Networking Security Worms

What is the Best Firewall for Servers? 673

Posted by Cliff
from the hot-protection-for-heavy-iron dept.
Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
  • OpenBSD, of course! (Score:5, Informative)

    by Anonymous Coward on Monday June 27, 2005 @05:46PM (#12925473)
    Ummm, OpenBSD of course! www.openbsd.org
    • by Krach42 (227798)
      I have to agree. I use OpenBSD for my firewall, then I poke holes through to my Linux server for HTTP, and SSH.

      This avoids the situation that I had previously when someone hacked into my machine. They hacked into my OpenBSD firewall, then opened it all up, and marked my /etc/pf.conf system-immutable (so I had to reboot into single user mode to fix it.)

      This way, if they hack my Linux server, they'd still have to hack into my OpenBSD box in order to open up the ports. I have plans to lock that up tight o
      • hahahaha (Score:3, Funny)

        by mnemonic_ (164550)
        that was me.
      • by leonmergen (807379) * <lmergen&gmail,com> on Monday June 27, 2005 @07:22PM (#12926590) Homepage

        So, why don't you make your OpenBSD a firewalled (and possibly ip-less) bridge? That way, attackers have no way of knowing that there's a firewalled bridge between them and the HTTP server, and packets still get filtered... just disallow any outside connections to your bridge-server and you're safe.

        Make sure you set your webserver to only allow to respond to accepting connections, not initiate new connections.

    • by urlgrey (798089) * on Monday June 27, 2005 @06:00PM (#12925718) Homepage
      Kidding aside, OpenBSD [openbsd.org] is my choice, but any used PIII 'nix machine, be it:

      OpenBSD with PF [openbsd.org],

      FreeBSD with either PF or IPFW [freebsd-howto.com],

      pretty much any Unix variant OS with IPFilter [anu.edu.au],

      Linux with IPTables [netfilter.org]

      will do the job swimmingly.

      • Look, the OS really doesn't matter. What does matter is getting your employers to not do stupid things, like run their laptops without security patches and insist on running NFS and file sharing from home and on every machine in your group, getting them to pick decent passwords, teaching people never to use .zip attachments for anything, never running passphraseless accounts and open access points, etc., etc., etc.

        Until you can get basic security steps like those in place, the world's best firewall is like
    • by Guspaz (556486) on Monday June 27, 2005 @06:42PM (#12926197)
      They seem to be referring to software to put on existing servers. It would be hard to build a decent OpenBSD machine for under $100 US.

      Of course if they DID want additional hardware, the absolute cheapest general-purpose linux box is the Linksys WRT54G. At least, it becomes a general purpose box as soon as you throw OpenWRT [openwrt.org] on it. Just set up the iptables rules however you like. You may want to disable the wireless functionality.

      I've seen the WRT54G selling for as little as $50 CDN, which is probably about $40 US. It doesn't get much cheaper than that for a linux box.

      Still, I think he meant more software-wise.
      • by squidfood (149212) on Monday June 27, 2005 @06:57PM (#12926372)
        They seem to be referring to software to put on existing servers. It would be hard to build a decent OpenBSD machine for under $100 US.

        It was $30+OpenBSD donation for me. That was the cost of government surplus PIII-450s with enough RAM and HD space for moderate use. It would be a rare university that didn't have machines like that lying around.

    • by Shanep (68243) on Monday June 27, 2005 @08:33PM (#12927118) Homepage
      I also have to agree.

      * DMZ: Put your servers into appropriately configured DMZs using a separate OpenBSD host as the firewall. Lock it down so that only traffic which you specifically allow can get through.

      * PATCH: Keep your Windows servers patched.

      * FILTER: Doesn't Windows 2003 have a built in packet filter? If so, use it!

      * HARDEN the Windows servers. Remove every service which they don't *need* to be running.

      * REPLACE any Windows servers that you can, with more secure options.

      * BACKUPS: Keep good regular backups so that it will be less hassle for you to restore from them and patch, should they be compromised. The longer between backups, the harder your job will be to fix the problem because you might find the losses of restoring an old backup hurt more than the actual compromise itself. You'll be checking what is newer and working hard to make sure that the newer files are not infected with trojans, worms, viruses, etc.

      * DON'T DEPLOY: If you can get away with it, don't give people a solution if the only solution is an insecure one. You may find that you provide a solution which people suddenly "can't live without" but is either uneconomical to keep secure or impossible to keep secure. It is better to not give people a taste of that solution at all. Especially since they worked just fine without it up until now and *you* know that they don't *need* it.

      * SOE: Develop standard operating environments for the desktops, lock them down and enforce IT usage policies. Do the desktops need to share data amongst themselves peer-to-peer? Having worked in edu for years, I would imagine not on the whole, so apply a firewall to the SOE itself which will fit within your network configuration. A smaller department server you will be able to take ownership of and control if they want to share amongst themselves and this takes the tinker factor away from the end users and removes their excuse for admin rights for that task. You can also make it so that any damage or network congestion they cause, can be limited to their department. You do it this way for them because "you can easily backup a central server" and upper management will agree with you on that from a risk point of view. If all your desktops, servers and network are as secure as you can make them and you have policies people must adhere to, then you will have much less problems.

      What you will also find is that you will get to a stage where instead of putting out fires all the time, you will be constantly improving your systems and making IT better instead of always trying to make IT work. You will also find that problems start to settle with the real problem staff and you will then be able to manage them and point to the policies.
  • by gik (256327) on Monday June 27, 2005 @05:46PM (#12925474) Homepage
    a linux box.
  • Smoothwall (Score:4, Informative)

    by Anonymous Coward on Monday June 27, 2005 @05:47PM (#12925479)
    • Also IPCOP (Score:5, Informative)

      by lord_rob the only on (859100) <shiva3003NO@SPAMgmail.com> on Monday June 27, 2005 @06:15PM (#12925941)

      I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore.

      While I think it was rather a hard disk crash and not a direct smoothwall problem, it made me feel like replacing my smoothwall with ipcop, another firewall dedicated linux distro (forked from smoothwall).

      I'm very happy with ipcop at the moment, it's a bit more "customizable" than smoothwall. I know both are GPL'ed so they can both be customized to fit any purpose, but as ipcop is a 100% community-based distro, it is a bit more designed to be tweaked than smoothwall.

      Check out IPCOP site [ipcop.org]

      • Re:Also IPCOP (Score:4, Interesting)

        by crabpeople (720852) on Monday June 27, 2005 @07:04PM (#12926436) Journal
        "I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore."

        Actually the same thing happened to me. Well sort of the same (my connection uses DHCP). My problem was that the webpage configuration never came up. I finally figured out that this was because my 100mb /var/log was full!

        Clearing that out made the smoothy run fine again. It has since happened a few more times and every time I just have to clear out all the logs. That said, while the disk was full, it was still routing traffic as expected for months before I discovered the issue.

        The one thing I would like to see would be a better way of tracking all the connections being setup and torn down by the machine, realtime, say logging to a console window. I used to have a dubbele NETBSD firewall ( http://firewall.dubbele.com/ [dubbele.com] ) that, because of the firewall package on there (vastly superior to iptables IMHO) I could run a simple command (ipmon -o N) and it would list everything going on. Very cool. I know about IP contrak mod for smoothwall but on a webpage just doesn't have the same cool feel as realtime. It's nice to catch all those EA games you have calling home when you launch them :)

        Anyways the one story I love to tell about the netbsd machine was that the hard drive failed on it months before I found out. The machine was running flawlessly until I rebooted it for some reason and got a nice primary HDD fail in the bios. The last timestamp for a file on the HDD was like 8 months previous.
  • by Richard Steiner (1585) * <rsteiner@visi.com> on Monday June 27, 2005 @05:47PM (#12925489) Homepage Journal
    That way, platform compatibility is a nonissue.

    I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...
    • exactly my thoughts.

      from what it sounds like he just wants incoming ports blocked(being hit by zombies).

      30$ should buy an external fw/nat box with simple rules - a little more and you could get some similar router&on board firewall combos that run on top of linux too.. should fit the bill pretty well.

      well, blocking incoming ports should be doable with windows own built in fw too.. so maybe he just would want a free kerio or something - you know, with fancy menus and crappy threat detection and popup
    • With multiple boxes, having an external facing firewall only helps so much. If one of the "protected" boxes gets infected by student activity, it'll run all over the LAN. That's part of why so many places got hit hard by the last couple Windows worms - they had firewalls and let down their internal guard and got pounded by infected internal machines, particularly when users brought in laptops that had gotten infected at home.

      There's a few things to do to limit the problem:

      1. As you said, have an externa
  • by glrotate (300695)
    I'd say keep the firewall software off of your Server. Get a decent hardware one from Checkpoint.
    • I would have to agree with this as well. We have a small network with 5 Win2003 servers and 90 XP workstations. We use the Netscreen 5GT. It can be quite tricky to set-up, but having the firewall separate from your domain is quite handy. Second choice, get a UNIX box to do the job.
  • Seriously, why put down $300 when the windows firewall will do?

    Or get a $50 router and block all unnecessary ports to give yourself an additional layer of security.
    • Because in this case, the end result is something easier to deal with that solves the problem. If you want to maintain a "bunch" (however many that is) of installs of a windows firewall, on multiple OSs, then yea, absolutely.

      The thinking here is a separate machine will help maintainability (assuming of course that you know linux), ease of upgrades (one system vs a "bunch"). Of course, in this case a little router box would work just fine as well. The only thing with the router boxes is the ones sold to
    • It's generally considered a Good Thing to keep a firewall box separate from the actual server - that way, if your network is taking a beating, the firewall absorbs the impact, thusly not killing your server boxen.
  • by AEton (654737) on Monday June 27, 2005 @05:48PM (#12925495)
    You keep getting hit by zombie machines?

    Liberal Arts zombies? Are you sure they're not dogs [slashdot.org]?

    (And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer [linux.com].)
  • iptables (Score:2, Insightful)

    by Heidistein (593051)
    $subj, the only true firewall :)
  • Security (Score:2, Funny)

    by aardwolf64 (160070)
    I've found that for 99% security, the best solution is to unplug the ethernet cable on my server and just use it locally (kind of defeats the point, huh?)

    The missing 1% is for the ninja squirrels ... stupid squirrels...
  • by ltning (143862)
    We use FreeBSD with IPF, IPFW and some home-brewed tools in our main hosting centre. We have chosen name-brand hardware and free software - already having in-depth knowledge in-house, we had no need to buy a complete black-box solution.

    Of course - investing in "fresh" knowledge on FreeBSD or whichever other platform you wish to roll your own firewall/ids solution on top of - is going to be expensive. Thus this solution might not work for all...
  • Those education and liberal arts students are zombies.
  • by Suicyco (88284) on Monday June 27, 2005 @05:49PM (#12925511) Homepage
    Just use iptables on a cheap old pentium or something. Two network cards, one inside and one outside. Even a modest Pentium or Pentium II could keep up with good amounts of traffic.
    • by hawkbug (94280) <psx@noSpAm.fimble.com> on Monday June 27, 2005 @06:01PM (#12925741) Homepage
      I hear this argument a lot, and you're right - it would work... but here's the thing - If you put a pentium I computer with a 2 gig hd or something up in front of an entire lab for internet access, I would wonder about the reliability. What I mean is, at work here I was doing something similar - but when the non-rendundant power supply in the 1995 based computer died, my entire part of the office lost net access, which is bad.

      There is always something to be said about having a real server act as a firewall. For home use, sure, use an old computer running linux - but for anything that you would like to count on a reliable, get a real piece of hardware to put that linux distro on, and you'll be happier.
      • You always have OpenBSD [openbsd.org] that comes with pf [openbsd.org] (packet filter), CARP [openbsd.org] (redundancy) and pfsync [openbsd.org] (firewall synchronizing)

        You can find an example here [countersiege.com]

      • by owlstead (636356) on Monday June 27, 2005 @06:21PM (#12925995)
        Use a floppy or CD based installation. Leave that hard disk out. When that's on, there are no moving parts at work, except for the fan(s), which should be able to run for a few years. Otherwise, buy a cheap fanless VIA epia board with 2 ethernet connections and boot it up from a flash drive. Works like a charm, and 533 or 600 MHz is actually overkill. Great as a small web server/ssh access. And it's easy to setup with a printer or an external HDD to share stuff on your network.

        But it seems that the poster can get away with using a simple router box with multiple LAN ports as well (or 1 LAN and 1 WAN port might even work).
  • Two Words... (Score:3, Informative)

    by Jsutton1027w (757650) on Monday June 27, 2005 @05:49PM (#12925517) Homepage
    IP Cop. ;) http://www.ipcop.org/ [ipcop.org]
  • Win2k3 SP1 Firewall (Score:2, Informative)

    by chota (577760)
    The firewall bundled with the service pack upgrade to Server 2003 isn't too bad, but it only does incoming connections. You can exempt ports or executables.

    Also, it's free.*

    *Well, you know what I mean.
  • by dancedance (600701) on Monday June 27, 2005 @05:49PM (#12925529)
    Does it cost less than US$100? You can't be serious. Securing your machines is only worth $100? Is that how much it will cost to fix them once they are cracked? Give me a break. If you are serious about security you can invest more than $100.
    • If you are serious about security you can invest more than $100.

      While advisable to get a more expensive (read built and priced for the task), a PII box and cables can be picked up for $70 on eBay and, with a minimal Linux firewall install (say, 1 hour to set up @ $30/hour) does cost $100/hour. Of course this assumes the tech expertise exists in the first place, which seems not to be the case in this 'Ask Slashdot'.
    • by MrResistor (120588) <peterahoffNO@SPAMgmail.com> on Monday June 27, 2005 @06:00PM (#12925715) Homepage
      Did you miss the part about how he works for a school? He has to get the money before it can be invested, and $100 might be the limit above which he has to get the approval of 3 PHBs and 6 beancounters.

      Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?

      • Did you miss the part about how he works for a school? He has to get the money before it can be invested, and $100 might be the limit above which he has to get the approval of 3 PHBs and 6 beancounters.

        Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?


        I work at a university, so I know the game.

        I would recharge the other department $50 for 'security services' each IP they fail to pro
    • by DNS-and-BIND (461968) on Monday June 27, 2005 @06:01PM (#12925749) Homepage
      There are these mystical things called "budgets". The "budget" will provide for some things and not others.

      This *is* at a university. Universities are well-known for being completely isolated from the rest of society, and as a result, they have some pretty weird ideas. One of which is not spending any money on computer security.

    • by riptide_dot (759229) * on Monday June 27, 2005 @06:02PM (#12925758)
      "You can't be serious. Securing your machines is only worth $100?

      Keep in mind that the OP works for a university, which probably doesn't have a budget outside of what they already spent on their software firewall. It doesn't mean that security isn't important to him, just that there's probably not an existing budget for it.

      The OP is looking for a cheap and innovative way to secure his university network's servers - and I can't think of a better place to ask the question than here.

      I say let the FOSS community answer his question and provide him a solution to his unique problem in the way that they know best and leave the "isn't this worth more than $XXX?" questions to the salesman.
  • maybe more than $100, maybe not. Depends on whether or not you have a free machine. Doesn't have to be fast or have a lot of memory.
  • Isolate your network, and secure it using a Linux-based firewall. Hopefully you have 1:1 mapping, so you won't need to NAT the resulting connection. Either way, connections coming in one Ethernet port will hit the Linux box, but keep all outgoing traffic from the isolated network running safe.
  • by matth (22742)
    Why not try a hardware solution? perhaps a Cisco PIX? Worst case use monowall.. it is free and runs linux... put all the machines BEHIND a firewall.. don't run firewalls on each machine.. additionally an unpatched windows machine should be able to SAFELY be on the net.. if it isn't you aren't doing your job of securing it correctly... get that pink slip ready.
  • This is where IT admins get into the deep dip by investing in top-notch gear and THEN, buying up cheap firewall software, expecting it to do the duty of protecting his pride and joy.

    To protect the equipment, you will simply tell them to go hardware firewalls, preferably Cisco PIX 500s will do the trick. But be prepared to pay for the name, but the protection that this unit will provide will be worth every penny.
  • Wrong Approach (Score:5, Informative)

    by markom (220743) on Monday June 27, 2005 @05:50PM (#12925544) Homepage
    You are approaching the problem from a wrong direction.

    There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the most simple one. There are host-based and network-based firewalls. Host-based firewalls, are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.

    The proper way to protect server farms in campus is to have secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. Secure network consists of firewalls, segmented network (separate VLAN's, switching blocks, etc.). Excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.

    Marko.
    • You are approaching the problem from a wrong direction.
      Surely the bigger problem here is the zombied boxes! Maybe their security policies should be tightened first, and the servers shored up accordingly with a physically separate router.


  • Firewall sounds all dignified and techie, when you're really saying 'TCP stack incontinence appliance'. Use the short form of this, 'network diaper', in conversations with management, and perhaps you'll get to use a real operating system.

    If you canna go bare, why you even gonna go there?

  • A cheap box (Score:3, Informative)

    by necrognome (236545) on Monday June 27, 2005 @05:51PM (#12925557) Homepage
    running OpenBSD and pf. Include another cheap box and CARP if you need redundancy/failover.
  • Use different security zones protected by dedicated firewall computers.
  • $0 $100.

    I also use some assorted python scripts that watch the system logs for common attacks that portsentry does not pick up (e.g., repeated ssh login failures), and then dynamically block those IP / port combos as necessary.
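The log-watching approach described in the comment above, sketched as an added example (not the commenter's scripts, which are not shown on the page). It assumes OpenSSH-style syslog "Failed password" lines; the function names, thresholds, allowlist and sample log are constructed for illustration, and the block rules are returned as strings rather than executed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jun 27 09:00:10 lab1 sshd[1801]: Failed password for root from 198.51.100.23 port 3301 ssh2
Jun 27 11:00:10 lab1 sshd[1850]: Failed password for root from 198.51.100.23 port 3302 ssh2
Jun 27 13:00:10 lab1 sshd[1902]: Failed password for root from 198.51.100.23 port 3303 ssh2
Jun 27 15:00:10 lab1 sshd[1977]: Failed password for root from 198.51.100.23 port 3304 ssh2
Jun 27 17:46:01 lab1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jun 27 17:46:03 lab1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jun 27 17:46:05 lab1 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Jun 27 17:46:09 lab1 sshd[2104]: Failed password for invalid user x from 198.51.100.9 port 22 ssh2 from 203.0.113.7 port 40115 ssh2
Jun 27 17:46:12 lab1 sshd[2105]: Failed password for root from 203.0.113.7 port 40116 ssh2
Jun 27 17:47:00 lab1 sshd[2110]: Accepted password for labadmin from 192.0.2.10 port 51000 ssh2
Jun 27 17:48:01 lab1 sshd[2120]: Failed password for labadmin from 192.0.2.10 port 51001 ssh2
Jun 27 17:48:02 lab1 sshd[2121]: Failed password for labadmin from 192.0.2.10 port 51002 ssh2
Jun 27 17:48:03 lab1 sshd[2122]: Failed password for labadmin from 192.0.2.10 port 51003 ssh2
Jun 27 17:48:04 lab1 sshd[2123]: Failed password for labadmin from 192.0.2.10 port 51004 ssh2
Jun 27 17:48:05 lab1 sshd[2124]: Failed password for labadmin from 192.0.2.10 port 51005 ssh2
Jun 27 17:50:10 lab1 sshd[2130]: Failed password for root from 198.51.100.23 port 3305 ssh2
"""

# The user name is attacker-controlled and may itself contain
# " from <ip> port <n> ssh2". The greedy user group plus the end-of-line
# anchor make the parser take the LAST "from ... port ..." pair, which is
# the one sshd wrote, so a forged name cannot get an innocent host blocked.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$"
)


def find_offenders(lines, threshold=5, window=timedelta(minutes=10),
                   allow=(), year=2005):
    """Return addresses with >= threshold failures inside one time window.

    allow lists networks that are never blocked (e.g. the admin subnet),
    so a mistyped password cannot lock the administrator out.
    Syslog timestamps carry no year, so the caller supplies one.
    """
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue              # not a literal address: never pass it on
        if any(ip in net for net in allow_nets):
            continue
        when = datetime.strptime(f"{year} {m.group('ts')}",
                                 "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold and ip not in offenders:
            offenders.append(ip)
    return offenders


def block_rules(offenders, port=22):
    """Render one DROP rule per offender for the given TCP port."""
    rules = []
    for ip in offenders:
        tool = "iptables" if ip.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -s {ip} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), allow=["192.0.2.0/24"])
    for rule in block_rules(hits):
        print(rule)
```

The slow source (198.51.100.23, five failures spread over a day) stays under the threshold by design; catching that pattern needs a longer window or a separate daily count.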
  • IPCop (Score:5, Informative)

    by ZosX (517789) <zosxavius@gmailPASCAL.com minus language> on Monday June 27, 2005 @05:53PM (#12925593) Homepage
    It's free.

    Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to separate your network into zones with multiple nics and will likely only take a 486 or Pentium class machine to keep up with your bandwidth. Hey, you asked for cheap. Doesn't get much cheaper than that.

    You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up conveniently with a web browser.

    There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind.

    I would personally avoid Windows software firewalls like the plague, as they run at escalated privileges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me.

    If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO.

    Happy hacking!
    • Re:IPCop (Score:3, Informative)

      I second IPCop. I use it for a group of about 50 users, and I've got an uptime of almost a year. The things I like about IPCop:

      - It works. Well.
      - Free!
      - Lean. It doesn't have a whole lot of nonsense that you don't need.
      - Comes with a nice web interface.
      - Handles aliasing fine. That way you can have more than one IP address per physical interface.
      - Has a healthy support community.
      - Runs on a lot of hardware.

      I've actually got two ipcop boxes, identically configured. That way if one ever dies, I
  • by NotFamous (827147) on Monday June 27, 2005 @05:53PM (#12925597) Homepage Journal
    Ceramic wafers with asbestos stuffing...
  • Depending on the box, I like putting a cheap router (those intended for DSL/Cable are fine for me since my backwards-university is still on 10Mbps & is talking about eventually going to 100MBps) or another box in front of the system. If it is another box, it is nice to make it a linux or BSD box which is configured to ONLY be a firewall. I like OpenBSD. You can use a LiveCD [jtan.com] or install it outright. Lots of tutorials out there.

    If you want only a software firewall for windows, I like Sygate. It does
  • by RedPhoenix (124662) on Monday June 27, 2005 @05:56PM (#12925642)
    For the linux machines, have a peek at firestarter (www.fs-security.com). It's easy to configure, has a nice GUI, and provides a reasonably simple method of configuring IPTables.

    If your requirements are a little more complex (eg: DMZs, VPNs, etc.), you might want to have a peek at firehol instead. Text-based configuration, but greatly simplifies the process of wrangling with iptables.

    I tend to recommend zonealarm for windows for most people, but that's more out of apathy (ie: I haven't reviewed the options lately) than anything else.

    Red.
  • by Arimus (198136) on Monday June 27, 2005 @05:56PM (#12925646)
    I'd suggest ditching a software firewall and investing in a proper hardware firewall such as Checkpoint FW1 and put all the servers behind that firewall.

    Put another firewall ideally of a different type (break one you've still got another to break) and use that to isolate all the departmental computers...

    Ensure the policies are locked down tight and that any changes are approved by someone who knows what they're about before being implemented.

  • This is by far the best firewall available:

    http://roseweb.de/caro/pages/security/v-one/cut-or ig.htm [roseweb.de]

    It costs well under $100, and unlike every other firewall it is guaranteed 100% secure.

    Best of all, it can be applied to those pesky zombie systems in addition to your own servers for the ultimate in protection.
  • Depending upon the workload the server sees, you could get away with something as simple and stupid as a Linksys/DLink/... firewall configured to port forward the server's ports inward. (cost ca. US$30)

    You might also dig up a junk machine and set up the Linux Router project (or a *BSD equivalent) on it.

    If the servers are big enough that a cheap hardware firewall won't do, then I'd say they are big enough to need a real router in front of them.

  • Kerio Firewall (Score:2, Informative)

    by Dr. Technical (862071)
    Kerio *does* make an excellent firewall product for Windows servers (Kerio Server Firewall). It is pricey, however, and for the same or less money you could install a Smoothwall box.
  • by DJStealth (103231) on Monday June 27, 2005 @05:59PM (#12925693)
    Download W2K3 Service Pack 1 from Microsoft, they have the same firewall as XPSP2 plus some bonus features.

    There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2
  • Take One Old PC (Score:4, Informative)

    by sjvn (11568) <sjvn@vna[ ]om ['1.c' in gap]> on Monday June 27, 2005 @06:02PM (#12925765) Homepage
    Add two network cards
    Add free Linux 2.4 distribution or higher
    Activate netfilter and iptables
    See: http://www.netfilter.org/
    Deploy firewall using instructions in the netfilter how-tos:
    See: http://www.netfilter.org/documentation/ [netfilter.org]

    Or, if that's too much for you, just get the equipment and add one of the pre-configured firewall Linuxes like SmoothWall (http://www.smoothwall.org/ [smoothwall.org]), Devil-Linux (http://www.devil-linux.org/home/index.php [devil-linux.org]) or Coyote Linux (http://www.coyotelinux.com/ [coyotelinux.com]).

    No fuss, no muss.

    Steven

  • Preferentially? (Score:4, Informative)

    by CAIMLAS (41445) on Monday June 27, 2005 @06:41PM (#12926184) Homepage
    For Windows? A seamless, 3' thick rebar-reinforced cement vault is preferential. It's easiest to add the machine prior to pouring the cement, I've found.

    But with zombies in general, I prefer a more proactive approach: a 12 gauge shotgun loaded with 00 buck does nicely.

    Seriously though. Every Windows machine should be behind an entirely separate firewall, protecting it from everything and everything from it. A Windows machine on a public network that isn't being aggressively administered is about as safe as a polish handgun.

    By the description of your environment and problem, it sounds like you basically want to quarantine the humanities from the rest of campus so they don't wreak their plague of stupidity upon everyone else (this is good policy in general, I've found - humanities aren't fond of reasoned, concrete thought).

    Probably the best way to do that would be to set up an IDS gateway between their networks and the rest of campus. Something from CISCO would probably be best, but I'm fairly certain you could do it with linux/BSD or another COTS solution for decreased price. Have the IDS set up to basically drop all traffic from zombied machines. When they complain to you that "their" network isn't working and that it's your fault, give them the ISP treatment: fix your machine and we'll let you back on.

    Really, allowing humanities types to manage their own hardware is just a recipe for disaster. Would you let your accountant work on your car? It's not advisable, and would likely cost you more than not having repair done at all and waiting for further problems.
  • by Kaedrin (709478) on Monday June 27, 2005 @07:17PM (#12926548)
    I can't speak for the linux side of things, but here's my comments for Windows.

    Note that while this is easier to manage with Group Policy via Active Directory, you can use the local group policy settings and migrate them across your lab. My thoughts on this are valid for XP and 2003.

    The internal firewall is your first defense, blocking all non permitted inbound random/unimportant information from reaching your machines. Tell the firewall the applications you will be using, and it will dynamically open required ports as the program needs them. This way you don't need to deal with local port management. You want this setup to prevent traffic from reaching IPsec, and for any logging purposes you may have. IPsec's current version doesn't really do packet logging, and is in no way a firewall (Although, I used it for years as a firewall with Windows 2000 and never had any ill-received problems, but they were not on critical systems either).

    Use IPsec in pure authentication mode without encryption (unless you have encryption offload cards). You can use it in several ways.

    All communication requires authentication:
    No computer can talk to yours that is not setup properly. Period.

    All inbound communication requires authentication:
    All inbound traffic must authenticate or be dropped.

    If you lock inbound, but not outbound, your clients can still access web resources and any other computer without issue, but you have completely prevented anyone else from initiating communication with your systems.

    IPsec works like this: Generic rules (require authentication from everyone) are over-ridden by a more explicit rule (do not require authentication from whatever.system.local). Generic all IP rules are over-ridden by port rules, port rules are over-ridden by explicit IP address rules or subnet rules. Etc.

    For your purpose, I would at least require all inbound traffic to require authentication by String, however this is not secure and anyone with administrator access can rip the password out of the registry. To do it securely, you need to do it by certificate or Kerberos. The Kerberos implementation will require Active Directory, the certificate method will require a full IKE/PKI configured for your area. You do not need to buy a certificate from a place like VeriSign, you can do it all yourself through your own self-signed certificates. This entire process with IPsec can be automated through Active Directory, but if you don't have Active Directory, I believe any generic IKE/PKI server can generate valid certificates for your use. It's a lot less work on your part doing it through Active Directory.

    IPsec policies will work between Windows 2000, XP, and 2003, however your key strength is limited based on the oldest OS you use. 2000 will only function with low keys, XP with both low and medium, and 2003 with strong keys and the two weaker keys. Also, you can set it up from strongest key generation to weakest, so 2003 will always talk to 2003 in strong, 2003 to XP in medium, 2003 to 2000 in weak. It may be possible to make IPsec work side-by-side with Linux using Freeswan, or whatever project replaced it, however I never used that program.

    One last thing, if your systems are used by untrusted users, consider how possible it is to use the software restrictions built into Windows. Once that is activated and configured well, it becomes very difficult for a local user to run non-authorized software without sitting at the machine and taking it over first. Refer to rules regarding Software Restriction Policies for this.

    K.
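
The rule precedence described in the comment above, as an added example that is not part of the original comment: a Python model in which the most specific matching rule wins. The rule names, the addresses (documentation ranges) and the longest-prefix ordering among address rules are assumptions of this model, not Windows' own implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR of the remote peer; "0.0.0.0/0" means anyone
    port: Optional[int]   # local port; None means any port
    action: str           # "require-auth" or "permit"

    def matches(self, peer, port):
        in_scope = ipaddress.ip_address(peer) in ipaddress.ip_network(self.src)
        return in_scope and self.port in (None, port)

    def specificity(self):
        # Address scope outranks port scope, as the comment describes.
        # Longest prefix first among address rules is this model's assumption.
        return (ipaddress.ip_network(self.src).prefixlen, self.port is not None)


def decide(rules, peer, port):
    """Return the most specific matching rule, or None if IPsec has no say."""
    hits = [r for r in rules if r.matches(peer, port)]
    return max(hits, key=Rule.specificity) if hits else None


# Constructed policy for a lab; all names and addresses are hypothetical.
POLICY = [
    Rule("auth-everyone", "0.0.0.0/0", None, "require-auth"),
    Rule("public-web", "0.0.0.0/0", 80, "permit"),
    Rule("campus-subnet", "192.0.2.0/24", None, "require-auth"),
    Rule("monitoring-host", "192.0.2.10/32", None, "permit"),
]


def audit(policy, probes):
    """Map each (peer, port) probe to the (rule name, action) that wins."""
    result = {}
    for peer, port in probes:
        rule = decide(policy, peer, port)
        result[(peer, port)] = (rule.name, rule.action) if rule else None
    return result


if __name__ == "__main__":
    probes = [("198.51.100.7", 80), ("198.51.100.7", 3389),
              ("192.0.2.55", 80), ("192.0.2.10", 445)]
    for probe, verdict in audit(POLICY, probes).items():
        print(probe, "->", verdict)
```

In this model the campus subnet rule masks the port 80 exemption for campus hosts, which is the kind of interaction worth checking before a policy is rolled out across a lab.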

    • by GC (19160)
      I've played with this, and found that when setting IPsec policy on a Domain which only has Win2k Domain controllers that the Win2k3 servers do not pick up the Group policy.

      Having said that, it works great. You can even import your certificates into group policy so that domain members can communicate normally automatically - this is useful if you utilise the other security group policy objects and enforce anti-virus, anti-spyware/malware on your domain systems.

      Non Domain systems can be configured and issue
  • FreeBSD... (Score:3, Insightful)

    by josepha48 (13953) on Monday June 27, 2005 @07:53PM (#12926829) Journal
    No seriously I use a FreeBSD box to secure my Linux, Windows, Mac, etc machines.

    Why? Because everyone is out trying to hack Linux and Windows machines, they seem to leave the FreeBSD machines alone, maybe because they don't know what to do with them. Or at least there seems to be less people hacking FreeBSD. Most likely it's just less press about it. NetBSD or OpenBSD would also probably work as well.

    I run my firewall off a custom hacked FreeBSD CDROM. While this makes updates more difficult, it makes replacing files near impossible. Hackers can't replace /bin/ls unless they mount /bin as a memory filesystem, in which case they now have to replace df, mount and several other programs. You really only need /var and /tmp as memory filesystems, and maybe some parts of /etc or the whole /etc.

    It has no hard drive so if the power cycles, it just reboots and it's all fine and dandy. I have a separate machine that I can do builds on and updates. I have trimmed it down to a 64 Megs CD and that includes perl, sshd, apache, dhcpd, and bind9.

    You could do this with Linux as well. I haven't heard of anyone creating a Windows bootable CDROM firewall. Mac needs special hardware, and I'm not that familiar with Mac, but you could probably create a Mac firewall on cd as well.

    If you think it's been hacked, reboot and the hackers have to try again :-)

    There are also commercial hardware firewalls. Some are cheap, like the Netgear, dlink, and Linksys, but some of the better ones are in the $500 plus range.

    • Re:FreeBSD... (Score:3, Insightful)

      by sl3xd (111641) *
      I'm not going to argue with your points; they are fairly good ones. I'll not bother talking about the merits of a BSD based firewall vs. a Linux one, because such conversations generally degenerate into territorial pissings.

      If a user knows how to run and setup a Linux firewall, it's a better idea to stick with a Linux firewall; the 'superiority' of BSD over the Linux solution is arguable at best; however one thing that should be beyond argument is that if you know how to set up and use a Linux firewall, y
  • Cheap Old PC (Score:3, Insightful)

    by eno2001 (527078) on Monday June 27, 2005 @07:54PM (#12926841) Homepage Journal
    My firewall is a Pentium (non-MMX) 200 with 32 Megs of RAM and 1.2 Gigs of HD and two $5 NICs (remember, unless you're dealing with a really high bandwidth pipe, a 100 Mb/s NIC should be plenty). You could probably grab one of those from a local surplus dealer or eBay for less than $50. Then set up Linux (whatever distro you feel you could deal with except Linspire). I use Redhat myself. :) Do a minimal install but remember to keep devel tools on so you can compile all of your own custom stuff. Spend a few days removing all unneeded commands/services, recompiling the kernel for serial console (so you can ditch ssh and/or telnet), iptables support, etc... Set up your inside and outside interfaces. Put on Snort, Portsentry, what have you for security and auditing. Plug it inline and away you go. I've been running with the same exact config since 2001. The only thing I've had to do is rebuild the kernel a few times due to exploits. Also upgrading portsentry from time to time, or snort. So far no one has hacked my network and I'm aware of every packet that enters or exits it. There is nothing outside except for the one NIC on that box. Cheap, simple, efficient.
  • by cybergremlin (136962) on Monday June 27, 2005 @08:24PM (#12927061)
    Take a pair of bolt cutters to the network cable.
    ---
    Or the Aliens option: "Bug out, nuke the site from orbit. Only way to be sure"
  • by capsteve (4595) * on Monday June 27, 2005 @09:52PM (#12927636) Homepage Journal
    the price for Sushant's solution doesn't have to be free, and when building a dedicated firewall based on monowall, it might make sense to use a few new and inexpensive parts.

    my first monowall used the rhine and intel chipset with less than stellar performance, but when i changed the ethernet cards to identical asante etherfast with the tulip chipset, my performance increased dramatically (sorry for the lack of any tech details, but the difference was "subjectively" noticeable).

    if you go the route of using a CF card, do yourself a favor and load monowall on a couple of cards, 16-32 mb cards are dirt cheap. this way you can always experiment with later versions of the firmware, just by swapping cards out. on the other hand, if you go the CD route, you can run without a hard drive (use floppy for xml configs).

    lastly, use a PII or PIII. prolly overkill for your scene, but the last thing you want is a firewall struggling with an anemic cpu.

    m0n0wall is definitely the *nix based firewall for the NT admin ;-)
