Where can I find a good article on tightening my hardware firewall? Also, is a hardware sufficient or should I still have a back up in place?
What platform is it running on (Solaris, Linux, Windoze...)?
Also, what are you planning to use it for?
(On a side note, what the hell happened to the edit function????)
My organization is using a linux based firewall running on an old P 133 that is dual-homed. The firewall runs entirely in memory, so the box needs no hard drive. If you are interested in this project, drop me a line.
Interesting firewall setup. How many stations is it linked to?
What firewall did you use?
And what was the reason you used it?
What was the config?
Most importantly, were network penetrations reduced or eliminated?
I would also like some information on this, and am also curious how many connections it can support. How much memory does it require?
Quote:
Originally posted here by David Anasco
My organization is using a linux based firewall running on an old P 133 that is dual-homed. The firewall runs entirely in memory, so the box needs no hard drive. If you are interested in this project, drop me a line.
Just a quick question: Is a Linux box running ipchains or whatever considered a hardware firewall? I thought a hardware firewall would be stuff from Cisco or Nokia: dedicated hardware that can run nothing else. A PC running Linux+ipchains or Windows NT+Checkpoint would be a software firewall. Am I right or did I miss something?
And as to how to secure it. It all depends on your policy and there are 2 ways to go about it.
a) allow everything and only block what you really don't want.
This will make it easy to configure (allow any any), and users can do almost everything. If you want to do something new, nothing needs to change and it will probably run on the first try. But you need to keep an eye on new vulnerabilities because everything is basically allowed.
b) allow nothing and only open what you need.
This is also easy to configure at first (block any any) but needs changes if you want something new to go through the firewall. This can be very tricky to set up if you need to run all sorts of stuff through the firewall.
Both have their pros and cons so it all depends on your policy. Same thing with the backup. If your policy dictates the firewall must be up for 99.999% of the time, you will definitely need something like a hot-standby or some load balancing (make sure 1 firewall can handle all your traffic if you go for the load balancing).
In short make a policy and configure your firewall based on this policy.
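The two policies above (default-allow with a short block list versus default-deny with a short allow list), and the later remark in this thread that ipchains, unlike CheckPoint, was not a stateful inspection firewall, are easier to reason about with a toy packet filter in hand. The following is an added example written for this page, not code from any poster or from ipchains/iptables; the addresses, ports and packets are constructed sample data, and the rule fields (direction, proto, sport, dport, syn) are a simplification of what a real filter matches on.

```python
"""Toy packet filter: default-allow vs default-deny, stateless vs stateful.

Added example for illustration; not the code of any firewall product.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as the filter sees it (constructed sample data)."""
    direction: str      # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP connection-opening segment (SYN, no ACK)


@dataclass(frozen=True)
class Rule:
    """A stateless match; any field left as None is a wildcard."""
    action: str                    # "ACCEPT" or "DROP"
    direction: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None     # True: new connections only; False: non-SYN only

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.direction, p.direction), (self.proto, p.proto),
            (self.sport, p.sport), (self.dport, p.dport), (self.syn, p.syn)))


class Firewall:
    """First matching rule wins; if no rule matches, the default policy applies.

    With stateful=True the filter also keeps a connection table and accepts any
    packet that is the reverse of a flow it already accepted, i.e. stateful
    inspection. With stateful=False every packet is judged on its own.
    """
    def __init__(self, policy: str, rules: List[Rule], stateful: bool) -> None:
        self.policy, self.rules, self.stateful = policy, list(rules), stateful
        self.conntrack: Set[Tuple[str, str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and reverse in self.conntrack:
            return "ACCEPT"        # reply to a flow this firewall already let through
        verdict = next((r.action for r in self.rules if r.matches(p)), self.policy)
        if verdict == "ACCEPT" and self.stateful:
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


def default_allow() -> Firewall:
    """Policy (a): allow everything, block only what you really don't want."""
    return Firewall("ACCEPT", [
        Rule("DROP", direction="in", proto="tcp", dport=23),    # telnet
        Rule("DROP", direction="in", proto="tcp", dport=139),   # NetBIOS session
    ], stateful=True)


def default_deny(stateful: bool) -> Firewall:
    """Policy (b): block everything, open only what you need."""
    rules = [
        Rule("ACCEPT", direction="out", proto="tcp", dport=80),            # browsing
        Rule("ACCEPT", direction="out", proto="udp", dport=53),            # DNS lookups
        Rule("ACCEPT", direction="in", proto="tcp", dport=25, syn=True),   # our MTA
    ]
    if not stateful:
        # Without a connection table, replies to outbound web traffic need a
        # static hole: any non-SYN TCP segment from source port 80. Any outside
        # host that sets sport=80 and clears SYN walks through the same hole.
        rules.append(Rule("ACCEPT", direction="in", proto="tcp", sport=80, syn=False))
    return Firewall("DROP", rules, stateful)


# Constructed sample traffic (documentation-range addresses, not a real capture).
LAN, WEB, REMOTE = "192.0.2.10", "198.51.100.7", "203.0.113.9"
HTTP_REQ     = Packet("out", "tcp", LAN, 40000, WEB, 80, syn=True)
HTTP_REPLY   = Packet("in",  "tcp", WEB, 80, LAN, 40000)
TELNET_PROBE = Packet("in",  "tcp", REMOTE, 51001, LAN, 23, syn=True)
SMB_PROBE    = Packet("in",  "tcp", REMOTE, 51000, LAN, 445, syn=True)
SPOOFED      = Packet("in",  "tcp", REMOTE, 80, LAN, 6000)   # sport 80, no SYN


def run(fw: Firewall, packets: List[Packet]) -> List[str]:
    """Feed packets through fw in order and return the verdict for each."""
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print("default-allow:", run(default_allow(), [TELNET_PROBE, SMB_PROBE]))
    print("default-deny, stateful:",
          run(default_deny(True), [HTTP_REQ, HTTP_REPLY, SMB_PROBE, SPOOFED]))
    print("default-deny, stateless:",
          run(default_deny(False), [HTTP_REQ, HTTP_REPLY, SPOOFED]))
```

The default-allow filter drops the telnet probe it was told about but passes the SMB probe on a port nobody added a rule for, which is the "keep an eye on new vulnerabilities" cost of policy (a). The default-deny filter drops both probes, and the stateful variant admits the web reply only because it saw the matching outbound request first; the stateless variant needs a standing "source port 80, not SYN" rule for the same reply, and that rule admits the spoofed packet too.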
"I thought a hardware firewall would be stuff from cisco or Nokia. Dedicated hardware that can run nothing else."
Hmmm, I would tend to agree. However, I don't want to be picky, but you can use Nokias for anything (mail servers, routers, IDS, web servers, etc., and of course firewalls).
Watchguard, pix, raptor, netscreen, nokia, etc are considered hardware firewalls.
Checkpoint, ipchains, etc are considered software firewalls.
However as you can see the waters are muddied somewhat as checkpoint can run on nokia, and watchguards are basically a gui frontend for ipchains.
All the above are considered enterprise firewalls, though that's debatable with Watchguards.
If I could figure out how to get DAIP working on CheckPoint, I would use that at home. But at the moment I use IPCop (www.ipcop.org).
Handles dynamically allocated IP's for cable and dsl. And supports a single DMZ with NAT.
Again this is based on ipchains.
In the workplace I would recommend CheckPoint on Nokia or Cisco PIX.
Steer clear of running any firewall on a windows machine.
This used to be true, but as more appliances are running Linux/ipchains people are noting that the distinction is a false one. Take note that Cisco and Nokia firewalls both run Unix underneath, so they are basically a cheap PC running ipchains with a new front end (OK, a proprietary version of ipchains, but the functionality is the same). If you get a cheap PC, slap Linux on it and remove all other services besides what is absolutely needed for ipchains, you have a PIX at 1/10 of the cost.
Quote:
Originally posted here by SirDice
Just a quick question: Is a Linux box running ipchains or whatever considered a hardware firewall? I thought a hardware firewall would be stuff from Cisco or Nokia: dedicated hardware that can run nothing else. A PC running Linux+ipchains or Windows NT+Checkpoint would be a software firewall. Am I right or did I miss something?
Quote:
Originally posted here by iNViCTuS
I would also like some information on this, and am also curious how many connections it can support. How much memory does it require?
Go here: http://www.freesco.org/
We use these firewalls in a public library setting. Each library branch has a different amount of users connected through it. All of our public access workstations are behind this firewall. The main library has over 60 computers connected to it, and we have had no problems. HTH
A PIX is not a Unix based firewall. It is a proprietary device that has a command set that is not even remotely close to a Unix box. Now sure, you could make the argument that some ideas for the PIX may have originally been based on concepts of Unix, because what OS doesn't have some Unix characteristics, but again... it is NOT Unix, and especially NOT ipchains.
Quote:
Originally posted here by bballad
Take note that Cisco and Nokia firewalls both run Unix underneath, so they are basically a cheap PC running ipchains with a new front end (OK, a proprietary version of ipchains, but the functionality is the same). If you get a cheap PC, slap Linux on it and remove all other services besides what is absolutely needed for ipchains, you have a PIX at 1/10 of the cost.
You are a little more accurate on the Checkpoint statement, because yes, Nokia devices are Unix based. Keep in mind however that Checkpoint can also run on Windows (for those dumb enough to do it).
This looks to me like a router, not a firewall???
Quote:
Originally posted here by David Anasco
Go here: http://www.freesco.org/
We use these firewalls in a public library setting. Each library branch has a different amount of users connected through it. All of our public access workstations are behind this firewall. The main library has over 60 computers connected to it, and we have had no problems. HTH
Quote:
Originally posted here by bballad
Take note that Cisco and Nokia firewalls both run Unix underneath, so they are basically a cheap PC running ipchains with a new front end (OK, a proprietary version of ipchains, but the functionality is the same). If you get a cheap PC, slap Linux on it and remove all other services besides what is absolutely needed for ipchains, you have a PIX at 1/10 of the cost.
The Nokia OS is a proprietary one developed by Ipsolon Systems but loosely based on BSD Unix.
Nokias are not an ipchains based firewall; they are merely a hardware appliance that, amongst other things, has CheckPoint FireWall installed on it.
CheckPoint is and always has been a stateful inspection firewall, and as far as I know, until later versions, ipchains is not.
Cisco PIX does not run Unix underneath. As iNViCTuS says, there are similarities with Unix, but then what OS does not. Even DOS.
PIXes don't even run the same IOS as their range of switches and routers, as they were developed by another company (which I think Cisco bought).
At the end of the day, most enterprise firewalls are very similar. There is only so much reinventing you can do.
Just stay away from anything created by 2wire.
I downloaded one from www.linxorbit.net, Smoothwall. Set it up on an old Compaq Deskpro 4000 w/ P-133, 128 MB RAM, 2 GB HD, built-in Compaq NIC and an Intel 10/100 Pro. Rebuilt the machine in an hour. Downloaded and burned the Smoothwall in 30 min, then installed and configured it. Connected it to a broadband router. Running it headless for the past 3 months. Easy to use and configure. Have 3 Linux machines behind it and sometimes a Windoze XP. Works very well. I've done this 4 different times with Compaq Deskpro 4000s. Easy to do and works very well.