Hello all,

I have minimal network experience having a simple box no. 1 providing printer and dial-up for
box no. 2. box no. 1 has simple firewall run at startup as /etc/rc.d/rc.firewall (I run
slackware). But I am lost when considering setting up a secure network at work.

I have a couple questions I haven't found direct answers for. They are listed below but I'll
first explain the setup I have in mind. Please advise if the basic setup is wrong and also
if you know of any urls which are relevant , etc

My boss is super paranoid and this has been the stumbling block to setting up a network and why
we have just three out of 6 workstations using dial-up access in the main office, each from a
modem attached to respective desktop phone.

The boss has now requested that we look into an adsl connection which means networking all
boxes to modem/router and also wants to discuss using either one or two of our domain names
with setting up websites (hosting) and our own mailserver(s).

I am thinking that this would best be done with website hosting and mailserver in one linux box
set up in a DMZ and the office workstations (running XP) on a separate network behind a
firewall.

I would bring in a local hardware supplier who sets up network if we go this way but first I
need to clarify a few things before I try to sell this to my boss.

Assume modem router with 2 ethernet ports one two 8 port switch/internal network and one to
linux box hosting external services.

(1) External services, i.e. hosting, mailserver are in DMZ in a dedicated linux box/should this
box be configured with its own firewall? Traffic would not be all that great, is there a
performance hit by running firewall on this external services box?

(2) I was thinking of something like a Netgear FVS318 for switch on internal network since it
has firmware firewall but is this the best way to go? (I'm not flogging any brand this one just
comes to mind)

(3) Alternatively, given that both internal network and external services box in DMZ need to be
behind afirewall can this be done with one firewall, say, use a firmware firewall box (or linux
box with firewall) just behind modem/router and then have DMZ and internal network as two
seperatenetworks behind the firewall. Or does internal network and DMZ need separate firewalls

(4) I would expect we will get one or two permanent IP's for hosting one or two websites with
their own domain names as well as hosting mail servers for both domains. Does this pose any
problems if we were to put both internal network and DMZ behind the same firewall or indeed the
hosting and mailservers behind a firewall?

(5) Is this the best way to go about meeting our needs as outlined? Economy will be an issue so
I have tried to keep it to something simple.

Many thanks for any answers, advice, or constructive criticism

Hey justwantin,

I have a similar network set up. We have a pretty small office (mostly running Windows), but the idea of having a Windows firewall was/is completely out of the question. We have a Fractional T1 setup with our ISP, so they can send me Ethernet out of their CSU/DSU. Basically, if you're going to have an ADSL modem as a PCI card inside your firewall, just substitute your ppp0 interface for my eth0 interface. For this example, my public IP addresses are in the subnet 192.168.2.160/28, leaving me 14 available IP addresses (192.168.2.161 through 192.168.2.174), since of course the first IP (192.168.2.160)is the network address and the last IP (192.168.2.175) is the broadcast address.

Please excuse me if I over-explain things.

Here's my firewall setup:

eth0 -- net -- 192.168.2.162/255.255.255.248 gateway 192.168.2.161
eth1 -- lan -- 10.0.0.1/255.255.255.0 gateway 192.168.2.161
eth2 -- dmz -- 192.168.1.1/255.255.255.0 gateway 192.168.2.161

Note that the IP address of the DMZ interface is one of the RFC "private" IP addresses. It doesn't matter what this address is, as long as it's private and it's different than the subnet of your lan.

All interfaces on the firewall have a default gateway set to the next hop from eth0, or my ISP-assigned default gateway address.

eth0 plugs into our ISP's channel bank (or in your case, you get your ADSL signal from your ISP).
eth1 plugs into a switch dedicated to all machines on the LAN.
eth2 plugs into a switch dedicated to all machines on the DMZ.

If I want to have a publicly-available protected server on the DMZ, I assign that server a public IP address that's inside my public IP range. For instance, let's say I want to set up a www/mail server in the DMZ. That server's IP address might be 192.168.2.163. I can tell the firewall to force eth2 to respond to arp requests for that IP address, which would allow the firewall to route between interfaces while having a server on the DMZ on the same subnet as the external interface. This is called Proxy ARP. I think Proxy ARP is set up differently for each firewall software, i.e. iptables vs. shorewall, etc. But this has proven to be a great setup for our office. Essentially you can turn one firewall into two.

As for your questions:

(1) It depends on what the hardware specs of your www/mail server are. If you have a decently fast machine, then go ahead and put a firewall on that box in addition to your routing firewall. If I understand correctly, packet inspection and filtering is not that CPU intensive.
(2) I'm not familiar with that particular switch, but stateful packet filtering occurs at the IP layer, not the ethernet layer. If it's a layer-3 switch, then that seems like a viable option.
(3) You can set it up either way. Most people will tell you that having two separate firewalls configured in front of and behind the DMZ is the way to go. But you set up a protected perimeter network with a single firewall with 3 interfaces (that's what I've done above).
(4) Proxy ARP will solve the problems associated with this. If you're looking at a Linux solution using IPTables, you have 3 options for firewalling a DMZ that's on the same subnet as your external network: NAT, Bridging Firewall, and ProxyARP. I've found that ProxyARP is probably the most reliable way of doing things, but YMMV.
(5) You said something about a modem router. In my example above, I'm assuming that your modem connects directly to the linux firewall. IMHO, that is what I would do instead of having a modem router.

I hope that helps, and again, I'm sorry if I tried to explain some things that you already understood. But I'd rather be very specific than too vague.

Greg

First off, there should never be anything in the DMZ. There is no situation in which this is helpful. When firewall technology was not as advanced, DMZs were used because port forwarding was not always available, or wasn't as flexible to provide reliable service for the servers or worse, there was no way to forward traffic without weakening the firewall. Now, however, with advanced port forwarding and filtering, all hardware can be put behind the firewall reliably.

Anyway, about the firewall. You could setup a Linux machine as the firewall/gateway, but a better choice would be a hardware firewall. You can deploy it in about 20 minutes, it has no moving parts, and you will never need to do any maintenance on it. Set it up and forget about it for the rest of your career, because it will never fail. And, depending on the hardware you were going to use for the Linux firewall, it may well be cheaper.

I use them on my networks and they are great, I would suggest SonicWALL brand, as I found they are pretty much the best out there. The TZ170 would be a good choice for your network, I have used this model personally, and it is very good.

As for the mail/web server, that would be a Linux machine behind the firewall with the appropriate ports forwarded to it.

Hey MS3FGX,

I would have to respectfully disagree with you. What happens when the web server gets compromised and allows a hacker to run commands of his/her choice? The entire internal network is at risk at that point. Placing public servers in a protected and isolated part of the network will protect your internal servers from being wide open to hackers who gain access to the DMZ. While firewalling has come a long way, simply forwarding ports to the inside network is never a good idea. If anything else, having a protected network will give an administrator more time to catch the hacker and deal with the problem, because when just forwarding ports to the inside, it will take the hacker almost no time to do anything he pleases.

Putting it in the DMZ is going to get a machine broken into much faster than if it was getting a single port forwarded to it with a properly secured server application listening.

Putting it in it's own secured network in the hopes that it will only destroy itself and not the client machines in the event of a break-in is not a good security plan, the server should be secured from the ground up to ensure it is isn't broken into in the first place. There is in reality very few methods with which a hacker can break into a system, and if you have addressed all those venerabilities, and have secure passwords, there is very little security risk.

In fact, if the servers are secure enough, the firewall is more for the benefit of the clients than anything. 50 generic Windows installations is at a much higher risk than a handful of custom *nix machines.

Using a trihomed firewall can have it's benefits, it is not enough to rely on.

Thanks to all for comments so far.

The setup I had envisaged was based on a Linux Journal article found at http://www.linuxjournal.com/article.php?sid=4415

As I understood figure 2 in that article, there is a modem/router in front of the firewall then two subnets behind the firewall. One would be the LAN (to the workstations) and the second would be the DMZ network with several server s in seperate boxes.

For us I think a single Linux box would be suitable for hosting one or two websites with corresponding mail servers (although I don't know enough yet to be sure about that).

The LAN would basically allow alll workstations to have 24X7 access to the net. There would be no need for internal emails only incoming/outgoing emails fon the internet. Later if not sooner a box can be put on the LAN as a server for printshares or other things.

With regards to a server in the DMZ network, it would be my understanding that while a hacker might be able to comprimise a particular service, the hacker would not be able to do much beyond the service if permissions are set up correctly, and in any case if the server was comprimised it still would not allow the hacker to gain any advantage towards getting into the LAN. Again I may be wrong and that's why I've posted here.

Not so. If you set up your firewall rules correctly, they will have access to the exact same ports on the DMZ as they would have on the LAN. For instance, let's say I have a web server in the DMZ. On a three-interface firewall (net, dmz, lan), I can have a rule such as this:

ACCEPT from net to dmz:[ip of web server] where destination port = 80
DROP all packets from dmz to lan

Which basically only opens up port 80 of the web server to the outside world. This is the same concept as port forwarding directly into the lan. HOWEVER, if the web server gets hacked and compromised, it has to go through the firewall again to get inside the LAN where the real sensitive information is stored, whereas with your proposal it would already have access to the LAN. My firewall design would prevent many attacks that your proposal cannot defend against.

I am not suggesting this at all. A firewall is only as good as the rules the administrator has set in place. You NEVER allow access through a firewall unless you want to advertise a service on a particular port, i.e., I would never just allow all Internet traffic to reach my web server on any port. I only allow access from the Internet to the web server at port 80 and 443 for SSL. And you should definitely harden any server that you have running with a network cable plugged into it.

This is a huge misconception. Do you realize how many security vulnerabilities are discovered every single day? Each day software vendors release updates to their clients to fix the holes. If you're relying on patching as your only method of security, then you're waiting for disaster. There is no law that states a hacker can't be faster than you. What happens when a hacker finds a flaw before a patch is released? You're toast. Try searching the net for some security analysis tools web sites. You'll be amazed at how many hacking tools are available.

On the contrary -- firewalls should be transparent to the user. Firewalls are designed to keep unwanted network traffic out of your network. While you can also prohibit users from your LAN to access certain ports on the Internet, such as AIM or Gnutella file sharing ports, the main design of a firewall should be to protect your company's vital assets and computer data.

Also, please define "secure enough." I'm not about to stick a hardened server out on the Internet waiting to be hacked. That's just silly.

I agree with this statement. Having a good firewall in place is by no means a substitute for being lazy with product updates and security fixes. Internet security is much more than just firewalls, and it's much more than security fixes. For a security policy to be effective, you must consider every imaginable scenario of an attempted break-in and have policies in place to defend against such breakins.

Just because you have an alarm system installed in your house doesn't mean that you should just leave your doors unlocked. The same concept applies to Internet security. Continuing with this analogy, the best practice would be not only to have an alarm system with cellular fail-over (in case the phone lines are cut), locks and deadbolts on perimeter doors, but also locks on safes and jewelry boxes.

I think the problem here is that we are talking about two different things.

In many firewalls I have seen (I don't deal much with the software firewalls, I have only ever used iptables for this, so I am referring to hardware systems here) the DMZ allows all traffic into the DMZ. Many don't even have any DMZ configuration, other than what addresses to put into the DMZ.

I would never use such a mode since it completely opens a machine to the internet.

You however seem to be talking of a true trihomed firewall, one which essentially works as two separate firewalls. A "lose" forward firewall (which the servers are behind) and a "tight" firewall (which the clients are behind). In this situation I would agree to use this method, it just isn't what I have come to consider as a DMZ. A misunderstanding of terms.

I however still hold my position that there are in reality few real venerabilities. For instance, a recent study shows that 75% of all attacks are on port 80. The browser is quickly becoming the weapon of choice for hackers. This leaves you with your web server software as the biggest risk. If this is properly configured, and all patches are applied as quickly as possible, you have just blocked the majority of attacks. And if you aren't running any other services on that machine, then it is relatively bullet proof.

True that a hacker may get to your machine before you apply the patches, but that is the job of the administrator, to patch and secure all software as fast as possible. If you fail to do so, that is your own problem, and no level of firewalling is going to protect you.

In fact, I take the stance that "Hacking Exposed: 4th Edition" took, that in essence, firewalls are "useless" in network security. At first this sounds ridiculous, but reading their explanation, it makes perfect sense.

It explains that since the majority of attacks are now against web servers, firewalls don't help in the least, since you most likely have port 80 open, letting the hackers right in. It could even be argued that the reason most attacks are against web servers is that everything else has been blocked by firewalls, so the hackers had to start attacking the only thing they could get their hands on.

So in the current situation of network security, it is completely up to the administrator to secure the machine on the software side. You simply cannot rely on any form of firewall as a primary security device anymore.

Am I saying to not have a firewall? Hell no. Without the firewall, you are going to be completely screwed.

What I am saying though is that while the firewall is required, you cannot become lazy on the software side, since, at best, the firewall is only going to block 25% of the attacks out there.

While you may be correct in saying that 75% of all attacks are on port 80, that's no reason to not keep up with the other vulnerabilities that exist. But as a sysadmin, I NEVER want to have the attitude that my servers are bullet-proof. I think they are secure, and I think they are protected. But nothing is bullet-proof. There is always a way to break something -- that's exactly why new vulnerabilities get exposed every single day. IMHO, it's much better for an administrator to have an attitude of paranoia than an attitude of over-confidence. The paranoid guy wins in the end, because he has his eyes open to all threats, not just those on port 80.

I'm really glad we got on the same page -- I really wasn't excited about arguing ALREADY with someone (I just joined this forum yesterday). Seems that we agree on more than we disagree on. I think we both hold the same stance on most of the issues we're talking about.

Glad to see you guys had a good debate and that at least one of you walks away with a smile.

I'll try to glean something meaningful out of the above

Glad to help out. A friendly debate can go a long way!

Let me know if you need any assistance. I can share my rules with you if you'd like and give you a more in-depth knowledge of my current setup.

Greg

That was more of a satirical comment. You guys were over my head in some instances. I'll have to google out much of what you were talking about. I would get someone who knows linux and can supply hardware to do the work as we need some new boxes too.

I just wanted to get some ideas of what to look for and consider as the alternative is having the bookeeper's good buddy come in and sell/connect some more windows boxes and throw in some cabling and a windows server. Neither of them have a clue about security. I'd just as soon have something intellegent to say when the time comes.

Just recently I managed to resurrect a severely spec'd/botched SCADA system stitched together by radio at another site I'm just getting tired of sorting it all out after someone else buys it and screws it up.