What is the Best Firewall for Servers? 673
Sushant Bhatia asks: "I maintain a bunch of servers (Win 2003/XP Pro) at our labs in the university. Of late, the number of attacks on the computers has been more noticeable. The university provides firewall software (Kerio) but that doesn't work with Win 2003 (works with XP). And so we keep getting hit by zombie machines taken over in the Education Department or from Liberal Arts :-). So what does the Slashdot crowd use when they need to secure their Linux and Windows servers? Does it cost less than US$100?"
OpenBSD, of course! (Score:5, Informative)
Re:OpenBSD, of course! (Score:3, Informative)
This avoids the situation that I had previously when someone hacked into my machine. They hacked into my OpenBSD firewall, then opened it all up, and marked my
This way, if they hack my Linux server, they'd still have to hack into my OpenBSD box in order to open up the ports. I have plans to lock that up tight o
hahahaha (Score:3, Funny)
Re:OpenBSD, of course! (Score:4, Informative)
So, why don't you make your OpenBSD a firewalled (and possibly ip-less) bridge ? That way, attackers have no way of knowing that there's a firewalled bridge between them and the HTTP server, and packets still get filtered... just disallow any outside connections to your bridge-server and you're safe.
Make sure you set your webserver to only allow to respond to accepting connections, not initiate new connections.
Re:If you're going to ip-less bridge... (Score:5, Informative)
Re:OpenBSD, of course! (Score:3)
Because ironic would be my saying that I run OpenBSD because it's never been hacked, and then being hacked myself.
My statement that OpenBSD is a good OS to choose because it has a low track-record of remote exploits is perfectly justified. Just because I've had an OpenBSD system hacked on the one remote exploit in 4 years, doesn't dilute my arguement.
Telling someone to run a software firewall on a notoriously insecure operating system is fundamentally flawed. Software fails, and
Re:OpenBSD, of course! (Score:5, Informative)
OS is irrelevant (Score:3, Insightful)
Until you can get basic security steps like those in place, the world's best firewall is like
Coyote Linux, of course! (Score:5, Informative)
One exception to this is Coyote Linux [coyotelinux.com]. Not only does it not have the usual services enabled by default, nearly all of them have been stripped out. It includes just the components (such as iptables) that serve the central function of safely connecting a LAN to the Internet. And because it's so minimal, it fits on a floppy and runs on a 386 with 12MB RAM. It's no substitute for a full-featured Cisco Pix (for that you'd have to look at Coyote's big brother Wolverine), but it's worked great for me for years, both at home and in a couple offices I've worked at.
Re:OpenBSD, of course! (Score:3, Informative)
Re:OpenBSD, of course! (Score:3, Informative)
Re:OpenBSD, of course! (Score:3, Informative)
Linux-HA [linux-ha.org] fails firewalls just fine.
"pf supports routing of traffic based upon OS fingerprinting."
It's a module in iptables called "osf", but I don't recommend it. Anything that relies on information (even passively gathered information) provided by the remote host is fundamentally unreliable. Worse, by filtering based on OS you open yourself up to all sorts of confusi
Re:OpenBSD, of course! (Score:4, Informative)
P1 = 10-20W
P2 = 15-35W
P3 = 25-45W
P4 = 35-165W
Chipset and RAM power also increases across generations so a few more watts need to be added to each upgrade... and another extra in the 10-20% range for the extra VRM and PSU losses. (PWM regulator technology and components have not changed much over the last 10 years)
But yes, having a faster CPU/RAM does make a substantial difference in firewall responsiveness and throughput. When I upgraded my router from 100MHz to 200MHz, loopback throughput roughly tripled - from 660KB/s to 2.3MB/s. (On top of being slower, a slow chip also spends more of its time processing interrupts and background stuff, leaving less time for 'useful' work, double-hit. Seems like the 100MHz chip in this case was wasting something like half of its time on house-keeping stuff.)
2.3MB/s might not seem like much but I am not expecting local ISPs to offer >20Mbps (combined up+down) for another ~10 years... at least not under CAN$50/month.
Re:OpenBSD, of course! (Score:5, Informative)
Of course if they DID want additional hardware, the absolute cheapest general-purpose linux box is the Linksys WRT54G. At least, it becomes a general purpose box as soon as you throw OpenWRT [openwrt.org] on it. Just set up the iptables rules however you like. You may want to disable the wireless functionality.
I've seen the WRT54G selling for as little as $50 CDN, which is probably about $40 US. It doesn't get much cheaper than that for a linux box.
Still, I think he meant more software-wise.
Re:OpenBSD, of course! (Score:4, Interesting)
It was $30+OpenBSD donation for me. That was the cost government surplus PIII-450s with enough RAM and HD space for moderate use. It would be a rare university that didn't have machines like that lying around.
Re:OpenBSD, of course! (Score:5, Informative)
* DMZ: Put your servers into appropriately configured DMZ's using a seperate OpenBSD host as the firewall. Lock it down so that only traffic which you specifically allow can get through.
* PATCH: Keep your Windows servers patched.
* FILTER: Doesn't Windows 2003 have a built in packet filter? If so, use it!
* HARDEN the Windows servers. Remove every service which they don't *need* to be running.
* REPLACE any Windows servers that you can, with more secure options.
* BACKUPS: Keep good regular backups so that it will be less hassle for you to restore from them and patch, should they be compromised. The longer between backups, the harder your job will be to fix the problem because you might find the losses of restoring an old backup hurt more than the actual compromise itself. You'll be checking what is newer and working hard to make sure that the newer files are not infected with trojans, worms, viruses, etc.
* DON'T DEPLOY: If you can get away with it, don't give people a solution if the only solution is an insecure one. You may find that you provide a solution which people suddenly "can't live without" but is either uneconomical to keep secure or impossible to keep secure. It is better to not give people a taste of that solution at all. Especially since they worked just fine without it up until now and *you* know that they don't *need* it.
* SOE: Develop standard operating environment's for the desktops, lock them down and enforce IT usage policies. Do the desktops need to share data amongst themselves peer-to-peer? Having worked in edu for years, I would imagine not on the whole, so apply a firewall to the SOE itself which will fit within your network configuration. A smaller department server you will be able to take ownership of and control if they want to share amongst themselves and this takes the tinker factor away from the end users and removes their excuse for admin rights for that task. You can also make it so that any damage or network congestion they cause, can be limited to their department. You do it this way for them because "you can easily backup a central server" and upper management will agree with you on that from a risk point of view. If all your desktops, servers and network are as secure as you can make them and you have polices people must adhere to, then you will have much less problems.
What you will also find is that you will get to a stage where instead of putting out fires all the time, you will be constantly improving your systems and making IT better instead of always trying to make IT work. You will also find that problems start to settle with the real problem staff and you will then be able to manage them and point to the polices.
Re:LAYERED SECURITY, of course! (Score:3, Insightful)
3.) Tcp/IP filtering @ the IP Stack levels (UDP & TCP) allowing ONLY port 80.
Could you please explain how things like DNS(pretty well required for surfing), HTTPS (port 443), FTP, SSH and several other services would work?
at the risk of getting flamed into submission... (Score:4, Insightful)
Re:at the risk of getting flamed into submission.. (Score:3, Informative)
Re:at the risk of getting flamed into submission.. (Score:2)
I use the hardware firewall in my router and the Windows Firewall on my home machine. Either one should be ok actually.
Re:at the risk of getting flamed into submission.. (Score:5, Funny)
Pedantry (Score:3, Informative)
Quadrivium: arithmetic, astronomy, geometry, and music.
So math has two of the liberal arts.
Re:at the risk of getting flamed into submission.. (Score:3, Insightful)
A $25 surplus P-II should suffice. I've been running an OpenBSD/PF firewall at home for ages now and the system load has never gone above 0%.
Re:at the risk of getting flamed into submission.. (Score:5, Funny)
Have you tried plugging it in?
Re:at the risk of getting flamed into submission.. (Score:5, Informative)
Does anyone else remember the warez newbies crying that their off-the-shelf blackbox router crashes if their P2P app opens too many connections? Now you may laugh.
Re:at the risk of getting flamed into submission.. (Score:3, Informative)
Re:at the risk of getting flamed into submission.. (Score:5, Interesting)
System specs are pretty normal, 1Ghz Athlon with 512MB RAM.
Re:at the risk of getting flamed into submission.. (Score:3, Insightful)
Smoothwall (Score:4, Informative)
Also IPCOP (Score:5, Informative)
I've used smoothwall for a while and I was very satisfied with it. But at some moment, it stopped working. The ADSL connection couldn't be established anymore.
While I think it was rather a hard disk crash and not a direct smoothwall problem, it made me feel like replacing my smoothwall with ipcop, another firewall dedicated linux distro (forked from smoothwall).
I'm very happy with ipcop at the moment, it's a bit more "customizable" than smoothwall. I know both are GPL'ed so they can both be customized to fit any purpose, but as ipcop is a 100% community-based distro, it is a bit more designed to be tweaked than smoothwall.
Check out IPCOP site [ipcop.org]
Re:Also IPCOP (Score:4, Interesting)
Actually the same thing happened to me. Well sort of the same (my connection uses DHCP). My problem was that the webpage configuration never came up. I finaly figured out that this was because my 100mb
Clearing that out made the smoothy run fine again. It has since happened a few more times and everytime i just have to clear out all the logs. That said, while the disk was full, it was still routing traffic as expected for months before i discovered the issue.
The one thing I would like to see would be a better way of tracking all the connections being setup and torn down by the machine, realtime, say logging to a console window. I used to have a dubbele NETBSD firewall ( http://firewall.dubbele.com/ [dubbele.com] ) that, becasue of the firewall package on there (vastly superior to iptables IMHO) i could run a simple command (ipmon -o N) and it would list everything going on. very cool. I know about IP contrak mod for smoothwall but on a webpage just doesnt have the same cool feel as realtime. Its nice to catch all those EA games you have calling home when you launch them
Anyways the one story i love to tell about the netbsd machine was that the hard drive failed on it months before i found out. The machine was running flawlessly until i rebooted it for some reason and got a nice primary HDD fail in the bios. The last timestamp for a file on the HDD was like 8 months previous.
Use a *separate* firewall box. (Score:5, Insightful)
I use a dedicated PPro box running Coyote Linux myself, but there are far more robust solutions out there...
Re:Use a *separate* firewall box. (Score:3, Interesting)
from what it sounds like he just wants incoming ports blocked(being hit by zombies).
30$ should buy an external fw/nat box with simple rules - a little more and you could get some similar router&on board firewall combos that run on top of linux too.. should fit the bill pretty well.
well, blocking incoming ports should be doable with windows own built in fw too.. so maybe he just would want a free kerio or something - you know, with fancy menus and crappy threat detection and popup
Re:Use a *separate* firewall box. (Score:3, Informative)
There's a few things to do to limit the problem:
1. As you said, have an externa
Hardware or Software? (Score:2, Insightful)
Re:Hardware or Software? (Score:2)
What's wrong with windows firewall (Score:2, Insightful)
Or get a $50 router and block all uncessary ports to give yourself and additional layer of security.
Re:What's wrong with windows firewall (Score:3, Insightful)
The thinking here is a separate machine will help maintainability (assuming of course that you know linux), ease of upgrades (one system vs a "bunch"). Of course, in this case a little router box would work just fine as well. The only thing with the router boxes is the ones sold to
Re:What's wrong with windows firewall (Score:3, Informative)
Is this a joke? (Score:5, Funny)
Liberal Arts zombies? Are you sure they're not dogs [slashdot.org]?
(And, as always, the best answer to your question may come from Google. Linux.com | A Linux firewall primer [linux.com].)
Re:Is this a joke? (Score:2)
iptables (Score:2, Insightful)
OT: Captchas (Score:5, Funny)
Are you sure you are human?
Re:OT: Captchas (Score:3, Funny)
Why do you ask are you sure you are human?
Security (Score:2, Funny)
The missing 1% is for the ninja squirrels
Re:Security (Score:3, Funny)
Commercial HW, free SW (Score:2, Informative)
Of course - investing in "fresh" knowledge on FreeBSD or whichever other platform you wish to roll your own firewall/ids solution on top of - is going to be expensive. Thus this solution might not work for all...
Yeah... (Score:2)
A cheap linux firewall (Score:5, Informative)
Re:A cheap linux firewall (Score:5, Insightful)
There is always something to be said about having a real server act as a firewall. For home use, sure, use an old computer running linux - but for anything that you would like to count on a reliable, get a real piece of hardware to put that linux distro on, and you'll be happier.
Re:A cheap linux firewall (Score:3, Informative)
You always has OpenBSD [openbsd.org] that comes with pf [openbsd.org] (packet filter), CARP [openbsd.org] (redundancy) and pfsync [openbsd.org] (firewall synchronizing)
You can find an example here [countersiege.com]
Re:A cheap linux firewall (Score:5, Informative)
But it seems that the poster can get way with using a simple router box with multiple LAN ports as well (or 1 LAN and 1 WAN port might even work).
Re:Compaq Proliants are ~$50 on eBay... (Score:3, Informative)
mem=exactmap mem=640k@0M mem=255M@1M
Re:A cheap linux firewall (Score:3, Informative)
http://www.linux-ha.org/ [linux-ha.org]
This would work with any number of machines, with the virtual ip taking over if any loss occurs.
I've used heartbeat numerous times with redundant servers, works like a charm.
Two Words... (Score:3, Informative)
Zone alarm? (Score:2)
http://www.zonelabs.com/store/content/company/pro
Win2k3 SP1 Firewall (Score:2, Informative)
Also, it's free.*
*Well, you know what I mean.
Does it cost less than US$100? (Score:4, Insightful)
Re:Does it cost less than US$100? (Score:2)
While advisable to get a more expensive (read built and priced for the task), a PII box and cables can be picked up fot $70 on eBay and, with a minimal Linux firewall install (say, 1 hour to set up @ $30/hour) does cost $100/hour. Of course this assumes the tech expertise exists in the first place, which seems not to be the case in this 'Ask Slashdot'.
Re:Does it cost less than US$100? (Score:5, Insightful)
Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?
Re:Does it cost less than US$100? (Score:3, Interesting)
Or maybe you missed the part about how the attacks are coming from other departments, over which he has no authority, and who obviously don't place a high value on security?
I work at a university, so I know the game.
I would recharge the other department $50 for 'security services' each IP they fail to pro
Re:Does it cost less than US$100? (Score:5, Insightful)
This *is* at a university. Universities are well-known for being completely isolated from the rest of society, and as a result, they have some pretty weird ideas. One of which is not spending any money on computer security.
Re:Does it cost less than US$100? (Score:5, Insightful)
Keep in mind that the OP works for a university, which probably doesn't have a budget outside of what they already spent on their software firewall. It doesn't mean that security isn't important to him, just that there's probably not an existing budget for it.
The OP is looking for a cheap and innovative way to secure his university network's servers - and I can't think of a better place to ask the question than here.
I say let the FOSS community answer his question and provide him a solution to his unique problem in the way that they know best and leave the "isn't this worth more than $XXX?" questions to the salesman.
a linux box set up as a hw firewall (Score:2)
Isolate and hardware firewall (Score:2)
ummmmm (Score:2)
Re:ummmmm (Score:2)
it is based on freebsd, a better choice for a firewall than linux
Re:ummmmm (Score:2)
try FreeBSD there sparky:
m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. [m0n0.ch]
You ain't (Score:2)
To protect the equipment, you will simply tell them to go hardware firewalls, preferably Cisco PIX 500s will do the trick. But be prepared to pay for the name, but the protection that this unit will provide will be worth every penny.
Wrong Approach (Score:5, Informative)
There are different types of firewalls and they can be divided into these types using different criteria. However, I will use the most simple one. There are host-based and network-based firewalls. Host-based firewalls, are not very cost-effective (or even effective at all) for protecting large, medium or even small server "farms". They work fine on single-server or home machines.
The proper way to protect server farms in campus is to have secure network. Firewalls are like city walls. They offer protection, but if breached, you're doomed. Secure network consists of firewalls, segmented network (separate VLAN's, switching blocks, etc.). Excellent reference for secure network design is Cisco's SAFE Blueprint for Enterprise Networks. I would recommend reading it, even though you're not using Cisco gear.
Marko.
Re:Wrong Approach (Score:2)
Re:Not bullshit at all (Score:3, Insightful)
But what you're describing is exactly what the GP was rejecting. Back when I was an academic, I assure you that I would have up and left any school which dared to tell me what I could or could not run, or what I could or could not expose. However, I would have been perfectly w
say 'network diaper', not 'firewall' (Score:2)
Firewall sounds all dignified and techie, when you're really saying "TCP stack incontinence appliance'. Use the short form of this, 'network diaper', in coversations with management, and perhaps you'll get to use a real operating system.
If you canna go bare, why you even gonna go there?
Re:say 'network diaper', not 'firewall' (Score:2)
ipf -Fa -f
pfctl -Fa -f
These are examples of what one would do on a 'real' computer. This place, it has a goodly portion of Linux heretics, and I suggest you pay them no mind
A cheap box (Score:3, Informative)
Think outside the box. (Score:2)
iptables, portsentry, and some py scripting. (Score:2)
i also use some assorted python scripts that watch the system logs for common attacks that portsentry does not pick up (e.g., repeated ssh login failures), and then dynamically block those IP / port combos as necessary.
IPCop (Score:5, Informative)
Only port forward what ports you absolutely need and keep your servers out in the DMZ. IPcop will easily allow you to seperate your network into zones with multiple nics and will likely only take a 486 or Pentium class machine to keep up with your bandwith. Hey, you asked for cheap. Doesn't get much cheaper than that.
You can also keep detailed logs and it also features a good SNORT setup for NIDS. It sets up convieniently with a web browser.
There is also Smoothwall. Both are really Linux based software firewalls. The difference is that IPCop is totally free and supports a wide variety of features that you would likely have to pay for in Smoothwall. Updating NIDS signatures automatically comes to mind.
I would personally avoid Windows software firewalls like the plague, as they run at escalated priveledges and can potentially put your system at even more risk as they add to the number of possible vulnerabilities, but that is just me.
If you can't afford a PIX or something in hardware, FreeBSD and Linux software firewalls are always the best way to go IMHO.
Happy hacking!
Re:IPCop (Score:3, Informative)
Decent firewall (Score:3, Funny)
Another box! (Score:2)
If you want only a software firewall for windows, I like Sygate. It does
Linux: Firestarter or firehol (Score:3)
If your requirements are a little more complex (eg: DMZs, VPNs, etc.), you might want to have a peek at firehol instead. Text-based configuration, but greatly simplifies the process of wrangling with iptables.
I tend to recommend zonealarm for windows for most people, but that's more out of apathy (ie: I haven't reviewed the options lately) than anything else.
Red.
hardware is the way forward... (Score:3, Informative)
Put another firewall ideally of a different type (break one you've still got another to break) and use that to isolate all the departmental computers...
Ensure the policies are locked down tight and that any changes are approved by someone who knows what they're about before being implemented.
Adaptive Packet Destructive Filter (Score:2)
http://roseweb.de/caro/pages/security/v-one/cut-o
It costs well under $100, and unlike every other firewall it is guaranteed 100% secure.
Best of all, it can be applied to those pesky zombie systems in addition to your own servers for the ultimate in protection.
A separate firewall (Score:2)
You might also dig up a junk machine and set up the Linux Router project (or a *BSD equivalent) on it.
If the servers are big enough that a cheap hardware firewall won't do, then I'd say they are big enough to need a real router in front of them.
Kerio Firewall (Score:2, Informative)
Windows Server 2003 SERVICE PACK 1 has a firewall (Score:5, Informative)
There's a "Security Configuration Wizard" that will help you config the firewall and services at a more advanced level than in XPSP2
Re:Windows Server 2003 SERVICE PACK 1 has a firewa (Score:3, Insightful)
I'm sorry you feel that running an OS is some kind of machismo thing. Would you like some stubble glitter for Christmas? I despise OS bigots. They're unprofessional, bullheaded and usually wrong.
On the other hand, anyone using a windows-based firewall as a perimeter defense is a complete moron. You either use some firewall-in-a-box, and for bigger networks, you use s
Take One Old PC (Score:4, Informative)
Add free Linux 2.4 distribution or higher
Activate netfilter and iptable
See: ttp://www.netfilter.org/
Deploy firewall using instructions in the netfilter how-tos:
See: http://www.netfilter.org/documentation/ [netfilter.org]
Or, if that's too much for you, just get the equipment and add one of the pre-configured firewall Linuxes like SmoothWall (http://www.smoothwall.org/ [smoothwall.org]), Devil-Linux (http://www.devil-linux.org/home/index.php [devil-linux.org]) or Coyote Linux (http://www.coyotelinux.com/ [coyotelinux.com]).
No fuss, no muss.
Steven
Re:WTF is all this Old PC+Linux worship? (Score:3, Insightful)
Steven
Preferentially? (Score:4, Informative)
But with zombies in general, I prefer a more proactive approach: a 12 gauge shotgun loaded with 00 buck does nicely.
Seriously though. Every Windows machine should be behind an entirely seperate firewall, protecting it from everything and everything from it. A Windows machine on a public network that isn't being agressively administered is about as safe as a polish handgun.
By the description of your environment and problem, it sounds like you basically want to quarantine the humanities from the rest of campus so they don't wreak their plague of stupidity upon everyone else (this is good policy in general, I've found - humanities aren't fond of reasoned, concrete thought).
Probably the best way to do that would be to set up an IDS gateway between their networks and the rest of campus. Something from CISCO would probably be best, but I'm fairly certain you could do it with linux/BSD or another COTS solution for decreased price. Have the IDS set up to basically drop all trafic from zombied machines. When they complain to you that "their" network isn't working and that it's your fault, give them the ISP treatment: fix your machine and we'll let you back on.
Really, allowing humanities types to manage their own hardware is just a receipe for disaster. Would you let your accountant work on your car? It's not adviseable, and would likely cost you more than not having repair done at all and waiting for further problems.
Windows Firewall and IPsec (Score:5, Informative)
Note that while this is easier to manage with Group Policy via Active Directory, you can use the local group policy settings and migrate them across your lab. My thoughts on this are valid for XP and 2003.
The internal firewall is your first defense, blocking all non permitted inbound random/unimportant information from reaching your machines. Tell the firewall the applications you will be using, and it will dynamically open required ports as the program needs them. This way you don't need to deal with local port management. You want this setup to prevent traffic from reaching IPsec, and for any logging purposes you may have. IPsec's current version doesn't really do packet logging, and is in no way a firewall (Although, I used it for years as a firewall with Windows 2000 and never had any ill-received problems, but they were not on critical systems either).
Use IPsec in pure authentication mode without encryption (unless you have encryption offload cards). You can use it in several ways.
All communication requires authentication:
No computer can talk to yours that is not setup properly. Period.
All inbound communication requires authentication:
All inbound traffic must authenticate or be dropped.
If you lock inbound, but not outbound, your clients can still access web resources and any other computer without issue, but you have completely prevented anyone else from initiating communication with your systems.
IPsec works like this: Generic rules (require authentication from everyone) are over-ridden by a more explicit rule (do not require authentication from whatever.system.local). Generic all IP rules are over-ridden by port rules, port rules are over-ridden by explicit IP address rules or subnet rules. Etc.
For your purpose, I would at least require all inbound traffic to require authentication by String, however this is not secure and anyone with administrator access can rip the password out of the registry. To do it securely, you need to do it by certificate or Kerberos. The kerberos implementation will require active directory, the certificate method will require a full IKE/PKI configured for your area. You do not need to buy a certificate from a place like verisign, you can do it all yourself through your own self-signed certificates. This entire process with IPsec can be automated through Active Directory, but if you don't have active directory, I believe any generic IKE/PKI server can generate valid certificates for your use. It's a lot less work on your part doing it through active directory.
IPsec policies will work between Windows 2000, XP, and 2003, however your key strength is limited based on the oldest OS you use. 2000 will only function with low keys, XP with both low and medium, and 2003 with strong keys and the two weaker keys. Also, you can set it up from strongest key generation to weakest, so 2003 will always talk to 2003 in strong, 2003 to XP in medium, 2003 to 2000 in weak. It may be possible to make IPsec work side-by-side with Linux using Freeswan, or whatever project replaced it, however I never used that program.
One last thing, if your systems are used by untrusted users, considers how possible it is to use the software restrictions built into Windows. Once that is activated and configured well, it becomes very difficult for a local user to run non-authorized software without sitting at the machine and taking it over first. Refer to rules regarding Software Restriction Policies for this.
K.
Re:Windows Firewall and IPsec (Score:3, Informative)
Having said that, it works great. You can even import your certificates into group policy so that domain members can communicate normally automatically - this is useful if you utilise the other security group policy objects and enforce anti-virus, anti-spyware/malware on your domain systems.
Non Domain systems can be configured and issue
FreeBSD... (Score:3, Insightful)
Why? Because everyone is out trying to hack Linux and Windows machines, they seem to leave the FreeBSD machines alone, maybe because they don't know what to do with them. Or at least there seems to be less people hacking FreeBSD. Most likely its just less press about it. NetBSD or OpenBSD would also probably work as well.
I run my firewall off a custom hacked FreeBSD CDROM. While this makes updates more difficult, it makes replaceing files near impossible. Hackers can't replace /bin/ls unless they mount /bin as a memory filesystem, in which cause they now have to replace df, mount and several other programs. You really only need /var and /tmp as memory filesystems, and maybe some parts of /etc or the whole /etc.
It has no hard drive so if the power cycles, it just reboots and its all fine and dandy. I have a seperate machine that I can do builds on and updates. I have trimmed it down to a 64 Megs CD and that includes perl, sshd, apache, dhcpd, and bind9.
You could do this with Linux as well. I haven't heard of anyone creating a Windows bootable CDROM firewall. Mac needs special hardware, and I'm not that familar with Mac, but you could probably create a Mac firewall on cd as well.
If you think its been hacked, reboot and the hackers have to try again :-)
There are also commercial hardware firewalls. Some are cheap, like the Netgear, dlink, and Linksys, but some of the better ones are in the $500 plus range.
Re:FreeBSD... (Score:3, Insightful)
If a user knows how to run and setup a Linux firewall, it's a better idea to stick with a Linux firewall; the 'superiority' of BSD over the Linux solution is arguable at best; however one thing that should be beyond argument is that if you know how to set up and use a Linux firewall, y
Cheap Old PC (Score:3, Insightful)
To secure your windows server (Score:3, Funny)
---
Or the Aliens option: "Bug out, nuke the site from orbit. Only way to be sure"
for all those who recommended m0n0wall... (Score:3, Interesting)
my first monowall used the rhine and intel chipset with less than stellar performance, but when i changed the ethernet cards to identical asante etherfast with the tulip chipset, my performance increased dramatically(sorry for the lack of any tech details, but the difference was "subjectively" noticable).
if you go the route of using a CF card, do yourself a favor and load monowall on a couple of cards, 16-32 mb cards are dirt cheap. this way you can always experiment with later versions of the firmware, just by swapping cards out. on the otherhand, if you go the CD route, you can run without a harddrive(use floppy for xml configs).
lastly, use a PII or PIII. prolly overkill for your scene, but the last thing you want is a firewall struggling with an anemic cpu.
m0n0wall is definitely the *nix based firewall for the NT admin
Re:I'm sorry. (Score:2, Insightful)
Re:I use.... (Score:2)