Carl Zeilon <cznews at att.net> wrote:

> My father helps run the computer network for a small public library in
> Maine. They run a W2000 server (donated by MS) that provides about 15
> machines with Internet access, book checkout data, card catalog info,
> etc. They also host the library's website from this machine. As you can
> guess, they have been Nimda'd & everything else imaginable to death. They
> have a T1 line to a Cisco 1605R router (no firewall software installed) to
> a network hub.
> [...]

Hmm.. First off, I'll note that putting a website behind a firewall is no way to protect it from attacks coming in on port 80. If you have that hole poked in the wall, everything that can fit there can come through it (Nimda would still get in, for example). Of course, if this is an internal-only website, it doesn't matter..

It'd be best to isolate public services from private ones. I'd recommend putting the website on a separate server, and putting it on a different network, if possible. It could be another firewalled network, or it could be put in the `DMZ' between your router and a firewall. I guess this could be difficult if the card catalog is integrated with the website or something, though..

Regardless, since port 80 is visible to the outside, someone will have to watch Microsoft's update sites for patches to IIS all of the time..

I'd have to think that you'd be able to set up something sufficient with the software that's already on the router, but maybe not. It'd probably be a pain to set up, though. Linksys boxes are pretty nice, and they allow configuration through a good web interface. They allow port-forwarding and other fun tricks, but you can only have one subnet behind a box (I think -- I guess the only one I've played with was a single-port model). A Linux box would be good for someone who likes fiddling with things and making a very custom solution, but is probably overkill here.
You might be able to assemble something cheaper than getting a Linksys, but the computer would take up a lot more space, suck more power, etc.. I'd probably end up going for a Linux box myself, but I'm concerned about support for future protocols like IPv6 and stuff too..

-- 
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
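A concrete version of the layout Mike recommends, as an added example that is not part of the original thread: a Linux firewall with three interfaces (outside, DMZ with the public web server, LAN with the library workstations), written as a shell script that prints the iptables rules for review rather than applying them blindly. The interface names and the web server address are assumptions (placeholders), and the script still leaves port 80 open to the web server, so patching IIS remains necessary; the firewall's contribution is that a compromised web server cannot start connections into the LAN.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed interface names:
#   eth0 = T1/router side (outside), eth1 = DMZ (public web server),
#   eth2 = LAN (workstations, catalog data). Addresses are placeholders.
WAN_IF=${WAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
WEB_HOST=${WEB_HOST:-192.0.2.10}   # web server in the DMZ (placeholder)

# Print the ruleset instead of applying it, so it can be reviewed (or
# diffed against the running rules) before anyone types it on the firewall.
gen_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# outside -> DMZ: only the web port, only to the web server
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
# LAN may reach the outside and the web server
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
# a compromised web server must not start connections into the LAN; log the attempt
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -m state --state NEW -j LOG --log-prefix "DMZ->LAN attempt: "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
EOF
}

# Self-check: number of FORWARD rules that ACCEPT a NEW connection into the
# LAN from anywhere. For this design it must be 0.
lan_inbound_new_rules() {
  gen_rules | grep -c -- "-o $LAN_IF .*--state NEW -j ACCEPT" || true
}

# Apply on the firewall itself (needs root): sh thisscript.sh apply
apply_rules() { gen_rules | sh; }

if [ "${1:-}" = apply ]; then apply_rules; fi
```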