Announcement

Collapse
No announcement yet.

Hardware Firewalls

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Macavity
    replied
    Originally posted by Friendly_fire
    The trick is to use equipment that doesn't get as hot. The main computer is decent system. The two added motherboards are from older pc's, and a smaller form factor. I believe they used to be emachines and they run around 700mhz (p3). I'll probably add a small fan to the front, just to kick up some more air through the two boards. Probably not the best idea, but it was a lot of fun. So....any firewall suggestions?

    (pictures snipped)
    Well, I'm not too expereinced with server protection, but here's what my experience has taught me:

    99.9% of all problems regarding so-called 'hacking' are directly traceable to user ineptitude, with Clueless Bobby Enduser downloading and running that attachment that seems to come from a friend and purports to be a screensaver with naked pics of (insert celebrity here) - or some similar idiocy.

    Therefore, most people won't need some fancy security suite like Encom UberDefender (Corporate Decker Edition), and standard off-the-shelf stuff works just fine. However, I would recommend that you not use BlackICE Defender, as it's half a firewall (namely, the intrusion-detection half - it stops outside programs from accessing your computer, but does nothing to stop programs from sending information out to the 'Net). Mind you, I last read up on BlackICE Defender about six months ago, so this data could already be out of date.

    Now, my personal preference for a firewall would be either Zone Labs' ZoneAlarm or Tiny Personal Firewall for the surfer-side part of the system, and possibly add a second hardware firewall on both connections. (Correct me if I'm wrong, but I believe it's possible to connect multiple computers to a single hardware firewall.)

    I don't use hardware firewalls myself, mainly because - unlike most people - I'm still stuck on dialup, and a dial connection's usually too slow to be of any real use to a malicious hacker. There may be some out there who have special uses for hijacked dial-up computers, but I haven't heard of anything (outside of DDoS and DRDoS attacks).

    (I would also recommend you test your firewall setup with Gibson Research's ShieldsUP!, but that's just part of my test routine.)
    Last edited by Macavity; August 26, 2005, 15:47.

    Leave a comment:


  • ck3k
    replied
    Hardware firewall fun -

    The WRT54G makes an excellent firewall and a ton of apps are out there for it, including openvpn and some other nifty things.

    PFsense, I use it currently on a test box, however it is internal net only, I don't feel it is ready to be pushed out just yet. It is also really easy to set up you say your internal and external nics and bam, it is up routing with a web based configuration panel. It is based on PF which is openbsd's firewalling solution which is really robust. If you got an old box you might want to give your own set of pf rules a whirl.

    Leave a comment:


  • Friendly_fire
    replied
    Originally posted by Macavity
    Myself, I'd think it would definitely be possible.

    However, what I'd want to know is:

    A) whether it'd be wise to do so, and

    B) just how much cooling equipment you'd need to make sure that your fancy new homebrew surfer/server combo system doesn't become a very expensive paperweight.

    (My money's on water-based liquid cooling and four case fans - two intake, two output - at least.)
    The trick is to use equipment that doesn't get as hot. The main computer is decent system. The two added motherboards are from older pc's, and a smaller form factor. I believe they used to be emachines and they run around 700mhz (p3). I'll probably add a small fan to the front, just to kick up some more air through the two boards. Probably not the best idea, but it was a lot of fun. So....any firewall suggestions?




    Leave a comment:


  • Macavity
    replied
    Originally posted by Friendly_fire
    yeah, in addition to the one that's supposed to be in there. It was quite a project. Hardest part was getting all the PSU's in.
    -ff
    Myself, I'd think it would definitely be possible.

    However, what I'd want to know is:

    A) whether it'd be wise to do so, and

    B) just how much cooling equipment you'd need to make sure that your fancy new homebrew surfer/server combo system doesn't become a very expensive paperweight.

    (My money's on water-based liquid cooling and four case fans - two intake, two output - at least.)

    Leave a comment:


  • Friendly_fire
    replied
    Originally posted by highwizard
    Wait.. are you saying you put two motherboards in a single PC case?
    yeah, in addition to the one that's supposed to be in there. It was quite a project. Hardest part was getting all the PSU's in.
    -ff

    Leave a comment:


  • highwizard
    Guest replied
    Originally posted by Friendly_fire
    I don't mean to piggyback on this thread, but my question is very similar and the answer should help Spanners as well. I happen to have a 2 more motherboards i've managed to stuff into my pc case,
    -ff
    Wait.. are you saying you put two motherboards in a single PC case?

    Leave a comment:


  • Friendly_fire
    replied
    I don't mean to piggyback on this thread, but my question is very similar and the answer should help Spanners as well. I happen to have a 2 more motherboards i've managed to stuff into my pc case, and I was thinking I'd run one as a server and one as a firewall, just for kicks. I was wondering if someone could recommend the platform to use for the firewall. I was thinking between *bsd, gentoo, or a linux-firewall distro. The goal is to learn the most while setting it up, and end up with a secure firewall. Can someone who has setup a pc as a firewall offer a suggestion on which platform would best meet those goals?
    -ff

    Leave a comment:


  • skroo
    replied
    Originally posted by Twigman
    Sorry you've lost me?
    All right. Let me see if I can clarify.

    Originally posted by Twigman
    "Hardware firewalls are dedicated devices" - yes agreed.
    We're on the same page so far.

    Originally posted by Twigman
    "you suggesting that corporate environments should run dedicated PCs (for example) as firewalls?" - yes? Well they can if they feel it is necessary. Obviously is depends on circumstances and many other things.
    Right, I think I see where you're coming from, so will attempt to answer accordingly: yes, there's nothing preventing them from doing so, but in general it doesn't happen. More:

    But my main point was that corporate environments are much more suited to having dedicated machines than the home environment in my opinion.
    Is that what you mean? Sorry Im a bit confused.
    Not exactly - I think what had me confused was the use of the term 'machine' in this context. When I hear 'machine', I think PC or equivalent. When I hear 'device', I think dedicated piece of infrastructure (router, switch, firewall, AP, etc.).

    Answering the point raised, though, it would generally go against best practices to run firewalls on PCs in a corporate environment. From the standpoints of management, vulnerability, and efficiency it's generally better to have an infrastructure device in place carrying out whatever task it's intended for than a general-purpose computer.

    Think of it this way: you work for Company X, whose entire routing infrastructure is based on ISA under Windows 2000 (it would be crappy, but it's doable and only an example, so bear with me). The worm of the week hits one of your internal machines before a patch is available. It now spreads to your routing infrastructure, meaning that not only has it a) killed its path of infection, but also b) brought your network to its knees, meaning that c) you can't effectively patch the affected machines. With dedicated infrastructure in place, the likelihood of that infrastructure itself being taken down by <insert threat here> is greatly reduced. Not eliminated, but reduced.

    Note that I'm not saying that only a Windows routing platform would be a mass-nightmare scenario in a situation like this: remove the worm from the equation and replace it with a zero-day remote root exploit in, say, iptables, and you've got the same potential for disaster in a Linux-based environment.

    Leave a comment:


  • Twigman
    replied
    Originally posted by skroo
    Hang on... Hardware firewalls are dedicated devices - so unless I've missed something here, are you suggesting that corporate environments should run dedicated PCs (for example) as firewalls?
    Sorry you've lost me?
    "Hardware firewalls are dedicated devices" - yes agreed.
    "you suggesting that corporate environments should run dedicated PCs (for example) as firewalls?" - yes? Well they can if they feel it is necessary. Obviously is depends on circumstances and many other things. But my main point was that corporate environments are much more suited to having dedicated machines than the home environment in my opinion.
    Is that what you mean? Sorry Im a bit confused.

    Originally posted by highwizard
    Listen, if you're replying to a post that is not the parent poster it's consider bad taste and confusing to not quote it. The reason for this is, I don't know if you're replying to my post in this thread or someone elses.
    Yes, I realise that was a bit retarded. It was in relation to "Voltage Spike"'s post above mine with the power usage issue.

    Leave a comment:


  • skroo
    replied
    Originally posted by Spanners
    Thanks Skroo, some of the third-party firmware looks excellent. What made you change your setup from the WRT54G out of interest?
    No worries. By doing some reshuffling of the network infrastructure, I was able to get the WRT54G positioned in such a way that the IDS could monitor all of the traffic between it and the wired network. Since this was in the *really* early days of firmware hacks for those boxes, it was pretty much my only option. That was a couple of years ago and I've just left it that way ever since. The decision had nothing to do with WRT54G performance or other issues - in fact, I was very happy with it up to the point where a cheaper-than-dirt Pix fell into my lap, and am still more than satisfied with its performance as (essentially) a wireless bridge. Hell, we even used it as our AP at LayerOne last year and it performed brilliantly.

    Leave a comment:


  • noid
    replied
    Since it seems like you're looking for hardware firewalls for home use I personally would suggest MicroTik (http://www.mikrotik.com/). They have some really nifty stuff. For example they have a 128MB IDE Flash with the software on it, so you just slot it in your motherboard and you instantly have the router/fw set up. They also have lots of nifty wireless gear too.

    Leave a comment:


  • Spanners
    replied
    Originally posted by noid
    What have you looked at besides PIX?
    I've looked at very little in the vendor world to be honest, your advice would be invaluable. Random homebrew research has suggested IPCop, Smoothwall, Devil or just self-tweaked 2.6.x kernel stuff if time and motivation permitted.

    Originally posted by highwizard
    price range? .. configure your own .. or .. vendor?
    No particular budget but being frugal helps me sleep at night. No preferences between homebrew/vendor, but I assume a homebrew solution gives a lot more control.

    Originally posted by skroo
    something like a Linksys WRT54G .. There are also a LOT of options in terms of third-party Firmware
    Thanks Skroo, some of the third-party firmware looks excellent. What made you change your setup from the WRT54G out of interest?

    Sorry for starting a firewall war! My initial question is answered - Yes I should use a hardware firewall.

    Leave a comment:


  • highwizard
    Guest replied
    Originally posted by Twigman
    That was going to be my point.
    In the standard home situation, having a dedicated machine on 24/7 is:

    Listen, if you're replying to a post that is not the parent poster it's consider bad taste and confusing to not quote it. The reason for this is, I don't know if you're replying to my post in this thread or someone elses.

    Leave a comment:


  • klepto
    replied
    Originally posted by skroo
    Mmmm... The Linksys units are still in need of some TLC out of the box, same as the others. As for egress/ingress filtering, this is where the ability to change to a 3rd-party firmware comes in.
    Not much 3rd party firmware, most are WAP or WIFI-Router hacks.

    True, but not everyone has the budgetary constraints to run that hardware.
    Depends, You can get a linksys rv042 for about 150 bucks if you look hard. and since the thread starter has a network, and doesn't use the router/switch unit, then I assume he/she is using a standalone switch. buy that linksys router for 150 bucks and slap on the switch since he has 5 nodes, Router only handles 4 direct links. The router handles ingress/filtering and many other options. US robotics also has a pretty decent unit that can offer the same protection/options with around the same price if not a lil bit higher.

    Leave a comment:


  • skroo
    replied
    Originally posted by klepto
    Dlink and Netgear's configuration I believe, you have to play with it a little and lock it down. Linksys is the better of the bunch with everything disabled.
    Mmmm... The Linksys units are still in need of some TLC out of the box, same as the others. As for egress/ingress filtering, this is where the ability to change to a 3rd-party firmware comes in.

    Business grade routers do have the option for egress/ingress filtering and that's why I recommended it.
    True, but not everyone has the budgetary constraints to run that hardware.

    I meant to state that he should use the 'business-class' stuff for home use. If you want REAL business grade stuff, then go for Juniper or F5
    *Shrug* if wishes we're horses, I'd have some Maseratis and a helicopter.

    Leave a comment:

Working...
X