better network setup security wise - Security


Thread: better network setup security wise

  1. better network setup security wise

    I have another question

    I am reconfiguring my network, so as to make the internet connection I
    have at home available to all machines without a single point of
    failure. The current setup is

    Internet --> adsl router --> FW machine --> local network

    the FW machine also works as an ad hoc machine, including as a game
    machine. This setup forces the fw machine to be up all the time. But the
    reason I chose this setup is that I trust the linux firewall much much
    more than the typical firewalls you find on any router. For example I
    can see in my FW logs that even though the adsl router's firewall is
    turned on, lots of requests from internet scanners reach the firewall
    machine, which they really should not.

    Additionally, the second network interface on the FW machine runs some
    services I need at home, such as samba. I don't want any internet
    scanners to find and access these services, because I don't want to
    spend time adding a lot of extra security to these services.

    So my question is, are router firewalls safe to use? I assume that the
    firewalls would need some reconfiguring from the factory/isp default to
    make them safer, but would that be safe enough?

    I realise that it is difficult to answer that question and that it
    depends on the level of the default isp configuration. But my suspicion
    is that generally router firewalls are of mediocre quality and easy to
    bypass in contrast to the linux firewall. Actually more generally, that
    any commercial security product is at best of mediocre quality. Tests I
    have read about indicated that.

    tom

  2. Re: better network setup security wise

    Really all the hardware routers can do (normally) is provide NAT, port
    forwarding and block ports. There's no protocol examination and they
    won't connection attempts like a portsentry/iptables combo. It's a lot
    better than relying on a host based firewall as most Microsoft Windows
    XP users do. That said, while you shouldn't rely on it I think it
    provides another layer of protection and you have fewer worries about
    it being corrupted or altered. You should of course disable remote
    administration of the device.


  3. Re: better network setup security wise

    Tom Forsmo wrote:
    > I have another question
    >
    > I am reconfiguring my network, so as to make the internet connection I
    > have at home available to all machines without a single point of
    > failure. The current setup is
    >
    > Internet --> adsl router --> FW machine --> local network
    >
    > the FW machine also works as an ad hoc machine, including as a game
    > machine. This setup forces the fw machine to be up all the time. But the
    > reason I chose this setup is that I trust the linux firewall much much
    > more than the typical firewalls you find on any router. For example I
    > can see in my FW logs that even though the adsl router's firewall is
    > turned on, lots of requests from internet scanners reach the firewall
    > machine, which they really should not.


    Even so, I would not recommend you use an everyday-use machine for
    critical functions like network routing and firewalling.

    If you have any spare hardware lying around, from a Pentium-100 on up,
    you could do yourself an enormous favour by installing a dedicated *nix
    firewalling solution - there are at least half a dozen of those.

    My personal favourite is ipcop, not in the least because it has:

    - support for up to 5 interfaces: dial-up, WAN, LAN, DMZ and WiFi.
    - very tight security by default
    - easy web administration
    - extensive logging and monitoring capabilities
    - SNORT intrusion detection, fully configurable
    - Squid caching http proxy
    - support for multiple IPsec VPN tunnels

    And a few dozen 3rd party plugins available to add even more functionality.

    It will run on any system, 100MHz and up w/64MB or more.

    www.ipcop.org to find out all about it.

    > Additionally, the second network interface on the FW machine runs some
    > services I need at home, such as samba. I don't want any internet
    > scanners to find and access these services, because I don't want to
    > spend time adding a lot of extra security to these services.
    >
    > So my question is, are router firewalls safe to use? I assume that the
    > firewalls would need some reconfiguring from the factory/isp default to
    > make them safer, but would that be safe enough?


    That depends a lot on the exact make and model of the device; there is
    as much difference between their security as there is between their
    prices, boxes, and features.

    Some of them have absolutely no clue at all what network security is.

    > I realise that it is difficult to answer that question and that it
    > depends on the level of the default isp configuration. But my suspicion
    > is that generally router firewalls are of mediocre quality and easy to
    > bypass in contrast to the linux firewall. Actually more generally, that
    > any commercial security product is at best of mediocre quality. Tests I
    > have read about indicated that.


    I would amend that to read "any *consumer* commercial product".
    I don't think our Cisco firewalls are inherently insecure.

    J.

  4. Re: better network setup security wise

    One other option, esp. if you are worried about noise or power
    consumption, is a Linux based router such as the WRT54GL or any other of
    a number of devices supported by OpenWrt or DD-WRT. These devices
    are tiny processors which run Linux by default and may be updated with
    a number of open source replacement firmware configurations to include
    real firewalls such as iptables with logging to a remote computer. Of
    course there's less worry about corruption of the file system with such
    devices and they are easy to reflash. You should remove remote
    administration of course. I use one as the first off the net device and
    then run another Linux computer with iptables running behind it. The
    second one has no logins but has Samba running and serves as a file
    server and secondary barrier for the internal network.

