Hi, I work for a company with a few stores in the USA. How can I monitor/restrict the bandwidth of the stores? For instance, I would like to block sites like YouTube, hi5, etc., also effectively block MSN, WebMSN, and Yahoo Messenger, and block all peer-to-peer downloads (Kazaa, eMule, LimeWire, etc.).
My network scenario in each store is: INTERNET > CISCO > SWITCHES > PC-USERS
I would like to set up the Netgear FWAG114 as a firewall with routing disabled, because the Netgear FWAG114 is behind a Cisco router, and I don't want the "Cisco integrated services router" to be replaced by the Netgear; I only want to use the firewall capabilities of the Netgear. Is there a way to achieve it?
Thanks in advance.
What kind of Cisco do you use? What kind of internet connection is it (Cable, DSL, Leased line) and if the latter what type of circuit? Is the Cisco also acting as a DHCP server?
Depending on the model and IOS you use, the FWAG114 may not add all that much that you can't achieve with the router. In principle, based on what I read from your first post, you could achieve most if not all of what you want with an access-list.
I have cable internet; my goal is to block MSN Messenger, YouTube, and peer-to-peer clients.
My Cisco has the c870-advsecurityk9-mz.123-8.YI2 IOS. I think I can block ports with the Cisco ACL but can't block MSN and can't block by URL; that's why I intend to combine it with the Netgear... just a thought...
First, you can use an ACL to block IMs and P2P programs, as these use specific ports. If you use IOS version 12.4(9)T or higher you can block IM, P2P etc. even if they are tunneled through another port (like HTTP).
Here's the but: most combined router/firewalls, such as the Netgear, are either poor at routing or at firewalling (this includes Cisco IOS; it is primarily a router and will not achieve the level of security a firewall can). If you want that, I'd suggest using a dedicated firewall such as Checkpoint or PIX. Of course these are more expensive.
In case you want to use a dedicated firewall, you may want to just set up one at a central location and direct all traffic to that location, sending it to the firewall and back out to the internet, as it saves on purchasing cost and maintenance. You can achieve this quite easily using VRFs on the central router and connect the other routers to that router via BGP. You do need to make sure your ISP has given you static IPs and that they allow BGP traffic between your routers, and you need to secure it from the rest of the 'net. It'll still allow you to send traffic between the stores without passing through the central location, and requires you to change the IOS from the adv security to the adv IP version. Note that you may also want to upgrade the bandwidth at the central location to facilitate the extra internet traffic.
The latter version is the more secure, as only the central site (which is firewalled) allows direct traffic from the internet. It's also much more complex to implement, but once it's running you only have one firewall to administer instead of multiple access-lists and routing policies, as these are all the same (excepting the central location).
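A worked example of the port-based ACL approach from the reply above, added here and not taken from any post in the thread: an extended ACL on the store router's LAN interface that drops the default ports of the IM and P2P clients named in the question, followed by an NBAR class for the P2P protocols that can move off their default ports. The ACL name, interface name, and the assumption that the clients are still on their well-known ports are mine; the NBAR stanza assumes an IOS image and feature set that supports those `match protocol` keywords.

```cisco
! Port-based blocking: applied inbound on the LAN-facing interface so the
! traffic is dropped before it is routed toward the Internet.
! Ports are the clients' well-known defaults (assumption: clients were not
! reconfigured to use other ports).
ip access-list extended BLOCK-IM-P2P
 remark MSN Messenger (TCP 1863) and Yahoo Messenger (TCP 5050)
 deny   tcp any any eq 1863
 deny   tcp any any eq 5050
 remark Kazaa / FastTrack default port
 deny   tcp any any eq 1214
 deny   udp any any eq 1214
 remark eMule / eDonkey default port range
 deny   tcp any any range 4661 4672
 deny   udp any any range 4661 4672
 remark LimeWire / Gnutella default port
 deny   tcp any any eq 6346
 deny   udp any any eq 6346
 remark BitTorrent default port range
 deny   tcp any any range 6881 6889
 remark everything else from the store LAN stays allowed
 permit ip any any
!
! Protocol-based blocking for P2P clients that hop ports: NBAR classifies
! the flow by its payload rather than by port number (assumption: the IOS
! image in use supports NBAR and these protocol keywords).
class-map match-any P2P-APPS
 match protocol kazaa2
 match protocol gnutella
 match protocol edonkey
 match protocol bittorrent
!
policy-map DROP-P2P
 class P2P-APPS
  drop
!
interface Vlan1
 description Store LAN (interface name is an assumption)
 ip access-group BLOCK-IM-P2P in
 service-policy input DROP-P2P
```

Verify the ACL is matching with `show ip access-lists BLOCK-IM-P2P` (the hit counters on each deny line) and the NBAR class with `show policy-map interface Vlan1`.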
Hi, I contacted Netgear support and they told me that my Netgear appliance has routing disabled by default, so I just changed the subnet and attached it to my Cisco router; that way I got a gateway between my router and my network with URL filtering capabilities. Now I have the next question, derived from the action I performed...
* In the Cisco device I have configured a site-to-site VPN with another remote identical Cisco, I have a large ACL (access control list), I have NAT (port forwards for many virtual servers and many services...), and if now the Netgear has a different subnet, it must become the DHCP server (I think) and default gateway for the network, is that right? If yes, the Cisco NAT, ACL, and VPN will become useless due to the different subnet... Is there a way to have the Netgear as a firewall but with the network clients having the Cisco as their default gateway, so that the network keeps the Cisco subnet instead of the Netgear-firewall subnet, keeping all the Cisco features as well as the Netgear features? Or can the Cisco device handle the Netgear appliance in the middle, and is there a way to keep all of both devices' features?
You can configure the Netgear as the firewall, but as it is not routing you could also allow the Cisco to be the DHCP server. By far the easiest way, but the Netgear has to allow DHCP traffic to pass. Essentially nothing will change on the Cisco, so you need not reconfigure your VPNs.
I wouldn't use Netgear in an environment like you describe, and don't have one at home, so I can't say what the exact config should be. Essentially, if the Netgear is not in routing mode it should be bridging. If so, it should not interfere with the VPNs or DHCP. You do need to allow that traffic in the Netgear firewall.
Another option is to set up the VPN from Netgear to Netgear and just let the Cisco route all traffic, assuming the Netgear can do that.