Firewall Wizards mailing list archives

Re: Firewall Solution - 50 Users on SDSL Connection


From: Paul Robertson <proberts () patriot net>
Date: Sun, 5 Oct 2003 10:08:22 -0400 (EDT)

On Fri, 3 Oct 2003, Dan Harp wrote:

> Greetings,
> 
> We have about 50 IP devices (workstations, servers, etc.) on a
> 100Mbps CAT5 network internally, and our connection to the 'Net
> is SDSL.
> 
> We are looking for a relatively inexpensive (or open source)
> firewall device that does the following:
> 
> Inbound filtering:
>       -ICMP, Ports (135, etc.), "default deny"

If you've got access to a router, it should be able to do this; if not, 
putting almost any open source *nix machine in and making it the 
router to go to the external router with a cross-over cable will give 
the filtering.

*Be careful* filtering ICMP, if you're allowing the DF bit to be set, 
you're going to kill PMTU discovery if you're not careful.

There are lots of good stateful filtering solutions these days, both open 
source and commercial.  Keeping state is probably still useful enough to 
do as a matter of course, and (after several years) the performance point 
has finally been proven enough that it's obviously better than static 
filtering for most engines.  I'd control *what* was allowed out pretty 
darned carefully though- otherwise you'll lose the benefits pretty 
quickly (for instance, if IRC isn't a normal activity, then risking a bot 
going out isn't worth it, if it is normal, then filtering it to the few 
networks that are usually used is probably a good solution...)

>       -What about file extension filtering?

Best done at the application layer- the mail server, and a Web proxy if 
that's appropriate (MIME type filtering is probably the more current 
capability.)  I'd probably hack up Apache's mod_proxy or the fwtk's 
http-gw to get it to do it.  Postfix's regexp filtering would be the mail 
solution I'd use, unless I really wanted to go medieval on it, then I'd do 
a content_filter :)

> Outbound filtering:
>       -Does not allow unnecessary LAN traffic out

See above.

>       -Possibly file extension filtering?

Ditto.


> Currently, web, mail, and dns are being hosted externally.
> Although, we have internal e-mail via MS Mail, with about half
> with Internet access and external e-mail POP accounts, (which
> is currently downloaded separately per user).

I'd do a local caching-only nameserver to save on traffic, and to allow 
extra control over things that are emergent (being able to nuke a zone is 
a really powerful thing.)  A Web cache might not hurt, and Squid might 
have interesting filtering capabilities these days (dunno for sure, 
haven't really looked at it since it was named Harvest.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
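
An added example, not part of the thread above, of what Paul's advice looks like on the *nix-box-as-router he describes: default deny inbound, stateful forwarding, ICMP "fragmentation needed" let through so PMTU discovery survives, and a short egress allow-list with Windows RPC/SMB ports blocked outright. Interface names and the internal prefix are assumed values; the script emits an iptables-restore ruleset rather than applying it, so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset for a
# *nix machine acting as the LAN's router behind the SDSL router.
# Interface names and the LAN prefix below are assumed, not from the thread.
EXT="${EXT:-eth0}"                    # towards the external router (cross-over cable)
LAN="${LAN:-eth1}"                    # towards the 100Mbps LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal prefix

gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this box itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the LAN may query the caching-only nameserver running on this host
-A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# PMTU caveat: "fragmentation needed" (ICMP type 3, code 4) must get through,
# or DF-flagged TCP sessions stall; time-exceeded keeps traceroute usable
-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
-A FORWARD -p icmp --icmp-type 3/4 -j ACCEPT
-A FORWARD -p icmp --icmp-type 11 -j ACCEPT
# stateful: only return traffic for flows the LAN opened is forwarded back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# egress: Windows RPC/NetBIOS/SMB never leave, whatever else is allowed
-A FORWARD -i $LAN -o $EXT -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A FORWARD -i $LAN -o $EXT -p udp -m multiport --dports 135,137,138,139,445 -j DROP
# egress allow-list: web plus SMTP/POP to the externally hosted mail;
# DNS leaves only from this box (OUTPUT chain), not from each workstation
-A FORWARD -i $LAN -o $EXT -s $LAN_NET -p tcp -m multiport --dports 80,443,25,110 -m conntrack --ctstate NEW -j ACCEPT
# everything else (inbound 135 probes, an IRC bot calling out, ...) is logged, then dropped by policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
EOF
}

# Review with `sh fw.sh`; load on the firewall with `sh fw.sh | iptables-restore`.
gen_ruleset
```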

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
