Firewall on small network

On a small company network (<10 machines) is a 'hardware' firewall solution
built into a router such as the solwise 715pv, sufficient security for the
network or is a more advanced solution required/recommended such as m$ ISA
or a dedicated hardware firewall.

Thanks

Jaime

Jaime wrote:

> On a small company network (<10 machines) is a 'hardware' firewall
> solution built into a router such as the solwise 715pv, sufficient
> security for the network or is a more advanced solution
> required/recommended such as m$ ISA or a dedicated hardware firewall.
>
> Thanks
>
> Jaime
>
>


I would have thought that a built in solution was enough... Don't forget,
though, that a firewall is only a small part of what you need to do to keep
yourself secure.

The firebrick, www.firebrick.info, is aimed at the SOHO environment along
with many others. If you decide that it's worth it you have quite a few to
choose from.

Time spent on patching software and educating users is probably more
rewarding than spending an extra £2k on a firewall...

alex


--
Alexander Mann www.xisp.co.uk
Xanthus Design Ltd www.xanthusdesign.co.uk
__________________________________________________ ___________________
change noreply to alex to reply by email

Alexander Mann wrote:

> Jaime wrote:
>
> > On a small company network (<10 machines) is a 'hardware' firewall
> > solution built into a router such as the solwise 715pv, sufficient
> > security for the network or is a more advanced solution
> > required/recommended such as m$ ISA or a dedicated hardware firewall.
> >
> > Thanks
> >
> > Jaime
> >
> >
>
> I would have thought that a built in solution was enough... Don't forget,
> though, that a firewall is only a small part of what you need to do to keep
> yourself secure.
>
> The firebrick, www.firebrick.info, is aimed at the SOHO environment along
> with many others. If you decide that it's worth it you have quite a few to
> choose from.
>
> Time spent on patching software and educating users is probably more
> rewarding than spending an extra £2k on a firewall...
>
> alex
>
> --
> Alexander Mann www.xisp.co.uk
> Xanthus Design Ltd www.xanthusdesign.co.uk
> __________________________________________________ ___________________
> change noreply to alex to reply by email



And get them all antivirused too !

"Jaime" <(E-Mail Removed)> wrote in message
news:sJmeb.1209$(E-Mail Removed)...
> On a small company network (<10 machines) is a 'hardware' firewall
solution
> built into a router such as the solwise 715pv, sufficient security for the
> network or is a more advanced solution required/recommended such as m$ ISA
> or a dedicated hardware firewall.
>
>
I find the free IPcop ideal. Apart from firewall and intrusion detection its
transparent proxy cache excels when multiple machines decide to do a large
Windowsupdate.

"Clunk" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Alexander Mann wrote:
>
> > Jaime wrote:
> >
> > > On a small company network (<10 machines) is a 'hardware' firewall
> > > solution built into a router such as the solwise 715pv, sufficient
> > > security for the network or is a more advanced solution
> > > required/recommended such as m$ ISA or a dedicated hardware firewall.
> > >
> > > Thanks
> > >
> > > Jaime
> > >
> > >
> >
> > I would have thought that a built in solution was enough... Don't
forget,
> > though, that a firewall is only a small part of what you need to do to
keep
> > yourself secure.
> >
> > The firebrick, www.firebrick.info, is aimed at the SOHO environment
along
> > with many others. If you decide that it's worth it you have quite a few
to
> > choose from.
> >
> > Time spent on patching software and educating users is probably more
> > rewarding than spending an extra £2k on a firewall...
> >
> > alex
> >
> > --
> > Alexander Mann www.xisp.co.uk
> > Xanthus Design Ltd www.xanthusdesign.co.uk
> > __________________________________________________ ___________________
> > change noreply to alex to reply by email
>
>
>
> And get them all antivirused too !


Thanks for both replies, I was defently goijng to go antivirus on all the
workstations. Any idea about anti virus for the server? It would be good if
the server could check all the users files for viruses automatically as an
extra precaution and was protected when the administrator was loged in.

Thanks

Jaime

> > On a small company network (<10 machines) is a 'hardware' firewall
> solution
> > built into a router such as the solwise 715pv, sufficient security for
the
> > network or is a more advanced solution required/recommended such as m$
ISA
> > or a dedicated hardware firewall.
> >
> >
> I find the free IPcop ideal. Apart from firewall and intrusion detection
its
> transparent proxy cache excels when multiple machines decide to do a large
> Windowsupdate.
>

Thanks IPcop looks the way to go especially as we will have a spare machine
that it could be run on. Would there be any issues running both the routers
firewall and the IPcop one behind it to add extra security when all that is
required is basic web browsing and email.

Regards

Jaime

From Jaime:

>On a small company network (<10 machines) is a 'hardware' firewall solution
>built into a router such as the solwise 715pv, sufficient security for the
>network or is a more advanced solution required/recommended such as m$ ISA
>or a dedicated hardware firewall.
>
A good firewall should be a good starting point to your security. You
need to ensure that it is "stateful" and has a reasonable level of
control and security. It is my understanding that the Solwise one is OK
though I have no direct knowledge of it. I would suggest trying to find
a forum for it and posing the question there.

I would, however, strongly recommend that each workstation also runs a
"personal firewall". This will not only back-up the edge-of-network
protection but, more importantly, helps protect your network from
viruses, spyware and trojans by limiting OUTGOING connections by
application.

I personally recommend Agnitum Outpost currently as providing the best
level of security and features though your users may find ZoneAlarm
easier to get on with if they are not particularly PC literate.

If you plan to run your own Internet connected servers - especially if
they are used for selling or other financial or confidential services, I
would recommend that you get a dedicated firewall AND someone who knows
how to set it up correctly (it sounds like you are not yet at this stage
though).

--
Julian Knight,
/--------------------------------------------------------------------\
| *** Remove Anti Spam bits from address for Email Replies *** |
|Home Page: http://www.knightnet.org.uk/ |
|Location : Sheffield, South Yorkshire, United Kingdom. |
|Occupation: Security, Directory, Messaging, Network & PC Consultant |
\--------------------------------------------------------------------/

From Jaime:

....
>> And get them all antivirused too !
>
>
>Thanks for both replies, I was defently goijng to go antivirus on all the
>workstations. Any idea about anti virus for the server? It would be good if
>the server could check all the users files for viruses automatically as an
>extra precaution and was protected when the administrator was loged in.

It doesn't seem to make much difference what AV product you use these
days. None are 100% effective of course but I agree that server AV is
very important, it should AV check your email too of course and be set
to automatically update it's database at least DAILY.

--
Julian Knight,
/--------------------------------------------------------------------\
| *** Remove Anti Spam bits from address for Email Replies *** |
|Home Page: http://www.knightnet.org.uk/ |
|Location : Sheffield, South Yorkshire, United Kingdom. |
|Occupation: Security, Directory, Messaging, Network & PC Consultant |
\--------------------------------------------------------------------/

From Jaime:

>> > On a small company network (<10 machines) is a 'hardware' firewall
>> solution
>> > built into a router such as the solwise 715pv, sufficient security for
>the
>> > network or is a more advanced solution required/recommended such as m$
>ISA
>> > or a dedicated hardware firewall.
>> >
>> >
>> I find the free IPcop ideal. Apart from firewall and intrusion detection
>its
>> transparent proxy cache excels when multiple machines decide to do a large
>> Windowsupdate.
>>
>
>Thanks IPcop looks the way to go especially as we will have a spare machine
>that it could be run on. Would there be any issues running both the routers
>firewall and the IPcop one behind it to add extra security when all that is
>required is basic web browsing and email.

Only that your administrator (you?) will need to understand ALL of the
configurations! Seriously though, this is the common failing of
firewalls, not the technology but the administrator. Having a firewall
makes you FEEL secure but you may not be.

It is worth periodically running some intrusion tools against your
network to ensure that you have all of the main bases covered and that a
seemingly small change to the configurations has not opened up a large
hole.

Other things you might want to consider if you are putting in a Linux
security server are:
- Spam filtering
SpamAssassin is the standard tool for this. It is easy to set up and
reasonably effective at cutting down spam
- Web filtering and caching
This can make your bandwidth go further (by caching commonly used
pages) and help to limit exposure to destructive, damaging or
embarrassing web content.
All these are free of course apart from someone's time to configure and
keep them up-to-date

Of course, adding these services to your security server will slightly
reduce the PC's security but as long as you get rid of all other
software from the box, keep up to date with security bug fixes and have
a reasonable configuration, the benefits far outweigh any real risks.

--
Julian Knight,
/--------------------------------------------------------------------\
| *** Remove Anti Spam bits from address for Email Replies *** |
|Home Page: http://www.knightnet.org.uk/ |
|Location : Sheffield, South Yorkshire, United Kingdom. |
|Occupation: Security, Directory, Messaging, Network & PC Consultant |
\--------------------------------------------------------------------/

snip
>
> It doesn't seem to make much difference what AV product you use these
> days. None are 100% effective of course but I agree that server AV is
> very important, it should AV check your email too of course and be set
> to automatically update it's database at least DAILY.
>

Thanks, any recomendations for a windows 2003 based server?

Jaime