firewalls in a small biz environment

Hi Folks,

This post is a bit of stream of consicousness, please bear with. Some of this may do well on network administration forums as well, but I really am thinking of a network firewall overhaul and Wilder's folks always have good ideas.

In a small biz environment (in this case about 20 PCs) you need the minimal amount of user intervention, you also would like a network administrator to easily know what was allowed that should be reviewed. So requirements are a bit different than techie-fare.

A firewall like Online Armor or Outpost might work if the configuration files were set up on one computer for the major programs and then copied over to the others. In the real world, does that make sense ?

And you would have some cost with such programs because you are using the biz version, a cost that may not be necessary. Cost-benefit analysis anyone ? Recommendations ?

Right now we are using the Windows Firewall (along with some Symantec stuff, which seems to be largely anti-virus) and the users are reasonably savvy, although occasionally one or two goes haywire (we don't have IP blocklists yet, I am just beginning to monitor this stuff). Working with the Windows Firewall is not the most pleasant, with its one-way actions and lack of information, but it does do a job of sorts.

We also have an appliance (InstaGate) that was inherited with our mini-computer purchase where we could try to load the firewall stuff. That at the moment is largely dormant.

And similarly I was somewhat impressed with the idea of taking a program like Spiceworks on a dedicated XP or Linux box and letting that work as a firewall for the whole network. Then at least you have some sensible central administration built in, rather than dealing with 20 firewalls. Maybe you do that and let all the individual PC's roam free. btw, this is all in one building but there is not an administrator here all the time.

I noticed on a recent network administration trial install (ManageEngine's Desktop Central, fairly impressive) that I ended up going over to a puter and doing a special agent install - which helped mollify the firewall. All a bit strange. And I have various blockages with other softwares -- a backup program eVault and I am trying Spiceworks -- that may be firewall-related. Tedious.

Interestingly, some programs see a lot more on the network and can do a lot more than others. One agentless backup software (Asigra) was able to grab files from other puters that you would think would ring bells and alarms ! While Autoscan Network "sees" a bunch of stuff, caring little about firewall protections.

Ok, I covered a wide base. Just want to hear some of your thoughts and suggestions, emphasis on firewall, overlapping a bit with network administration.

Even on my own puter on the network I am looking to try a quiet firewall. I know Online Armor and I like it (my basic home firewall-HIPS along with some other security programs) .. I just de-installed Comodo and I could try any of the others. Along time ago I used Sunbelt-Kerio and ZoneAlarm, yet of course .. times have changed.

Is there a freebie or inexpensive one to put on a network environment that really properly replaces the Windows firewall .. by being quiet to the users ?

Your thoughts ---

Shalom,
Steven Avery

 

Both Comodo and PC Tools firewall are free for commercial use. So you could install them without the HIPS components for silent use.
But if that is too much work try Filseclab Personal Firewall Professional Edition. Its free and easy to configure.

 

Personally I would go for Untagle.

Untagle for Windows can handle up to 25pcs and it's free.

Panagiotis

 

Installing/supporting SMB networks is what I do for a living.
Primary concern...is securing the perimeter via hardware appliance. The days of running a business network behind a home grade Linksys/Nutgear/DLink plain old NAT router are done with, UTM appliances are the desired edge device.

Juniper, Watchguard, for some common retail ones.
For open source for the budget aware....I've used Endian and more often lately...Untangle. I recommend taking a peek at Untangle. Not the VM for Windows XP version..that's really just a sales demo tool, not designed for production environments.

If you're desiring a 3rd party software firewall on each workstation...I recommend looking at a centrally managed product that is managed from an Admin console. Whichever brand you prefer, most of them do have a business grade version which is controlled from a centralized console.

Spiceworks....have tried it several times...it's a bit...pokey..to say the least.

Free firewalls are often frowned upon by the support people of line of business software. Of primary concern to any SMB consultant...but your network AROUND the line of business applications.

 

OpenDns

Ip/site filtering can be controlled, for employee personal browsing habbits. You can disable facebook, myspace, etc. If youre a meanie

And on a security level, they have a decent ip blacklisting.

Its much recommended.

 

Good suggestions, I would say look at Untangle and OpenDNS also. Perfect for small business, and will give you the ability for high level control of the network.

 

Yes....great addition....for a few years now I have all my clients using OpenDNS. Their networks with domain controllers(which most are)...I have the DNS server properties forwarders going to OpenDNS. For networks with no domain controller, I simply edit the routers DHCP properties and use these instead.

OpenDNS helps block some malware...so it'a a free additional layer of protection. Also they will do free content filtering if you set that up.

 

I'm not applying to the absolute wisdom, but finally I came to a decision that if you use something for "biz" it should be "paid". Otherwise your "biz" fails sooner or later. This is rather a superstition than a logically backed idea, but some sad examples prevent me from taking an extra risk. Feel free to ignore what I did say

 

Well most importantly, paid means you get support. There are a few other paid linux solutions out there not mentioned before like Astaro, Smoothwall, IPCop (have to buy third party support).

 

FWIW, I have had good experiences with Kerio's Winroute firewall in a similar environment.

Winroute is not free, but I like how it requires a separate NIC for internet connection and local network connection.

Having a firewall on only one PC does help with administration, and since it runs under Windows, it does integrate better in an Active Directory setup.

If it is for business, I don't think it is good idea to try to "get over" by focusing on free solutions.

 

Hi Folks,

Thanks, I had forgotten that I was checking out Untangle for the firewall function, more than Spiceworks, which I was really playing with more for things like network inventory. My oversight -- I had been concentrating first on the backup realm where the main players were eVault and Asigra (there is an iSeries, for which I am the programmer, backed up in addition to the network. And the iSeries was the main backup issue). eVault we decided on - and I installed the agents tonight, the iSeries has been backing up for a week, now cloud as well as tape. btw, The backup realm is a fascinating area as well, there is not any real discussion about the huge architectural and practical differences in these products that I could find, that was a tuff decision, with some vault vendors working with both backup products. (My company settled on VaultLogix, aka DPS, Data Protection Services, and they handle both softwares.)

And in that realm of network inventory I am getting more out of ManageEngine Desktop Central 6, where I also installed the agents tonight at the same time. (Spiceworks I think is agentless, as is Asigra in the backup realm). Desktop Central is a nice program, free up to 10 users, if the 20 (or it may be 25) user is a few hundred $ I may recommend purchase. Spiceworks is still bogged down thinking of most of the PC's as unidentified, although conceivably that is a Windows Firewall problem. (I told WF about Desktop Central on each PC). I have to check the Spiceworks docs and forums. With ManageEngine they had an excellent knowledgebase (superb on the issue of error messages when you try to connect with the PCs) combined with good support, even for pre-sales trial and free version. Surprising, since they even use Google for ads on the net. Often that is a bad sign in the PC environment, maybe not in the network environment. Sidenote: ManageEngine has separate products for Active Directory and Workgroup, so it was interesting getting started with demos and trials and such.

So, back to network, Untangle will get primary consideration. When I was referencing "free" it was more on the personal PC firewall side (where we now use Windows Firewall, we have a Symantec subscription for antivirus. btw, We are a food importer). Filesclab and PC Tools (now owned by Symantec I think) were interesting suggestions there (I won't use Comodo for both integrity and practical usage reasons, I uninstalled their firewall off my own PC at work a couple of days ago, actually I may take one of the suggestions made here as a trial-test replacement to try out rather than Online Armor, which I use at home very satisfactorily) -- I wonder if either imports Windows Firewall settings, that would be very helpful.

A whole nother side issue is finding out when the Symantec subscription ends and how much it costs. Since it is working we probably will keep up, but I will want to consider the alternatives .. may become a network anti-virus discussion in a separate thread. Maybe Untangle or an alternate will substitute in this realm ? InstaGate claimed that they could, but we never put them to the anti-virus test.

Now, on the firewall, if I use Untangle and/or OpenDNS I probably will end up leaving WF alone. It's there, it works, I understand it now, its not busted, no real problems. Unless it is recommended to turn off or replace.

Juniper, Watchguard, Endian were mentioned as being appliance-oriented. I'll have to do some more checking. I didn't think of Untangle as being "appliance", rather the alternative to an appliance like Instagate, so I have to get a better fix on the alternate methods and terminology -- I know that Asigra refers to a Linux box they offer as an option as an "appliance" -- so the terms can be a bit confusing. Is anything using a dedicated centralized administration box referred to as appliance ? The difference with InstaGate is that the box is physically locked in and you control through the web interface, much like a router.

I will also check Kerio WinRoute, I used to use the personal, now Sunbelt. I see that Kerio only unloaded the personal, so that should be interesting. Note: At this time we have the kludgy workgroup setup, and we probably won't switch to Active Directory unless there is a compelling reason. This was all set up by another person, a whole long story of little interest. I don't really control the setup itself even now, however I have a pretty free hand in lots of administration, removing-preventing malware, setting up security, backup, PC niceties. Pretty much everything other than Windows 2003 server setup and adding and moving the PC's around.

e.g. I also removed Regcure off one puter tonight, an Ascentive product I plan to unload tomorrow (similar reg scan scareware). And I do install fully free freewares like Free Commander, Firefox and Purrint. I ran Malwarebytes on a puter and saw they consider the Ascentive stuff (PC SpeedScan Pro) as malware, which was a confirmation of how it looked to me, and how WOT sees their stuff. (Note: Malwarebytes had a likely false positive on Magic-iso, something I should check more.) When it comes to uninstall I usually switch to Revo (hmm, have to check the commercial licensing issue there).

The issue of a nice list of fully-free freewares, even in business environments, comes up. e.g. While I may slightly prefer Total Commander, Free Commander is very capable and there is no compelling reason to get into licensing things on a simple file manager with users who are used to Explorer. If anyone knows of a PC utility list of functional fully free softwares in a commercial setting, please share away. e.g. Not Belarc, maybe WinAudit instead.

Returning again to firewall, also I will be looking at Astaro, Smoothwall, IPCop. Does the workgroup setup effect the choice much ? I gather if I am going to leave the Windows 2003 server alone I would use a dedicated Linux or XP box for some of these solutions. A dedicated box for a few hundred that does a similar job firewall-wise as the Instagate, but is much easier to manage.

Thanks for the suggestions and thoughts. Good stuff.

Shalom,
Steven

 

I am wondering what you are choosing to use the firewall for? As an example, I setup firewalls at one point on a small network of 15 computers. Actually, tried a few. The end result was constantly peeps needing changes made. If I let them make changes, either it was allowing everything or nothing. Eventually I decided to forgo any application aware firewalls and use ipSec rules. It is simple enough. I set a batch file to implement all computers. First I delete all values, the use ipseccmd to institute new rules. The rules themselves are simple. Chosen ports/protocol/direction are allowed per subnet or ip. Allow port 80 outbound WAN. Allow netbios ports only local subnet. Remote registry allows you to control. I use VNC to do it myself. Since I have done this, I know what ports will be allowed to go where, user sees no prompts, all I have to worry about is keeping users rights under control and try not to escelate privelages for applications, although that is not always 100% happening.

Food for thought anyway.

Sul.

 

When comparing the *nix distros out there....some are UTM..so you have NAT router/firewall features...as well as additional UTM features like antivirus scanning/spam removal/etc (which, IMO, should be desired for a business network)...others are really just powerful plain firewalls..NAT boxes.

M0n0wall, Smoothwall, IPCop (by itself), PFSense, etc...pretty much just NAT boxes with other features.

Endian, Astaro, Untangle, and IPCop WITH the addition of the Copfilter add-on...those are UTMs.

Endian does have a community distro you can download for free and install on your own hardware like most other *nix distros. They do have pay for appliances 'n support too.

Untangle...has a free version, as well as pay for versions.

I've used IPCop w/Copfilter for some clients years ago...then found Endian and used that for a few. Then Untangle a couple of years ago..since it's a pretty new distro. More features, such as the SpywareBlocker...I've found that's helped my clients remain cleaner after I put Untangle at the edge of their network.

I commonly use small form factor business grade desktops to run their appliance on, like Compaq/HP Evo/Dc series, or Dell Optiplex models. Sticking with good quality biz grade desktops that have solid proven Intel chipset motherboards, and better onboard NICs, helps make a good stable box. Put in a 2nd NIC, a new hard drive...and install your distro. For some larger clients I've used 1U rack mount servers, like Dells PowerEdge R200.

 

Do you find that these distros support the hardware most of time? Have you ever had driver/hardware support issues?

 

Hi Folks,

Thanks, Sul. Actually I am not sure what is needed, the main ideas are to possibly warn the user that something strange is up, and have an admin log with flares and bells that is centralized. A tuff order if the firewalls are independent. Untangle might be the way to go. In all likelihood we will simply muddle along with the Windows Firewall for awhile, since we aren't doing bad. Our biggest problem (I looked at all the puters the last couple of days) on the puters were installs of Reg Cure and Ascentive sham products, and only a couple of those, and I knocked them off with warnings.

However I did load the Outpost freebie on my own puter after knocking off the Comodo stuff, Outpost with the training wheels modality, where it accepts everything on the system as hunky-dory (a bit of a paraphrase). So I did not get a pop-up all day. Wonder .. would my users be stronger with .. something like that .. than continuing to have the one-way Corrigan Windows firewall ? However there are all sorts of practical problems, maybe I am thinking ahead, anticipating more difficulties. Actually I have a couple of friendly users, but that is not available for biz environment anyway.

Shalom,
Steven Avery

 

I would encourage you to try some ipSec rules instead of windows firewall. Unless you are using Advanced Firewall for Vista or 7.

Since you are using windows firewall, let me present a batch file that might explain a bit of what you could do with ipSec with no prompts. I don't see it as much different than Windows Firewall really, except ipSec can restrict both inbound and outbound. It reminds me a lot of a simple in/out firewall that is not application aware. If I remember correctly, there are some logs you can enable or view. I also had a thread started some time ago, located here
https://www.wilderssecurity.com/showthread.php?t=227296&highlight=ipsec

Code:

@echo off
cls

:: Make a simple policy to just allow everything
ipseccmd -w REG -p "Allow All Traffic" -r "Allow All" -f 0:*:*+*:*:* -n PASS
ipseccmd -w REG -p "Allow All Traffic" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK

:: Make a simple policy to block everything
ipseccmd -w REG -p "Block All" -r "Block All" -f *:*:*+*:*:* -n BLOCK
ipseccmd -w REG -p "Block All" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK

:: Make a simple policy to allow ONLY LAN activity
ipseccmd -w REG -p "LAN Only" -r "Block All" -f *:*:*+*:*:* -n BLOCK
ipseccmd -w REG -p "LAN Only" -r "Allow LAN" -f 0:*:*+192.168.1.*:*:* -n PASS
ipseccmd -w REG -p "LAN Only" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK

:: Make a more complicated policy that encompasses all normal communications needed for daily use
ipseccmd -w REG -p "Firewall" -r "Block All" -f *:*:*+*:*:* -n BLOCK
ipseccmd -w REG -p "Firewall" -r "Allow LAN" -f 0:*:*+192.168.1.*:*:* -n PASS
ipseccmd -w REG -p "Firewall" -r "DNS" -f 0:*:UDP+22.22.22.22:53:UDP 0:*:UDP+22.22.22.23:53:UDP 0:*:UDP+22.22.22.24:UDP 0:*:TCP+22.22.22.22:53:TCP 0:*:TCP+22.22.22.23:TCP 0:*:TCP+22.22.22.24:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "FTP Control" -f 0:*:TCP+*:21:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "FTP Data" -f 0:*:TCP+*:20:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "IMAP" -f 0:*:TCP+*:143:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "HTTP" -f 0:*:TCP+*:80:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "HTTPS" -f 0:*:TCP+*:443:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "PROXY" -f 0:*:TCP+*:8080:TCP 0:*:TCP+*:3128:TCP 0:*:TCP+*:8081:*:TCP 0:*:TCP+*:8000:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "NNTP" -f 0:*:TCP+*:119:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "NTP" -f 0:*:TCP+*:123:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "POP3" -f 0:*:TCP+*:110:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "POP3S" -f 0:*:TCP+*:995:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "SMTP" -f 0:*:TCP+*:25:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "SSH" -f 0:*:TCP+*:22:TCP -n PASS

ipseccmd -w REG -p "Firewall" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK
ipseccmd -w REG -p "Firewall" -r "Tight VNC" -f 0:*:TCP+*:5900:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "ICMP Allow" -f 0:*:ICMP+*:*:ICMP -n PASS

::ipseccmd -w REG -p "Firewall" -r "Stop VNC Defaults" -f *=0:5900:TCP *=0:5800:TCP -n BLOCK
::ipseccmd -w REG -p "Firewall" -r "Allow VNC Custom" -f *=0:5999:TCP *=0:5888:TCP -n PASS

::ipseccmd -w reg -p "firewall3" -r "Block Big Group" -n BLOCK -f *=0:135:tcp *=0:139:tcp *=0:445:tcp *=0:137:udp *=0:138:udp *=0:445:udp *=0:500:udp

pause
exit

And here is a reg file to delete these values.

Code:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]

I don't know if this is any use to you at all, but it has certainly simplified a lot of my work. You will of course need a copy of ipseccmd.exe to use with that batch file. After you run the batch file, use secpol.msc to look at your ipsec policies, and you can enable whichever you would like. I even have some WMI or AutoIt script examples if you need them for automating which ipSec ruleset is active.

You can also just create your ipsec rules using the snap-in as well.

Sul.

 

I personally have not...but in forums dedicated to them I see frequent issues.

What I try to do (as I always do with computers)...it stick with mainstream top notch brands and chipsets. Since I'm an SMB consultant, the computers I work with are business grade/business level workstations. Upper model HP and Dell, not home grade models, and not cloner "el cheapo motherboard of the month" models. I run far far away from stuff that has "Via" or "SiS" chipsets. Business grade models use very standardized chipsets which generally don't have a lot of "fluffy" added features, very bare bones, very rock solid, very compatible, widely supported.

For the 2nd added NICs....sticking with 3COM and Intel Pro NICs has proven to be reliable and stable. Surprisingly some of the DLink models too.

The couple of times that I've used laptops to install them on (which I do at home for PFSense)....I used older IBM Thinkpad models. The only time I ran into some hardware that didn't work was when setting up a few laptops...some of the PCMCIA NICs I tried for the 2nd NIC didn't work...so it's a little more picky there.

Over the years I've taken a strong interest in the various *nix router distros out there...and I've installed and played with a lot of them...a lot of them. There are quite a few, many with their own strengths, depending on what it is you're looking for.

With my rule of thumb of installing them on solid hardware, I simply don't see the problems I see in some forums about users complaining about them locking up, or having to reboot them. It's those who tend to use more budget parts, or oddball home grade stuff..that have these problems. I find when using solid parts...you install them, configure them..and let them run 24x7x365...rock solid, throw as much load on it as your want...no reboots needed unless you're doing some upgrade to a new version.

You get features and performance and stability that normally would require some enterprise grade router that would cost over $5,000.00 or much more if you purchased some off the shelf product.

 

Thanks YeOldeStonecat