hardware proxy/firewall for office

I'm looking to configure something for an office with 8 wifi laptops and 3 wired network PCs, to prevent access to undesirable sites. Internet will be coming in on a regular 24Mb DSL wired/wireless modem. I was going to run one PC off this that can access anything, outside the firewall.

I'm wondering if there's a second box I can hook up to this via cat 5 that will filter internet access to the other 2 PCs and 8 laptops? I'd prefer something with whitelist/blacklist ability, but I'm not really sure whats available.

LoGiE

Maybe take a look at smoothwall or ipcop?

LoGiE

LoGiE wrote: »

Maybe take a look at smoothwall or ipcop?

Thanks for those suggestions. They look promising. I'm ploughing through the smoothwall docs right now.

bhickey

Deleted User wrote: »

I'd prefer something with whitelist/blacklist ability, but I'm not really sure whats available.

OpenDNS is very effective and might be worth a look at too. It can be setup immediately and evaluated while you're thinking about what hardware setup you might like.

bhickey

bhickey wrote: »

OpenDNS is very effective and might be worth a look at too. It can be setup immediately and evaluated while you're thinking about what hardware setup you might like.

Thanks - that might be just what I need to start. I'm not relishing the thought of re-imaging an old machine, installing another NIC and tweaking all the settings, so I might just use this instead.

bhickey

Now as OpenDNS filtering is based on DNS, if you have some IT wannabe smart-asses on the premises, they will try and find a way around OpenDNS but you still have the options of some simple changes to keep manners on them :

1. Restrict their user permnissions on their computers to stop them messing with their computers' DNS settings
2. Firewall DNS. Depending on your firewall's capabilities, you may be able to redirect all DNS requests to OpenDNS's DNS servers even though a user might have changed their computer to try and use a different DNS server.
3. Make sure you tick the Proxy/Anonymiser box in your Network Settings in OpenDNS.

After that, the only way they'll get out is through a VPN to some external location. If they get that far then give up and offer them a job in the IT Dept :rolleyes:

bhickey

bhickey wrote: »

Now as OpenDNS filtering is based on DNS, if you have some IT wannabe smart-asses on the premises, they will try and find a way around OpenDNS but you still have the options of some simple changes to keep manners on them :

1. Restrict their user permnissions on their computers to stop them messing with their computers' DNS settings
2. Firewall DNS. Depending on your firewall's capabilities, you may be able to redirect all DNS requests to OpenDNS's DNS servers even though a user might have changed their computer to try and use a different DNS server.
3. Make sure you tick the Proxy/Anonymiser box in your Network Settings in OpenDNS.

After that, the only way they'll get out is through a VPN to some external location. If they get that far then give up and offer them a job in the IT Dept :rolleyes:

All very good points, and greatly appreciated. I'm not expecting to have any hackers on the premises, but you never know!

Jumpy

bhickey wrote: »

Now as OpenDNS filtering is based on DNS, if you have some IT wannabe smart-asses on the premises, they will try and find a way around OpenDNS but you still have the options of some simple changes to keep manners on them :

1. Restrict their user permnissions on their computers to stop them messing with their computers' DNS settings
2. Firewall DNS. Depending on your firewall's capabilities, you may be able to redirect all DNS requests to OpenDNS's DNS servers even though a user might have changed their computer to try and use a different DNS server.
3. Make sure you tick the Proxy/Anonymiser box in your Network Settings in OpenDNS.

After that, the only way they'll get out is through a VPN to some external location. If they get that far then give up and offer them a job in the IT Dept :rolleyes:

*types in IP address of playboy.com*

ta daaaaa

Capt'n Midnight

Jumpy wrote: »

*types in IP address of playboy.com*

ta daaaaa

IP ROUTE 216.163.137.68 MASK 255.255.255.255 10.0.0.1

where 10.0.0.1 is just a junk address

Capt'n Midnight

Capt'n Midnight wrote: »

IP ROUTE 216.163.137.68 MASK 255.255.255.255 10.0.0.1

where 10.0.0.1 is just a junk address

I take it smoothwall or ipcop would be more resilient against this kind of circumvention?

bhickey

Jumpy wrote: »

*types in IP address of playboy.com* ta daaaaa

Actually try that and you'll be putting your pants back on if any of the following categories are blocked in the OpenDNS settings :

....... Sexuality, Nudity, Pornography

OpenDNS is not as easy to get around as people might think.

LoGiE

Deleted User wrote: »

I take it smoothwall or ipcop would be more resilient against this kind of circumvention?

Yes as well as providing you with a good firewall, proxy and QOS. Then of course theres reporting tools for bandwitdh used, by whom and at what time of day etc. It's not very difficult to setup once you read the documentation and have a little networking knowledge.

jpl888

If you are going to the trouble of installing a machine for use with IPCOP or the type, why not install a full Linux distro on there and you will be able to do all the firewalling/blocking/whatever you need on that one machine.

For instance I install such machines for people which have file and print sharing, VPN, content filtering (OpenDNS and HAVP), mail serving, anti-spam, backup, firewalling, wireless acess point, virtualisation, the sky is the limit.

brianoconnell

To put any of these solutions in place they would have to be in front of the wired/wireless router your devices connect to. You may need additional network components to implement them.

jpl888

brianoconnell wrote: »

To put any of these solutions in place they would have to be in front of the wired/wireless router your devices connect to. You may need additional network components to implement them.

That isn't necessarily true, it's down to how you configure it. Perhaps you could elaborate on the scenario you are thinking of?

In my scenario PCs connect to a switch which is connected to a Linux server (acting as a bridge/router and firewall amongst other things) which is attached to a DSL modem.

In that scenario you only need extra equipment if you need wireless too. For instance you could purchase a wireless access point or configure the Linux server as a wireless access point (as long as you have an Atheros, Broadcom or Ralink chipset).

If the wireless access point is purchased it would need to be in front of the Linux server for the firewalling, etc to still be effective.

jpl888

So to answer the OP's question more specifically his "unrestricted" PC would need to go between the Linux server and the DSL modem, therefore bypassing the bridged firewall completely.

I have done this kind of setup so feel free to ask specifics.

See http://www.johnlewis.ie/2010/08/06/transparent-bridging-firewalls/ for an article I did on same.

At the moment, I'm looking at using OpenDNS with DNS set up at the router/DSL box.

The one thing that doesn't appear to offer me is the ability to put a machine on a "DMZ" - i.e. unaffected by OpenDNS content filtering. Is there any way to do this?

jpl888

Use different DNS servers on that machine, but then there's nothing stopping anyone else on the network changing theirs either. Something to bear in mind.

Capt'n Midnight

jpl888 wrote: »

Use different DNS servers on that machine, but then there's nothing stopping anyone else on the network changing theirs either. Something to bear in mind.

if you have a decent firewall you can set rules for port 53 traffic

The firewall is a zyxel (spelling?) from eircom, and we also have an older eircom netopia. I do have a linksys wrt54 at home that I could reflash with DD-WRT distro to extend the functionality.

brianoconnell

It would be helpfull at this point to lay out your network diagram. You have DSL into what model Zyxel? Does the Zyxel have wireless, are the wired PC's directly connected to the Zyxel, how many ports does it have?

rolion

Sorry,maybe too late posting...Why don;t you get a Sonicwall with 25 users licence and Comprehensive Security Gateway that has all the Content Filtering scheme that you want to use !? Also,antivirus,ids and ips !

Also,on the wireless network,is the most secure box out there,by using secure vpn for wifi clients and a different network subnet for WIFI net ,with powerfull NAT/Routing rules from wifi net to lan/wan networks !?

I mean,you can get many benefits than a simple CF function...


If you want to use a Linux distro/box,i recommend Astaro .

Regards.

bhickey

Deleted User wrote: »

The one thing that doesn't appear to offer me is the ability to put a machine on a "DMZ" - i.e. unaffected by OpenDNS content filtering. Is there any way to do this?

jpl888 wrote:

Use different DNS servers on that machine, but then there's nothing stopping anyone else on the network changing theirs either. Something to bear in mind.

This all depends on what your firewall can & can't to. For machines on the LAN, force all DNS requests to OpenDNS - that fixes the possible issue of people changing their own DNS servers settings. Similarly, on the DMZ allow all DNS requests to proceed unmolested.

It's unlikely that any router/firewall you have there would be able to do this sort of thing satisfactorily so you'll need a proper router/firewall (i.e. NOT Sonicwall) at some stage. Try any of the Mikrotik routers and you'd be amazed at all the funky sorts of things you can get up to with them.

rolion

bhickey wrote: »

It's unlikely that any router/firewall you have there would be able to do this sort of thing satisfactorily so you'll need a proper router/firewall (i.e. NOT Sonicwall) at some stage. Try any of the Mikrotik routers and you'd be amazed at all the funky sorts of things you can get up to with them.

Latest generation of Sonicwall routers comes with Enhanced Operating System version...Have you ever touch it ? ? Myself,never heard about Mikrotik in a small business setup,tbh !

With enhanced OS on Sonicwall,you get 8 (eight) ports that can be configured/nat/routing/and so on per port basis, so you can have 8 vlans with own settings for Firewall,for NAT,for IPS/IDS,for routing,with per port rules....is not enough ! ? ? But ,sometimes that is too much for some techies...

Regards.

bhickey

Okay fair enough, Sonicwalls are fine if they're setup properly by someone who knows what they're doing. Unfortunately I haven't yet come across one that was setup by such a person

Even so, I think that Sonicwalls are still too expensive for what they are. That, in my humble opinion, is the real reason that so may resellers/consultants push Sonicwalls. After all, why sell a customer a €50-100 router when you can sell them a €300-500 one plus land them with annual subscription fees for poorly implemented "protection" services?

jpl888

I've used Sonicwalls and the like quite a bit before. All I can say is it only has equivalent functionality to a well configured Linux distro (Ubuntu would be my choice) with Webmin or Ebox on and it's expensive.

Why would you want to trust something that is a closed box like that too.? Who knows what undiscovered vulnerabilities lie there.

rolion

jpl888 wrote: »

I've used Sonicwalls and the like quite a bit before. All I can say is it only has equivalent functionality to a well configured Linux distro (Ubuntu would be my choice) with Webmin or Ebox on and it's expensive.

Why would you want to trust something that is a closed box like that too.? Who knows what undiscovered vulnerabilities lie there.

Highlighted "WELL CONFIGURED "...i'm not here to sell Sonicwall devices ! Also not wanting to confuse the op mind...

You have to understand the risks associated with connecting a cable to WAN while having the cable plugged in the switch ! Is the outside->inside thread bigger than inside -> outside ! !?? I see it the other way !
Having an application level firewall NOT only port based ... also CF,IDS,IPS ,antivirus & antimalware engines enabled on the internal,external and DMZ ports...with a real time alerting system,that's the way you can assure that there are no open back doors from inside -> outside .

Price wise...? Cisco ASA is starting from 2k,a Sonicwall box with full Security Gateway and Enhanced OS is from 500e at least. Installation can take a day with site survey,gather client requirements ,installation,training and close-down,travel included @ x00e.


Regards...and enjoy it !

jpl888

rolion wrote: »

You have to understand the risks associated with connecting a cable to WAN while having the cable plugged in the switch ! Is the outside->inside thread bigger than inside -> outside ! !?? I see it the other way !
Having an application level firewall NOT only port based ... also CF,IDS,IPS ,antivirus & antimalware engines enabled on the internal,external and DMZ ports...with a real time alerting system,that's the way you can assure that there are no open back doors from inside -> outside .

That is what egress filtering is for. I agree there is as much risk from having Windows machines inside you LAN as anything on the internet.

Perhaps you haven't heard of NUFW which is an application based firewall for Linux?

CF - Dansguardian/OpenDNS/Squid (with something else I forget now)
IDS - Snort
IPS - Snort and snortsam
AV and anti-malware - HAVP and snortsam
Real time alerting - Snort and snortsam (again)

All enabled on whatever ports you like, largely free from licensing cost, free from vendor lock in and if it doesn't do what you want you can change the source code yourself.

Believe it or not I actually do know what I'm talking about, I've been there configured it and used it, it doesn't sound like you have.

Sorry - I've been offline all weekend due to circumstances beyond my control.

Re my networking diagram, I was hoping to start at least from the one router/modem. I think the openDNS will match most of my requirements here. I have the option to add a second router, and a linux box wired between the two boxes, at a a later date.

This all depends on what your firewall can & can't to. For machines on the LAN, force all DNS requests to OpenDNS - that fixes the possible issue of people changing their own DNS servers settings. Similarly, on the DMZ allow all DNS requests to proceed unmolested.

Would the custom linux distro for the linksys routers do this?

Thanks for all the comments so far. I definitely think I'll go with simplicity over function for now, and look at more elegant solutions later.

bhickey

Deleted User wrote: »

Would the custom linux distro for the linksys routers do this?

Have a look at :

http://forums.opendns.com/comments.php?DiscussionID=6901&page=1

brianoconnell

Perhaps the easiest and cheapest DIY job would be to consider your Zyxel as an Outside Internet facing Router. Anything connected to it, Wired/Wireless would be in the DMZ. To prevent users on the inside bypassing your defences you can disable the wireless on the Zyxel or change it's WPA key.

Then reconfigure the WRT54G to have the old SID of the the Zyxel with the old key and plug it into one of the Zyxel LAN ports. The WRT54G should be configured for the same network subnet, Gateway address and dhcp as the Zyxel.

You will need to configure a different subnet for the DMZ and probably turn off DHCP and any other services from the Zyxel. It is best to keep the DMZ as clear as possible of all unnecessary network protocols, ports and services to minimize the attack surface.

You can the place DMZ applications on the remaining Zyxel ports, or even inline by placing them between the Zyxel and the WRT54G.

On the WRT54G you could configure upstream DNS to OpenDNS so all clients that point to the Inside router for DNS would be directed there.

As per the post above, if you reflash the WRT54G you can configure iptables rules to lockdown DNS.