Best OS / Config for a Firewall


Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
That was quick =)

I agree with you, some others might agree with you, but not everyone does. It could make an interesting topic on its own though. Thanks for the information about SideWinder. I've been interested in it since I heard about it, but not enough to dig up information on it.

Well it's not really opinion, as long as the maintainer of the open code is diligent in fixing problems =)

The SideWinder people were also really open to opinions on things, they kept asking us if we had any problems with the setup, look of the UI, etc. The GUI is all done in Python, so it wouldn't be hard to change. But for as much as it probably costs they should be helpful =)
 

me19562

Senior member
Jun 27, 2001
374
0
0
Hey if u want to secure that network u better start in the router. U can apply some ACL's and u r already running NAT. With the ACL's and NAT u have a simple firewall design, after that u just need an SPF (Stateful Packet Filtering) to avoid some DoS attacks. U can put a Linux box doing the SPF or u can add to the router the IOS Firewall Feature Set, but start applying the ACL's, then u can test the security with some tools to verify if it meets the requirements that u and the company want. After that u can start the analysis of what u need. I use a program called Cerberus Internet Scanner and some sites like Shields UP! -- Internet Connection Security Analysis and DSLreports Portscan; at least with these u r gonna get an idea of how ur security is. To help u a little bit more, here is a list of some ACL's recommended to improve security. ;)



Good Luck



ACL's


NAT
access-list 101 permit ip XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX any
IP Network ID Wildcard Subnet Mask

Ethernet Interface Internal Network
access-list 102 permit tcp XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX any
access-list 102 permit udp XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX any
access-list 102 permit icmp XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX any

Serial Interface or Ethernet Interface External Network
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq smtp "Mail service"
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq www "Web service"
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq telnet "Telnet service"
access-list 112 permit tcp any host XXX.XXX.XXX.XXX eq domain "DNS query"
access-list 112 permit udp any host XXX.XXX.XXX.XXX eq domain "DNS transfer zone"
access-list 112 permit tcp any host XXX.XXX.XXX.XXX gt 1023 "Applications" (This one only if needed)
access-list 112 permit icmp any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX unreachable
access-list 112 permit icmp any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX echo-reply
access-list 112 permit icmp any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX packet-too-big
access-list 112 permit icmp any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX time-exceeded
access-list 112 permit icmp any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX traceroute
access-list 112 permit icmp any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX administratively-prohibited
access-list 112 permit icmp any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX echo
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any
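The post above lists the ACL entries but not how a router walks them, nor why the stateful filter it recommends as the next step matters. The following is an added example (not code from the poster or from Cisco): a toy first-match evaluator for IOS-style `access-list` lines, using Cisco wildcard-mask semantics and the implicit trailing deny, plus a minimal stateful layer that remembers outbound flows. The addresses (203.0.113.0/24 for the public servers, 198.51.100.0/24 for outside hosts) are constructed documentation values standing in for the XXX.XXX.XXX.XXX placeholders, and the `demo` function, `Packet`, `Rule` and `StatefulFilter` names are this example's own.

```python
"""Added example: first-match evaluator for IOS-style ACLs plus a minimal stateful
layer. Addresses in 203.0.113.0/24 and 198.51.100.0/24 are constructed
documentation values standing in for the post's XXX.XXX.XXX.XXX placeholders."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""     # "echo", "echo-reply", ...; empty for tcp/udp


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp" or "icmp"
    src: tuple              # (network, wildcard) in Cisco notation
    dst: tuple
    port_op: str = ""       # "eq" or "gt" for tcp/udp
    port: int = 0
    icmp_type: str = ""


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _addr(tok, i):
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|gt PORT | ICMP-TYPE]'.
    Anything after '!' is a comment, as in an IOS config."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split("!")[0].split()
        if not tok:
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port_op, port, icmp_type = "", 0, ""
        if i < len(tok) and proto in ("tcp", "udp"):
            port_op, port = tok[i], PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        elif i < len(tok) and proto == "icmp":
            icmp_type = tok[i]
        rules.append(Rule(action, proto, src, dst, port_op, port, icmp_type))
    return rules


def _matches(r, p):
    if r.proto not in ("ip", p.proto):
        return False
    if not (wildcard_match(p.src, *r.src) and wildcard_match(p.dst, *r.dst)):
        return False
    if r.port_op == "eq" and p.dport != r.port:
        return False
    if r.port_op == "gt" and p.dport <= r.port:
        return False
    return not r.icmp_type or r.icmp_type == p.icmp_type


def evaluate(rules, p):
    """First match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for r in rules:
        if _matches(r, p):
            return r.action
    return "deny"


class StatefulFilter:
    """Minimal SPF: replies to flows already seen leaving the inside are accepted
    without consulting the inbound ACL; every other inbound packet must pass it."""
    def __init__(self, inbound_rules):
        self.rules, self.flows = inbound_rules, set()

    def outbound(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"
        return evaluate(self.rules, p)


# Constructed sample modelled on the post's ACL 112; 203.0.113.10 is the public server.
EXTERNAL_ACL = """
access-list 112 permit tcp any host 203.0.113.10 eq smtp          ! mail
access-list 112 permit tcp any host 203.0.113.10 eq www           ! web
access-list 112 permit udp any host 203.0.113.10 eq domain        ! DNS
access-list 112 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
access-list 112 deny ip 127.0.0.0 0.255.255.255 any               ! anti-spoof
access-list 112 deny ip any any
"""
HIGH_PORTS = "access-list 112 permit tcp any host 203.0.113.10 gt 1023  ! 'Applications'\n"
ANTI_SPOOF = "access-list 112 deny ip 127.0.0.0 0.255.255.255 any\n"


def demo():
    posted = parse_acl(HIGH_PORTS + EXTERNAL_ACL)        # order as in the post
    deny_first = parse_acl(ANTI_SPOOF + EXTERNAL_ACL)    # anti-spoof entry moved up
    spf = StatefulFilter(parse_acl(EXTERNAL_ACL))        # no 'gt 1023' line needed
    mail = Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 25)
    spoofed = Packet("tcp", "127.0.0.1", "203.0.113.10", 40000, 25)
    unsolicited = Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 6000)
    request = Packet("tcp", "203.0.113.20", "198.51.100.7", 50000, 80)
    reply = Packet("tcp", "198.51.100.7", "203.0.113.20", 80, 50000)
    spf.outbound(request)
    return {
        "mail": evaluate(posted, mail),                                    # permit
        "spoofed_posted_order": evaluate(posted, spoofed),                 # permit (shadowed)
        "spoofed_deny_first": evaluate(deny_first, spoofed),               # deny
        "unsolicited_high_port_stateless": evaluate(posted, unsolicited),  # permit
        "unsolicited_high_port_stateful": spf.inbound(unsolicited),        # deny
        "reply_stateless": evaluate(posted, reply),                        # deny
        "reply_stateful": spf.inbound(reply),                              # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:35s} {verdict}")
```

Two things the run shows that the bare list does not. First, entry order matters: with the loopback `deny` placed last, as in the post, a packet with a 127.x source aimed at port 25 is accepted by the earlier `smtp` permit and never reaches the anti-spoof line, so that entry belongs at the top. Second, the `gt 1023` "Applications" line is what a stateless ACL needs in order to let return traffic back in, and it also admits any unsolicited packet to a high port; with connection tracking the reply to a tracked outbound flow is accepted on its own and the high-port entry can be dropped, which is the reason the post moves from ACLs to an SPF.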
 

lowtech1

Diamond Member
Mar 9, 2000
4,644
1
0


<< "open source code r more susceptible to be hacked because the source code is in the net and the appliance r using in some way a proprietary software" >>



Where have you been?
Almost all known exploits point at MS proprietary products, and not at Open Source.



<< "Personally i prefer the appliance because i avoid the holes of the OS's and normally r cheaper." >>



If you mean hardware firewall vs. software firewall, then you are dead wrong. All firewalls have to have some kind of OS to boot the software, and I think Cisco is a variant of OpenBSD and uses IPsec (both OpenBSD & IPsec are open source).

It is hard to find a Cisco or Checkpoint firewall for less than $1000.00, but you can build yourself a firewall out of an old 486/Pentium with Linux/OpenBSD that has more features than both Cisco & Checkpoint put together.



<< "yeah, the appliance have it but r much more difficult to find it" >>



Just a reminder... Not many weeks ago both the Nimda & Code Red worms took down many Cisco-based networks (including my ISP; we had irregular service for close to 2 weeks and were down for a day in 2 Canadian provinces).

On some of the newer kernels you can string the services together:
access0: "from_any_host protocol syn_or_non-syn destination_xxx.xxx.xxx.xxx port_20:23_25_110_80_etc"
access1: ""
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
and I think Cisco is a variant of OpenBSD and uses IPsec (both OpenBSD & IPsec are open source).

All real Cisco routers use IOS, which is their own concoction; some DSL routers have something else because they were acquired from some other company, but they will be converted to IOS (or similar) eventually.

 

SR

Member
Aug 5, 2001
97
0
0
I think everyone here is forgetting the golden rule about setting up a firewall: use what you are comfortable with. If Darksamie is good with Windows products and has no experience with unix (all flavors) he should never try and set up a unix-based firewall. How will he know if the config is correct? The *better* answer would be to use an MS-friendly firewall like Checkpoint NG or an appliance-based firewall like PIX, NetScreen, or Sonic that you can call for setup support. The *best* answer, I believe, is to hire an outside company to install/support and train you on a firewall that is in your budget and supports the features you want. If you go with an outside vendor, make sure more than one can support it.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I think everyone here is forgetting the golden rule about setting up a firewall: use what you are comfortable with. If Darksamie is good with Windows products and has no experience with unix (all flavors) he should never try and set up a unix-based firewall.

There's also the fact that most of the people that are comfortable with Windows aren't good at setting it up, especially in such a security sensitive place.
 

Saltin

Platinum Member
Jul 21, 2001
2,175
0
0


<< There's also the fact that most of the people that are comfortable with Windows aren't good at setting it up, especially in such a security sensitive place. >>



Always time for a pot shot eh Nothingman?

I would suggest to you that most people aren't good at setting up OSes and the pertinent security features regardless of the OS.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Always time for a pot shot eh Nothingman?

Not really a pot shot, but it's true that there are a lot more Windows users who think they're admins than there are Windows users who are qualified to be admins.

I would suggest to you that most people aren't good at setting up OSes and the pertinent security features regardless of the OS.

And I would agree, but you can't deny the fact that 9/10 of them are running Windows.
 

me19562

Senior member
Jun 27, 2001
374
0
0
It is hard to find a Cisco or Checkpoint firewall for less than $1000.00, but you can build yourself a firewall out of an old 486/Pentium with Linux/OpenBSD that has more features than both Cisco & Checkpoint put together.

Lowtech, just tell me how many mid and large companies u know that r using a Linux box instead of a security appliance. I can buy a security appliance with SPF for $289.00 and it will perform much better than any OS. On the other hand, for home, home office and small companies it's a very good choice if not the best.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Lowtech, just tell me how many mid and large companies u know that r using a Linux box instead of a security appliance. I can buy a security appliance with SPF for $289.00 and it will perform much better than any OS.


All those appliances have an OS too, some of them are even running off of Linux or BSD. All you really pay for with those is setup and support, which isn't a bad thing.
 

RagManX

Golden Member
Oct 16, 1999
1,219
0
86


<< but the thing is any of the open source code r more susceptible to be hacked because the source code is in the net >>


In theory, that seems reasonable. Of course, the other side of the argument is that with more people able to look at the code, bugs and vulnerabilities are more likely to be seen and fixed before they get to be a problem. And if you check out articles like this one at dwheeler, you'll see that in general, the opposite of your expectation is what we actually see. M$ based systems account for nearly 2/3 of the systems defaced, while Linux systems account for nearly 1/5 of the defacements. I can't dig up the estimated market shares of each OS right now, but my recollection is that M$ based systems are well less than 50%, and Linux systems are well over 20% of the market.

Just thought that little article was worth mentioning.

RagManX
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< It is hard to find a Cisco or Checkpoint firewall for less than $1000.00, but you can build yourself a firewall out of an old 486/Pentium with Linux/OpenBSD that has more features than both Cisco & Checkpoint put together. Lowtech, just tell me how many mid and large companies u know that r using a Linux box instead of a security appliance. I can buy a security appliance with SPF for $289.00 and it will perform much better than any OS. On the other hand, for home, home office and small companies it's a very good choice if not the best. >>


More than you think. Checkpoint FW-1 runs on Linux. That's a *BIG* boost. Anytime you can get the biggest company in the field to support your OS you have a good thing. ;)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Yes, Checkpoint runs on Linux. It also runs on NT. I personally don't know many folks running it on NT or Linux. Most ISP installations I've run into slap it on a Sun Ultra 5. Even then Checkpoint installs its own HIGHLY modified kernel.

IMO, For DarkSamie's configuration any of the small soho devices would work great and are a perfect fit for this application. I like PIX and Sonicwall...why? They are just so easy to use and configure, powerful to boot. Plus you can stop a good deal of the snooping on the router.

And to the point of pix and IPsec - it works extremely well with other vendors. As far as PPTP support, why on earth would you want to use PPTP? The IPsec compatibility problems used to be very pronounced but nowadays they play pretty well together (notice I said pretty well, kindof, sortof, hopeso) :)
 

me19562

Senior member
Jun 27, 2001
374
0
0
BTW Checkpoint has a performance chart where they point out that the firewall on Linux is the one with the best performance. Ragman, I hope Linux keeps going over M$ systems; that way Linux is going to get more support and respect. Nothinman, what u said is very right; actually I was talking with a guy a few months ago and he told me that IOS is now based on Linux. If anyone checks, all of these new networking devices like routers, switches, NAS, even print servers run on a Linux-based OS and it works pretty well :)

 

Darksamie

Senior member
Mar 23, 2000
220
0
0

It seems that I have a lot of options open to me and none at all. At the moment, I have a win2k licence and a machine that is pretty quick to put it on, but not that much of an idea on the firewall side.

On the other hand there is Linux. While I am very confident at making a win2k box secure, and am quite sure that I don't fit into this category, "most of the people that are comfortable with Windows aren't good at setting it up, especially in such a security sensitive place" I don't think I know more than the intermediate levels of the Linux OS, with little knowledge about linux security.

This leaves me with only a few options, and most are highly priced. I am thinking however, of getting some books and going with BSD for this. Then put a simple firewall on it and also have a proxy. Probably not the best move, but one of the only avenues open to me after I just had the company spend over $3k on a server.

What are my chances? :p heh
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The only thing you don't want to do is set up something as important as a firewall unless you're sure you did it right; even spending the cash on a pre-configured box will cost less than if you get broken into.
 

Garion

Platinum Member
Apr 23, 2001
2,331
7
81
Before you go that route, how about this - what are your requirements? For example, do you need to host a website (or something like Outlook Web Access) inside the network? What kind of data is behind the firewall - how harmful would it be if it was penetrated? Are there regulatory issues (like the Gramm-Leach-Bliley Act that is nailing us banks) to consider? How much outbound traffic? Do people hit all kinds of sites outbound, or is there some commonality in their browsing where proxy caching would be an advantage? Is scanning for http-based viruses a concern (i.e. NIMDA)?

If you're confident in your Windows abilities, try and find a demo of ISA server and give it a shot - You can probably find some good scanning testing tools to see how you did. Failing that, ask some of us who DO have those tools available. If ISA server doesn't match your needs, try for Linux. But it's going to take a LOT more time and be far more difficult.

- G
 

RagManX

Golden Member
Oct 16, 1999
1,219
0
86
Well, ultimately SR is correct - go with what you know. As much as I think Linux or OpenBSD would be a better choice, if you aren't very good with them and are good with Windoze, then Windoze is the way to go. Besides, most Windoze firewalls just replace the M$ IP stack with their own, and really don't use the OS for anything other than a management console gui front end.

I would agree with others however and suggest you bring in someone from the outside to set it up initially. Of course, the problem with that is you don't know how to evaluate an external vendor for something like this until you get to the point that you are qualified to do it yourself.

For your reading pleasure, you absolutely have to pick up Building Internet Firewalls. You also might want to check out Building Linux and OpenBSD Firewalls if you decide to try that route. It isn't easy, and there is plenty you can screw up. And having a poorly configured firewall is really worse than having no firewall at all, as at least when you have no firewall, you know you have a security problem, where with a poorly configured firewall, you think you have security, but you don't.

RagManX
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Definitely go with someone from the outside. I'd recommend some good companies, but I don't want to mention where I work or the competition ;)

OpenBSD is my choice because I know it. For a small office, an appliance would not be a bad deal, especially if they offer training on how to use it.

And I know at least 1 company that uses FW1 on Linux, but Nokia is the way to go there ;)