Using another computer networked as a Firewall

Archived from groups: comp.security.firewalls (More info?)

"SteadyEddie" <edd_edwards@yahoo.com> wrote in message
news:c6lf0g$n20$1@hercules.btinternet.com...
> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine i actually want to use. What is the

Define what you mean by "networking".
A firewall that is not connected to the network it is protecting is about as
useful as a chocolate teapot.

Archived from groups: comp.security.firewalls (More info?)

> >>I am trying to figure out a way of using another machine as a firewall
> >>then networking it to the machine i actually want to use. What is the
> >>most sucure way of doing this?
> >
> > http://www.ipcop.org details also on http://ipcop.hopto.org

> That looks good but im using a windows based system. I dont have linux.

Well ... you were asking for a "separate machine" (see above)
so there shouldn't be problems in installing linux on the machine
which acts like a firewall/nat/router, also, a windows machine
sitting behind such a firewall won't have problems using it to surf
the net; btw, if you want a windows based solution you may as
well have a look at http://www.idrci.net just pick the packet filter
along with the NAT and you'll be up and running in minutes


--

* ObiWan

DNS "fail-safe" for Windows 2000 and 9X clients.
http://ntcanuck.com

Support and discussions forum
http://ntcanuck.com/net/board

408 XP/2000 tweaks and tips
http://ntcanuck.com/tq/Tip_Quarry.htm

Archived from groups: comp.security.firewalls (More info?)

On Tue, 27 Apr 2004 14:00:59 +0000 (UTC), SteadyEddie spoketh

>we have a small business network. and im trying to put a computer in
>between the network and the internet to act as the firewall. but all the
> web has to offer is sollutions for Linux and I dont have linux
>

Symantec Enterprise firewall
Checkpoint Firewall 1
Microsoft ISA server

Or, simply get a firewall appliance like a Sonicwall or Watchguard ...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

Archived from groups: comp.security.firewalls (More info?)

SteadyEddie <edd_edwards@yahoo.com> wrote in message news:<c6lf0g$n20$1@hercules.btinternet.com>...
> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine i actually want to use. What is the
> most sucure way of doing this?

As ObiWan suggested, IPCop is one choice. Another is Smoothwall
(www.smoothwall.com). Neither of these will work on a Windows-based
machine, but that shouldn't be an issue. Both firewalls install from
a bootable CD, and they will take care of installing the necessary
bits on your target machine, wiping away anything currently on the
hard drive. You don't need to know Linux or Unix to install these.
And once installed you don't need a keyboard, mouse, or monitor
because all the remaining configuring and maintenance is done remotely
via web interface.

What hasn't been mentioned; that may be overlooked; you will need to
install a second NIC into your firewall machine regardless of which
solution you choose.

Archived from groups: comp.security.firewalls (More info?)

http://www.zelow.no/floppyfw/

Use Floppyfw...Take an old PC with 2 NIC's ,a floppydrive and 12MB RAM, no
need for a harddisk because your booting from that floppy.

Floppyfw is a complete linux distribution finetuned for firewall/router that
fits on a single floppy 1.44Mb.

I'm using this now for a while and it is great. Saw some messages on the
FoppyFW forum from pepole using this piece of software for networks with
+400 conputers connected





"SteadyEddie" <edd_edwards@yahoo.com> wrote in message
news:c6lf0g$n20$1@hercules.btinternet.com...
> I am trying to figure out a way of using another machine as a firewall
> then networking it to the machine i actually want to use. What is the
> most sucure way of doing this?
>
>

Archived from groups: comp.security.firewalls (More info?)

"SteadyEddie" <edd_edwards@yahoo.com> wrote in message
news:c6lp2o$7j6$1@sparta.btinternet.com...
> we have a small business network. and im trying to put a computer in
> between the network and the internet to act as the firewall. but all the
> web has to offer is sollutions for Linux and I dont have linux

Most firewalls operate on the data packets that are passing through them so
don't give a toss about wether the network pcs are windows, Linux or Mickey
Mouse OS v2.331

For example, I have an IPCOP box as a firewall which happens to run Linux.
The network it protects has a mixture of Windows 9x, NT4, 2000,XP and Linux
(Three flavours) and the occasional Mac

Please don't take this the wrong way, but having gauged your level of
expertise from your postings I would recommend that you choose something
from the Watchguard range like a SOHO and buy it from a company that can
install it properly for you. You see, a badly installed firewall is almost
as bad as no firewall and you don't strike me as being knowledgable enough
to do it properly. Sorry :-)

Archived from groups: comp.security.firewalls (More info?)

Mike wrote:
> "SteadyEddie" <edd_edwards@yahoo.com> wrote in message
> news:c6lp2o$7j6$1@sparta.btinternet.com...
>
>>we have a small business network. and im trying to put a computer in
>>between the network and the internet to act as the firewall. but all the
>> web has to offer is sollutions for Linux and I dont have linux
>
>
> Most firewalls operate on the data packets that are passing through them so
> don't give a toss about wether the network pcs are windows, Linux or Mickey
> Mouse OS v2.331
>
> For example, I have an IPCOP box as a firewall which happens to run Linux.
> The network it protects has a mixture of Windows 9x, NT4, 2000,XP and Linux
> (Three flavours) and the occasional Mac
>
> Please don't take this the wrong way, but having gauged your level of
> expertise from your postings I would recommend that you choose something
> from the Watchguard range like a SOHO and buy it from a company that can
> install it properly for you. You see, a badly installed firewall is almost
> as bad as no firewall and you don't strike me as being knowledgable enough
> to do it properly. Sorry :-)
>
>

Actually, I'd say that a badly installed firewall is actually *worse* than
no firewall.

At least with no firewall you know you are not protected and should be much
more careful with every machine. With a faulty firewall you think you are
protected, when in fact you are not, and may well be more lax in protecting
machines behind the "firewall".

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

Archived from groups: comp.security.firewalls (More info?)

The Great Cornholio <cornholio@cluelessweasels.com> wrote in
news:bu2u805ilac6vkbbmlp2ae9ko84138jo3i@4ax.com:

>>As ObiWan suggested, IPCop is one choice. Another is Smoothwall
>>(www.smoothwall.com).
>
> I think that should be http://www.smoothwall.org.

Well, for the free one, yes. I should have been more clear.

Archived from groups: comp.security.firewalls (More info?)

ObiWan wrote:
>>If you mean that you want to keep Windows
>>on that system, what on earth for?
>
>
> Well ... if windows is the way he wants to go...
> well, he can go for windows as well, no prob

Except it doesn't meet his "most secure" criteria...

The other problem is closing down all those ports which MS like to open for
you without asking first. Unless the OP is experienced at hardening Windows,
the Linux IPCop route should be much more secure out-the-box.

> just download the CHX-I packet filter and NAT
> from www.idrci.net install and configure it and
> let it go .. btw in either case (Linux or Windows)
> the machine MUST be used as a DEDICATED
> firewall, otherwise you can say goodbye to any
> security you want to achieve

But that would cost him, IPCop is free. CHX-I is only free for personal use,
and securing a "small business network" is most definitely not personal use.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

Archived from groups: comp.security.firewalls (More info?)

Lars M. Hansen wrote:
> On Thu, 29 Apr 2004 14:30:33 +0100, Nigel Wade spoketh
>
>
>>ObiWan wrote:
>>
>>>>If you mean that you want to keep Windows
>>>>on that system, what on earth for?
>>>
>>>
>>>Well ... if windows is the way he wants to go...
>>>well, he can go for windows as well, no prob
>>
>>Except it doesn't meet his "most secure" criteria...
>>
>>The other problem is closing down all those ports which MS like to open for
>>you without asking first. Unless the OP is experienced at hardening Windows,
>>the Linux IPCop route should be much more secure out-the-box.
>>
>
>
> Any professional grade firewall installed on a Windows platform are as
> secure as any other firewall installed on any other platform. And, with
> regards to the "ports MS likes to open for you", they are closed by the
> firewall by default, and you'll have to create specific rules to allow
> access to them.
>

It's just my natural cynisism showing through. I don't trust Windows, and I
most certainly don't trust Windows to run a boundary firewall.

I don't know enough about how a firewall operates in Windows to know what
it's failure modes are and what the implications for the security of that
machine and any others it is protecting are. Is it just a "user land"
application? If so, what happens if it crashes, does it crash "safe" with
all ports left protected, or does it crash and leave the system in the same
state as it would be if the firewall hadn't started?

In Linux, iptables is in the kernel. If the kernel crashes the machine goes
down and the system isn't vulnerable. It most definitely fails safe
(although I've never yet come across an example of iptables failing). If
it's a router/bridge everything behind it is safe.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

Archived from groups: comp.security.firewalls (More info?)

<huge snippage>
> In Linux, iptables is in the kernel. If the kernel crashes the machine
goes
> down and the system isn't vulnerable. It most definitely fails safe
> (although I've never yet come across an example of iptables failing). If
> it's a router/bridge everything behind it is safe.

No intention to start or aliment a flame here, but; first of all,
when I proposed IPCop the original poster wrote that he'd
like to use Windows, so; Ok, let's go for windows, and the
CHX NAT+PF I proposed works (imvho) very well; now,
about the "linux kernel" ... maybe you didn't know this but
Windows 2000 and up (XP, 2003) has a builtin firewall and
packet filter API which resides _in_the_kernel_ so there's
no point in the statement you made above (notice also that
those APIs were _already_ there in NT4 too although they
were undocumented and some functions didn't exist)

Here's the Microsoft reference

http://msdn.microsoft.com/library/ [...] erence.asp

and here's an interesting diagram

http://www.ndis.com/papers/winpktfilter.htm

All the best

Archived from groups: comp.security.firewalls (More info?)

> A firewall that is not connected to the network
> it is protecting is about as useful as a chocolate
> teapot.

Well .. but a chocolate teapot *IS* useful !!

You can always eat it :-) !!!

Archived from groups: comp.security.firewalls (More info?)

"Nigel Wade" <nmw@ion.le.ac.uk> wrote in message
news:c6te4i$s57$1@south.jnrs.ja.net...
> Lars M. Hansen wrote:
> > On Thu, 29 Apr 2004 14:30:33 +0100, Nigel Wade spoketh
> >
> >
> >>ObiWan wrote:

> In Linux, iptables is in the kernel. If the kernel crashes the machine
goes
> down and the system isn't vulnerable. It most definitely fails safe
> (although I've never yet come across an example of iptables failing). If
> it's a router/bridge everything behind it is safe.

Personally I would have thought a kernel crash in *any* operating system
would be enough to make it secure :-)