Firewall - Hardware or Software?

Discussion in 'Networking and Security' started by mgookin, Jun 30, 2013.

  1. To those who do enterprise IT:

    I want a good firewall on my network where I can see what's happening from the outside in; I'm not concerned about internal traffic.

    I have Comcast Commercial (I think it's 50mbps) coming from their modem to my switch (24 port LinkSys) via a Cat6. I'd like a firewall where I can see what's going on, hit the brakes if necessary, lock it out when we're away from workstations temporarily, etc...

    Can I put a pc between the modem & the switch?
    If yes:
    1) Will this limit our bandwidth? And if yes to this question, what parameter in that pc would be the limiting factor?
    2) What hardware & software will that pc need?
    3) Could I also make that a file server where the parent directories are not accessible over the internet? Or should I use a separate box for this to be safe?
    If no:
    What should I do?

    Thanks!
     
  2. Just so you know - what you're asking, security professionals spend years learning...

    What do you mean by "see what's happening from the outside in.."?

    My guess is that your "network" is experiencing a lot of script-kiddies rattling your door-knob in search of low-hanging fruit - unsecured networks they can easily penetrate. This is common on retail networks like Comcast/Time Warner/ATT (residential *and* business-class - no difference)...

    If you want to "look" and see what's going on, you'll want a machine capable of analyzing your traffic. On Unix systems, the command is tcpdump. On Windows systems, it's called windump (www.winpcap.org). Stick it between your modem and switch to see what the traffic is.

    From a professional standpoint, most security architectures embrace the onion model:

    - the network is designed in layers

    - firewalls are placed between each layer

    - the least secure/most accessible (like web, dns, and mail servers) are on the outside, either in front or immediately behind the front firewall

    - most secure is in the least accessible layer, behind all the firewalls. Machines in this layer (like databases housing customer and transaction data) are indirectly accessible from the front, through agent machines - traffic hops on a layer-by-layer basis. Never directly.

    If you value your data or your machine, your file server shouldn't be a firewall. And there should be no firewall rules allowing access to the fileserver from any layer above it.

    Yes, your fileserver can have a host-based firewall to prevent access to just that machine. But don't dangle it out there. Because if it's Windows-based, it will be broken into. Not if, but when (within 3 hours is my guess).

    Any non-ASIC based machine that acts as a router or firewall will reduce your bandwidth. However, on a home network, this is negligible, as your bandwidth is pretty low compared to enterprise networks. Retail "business-class" bandwidth is still pretty low - the 50Mbps is the burst rate, not the guaranteed rate. And cable is shared - the more people active on a shared line, the slower your bandwidth will be.

    You can build a firewall out of anything these days. You can build software-based firewalls with Windows (it'll suck) or any Unix/Unix-like system.

    If you aren't experienced, it might be best to buy a ready-made, hardware-based firewall/router like a Linksys/Netgear or whatever. They're kind of lame, but user-friendly.

    Just know that the more you spend, the better the network performance. The next step up would be Cisco/Juniper-based systems.

    But higher priced doesn't mean better security. It just means better network performance.

    Whether you choose hardware or software-based, you should bone up on firewall/security principles so you don't end up with a configuration resembling cheesecloth with a big hole cut out of the middle (i.e., what's the point?)

    You should understand the following:

    Default security stance - default deny and default allow
    Traffic flow:
    - know the diff between traffic entering an interface and leaving an interface.
    - know your protocols - tcp, udp, icmp
    - know your ports - 20-21(ftp), 22(ssh), 23(telnet), 25(smtp aka email), 53(DNS), 80(http), 110(pop3 - email), 123(ntp - network time), 137-139(windows NetBIOS), 143(imap - email), 443(https). There are 65,535 ports each for tcp and udp, but the above are the most common.
    - you'll need to learn what ports your trading software uses, and allow them access in and out
    - you'll need to determine if you need finer-grained access control (user-based instead of IP/protocol/port-based rules) and learn how to implement/configure proxy servers.

    All in all, the questions you've asked are more complex than you probably bargained for...

    No matter what you decide, do recognize the following security principle:

    network security is like locking the doors and windows of your house. It keeps the stupid/clueless people out.

    The smart people will find easier ways to get what they want. Mostly through social engineering.

    The greatest security risk is people:
    - they tend to use the same password everywhere
    - they tend to use easily guessable passwords from personal info and relationships.
    - they never change their passwords
    - they trust others too easily
    - they willingly give up info to complete strangers (especially "authority" figures who may not be)
    - they let complete strangers "case" them under the guise of a vendor/agency/authority - customer relationship
    - they reply back to "official-looking" emails
    - they click on bad links in their emails that convince them to enter exploitable information
    - they click on insecure pictures in emails, like "click to see Lady Gaga's perky c-cups", etc.
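
The "default security stance" and "traffic entering vs. leaving an interface" points from the post above, as an added example that is not part of the thread. It is a stateless first-match rule model; the interface names `wan` and `lan`, both rule sets and the probe packets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" = entering that interface, "out" = leaving it
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # destination port (0 for icmp)

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    iface: str
    direction: str
    proto: str
    dports: frozenset = frozenset()   # empty set = any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface, self.direction, self.proto)
                == (p.iface, p.direction, p.proto)
                and (not self.dports or p.dport in self.dports))

def decide(rules, default, pkt):
    """First matching rule wins; the default stance handles everything else."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

def exposed_ports(rules, default, probes):
    """Destination ports of the probe packets that the policy lets through."""
    return sorted(p.dport for p in probes if decide(rules, default, p) == "allow")

# Constructed policies. "wan" (modem side) and "lan" (switch side) are assumed names.
# Stateless model: reply traffic for outbound connections is not represented.
DEFAULT_ALLOW = [  # block what you thought of, allow the rest
    Rule("deny", "wan", "in", "tcp", frozenset({23, 137, 138, 139})),
]
DEFAULT_DENY = [   # allow what you need, block the rest
    Rule("allow", "lan", "in", "tcp", frozenset({80, 443})),
    Rule("allow", "lan", "in", "udp", frozenset({53})),
]
# Constructed unsolicited connection attempts arriving from the internet side.
PROBES = [Packet("wan", "in", "tcp", port) for port in (21, 22, 23, 25, 139, 443)]

if __name__ == "__main__":
    print("default allow:", exposed_ports(DEFAULT_ALLOW, "allow", PROBES))
    print("default deny: ", exposed_ports(DEFAULT_DENY, "deny", PROBES))
```

Under default allow, every port missing from the blocklist stays reachable from outside; under default deny, the same port 443 is allowed only when the packet enters on the inside interface.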
     
  3. Eight


    Start with the ideas of Linux and whitelisting. You initially close off all access to your secure computer from the internet, then supply a list of URLs that you will allow connections to. If you are building a trading computer you would whitelist your broker and data provider. If you want to monitor activity on your trading computer you would have to whitelist the URLs for doing that.

    Don't start with the idea that all the security products sold for Windows actually work, it's simply not true.

    Don't buy the idea that nobody is hacking Linux machines, it's simply not true. I set up a Linux whitelisting firewall with Firestarter but then left the firewall turned off. After an hour or two idling but connected to the internet I found that somebody(s) had gotten in and changed my whitelist to include URLs of a few DNS servers. I'm assuming they were planning to use those servers for a cache poisoning attack on me.

    Somebody can correct me if I'm wrong but if you only allow the numerical forms of the URLs in your whitelist you should bypass the DNS servers.

    Syswan builds some inexpensive hardware firewalls that can do whitelisting. I had the same hardware with another brand name on it and it would go wide open after a power glitch. Maybe if it were protected from power glitches that would be the most direct route to a secure trading computer.
     
  4. It's not a trading operation. It's a manufacturing facility.

    There's nothing weird going on. A simple packet sniffer will allow me to see when there's traffic and see where it's coming from.

    So from a hardware perspective, can I take a pc with dual lan ports and run it from the modem to the switch?

    That makes it as easy as pulling an Ethernet cable out of a port as I go to lunch or walk out on the production floor without having to shut down all the systems.

    The most critical data are on a box not even connected to the network or the internet. That's not an issue.

    I once had a home network where data went into a box stacked with LAN cards and when I'd get up from my desk I'd just pull the ethernet cable from a port and know it's as secure as can be; then when sitting back down it's as easy as reinserting that cable right in front of me.

    So a box between the modem and switch with dual LAN is feasible in this situation?

    Where are Winston, Boli & Scat?
     
  5. With most cable modems, you just need 1 NIC since the modems often have 4 ports on the box. Traffic is broadcast across all 4 ports, so you can plug in your system into any of the 4 ports to see all the traffic coming in from the outside.

    With 2 ports, you can configure the box as a router, and watch traffic coming in from both the outside and inside network....
     
  6. Of the 4 ports, 1 goes to the video surveillance and 1 goes to the 24 port switch.

    What I'm proposing is take the 1 that goes to the switch and plug it into a pc. Then from another port on that pc, go to the switch. This lets me see everything coming in and I can disable the entire connection (except the video surveillance) instantly and easily.

    Make sense?
     
  7. Yep...
     
  8. Thanks Blah. That's sort of what I used to do on a relatively complex home network 10 years ago.