Well, I'm not too expereinced with server protection, but here's what my experience has taught me:

99.9% of all problems regarding so-called 'hacking' are directly traceable to user ineptitude, with Clueless Bobby Enduser downloading and running that attachment that seems to come from a friend and purports to be a screensaver with naked pics of (insert celebrity here) - or some similar idiocy.

Therefore, most people won't need some fancy security suite like Encom UberDefender (Corporate Decker Edition), and standard off-the-shelf stuff works just fine. However, I would recommend that you not use BlackICE Defender, as it's half a firewall (namely, the intrusion-detection half - it stops outside programs from accessing your computer, but does nothing to stop programs from sending information out to the 'Net). Mind you, I last read up on BlackICE Defender about six months ago, so this data could already be out of date.

Now, my personal preference for a firewall would be either Zone Labs' ZoneAlarm or Tiny Personal Firewall for the surfer-side part of the system, and possibly add a second hardware firewall on both connections. (Correct me if I'm wrong, but I believe it's possible to connect multiple computers to a single hardware firewall.)

I don't use hardware firewalls myself, mainly because - unlike most people - I'm still stuck on dialup, and a dial connection's usually too slow to be of any real use to a malicious hacker. There may be some out there who have special uses for hijacked dial-up computers, but I haven't heard of anything (outside of DDoS and DRDoS attacks).

(I would also recommend you test your firewall setup with Gibson Research's ShieldsUP!, but that's just part of my test routine.)

Hardware firewall fun -

The WRT54G makes an excellent firewall and a ton of apps are out there for it, including openvpn and some other nifty things.

PFsense, I use it currently on a test box, however it is internal net only, I don't feel it is ready to be pushed out just yet. It is also really easy to set up you say your internal and external nics and bam, it is up routing with a web based configuration panel. It is based on PF which is openbsd's firewalling solution which is really robust. If you got an old box you might want to give your own set of pf rules a whirl.

The trick is to use equipment that doesn't get as hot. The main computer is decent system. The two added motherboards are from older pc's, and a smaller form factor. I believe they used to be emachines and they run around 700mhz (p3). I'll probably add a small fan to the front, just to kick up some more air through the two boards. Probably not the best idea, but it was a lot of fun. So....any firewall suggestions?

Myself, I'd think it would definitely be possible.

However, what I'd want to know is:

A) whether it'd be wise to do so, and

B) just how much cooling equipment you'd need to make sure that your fancy new homebrew surfer/server combo system doesn't become a very expensive paperweight.

(My money's on water-based liquid cooling and four case fans - two intake, two output - at least.)

yeah, in addition to the one that's supposed to be in there. It was quite a project. Hardest part was getting all the PSU's in.
-ff

Wait.. are you saying you put two motherboards in a single PC case?

I don't mean to piggyback on this thread, but my question is very similar and the answer should help Spanners as well. I happen to have a 2 more motherboards i've managed to stuff into my pc case, and I was thinking I'd run one as a server and one as a firewall, just for kicks. I was wondering if someone could recommend the platform to use for the firewall. I was thinking between *bsd, gentoo, or a linux-firewall distro. The goal is to learn the most while setting it up, and end up with a secure firewall. Can someone who has setup a pc as a firewall offer a suggestion on which platform would best meet those goals?
-ff

All right. Let me see if I can clarify.

We're on the same page so far.

Right, I think I see where you're coming from, so will attempt to answer accordingly: yes, there's nothing preventing them from doing so, but in general it doesn't happen. More:

Not exactly - I think what had me confused was the use of the term 'machine' in this context. When I hear 'machine', I think PC or equivalent. When I hear 'device', I think dedicated piece of infrastructure (router, switch, firewall, AP, etc.).

Answering the point raised, though, it would generally go against best practices to run firewalls on PCs in a corporate environment. From the standpoints of management, vulnerability, and efficiency it's generally better to have an infrastructure device in place carrying out whatever task it's intended for than a general-purpose computer.

Think of it this way: you work for Company X, whose entire routing infrastructure is based on ISA under Windows 2000 (it would be crappy, but it's doable and only an example, so bear with me). The worm of the week hits one of your internal machines before a patch is available. It now spreads to your routing infrastructure, meaning that not only has it a) killed its path of infection, but also b) brought your network to its knees, meaning that c) you can't effectively patch the affected machines. With dedicated infrastructure in place, the likelihood of that infrastructure itself being taken down by <insert threat here> is greatly reduced. Not eliminated, but reduced.

Note that I'm not saying that only a Windows routing platform would be a mass-nightmare scenario in a situation like this: remove the worm from the equation and replace it with a zero-day remote root exploit in, say, iptables, and you've got the same potential for disaster in a Linux-based environment.

Sorry you've lost me?
"Hardware firewalls are dedicated devices" - yes agreed.
"you suggesting that corporate environments should run dedicated PCs (for example) as firewalls?" - yes? Well they can if they feel it is necessary. Obviously is depends on circumstances and many other things. But my main point was that corporate environments are much more suited to having dedicated machines than the home environment in my opinion.
Is that what you mean? Sorry Im a bit confused.

Yes, I realise that was a bit retarded. It was in relation to "Voltage Spike"'s post above mine with the power usage issue.

No worries. By doing some reshuffling of the network infrastructure, I was able to get the WRT54G positioned in such a way that the IDS could monitor all of the traffic between it and the wired network. Since this was in the *really* early days of firmware hacks for those boxes, it was pretty much my only option. That was a couple of years ago and I've just left it that way ever since. The decision had nothing to do with WRT54G performance or other issues - in fact, I was very happy with it up to the point where a cheaper-than-dirt Pix fell into my lap, and am still more than satisfied with its performance as (essentially) a wireless bridge. Hell, we even used it as our AP at LayerOne last year and it performed brilliantly.

Since it seems like you're looking for hardware firewalls for home use I personally would suggest MicroTik (http://www.mikrotik.com/). They have some really nifty stuff. For example they have a 128MB IDE Flash with the software on it, so you just slot it in your motherboard and you instantly have the router/fw set up. They also have lots of nifty wireless gear too.

I've looked at very little in the vendor world to be honest, your advice would be invaluable. Random homebrew research has suggested IPCop, Smoothwall, Devil or just self-tweaked 2.6.x kernel stuff if time and motivation permitted.

No particular budget but being frugal helps me sleep at night. No preferences between homebrew/vendor, but I assume a homebrew solution gives a lot more control.

Thanks Skroo, some of the third-party firmware looks excellent. What made you change your setup from the WRT54G out of interest?

Sorry for starting a firewall war! My initial question is answered - Yes I should use a hardware firewall.

Listen, if you're replying to a post that is not the parent poster it's consider bad taste and confusing to not quote it. The reason for this is, I don't know if you're replying to my post in this thread or someone elses.

Not much 3rd party firmware, most are WAP or WIFI-Router hacks.

Depends, You can get a linksys rv042 for about 150 bucks if you look hard. and since the thread starter has a network, and doesn't use the router/switch unit, then I assume he/she is using a standalone switch. buy that linksys router for 150 bucks and slap on the switch since he has 5 nodes, Router only handles 4 direct links. The router handles ingress/filtering and many other options. US robotics also has a pretty decent unit that can offer the same protection/options with around the same price if not a lil bit higher.

Mmmm... The Linksys units are still in need of some TLC out of the box, same as the others. As for egress/ingress filtering, this is where the ability to change to a 3rd-party firmware comes in.

True, but not everyone has the budgetary constraints to run that hardware.

*Shrug* if wishes we're horses, I'd have some Maseratis and a helicopter.