one of the best, IMHO, that works nicely with their PIXes. I certainly wouldn't rule out a product since it doesn't meet a need that might or might not be real. I've never been a big fan of PPTP, preferring IPSec. Just a personal opinion, however.

- G
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
I think running a Linux box for this makes the most sense. I have done this myself and I used PMfirewall with my Red Hat 6.1. The routing and firewalling were excellent. For fun I even ran the Apache web server with this setup.

Linux gets 2 thumbs up.
 

Darksamie

Senior member
Mar 23, 2000
How much configuring is involved in setting up a Linux firewall, though? I am sure it isn't as easy as just installing Red Hat with the basic config and then a firewall package. There must be a list of things to do, right?
 

lowtech1

Diamond Member
Mar 9, 2000
Some free pre-built Linux firewalls are quite intuitive, such as FreeSCO or SmoothWall.

FreeSCO (Free Cisco) is a nice firewall that runs on a floppy.

SmoothWall is a beautifully crafted firewall that has built-in browser management & monitoring, but needs a 50 MB HDD.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
Yes it is. PMfirewall makes it a snap.

I knew nothing of linux up to about 6 months ago. Even I found it simple to set up.

The only thing is that each networked PC must be set up with its own static IP. Not that hard, unless your current network uses DHCP.

The instructions that come with it are easy to understand. It automatically sets up a daemon so it starts up when the PC starts up. It is easily customised. The only drawback is it doesn't like the iptables found in the newest kernels (2.4). It prefers ipchains. That is why I used an older version of Red Hat.

Check it out at www.pointman.org

Normally I recommend FreeSCO but it lacks the fun factor of a full OS. Unless you just want it up and running, then FreeSCO is the way to go.
 

n0cmonkey

Elite Member
Jun 10, 2001
I disagree with Garion. There will be holes discovered in *EVERY* firewalling system. Many of the drop-in-and-turn-on appliances are not as configurable as a full-fledged firewall. OpenBSD would be a good solution, as would Linux. Yes, they both have security issues (at some point in their life anyhow), but so have PIX firewalls, so have those little Linksys DSL routers, and so will everything at one point or another. So make sure you keep up on patches and whatnot for whatever you end up using.

I personally use OpenBSD + IPF. It's tested, and I know it. I have faith in the combination of my skills and the skills of the coders of those two projects. For a work environment I would go with one of the following:

CheckPoint Firewall-1: It's not the best, it's expensive, it can be gotten around if you know what you are doing. But they are a big name. Management seems to like that. High availability isn't hard to do either. It can run on Linux, Solaris, WinNT, and Nokia's version of FreeBSD.

Raptor: This seems to be a *NICE* firewall, but until their latest releases the interface was lacking. It also does some proxying. I believe this runs on WinNT and Solaris. With a little work and the right admin it can easily be gotten out through. I used to do bad things at a tech support job that used Raptor ;)

SideWinder: This is a firewall I don't have any personal experience with, but some of the features sound *VERY* interesting. I've also had several people recommend this to me. I believe it runs on WinNT. Probably Solaris too, but I can't be sure. I didn't look at those requirements when I read up on it. This firewall does some proxying, and one of the neat features is that it loads 1 driver and 1 TCP/IP stack per network card. There has to be some extra overhead routing information between the different TCP/IP stacks (not to mention the proxying), but it seems to be worth it.

Microsoft ISA Server: Yes, I am recommending a Microsoft product. I am recommending it on a recommendation from someone I know and the fact that the original poster wants to try and stick with Windows. From what I am told it is pretty good, does some nice proxy caching, but the logs/reporting are horrible. Also, it is a Microsoft product, so make sure you keep up on patches!
 

Darksamie

Senior member
Mar 23, 2000
Do any of these Linux based firewall programs allow for blocking of access to certain web sites?
 

n0cmonkey

Elite Member
Jun 10, 2001
<< Do any of these Linux based firewall programs allow for blocking of access to certain web sites? >>

Yes, and no. You could specifically block the IP addresses, but this would get VERY cumbersome. Your best bet would be to add something like squid and do proxy-caching. There is probably an add-on to it or something that would allow you to block pr0n and whatever else you are looking to block.
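The squid add-on n0cmonkey has in mind can be as small as a redirector helper. The following is an added example, not code from the thread or from the Squid project: a hypothetical Python helper for Squid's `redirect_program` directive (Squid 2.x; later versions call it `url_rewrite_program`), assuming the classic one-line-in, one-line-out helper protocol, a constructed block list and an assumed internal block-page URL.

```python
#!/usr/bin/env python3
"""Hypothetical Squid redirector that blocks listed web sites.

Squid 2.x (redirect_program) writes one request per line to stdin:
    URL client_ip/fqdn ident method
and reads back either an empty line (pass the request through) or a
replacement URL; here the replacement is a local "blocked" page.
"""
import sys
from urllib.parse import urlsplit

# Constructed sample block list; a deployment would load this from a file.
BLOCKED_DOMAINS = {"example.com", "badsite.test"}
BLOCK_PAGE = "http://intranet.example/blocked.html"  # assumed internal page


def host_of(url):
    """Return the lowercase hostname of a request URL ('' if none)."""
    if "://" not in url:  # CONNECT requests arrive as bare host:port
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or lies under one (www.example.com)."""
    labels = host.split(".")
    # Test every suffix: a.b.example.com, b.example.com, example.com, com
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(line, blocked=BLOCKED_DOMAINS):
    """Map one redirector input line to the answer Squid should receive."""
    fields = line.split()
    if not fields:
        return ""
    if is_blocked(host_of(fields[0]), blocked):
        return BLOCK_PAGE  # swap the request for the block page
    return ""  # empty answer: original URL goes through unchanged


def main():
    # Squid keeps the helper running and waits for exactly one answer per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Matching on the hostname rather than on addresses is what keeps this from getting cumbersome: one `example.com` entry covers every host under it and still holds when the site changes IP addresses.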
 

me19562

Senior member
Jun 27, 2001
OK, this is a very extensive topic, but from my point of view (and I'm not against Linux or any of the Unix systems) the thing is that any open source code is more susceptible to being hacked because the source code is on the net, while the appliances are using proprietary software in some way. Another thing you need is to know what you want the firewall to do or support. Personally I prefer the appliance because I avoid the holes of the OS and normally they are cheaper. If I'm not mistaken, MS ISA runs under W2K Server and not on W2K Pro, and that's the spare licence you have. Anyway, if the company doesn't want to spend much more money then go with Linux, but if they do, you can check the Cisco IOS Firewall Feature Set for that router. The Firewall Feature Set is a stateful inspection firewall, and if you want to see the features check them here: IOS Firewall Feature Set and Cisco 827, and here: Cisco 827 Documentation.

Good Luck
 

n0cmonkey

Elite Member
Jun 10, 2001
And when people say that hardware appliances don't have the holes that an OS would have, they mean that they don't have the same holes. They have other holes.
 

n0cmonkey

Elite Member
Jun 10, 2001
<< yeah, the appliances have them but they are much more difficult to find >>

Possibly. Not the best place for an Open Source vs. Closed Source security aspects debate. It'll get ugly ;)

As long as we all realize that nothing is perfect and to keep up with patches and updates :)
 

me19562

Senior member
Jun 27, 2001
You are very right; as I said, I don't have anything against Linux or Unix. I started in this with HP-UX and Slackware 96 and I love Linux ;)
 

Darksamie

Senior member
Mar 23, 2000
It looks like my only choice is to go with Linux at this point in time. The ISA server does require that I get another Win2k Server licence, which is something that is quite costly, considering that I am going to be upgrading one of the servers already.

When I do a fresh install of Windows 2k Pro/Server I first install the OS and then the service packs/security fixes. I then plug all the obvious holes with registry tweaks.

My question is this: Is installing Linux a similar operation? Are there security holes (obvious ones) that have to be plugged straight away before I start to configure the firewall/proxies etc?

Thank you to everyone who has given me advice on this. I have checked through all the information you have given me and found it to be very useful.
 

n0cmonkey

Elite Member
Jun 10, 2001
<< It looks like my only choice is to go with Linux at this point in time. The ISA server does require that I get another Win2k Server licence, which is something that is quite costly, considering that I am going to be upgrading one of the servers already.

When I do a fresh install of Windows 2k Pro/Server I first install the OS and then the service packs/security fixes. I then plug all the obvious holes with registry tweaks.

My question is this: Is installing Linux a similar operation? Are there security holes (obvious ones) that have to be plugged straight away before I start to configure the firewall/proxies etc?

Thank you to everyone who has given me advice on this. I have checked through all the information you have given me and found it to be very useful. >>

Securing linux takes a lot of work (sorry), if you want to get away with as little work as possible, pick up one of the appliances. If money says NO, check out linuxdoc.org for information on linux. When you have gone through that, drop by the OS forum with more specific questions and we will try to help.
 

n0cmonkey

Elite Member
Jun 10, 2001
<< that depends on the distribution, but at least you can check for the latest kernel. >>

Ok, my way of securing a Linux distribution takes a lot of work ;)
 

Nothinman

Elite Member
Sep 14, 2001
For the record, the SideWinders that n0c mentioned are very nice systems; we use one at work and I got to take a class on one (actually they brought the class to us). It's its own distribution of BSD Unix and has nice GUI tools as well as the command line stuff, so it looks good to suits and you can actually use it =) If you don't want to use Linux or FreeBSD because you're not quite ready for setting up everything yourself, check the HCL and seriously consider this.

<< but the thing is any open source code is more susceptible to being hacked because the source code is on the net >>

I don't want to turn this into a flame war either, but that statement's just plain dumb.
 

n0cmonkey

Elite Member
Jun 10, 2001
<< For the record, the SideWinders that n0c mentioned are very nice systems; we use one at work and I got to take a class on one (actually they brought the class to us). It's its own distribution of BSD Unix and has nice GUI tools as well as the command line stuff, so it looks good to suits and you can actually use it =) If you don't want to use Linux or FreeBSD because you're not quite ready for setting up everything yourself, check the HCL and seriously consider this.

but the thing is any open source code is more susceptible to being hacked because the source code is on the net

I don't want to turn this into a flame war either, but that statement's just plain dumb. >>

I agree with you, some others might agree with you, but not everyone does. It could make an interesting topic on its own though. Thanks for the information about SideWinder. I've been interested in it since I heard about it, but not enough to dig up information on it :p