
youssef

join:2008-04-17
Windsor, ON

Advantage to having a business class firewall

Hi Guys,

I'm looking to see if there are any real advantages to using a business class firewall as in Cisco PIX / ASA, Sonicwall or a m0n0wall firewall. I know that you can use the third party firmware like Tomato or DD-WRT, but I'm curious if that can be easily bypassed by an outside threat vs. a Cisco/Sonicwall/M0n0wall product. I currently run Tomato on my Linksys WRT54GL router, and want to see if there is an advantage to moving up to a better firewall.


NytOwl

join:2012-09-27
canada
Where a business class firewall would arguably be more useful is that most utilize IPS (Intrusion Prevention System) in addition to basic firewall functions.

IPS analyzes the traffic that's flowing through and can drop packets based on whether the traffic matches a particular vulnerability that it knows about. Of course, IPS signatures do have to be updated from time to time on whatever firewall you're utilizing it on in order to be aware of new vulnerabilities.

In addition, a proper firewall would allow you to set security policies ("rules") for what kind of traffic would be allowed (or disallowed) in specific directions (inbound/outbound) from/to Internet and internal networks/VLANs.

Example Rule 1 (block specific services between two separate internal subnets):

Source: eth4 (192.168.200.0/24)
Destination: eth2 (172.16.30.0/24)
Services: http, ssh, microsoft-ds, nbsession, icmp
Action: DROP

Example Rule 2 (allow connection to Internet from specific internal subnet):

Source: eth2 (172.16.30.0/24)
Destination: eth0 (WAN)
Services: Any
Action: ALLOW

...and so on.

I don't know what kind of set up you have (or are planning to have) at your residence, so I can't really speak as to whether that functionality would have any true advantage to you.

Of course, you could also get this functionality from free firewall products installed on a spare computer (m0n0wall, IP-cop, pfSense, etc.) - though I don't know whether those products have IPS functionality as I have yet to experiment with them, myself.


youssef

join:2008-04-17
Windsor, ON
reply to youssef
NytOwl,

Thanks for the help. Currently my setup is like this:

Cable Modem --> WRT-54GL --> Cisco Switch --> 2 Servers.

1 Server holds all my important files including backups which is running Windows Server 2008

1 Server is running Linux and runs a Web server and is also a file server along with running SSH.

I've had a couple of intrusions on my Linux box because it was not locked down well enough. I was lucky and caught it quite quickly and locked it down using iptables.

I realize I could just use iptables on the Tomato router, but I would like something a little more on the side of IPS instead of just iptables.

Next question would be, do you notice much lag (for lack of a better word, or bottleneck) because of the packet inspection due to IPS?


NytOwl

join:2012-09-27
canada

1 edit
From my standing, a good firewall shouldn't produce any noticeable lag with an IPS implementation (of course, if you're under some sort of big attack and it's hyper-analyzing, that could theoretically affect performance).

Unless I'm misunderstanding, your Windows server is strictly for internal use while your Linux server is being used for both internal and external purposes.

This is where having a proper firewall with separately defined interfaces/subnets would prove handy for added security to your internal network.

You could use one interface/subnet (say, 192.168.1.0/24) for your Linux server (and any other externally accessible devices you may want to implement in the future - call it a DMZ, if you will), and another separate interface/subnet (say, 172.16.1.0/24) for your internal devices. Next, use the firewall policy rulebase to give them both outbound access to the Internet, while restricting communication inbound to only the required ports/services per interface/subnet. In addition, use other rules to define which ports/services per direction that the interfaces/subnets are allowed to communicate between each other.

EDIT: You mentioned your Linux server is running SSH. One added security measure you could implement to lock it down more is to disable password authentication and strictly use certificates (please Google how to do this if you're not familiar - I'm not an expert on the topic). It's a PITA, because you'd only be able to SSH to it from devices that have the certificate installed, but it would virtually eliminate the possibility of a password brute-force attack being successful for SSH access.
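The directional rulebase described above (the two Example Rules from the earlier post and the DMZ/internal split from the previous paragraph) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from any of the posters or from any firewall product: it classifies a packet by the interface its source and destination addresses belong to, walks the rules top-down with first-match semantics, and drops anything no rule allows. The interface names for the DMZ layout (eth1/eth2) and the sample addresses are assumptions of the example; the 192.168.200.0/24, 172.16.30.0/24, 192.168.1.0/24 and 172.16.1.0/24 subnets are the ones used in the posts. The model is stateless, whereas a real firewall also admits the reply half of an allowed connection from its state table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names as used in the rules above, mapped to (protocol, destination port).
# icmp has no port, so its port is None.
SERVICES = {
    "http": ("tcp", 80),
    "ssh": ("tcp", 22),
    "microsoft-ds": ("tcp", 445),
    "nbsession": ("tcp", 139),
    "icmp": ("icmp", None),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src_if: str
    dst_if: str
    services: Optional[frozenset]   # None means "Any"
    action: str                     # "ALLOW" or "DROP"


def iface_of(interfaces, addr):
    """Map an address to the interface whose subnet contains it. The WAN
    interface (subnet None) catches everything that is not internal."""
    ip = ipaddress.ip_address(addr)
    wan = None
    for name, net in interfaces.items():
        if net is None:
            wan = name
        elif ip in net:
            return name
    return wan


def matches_service(pkt, name):
    proto, port = SERVICES[name]
    return pkt.proto == proto and (port is None or pkt.dport == port)


def evaluate(interfaces, rules, pkt):
    """First matching rule wins; a packet that matches no rule is dropped
    (default deny). Stateless: replies are not tracked here."""
    src_if, dst_if = iface_of(interfaces, pkt.src), iface_of(interfaces, pkt.dst)
    for rule in rules:
        if (rule.src_if, rule.dst_if) != (src_if, dst_if):
            continue
        if rule.services is not None and not any(matches_service(pkt, s) for s in rule.services):
            continue
        return rule.action
    return "DROP"


# --- The two Example Rules from the earlier post (its interface names/subnets) ---
EXAMPLE_IFACES = {
    "eth0": None,                                        # WAN
    "eth2": ipaddress.ip_network("172.16.30.0/24"),
    "eth4": ipaddress.ip_network("192.168.200.0/24"),
}
EXAMPLE_RULES = [
    Rule("eth4", "eth2", frozenset({"http", "ssh", "microsoft-ds", "nbsession", "icmp"}), "DROP"),
    Rule("eth2", "eth0", None, "ALLOW"),
]

# --- DMZ layout from the post above (interface names eth1/eth2 are assumed) ---
DMZ_IFACES = {
    "eth0": None,                                        # WAN
    "eth1": ipaddress.ip_network("192.168.1.0/24"),      # DMZ: externally reachable Linux box
    "eth2": ipaddress.ip_network("172.16.1.0/24"),       # internal devices
}
DMZ_RULES = [
    Rule("eth0", "eth1", frozenset({"http", "ssh"}), "ALLOW"),          # only required services inbound
    Rule("eth1", "eth0", None, "ALLOW"),                                # DMZ out to the Internet
    Rule("eth2", "eth0", None, "ALLOW"),                                # internal out to the Internet
    Rule("eth2", "eth1", frozenset({"ssh", "http", "icmp"}), "ALLOW"),  # admin access from inside
    # No rule allows eth1 -> eth2 or eth0 -> eth2, so the default DROP applies:
    # a compromised DMZ host cannot reach the internal file server.
]

if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.5 stands in for an Internet host.
    for pkt in (Packet("203.0.113.5", "192.168.1.10", "tcp", 80),
                Packet("203.0.113.5", "192.168.1.10", "tcp", 445),
                Packet("192.168.1.10", "172.16.1.20", "tcp", 445),
                Packet("172.16.1.20", "192.168.1.10", "tcp", 22)):
        print(pkt, "->", evaluate(DMZ_IFACES, DMZ_RULES, pkt))
```

Adding a new externally reachable service means adding one ALLOW rule from eth0 to the DMZ interface for that service only; everything else stays blocked by the default deny at the end of the walk.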
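The SSH hardening suggested in the EDIT above is a matter of a few sshd_config keywords, and the usual way it silently fails is a duplicate keyword: sshd keeps the first value it reads for a keyword, so a "PasswordAuthentication no" added at the bottom of a file that already says "yes" higher up changes nothing, and settings placed after a Match line apply only conditionally. The checker below is an added example written for this thread, not code from any poster or from OpenSSH; it applies those OpenSSH parsing rules (assumed from the sshd_config manual) to the global section of a config file and reports what still allows a password to be typed. The sample configs are constructed.

```python
import re


def parse_global_section(text):
    """Map each keyword (lowercased) to (first_value, line_no) for the global
    part of an sshd_config. Only the first occurrence of a keyword counts,
    matching sshd; parsing stops at the first Match line because everything
    after it is conditional."""
    effective = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.split(r"[\s=]+", line)   # sshd accepts "Key value" and "Key=value"
        key = tokens[0].lower()
        if key == "match":
            break
        value = tokens[1].lower() if len(tokens) > 1 else ""
        effective.setdefault(key, (value, line_no))
    return effective


def audit(text):
    """Return a list of findings; an empty list means only key-based logins
    are possible as far as the global section is concerned."""
    eff = parse_global_section(text)
    findings = []

    pw = eff.get("passwordauthentication")
    if pw is None:
        findings.append("PasswordAuthentication not set; OpenSSH defaults it to yes")
    elif pw[0] != "no":
        findings.append(f"PasswordAuthentication is '{pw[0]}' (line {pw[1]}; first occurrence wins)")

    # Keyboard-interactive (PAM) prompts are a second way to type a password.
    # Newer OpenSSH spells the keyword KbdInteractiveAuthentication.
    kbd = eff.get("kbdinteractiveauthentication") or eff.get("challengeresponseauthentication")
    if kbd is None or kbd[0] != "no":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is not 'no'; "
                        "password prompts via PAM remain possible")

    pk = eff.get("pubkeyauthentication")
    if pk is not None and pk[0] != "yes":
        findings.append(f"PubkeyAuthentication is '{pk[0]}' (line {pk[1]}); key logins would be refused")

    return findings


# Constructed sample: key-only, with a Match block that is deliberately ignored.
SAMPLE_GOOD = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: the common mistake, a late duplicate that sshd never uses.
SAMPLE_BAD = """\
# constructed sshd_config
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, but sshd already took 'yes' from line 2:
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit(text) or "OK")
```

Run it against /etc/ssh/sshd_config after editing, and also against the output of `sshd -T`, which prints the effective configuration and is the authoritative answer when the file has Include lines or Match blocks the checker skips.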


d4m1r

join:2011-08-25
Reviews:
·Start Communicat..
reply to youssef
There is no need for a business class firewall if the reason you want is because your linux box got hacked into a few times....That just means you did a poor job of securing it (no offence) and a beefier firewall still won't do that for you.

I'd instead recommend reading up on basic steps to secure a linux box.
--
www.613websites.com Budget Canadian Web Design and Hosting


youssef

join:2008-04-17
Windsor, ON
Thanks for your input, but as I stated, I did not lock it down good enough, and I know that was my fault. Also, this was not my question, my question was what are the advantages to a business class firewall vs a tomato/dd-wrt router/firewall.

Thanks for your time though.


youssef

join:2008-04-17
Windsor, ON
reply to NytOwl
NytOwl: Thanks for all your information, I really appreciate your comments and help. I have already switched my SSH setup from password authentication to certificates. I found that pretty much stopped the attacks along with using iptables and DROPping packets headed to SSH from unknown IPs.

I will probably continue to look for a good business class firewall then. The firewall is not only for the use, but the fun of learning how to set it up correctly.


NytOwl

join:2012-09-27
canada
said by youssef:

I will probably continue to look for a good business class firewall then. The firewall is not only for the use, but the fun of learning how to set it up correctly.

Yes, it is indeed a good (and occasionally fun) learning experience.

I have a Fortinet FortiWiFi 20C at home. It's not what I would've purchased for myself, but I got it for free from work.

Because I support Fortinet firewalls at work, it's handy to have at home for self-training/learning.

I do plan on eventually switching to a different solution at home, however. The 40C would be better for my needs in the long term (the interfaces on the 20C are only in switch mode; you can't logically separate them; for this reason it's probably not good for you, either) but I might go in a different vendor direction altogether. My duties at work will slightly influence the decision when the time comes.


TwiztedZero
Nine Zero Burp Nine Six
Premium
join:2011-03-31
Toronto, ON
kudos:5
reply to youssef
For home use, build & roll your own firewall starting with a Linux base. There's a lot of info out there on this sort of deal and you'll get plenty of hands-on real world experience.

Industrial/business class firewall appliances could be nice, but they do get spendy too, most usually requiring a yearly licensing fee apart from the initial outlay for the hardware unit.

As for your Fortinet appliance, you lucked out.
I'd wonder though if it has any licensing/subscription requirements on a yearly basis?
If so, how hackable would it be to shoehorn your own solution into it once licensing is no longer an option? For a home user it'd be a shame to have to toss it into a closet to gather dust unless you want to keep throwing cash at it every year.
--
You see there is only one constant. One universal. It is the only real truth. Causality. Action, reaction. Cause and effect.
Twitter:Merv Chat:irc.teksavvy.ca


youssef

join:2008-04-17
Windsor, ON
said by TwiztedZero:

For home use, build & roll your own firewall starting with a Linux base. There's a lot of info out there on this sort of deal and you'll get plenty of hands-on real world experience.

Industrial/business class firewall appliances could be nice, but they do get spendy too, most usually requiring a yearly licensing fee apart from the initial outlay for the hardware unit.

Thanks for the advice Merovingian! I thought of rolling out my own m0n0wall device, I still might buy a little alix board and install m0n0wall on it. I am still checking out my options right now. My thought on it was it can cost me a couple hundred bucks to get that up and running, and for under a hundred I could have a Cisco PIX.

As for the licensing, I am worried about that! I don't think I would have to get any further licensing for the PIX as long as it came with the right licensing. Newer stuff I would have to keep up to date. I was looking into Untangle, it looks pretty good. Anyone have experience with Untangle?


Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
Mikrotik!

Linux based, cheap, and powerful, lots of hardware choices.

I have well over a hundred in the field, but at the house here, I have an RB600 board (no longer made, I retired it from a PoP after doing 3 years of service in extreme conditions and many many terabytes of data) with 2x802.11N dual chain mini PCI cards, 3 gigabit ports.

Will do just about anything you want.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca


NytOwl

join:2012-09-27
canada
reply to youssef
Fortinet firewalls, including the bottom-of-the-line 20C model that I have, require a subscription for support and for IPS/Anti-Virus utilization. It comes with a 1-year subscription but afterwards it has to be renewed.

I would probably be able to renew mine for free when the time comes, if I so desire, through where I work, but by then I might be using a different solution. Time will tell.

I don't consider Fortinet a good option for home users who don't have any professional background in the Internet Security field; it's not the easiest suite to learn and get used to, quite frankly.

As for Cisco PIX, keep in mind that it's been EOL for a while, having been succeeded by the ASA (Adaptive Security Appliance) line.

I have yet to actually try out any of the do-it-yourself free Linux-based firewall solutions, personally. I've heard of countless ones, however:

pfSense
m0n0wall
IPCop
SmoothWall
OpenWall
Sophos UTM Home Edition (formerly Astaro's free home version)

One thing I would suggest is to download a bunch and install them in a virtual machine (VMware Workstation or the free Oracle VirtualBox) — or on a spare computer lying around — to try them out and see which one you'd likely prefer using as your actual production firewall.

Good luck!


CyberCam

join:2008-04-21
Whitby, ON
Reviews:
·TekSavvy Cable
·TekSavvy DSL

4 edits

1 recommendation

I can vouch for pfSense, I've used all those firewalls in that list and all are decent but I swear by pfSense being the gem out of the lot. It's the most secure, stable and practically maintenance-free and it's very easy to use too!

I've set up pfSense as a firewall on every last one of the SMB customers that I support and have never had an issue with the software. It's free of licensing fees and can be installed on a wide variety of hardware. Any issues that do arise are always from incorrect configuration or bad hardware that needs to be replaced.

There are many package add-ons that are downloadable from within the web interface. Some of the capabilities are MLPPP, WAN load balancing, bandwidth monitoring, OpenVPN, Snort IPS, UPnP forwarding, Squid Web Proxy with blacklisting and a number of other features!

Essentially I've set it up at a private Christian School a few weeks ago, so the kids can have Internet access, but can't get to any of the "BAD" sites on the web. The school LOVES it as do many other of my customers!

Here are some screenshot images from my pfSense firewall web configuration menus (I have Teksavvy MLPPP dual lines).

Login screen
»i54.photobucket.com/albums/g81/c···ogin.jpg

Main Dashboard
»i54.photobucket.com/albums/g81/c···oard.jpg

Package Manager
»i54.photobucket.com/albums/g81/c···ager.jpg

Bandwidth Monitor (3rd Party package)
»i54.photobucket.com/albums/g81/c···itor.jpg

Tabbed Menus
»i54.photobucket.com/albums/g81/c···menu.jpg
»i54.photobucket.com/albums/g81/c···menu.jpg
»i54.photobucket.com/albums/g81/c···menu.jpg
»i54.photobucket.com/albums/g81/c···menu.jpg
»i54.photobucket.com/albums/g81/c···menu.jpg
»i54.photobucket.com/albums/g81/c···menu.jpg
»i54.photobucket.com/albums/g81/c···menu.jpg
»i54.photobucket.com/albums/g81/c···menu.jpg

Hope this helps... Cheers!