firewalls in a small biz environment

Discussion in 'other firewalls' started by Steven Avery, Jun 15, 2009.

Thread Status:
Not open for further replies.
  1. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    110
    Hi Folks,

    This post is a bit of stream of consciousness, please bear with. Some of this may do well on network administration forums as well, but I really am thinking of a network firewall overhaul and Wilder's folks always have good ideas.

    In a small biz environment (in this case about 20 PCs) you need the minimal amount of user intervention, you also would like a network administrator to easily know what was allowed that should be reviewed. So requirements are a bit different than techie-fare.

    A firewall like Online Armor or Outpost might work if the configuration files were set up on one computer for the major programs and then copied over to the others. In the real world, does that make sense ?

    And you would have some cost with such programs because you are using the biz version, a cost that may not be necessary. Cost-benefit analysis anyone ? Recommendations ?

    Right now we are using the Windows Firewall (along with some Symantec stuff, which seems to be largely anti-virus) and the users are reasonably savvy, although occasionally one or two goes haywire (we don't have IP blocklists yet, I am just beginning to monitor this stuff). Working with the Windows Firewall is not the most pleasant, with its one-way actions and lack of information, but it does do a job of sorts.

    We also have an appliance (InstaGate) that was inherited with our mini-computer purchase where we could try to load the firewall stuff. That at the moment is largely dormant.

    And similarly I was somewhat impressed with the idea of taking a program like Spiceworks on a dedicated XP or Linux box and letting that work as a firewall for the whole network. Then at least you have some sensible central administration built in, rather than dealing with 20 firewalls. Maybe you do that and let all the individual PC's roam free. btw, this is all in one building but there is not an administrator here all the time.

    I noticed on a recent network administration trial install (ManageEngine's Desktop Central, fairly impressive) that I ended up going over to a puter and doing a special agent install - which helped mollify the firewall. All a bit strange. And I have various blockages with other softwares -- a backup program eVault and I am trying Spiceworks -- that may be firewall-related. Tedious.

    Interestingly, some programs see a lot more on the network and can do a lot more than others. One agentless backup software (Asigra) was able to grab files from other puters that you would think would ring bells and alarms ! While Autoscan Network "sees" a bunch of stuff, caring little about firewall protections.

    Ok, I covered a wide base. Just want to hear some of your thoughts and suggestions, emphasis on firewall, overlapping a bit with network administration.

    Even on my own puter on the network I am looking to try a quiet firewall. I know Online Armor and I like it (my basic home firewall-HIPS along with some other security programs) .. I just de-installed Comodo and I could try any of the others. A long time ago I used Sunbelt-Kerio and ZoneAlarm, yet of course .. times have changed.

    Is there a freebie or inexpensive one to put on a network environment that really properly replaces the Windows firewall .. by being quiet to the users ?

    Your thoughts ---

    Shalom,
    Steven Avery
     
  2. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Both Comodo and PC Tools firewall are free for commercial use. So you could install them without the HIPS components for silent use.
    But if that is too much work try Filseclab Personal Firewall Professional Edition. It's free and easy to configure.
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Installing/supporting SMB networks is what I do for a living.
    Primary concern...is securing the perimeter via hardware appliance. The days of running a business network behind a home grade Linksys/Nutgear/DLink plain old NAT router are done with, UTM appliances are the desired edge device.

    Juniper, Watchguard, for some common retail ones.
    For open source for the budget aware....I've used Endian and more often lately...Untangle. I recommend taking a peek at Untangle. ;) Not the VM for Windows XP version..that's really just a sales demo tool, not designed for production environments.

    If you're desiring a 3rd party software firewall on each workstation...I recommend looking at a centrally managed product that is managed from an Admin console. Whichever brand you prefer, most of them do have a business grade version which is controlled from a centralized console.

    Spiceworks....have tried it several times...it's a bit...pokey..to say the least.

    Free firewalls are often frowned upon by the support people of line of business software. Of primary concern to any SMB consultant...build your network AROUND the line of business applications.
     
  5. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    OpenDns

    IP/site filtering can be controlled, for employee personal browsing habits. You can disable facebook, myspace, etc. If you're a meanie :thumbd:

    And on a security level, they have decent IP blacklisting.

    It's much recommended.
     
  6. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    128
    Good suggestions, I would say look at Untangle and OpenDNS also. Perfect for small business, and will give you the ability for high level control of the network.
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yes....great addition....for a few years now I have all my clients using OpenDNS. Their networks with domain controllers (which most are)...I have the DNS server properties forwarders going to OpenDNS. For networks with no domain controller, I simply edit the router's DHCP properties and use these instead.

    OpenDNS helps block some malware...so it's a free additional layer of protection. Also they will do free content filtering if you set that up.
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm not applying to the absolute wisdom, but finally I came to a decision that if you use something for "biz" it should be "paid". Otherwise your "biz" fails sooner or later. This is rather a superstition than a logically backed idea, but some sad examples prevent me from taking an extra risk. Feel free to ignore what I did say :)
     
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Well most importantly, paid means you get support. There are a few other paid linux solutions out there not mentioned before like Astaro, Smoothwall, IPCop (have to buy third party support).
     
  10. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    FWIW, I have had good experiences with Kerio's Winroute firewall in a similar environment.

    Winroute is not free, but I like how it requires a separate NIC for internet connection and local network connection.

    Having a firewall on only one PC does help with administration, and since it runs under Windows, it does integrate better in an Active Directory setup.

    If it is for business, I don't think it is good idea to try to "get over" by focusing on free solutions.
     
  11. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    110
    Hi Folks,

    Thanks, I had forgotten that I was checking out Untangle for the firewall function, more than Spiceworks, which I was really playing with more for things like network inventory. My oversight -- I had been concentrating first on the backup realm where the main players were eVault and Asigra (there is an iSeries, for which I am the programmer, backed up in addition to the network. And the iSeries was the main backup issue). eVault we decided on - and I installed the agents tonight, the iSeries has been backing up for a week, now cloud as well as tape. btw, The backup realm is a fascinating area as well, there is not any real discussion about the huge architectural and practical differences in these products that I could find, that was a tough decision, with some vault vendors working with both backup products. (My company settled on VaultLogix, aka DPS, Data Protection Services, and they handle both softwares.)

    And in that realm of network inventory I am getting more out of ManageEngine Desktop Central 6, where I also installed the agents tonight at the same time. (Spiceworks I think is agentless, as is Asigra in the backup realm). Desktop Central is a nice program, free up to 10 users, if the 20 (or it may be 25) user is a few hundred $ I may recommend purchase. Spiceworks is still bogged down thinking of most of the PC's as unidentified, although conceivably that is a Windows Firewall problem. (I told WF about Desktop Central on each PC). I have to check the Spiceworks docs and forums. With ManageEngine they had an excellent knowledgebase (superb on the issue of error messages when you try to connect with the PCs) combined with good support, even for pre-sales trial and free version. Surprising, since they even use Google for ads on the net. Often that is a bad sign in the PC environment, maybe not in the network environment. Sidenote: ManageEngine has separate products for Active Directory and Workgroup, so it was interesting getting started with demos and trials and such.

    So, back to network, Untangle will get primary consideration. When I was referencing "free" it was more on the personal PC firewall side (where we now use Windows Firewall, we have a Symantec subscription for antivirus. btw, We are a food importer). Filseclab and PC Tools (now owned by Symantec I think) were interesting suggestions there (I won't use Comodo for both integrity and practical usage reasons, I uninstalled their firewall off my own PC at work a couple of days ago, actually I may take one of the suggestions made here as a trial-test replacement to try out rather than Online Armor, which I use at home very satisfactorily) -- I wonder if either imports Windows Firewall settings, that would be very helpful.

    A whole nother side issue is finding out when the Symantec subscription ends and how much it costs. Since it is working we probably will keep up, but I will want to consider the alternatives .. may become a network anti-virus discussion in a separate thread. Maybe Untangle or an alternate will substitute in this realm ? InstaGate claimed that they could, but we never put them to the anti-virus test.

    Now, on the firewall, if I use Untangle and/or OpenDNS I probably will end up leaving WF alone. It's there, it works, I understand it now, it's not busted, no real problems. Unless it is recommended to turn off or replace.

    Juniper, Watchguard, Endian were mentioned as being appliance-oriented. I'll have to do some more checking. I didn't think of Untangle as being "appliance", rather the alternative to an appliance like Instagate, so I have to get a better fix on the alternate methods and terminology -- I know that Asigra refers to a Linux box they offer as an option as an "appliance" -- so the terms can be a bit confusing. Is anything using a dedicated centralized administration box referred to as appliance ? The difference with InstaGate is that the box is physically locked in and you control through the web interface, much like a router.

    I will also check Kerio WinRoute, I used to use the personal, now Sunbelt. I see that Kerio only unloaded the personal, so that should be interesting. Note: At this time we have the kludgy workgroup setup, and we probably won't switch to Active Directory unless there is a compelling reason. This was all set up by another person, a whole long story of little interest. I don't really control the setup itself even now, however I have a pretty free hand in lots of administration, removing-preventing malware, setting up security, backup, PC niceties. Pretty much everything other than Windows 2003 server setup and adding and moving the PC's around.

    e.g. I also removed Regcure off one puter tonight, an Ascentive product I plan to unload tomorrow (similar reg scan scareware). And I do install fully free freewares like Free Commander, Firefox and Purrint. I ran Malwarebytes on a puter and saw they consider the Ascentive stuff (PC SpeedScan Pro) as malware, which was a confirmation of how it looked to me, and how WOT sees their stuff. (Note: Malwarebytes had a likely false positive on Magic-iso, something I should check more.) When it comes to uninstall I usually switch to Revo (hmm, have to check the commercial licensing issue there).

    The issue of a nice list of fully-free freewares, even in business environments, comes up. e.g. While I may slightly prefer Total Commander, Free Commander is very capable and there is no compelling reason to get into licensing things on a simple file manager with users who are used to Explorer. If anyone knows of a PC utility list of functional fully free softwares in a commercial setting, please share away. e.g. Not Belarc, maybe WinAudit instead.

    Returning again to firewall, also I will be looking at Astaro, Smoothwall, IPCop. Does the workgroup setup affect the choice much ? I gather if I am going to leave the Windows 2003 server alone I would use a dedicated Linux or XP box for some of these solutions. A dedicated box for a few hundred that does a similar job firewall-wise as the Instagate, but is much easier to manage.

    Thanks for the suggestions and thoughts. Good stuff.

    Shalom,
    Steven
     
    Last edited: Jun 17, 2009
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am wondering what you are choosing to use the firewall for? As an example, I set up firewalls at one point on a small network of 15 computers. Actually, tried a few. The end result was constantly peeps needing changes made. If I let them make changes, either it was allowing everything or nothing. Eventually I decided to forgo any application aware firewalls and use ipSec rules. It is simple enough. I set a batch file to implement all computers. First I delete all values, then use ipseccmd to institute new rules. The rules themselves are simple. Chosen ports/protocol/direction are allowed per subnet or ip. Allow port 80 outbound WAN. Allow netbios ports only local subnet. Remote registry allows you to control. I use VNC to do it myself. Since I have done this, I know what ports will be allowed to go where, user sees no prompts, all I have to worry about is keeping users rights under control and try not to escalate privileges for applications, although that is not always 100% happening.

    Food for thought anyway.

    Sul.
     
  13. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    When comparing the *nix distros out there....some are UTM..so you have NAT router/firewall features...as well as additional UTM features like antivirus scanning/spam removal/etc (which, IMO, should be desired for a business network)...others are really just powerful plain firewalls..NAT boxes.

    M0n0wall, Smoothwall, IPCop (by itself), PFSense, etc...pretty much just NAT boxes with other features.

    Endian, Astaro, Untangle, and IPCop WITH the addition of the Copfilter add-on...those are UTMs.

    Endian does have a community distro you can download for free and install on your own hardware like most other *nix distros. They do have pay for appliances 'n support too.

    Untangle...has a free version, as well as pay for versions.

    I've used IPCop w/Copfilter for some clients years ago...then found Endian and used that for a few. Then Untangle a couple of years ago..since it's a pretty new distro. More features, such as the SpywareBlocker...I've found that's helped my clients remain cleaner after I put Untangle at the edge of their network.

    I commonly use small form factor business grade desktops to run their appliance on, like Compaq/HP Evo/Dc series, or Dell Optiplex models. Sticking with good quality biz grade desktops that have solid proven Intel chipset motherboards, and better onboard NICs, helps make a good stable box. Put in a 2nd NIC, a new hard drive...and install your distro. For some larger clients I've used 1U rack mount servers, like Dell's PowerEdge R200.
     
  14. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Do you find that these distros support the hardware most of time? Have you ever had driver/hardware support issues?
     
  15. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    110
    Hi Folks,

    Thanks, Sul. Actually I am not sure what is needed, the main ideas are to possibly warn the user that something strange is up, and have an admin log with flares and bells that is centralized. A tough order if the firewalls are independent. Untangle might be the way to go. In all likelihood we will simply muddle along with the Windows Firewall for awhile, since we aren't doing bad. Our biggest problem (I looked at all the puters the last couple of days) on the puters were installs of Reg Cure and Ascentive sham products, and only a couple of those, and I knocked them off with warnings.

    However I did load the Outpost freebie on my own puter after knocking off the Comodo stuff, Outpost with the training wheels modality, where it accepts everything on the system as hunky-dory (a bit of a paraphrase). So I did not get a pop-up all day. Wonder .. would my users be stronger with .. something like that .. than continuing to have the one-way Corrigan Windows firewall ? However there are all sorts of practical problems, maybe I am thinking ahead, anticipating more difficulties. Actually I have a couple of friendly users, but that is not available for biz environment anyway.

    Shalom,
    Steven Avery
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I would encourage you to try some ipSec rules instead of windows firewall. Unless you are using Advanced Firewall for Vista or 7.

    Since you are using windows firewall, let me present a batch file that might explain a bit of what you could do with ipSec with no prompts. I don't see it as much different than Windows Firewall really, except ipSec can restrict both inbound and outbound. It reminds me a lot of a simple in/out firewall that is not application aware. If I remember correctly, there are some logs you can enable or view. I also had a thread started some time ago, located here
    https://www.wilderssecurity.com/showthread.php?t=227296&highlight=ipsec

    Code:
    @echo off
    cls
    
    :: ipseccmd filter syntax: source:port:protocol + destination:port:protocol
    :: "0" = this machine's own address(es), "*" = any address/port/protocol.
    :: "+" makes a mirrored (two-way) filter, "=" makes a one-way filter.
    :: Each -p names a policy, each -r a rule inside it, -n PASS/BLOCK the action.
    
    :: Make a simple policy to just allow everything
    ipseccmd -w REG -p "Allow All Traffic" -r "Allow All" -f 0:*:*+*:*:* -n PASS
    ipseccmd -w REG -p "Allow All Traffic" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK
    
    :: Make a simple policy to block everything
    ipseccmd -w REG -p "Block All" -r "Block All" -f *:*:*+*:*:* -n BLOCK
    ipseccmd -w REG -p "Block All" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK
    
    :: Make a simple policy to allow ONLY LAN activity (192.168.1.0/24 assumed)
    ipseccmd -w REG -p "LAN Only" -r "Block All" -f *:*:*+*:*:* -n BLOCK
    ipseccmd -w REG -p "LAN Only" -r "Allow LAN" -f 0:*:*+192.168.1.*:*:* -n PASS
    ipseccmd -w REG -p "LAN Only" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK
    
    :: Make a more complicated policy that encompasses all normal communications needed for daily use
    :: Default deny first; the PASS rules below punch the holes that daily use needs.
    ipseccmd -w REG -p "Firewall" -r "Block All" -f *:*:*+*:*:* -n BLOCK
    ipseccmd -w REG -p "Firewall" -r "Allow LAN" -f 0:*:*+192.168.1.*:*:* -n PASS
    :: DNS to three resolvers (22.22.22.22-24 are placeholders; use your own resolvers), UDP and TCP port 53
    ipseccmd -w REG -p "Firewall" -r "DNS" -f 0:*:UDP+22.22.22.22:53:UDP 0:*:UDP+22.22.22.23:53:UDP 0:*:UDP+22.22.22.24:53:UDP 0:*:TCP+22.22.22.22:53:TCP 0:*:TCP+22.22.22.23:53:TCP 0:*:TCP+22.22.22.24:53:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "FTP Control" -f 0:*:TCP+*:21:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "FTP Data" -f 0:*:TCP+*:20:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "IMAP" -f 0:*:TCP+*:143:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "HTTP" -f 0:*:TCP+*:80:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "HTTPS" -f 0:*:TCP+*:443:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "PROXY" -f 0:*:TCP+*:8080:TCP 0:*:TCP+*:3128:TCP 0:*:TCP+*:8081:TCP 0:*:TCP+*:8000:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "NNTP" -f 0:*:TCP+*:119:TCP -n PASS
    :: NTP is UDP/123
    ipseccmd -w REG -p "Firewall" -r "NTP" -f 0:*:UDP+*:123:UDP -n PASS
    ipseccmd -w REG -p "Firewall" -r "POP3" -f 0:*:TCP+*:110:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "POP3S" -f 0:*:TCP+*:995:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "SMTP" -f 0:*:TCP+*:25:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "SSH" -f 0:*:TCP+*:22:TCP -n PASS
    
    :: Block IKE (UDP 500/4500) so nobody negotiates IPsec with this box
    ipseccmd -w REG -p "Firewall" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK
    ipseccmd -w REG -p "Firewall" -r "Tight VNC" -f 0:*:TCP+*:5900:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "ICMP Allow" -f 0:*:ICMP+*:*:ICMP -n PASS
    
    :: Optional: one-way (inbound) rules for VNC on non-default ports
    ::ipseccmd -w REG -p "Firewall" -r "Stop VNC Defaults" -f *=0:5900:TCP *=0:5800:TCP -n BLOCK
    ::ipseccmd -w REG -p "Firewall" -r "Allow VNC Custom" -f *=0:5999:TCP *=0:5888:TCP -n PASS
    
    :: Optional: block inbound NetBIOS/SMB/RPC and IKE in one rule
    ::ipseccmd -w reg -p "firewall3" -r "Block Big Group" -n BLOCK -f *=0:135:tcp *=0:139:tcp *=0:445:tcp *=0:137:udp *=0:138:udp *=0:445:udp *=0:500:udp
    
    pause
    exit
    
    And here is a reg file to delete these values.

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    I don't know if this is any use to you at all, but it has certainly simplified a lot of my work. You will of course need a copy of ipseccmd.exe to use with that batch file. After you run the batch file, use secpol.msc to look at your ipsec policies, and you can enable whichever you would like. I even have some WMI or AutoIt script examples if you need them for automating which ipSec ruleset is active.

    You can also just create your ipsec rules using the snap-in as well.

    Sul.
     
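    As an added example (not Sully's batch file and not part of ipseccmd), here is a small Python audit script that parses ipseccmd lines of the kind shown above, flags malformed filter specs (an endpoint missing its port field, or carrying an extra field) and lists the destination ports each policy PASSes to any address, which is the centralized "what is allowed" view Steven asked for. The batch text it reads is constructed; the endpoint grammar it checks (addr:port:proto, "+" mirrored, "=" one-way, "0" this machine, "*" any, omitted fields mean any) is ipseccmd's.

```python
"""Audit ipseccmd policies from a batch file: list what each policy passes
or blocks and flag malformed -f filter specs.  Added example; the sample
batch text below is constructed, not taken from any real network."""
import shlex

PROTOS = {"*", "TCP", "UDP", "ICMP", "RAW"}


def parse_endpoint(text):
    """Parse one 'addr[:port[:proto]]' endpoint; omitted fields mean 'any'.
    '0' is the local machine's own address(es), '*' is any address."""
    parts = text.split(":")
    if len(parts) > 3:
        raise ValueError(f"endpoint {text!r} has more than 3 fields (addr:port:proto)")
    parts += ["*"] * (3 - len(parts))          # pad omitted port/proto with 'any'
    addr, port, proto = parts
    if port != "*" and not (port.isdigit() and int(port) <= 65535):
        raise ValueError(f"bad port in {text!r} (fields are addr:port:proto)")
    if proto.upper() not in PROTOS and not proto.isdigit():
        raise ValueError(f"bad protocol in {text!r}")
    return {"addr": addr, "port": port, "proto": proto.upper()}


def parse_filter(spec):
    """'src+dst' is a mirrored (two-way) filter, 'src=dst' is one-way."""
    for sep, mirrored in (("+", True), ("=", False)):
        if sep in spec:
            src, dst = spec.split(sep, 1)
            return {"src": parse_endpoint(src), "dst": parse_endpoint(dst),
                    "mirrored": mirrored}
    raise ValueError(f"filter {spec!r} has neither '+' nor '='")


def parse_ipseccmd_line(line):
    """Return {policy, rule, action, filters} for an ipseccmd line, else None.
    Batch comments ('::' or 'rem') and non-ipseccmd lines are skipped."""
    stripped = line.strip()
    if not stripped or stripped.startswith("::") or stripped.lower().startswith("rem "):
        return None
    tokens = shlex.split(stripped)
    if tokens[0].lower() != "ipseccmd":
        return None
    cmd = {"policy": None, "rule": None, "action": None, "filters": []}
    i = 1
    while i < len(tokens):
        flag, i = tokens[i].lower(), i + 1
        if flag in ("-p", "-r", "-n") and i < len(tokens):
            key = {"-p": "policy", "-r": "rule", "-n": "action"}[flag]
            cmd[key] = tokens[i].upper() if flag == "-n" else tokens[i]
            i += 1
        elif flag == "-f":                        # consume specs up to the next flag
            while i < len(tokens) and not tokens[i].startswith("-"):
                cmd["filters"].append(parse_filter(tokens[i]))
                i += 1
    return cmd


def audit(batch_text):
    """Parse every ipseccmd line; return (rules, errors) with errors as (line_no, msg)."""
    rules, errors = [], []
    for no, line in enumerate(batch_text.splitlines(), 1):
        try:
            cmd = parse_ipseccmd_line(line)
        except ValueError as exc:
            errors.append((no, str(exc)))
            continue
        if cmd:
            rules.append(cmd)
    return rules, errors


def allowed_ports(rules, policy):
    """(proto, port) pairs a policy PASSes to *any* destination address."""
    out = set()
    for r in rules:
        if r["policy"] != policy or r["action"] != "PASS":
            continue
        for f in r["filters"]:
            if f["dst"]["addr"] == "*" and f["dst"]["port"] != "*":
                out.add((f["dst"]["proto"], int(f["dst"]["port"])))
    return out


# Constructed sample: line 7 omits the DNS port, line 9 is a commented-out rule.
SAMPLE_BATCH = r'''@echo off
:: constructed sample in ipseccmd filter syntax
ipseccmd -w REG -p "Firewall" -r "Block All" -f *:*:*+*:*:* -n BLOCK
ipseccmd -w REG -p "Firewall" -r "Allow LAN" -f 0:*:*+192.168.1.*:*:* -n PASS
ipseccmd -w REG -p "Firewall" -r "HTTP" -f 0:*:TCP+*:80:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "HTTPS" -f 0:*:TCP+*:443:TCP -n PASS
ipseccmd -w REG -p "Firewall" -r "DNS" -f 0:*:UDP+10.0.0.53:UDP -n PASS
ipseccmd -w REG -p "Firewall" -r "Stop IPsec" -f *=0:500:UDP *=0:4500:UDP -n BLOCK
::ipseccmd -w REG -p "Firewall" -r "Old" -f 0:*:TCP+*:8081:*:TCP -n PASS
pause
'''

if __name__ == "__main__":
    rules, errors = audit(SAMPLE_BATCH)
    for no, msg in errors:
        print(f"line {no}: {msg}")
    print("Firewall passes to any host:", sorted(allowed_ports(rules, "Firewall")))
```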
  17. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I personally have not...but in forums dedicated to them I see frequent issues.

    What I try to do (as I always do with computers)...is stick with mainstream top notch brands and chipsets. Since I'm an SMB consultant, the computers I work with are business grade/business level workstations. Upper model HP and Dell, not home grade models, and not cloner "el cheapo motherboard of the month" models. I run far far away from stuff that has "Via" or "SiS" chipsets. Business grade models use very standardized chipsets which generally don't have a lot of "fluffy" added features, very bare bones, very rock solid, very compatible, widely supported.

    For the 2nd added NICs....sticking with 3COM and Intel Pro NICs has proven to be reliable and stable. Surprisingly some of the DLink models too.

    The couple of times that I've used laptops to install them on (which I do at home for PFSense)....I used older IBM Thinkpad models. The only time I ran into some hardware that didn't work was when setting up a few laptops...some of the PCMCIA NICs I tried for the 2nd NIC didn't work...so it's a little more picky there.

    Over the years I've taken a strong interest in the various *nix router distros out there...and I've installed and played with a lot of them...a lot of them. There are quite a few, many with their own strengths, depending on what it is you're looking for.

    With my rule of thumb of installing them on solid hardware, I simply don't see the problems I see in some forums about users complaining about them locking up, or having to reboot them. It's those who tend to use more budget parts, or oddball home grade stuff..that have these problems. I find when using solid parts...you install them, configure them..and let them run 24x7x365...rock solid, throw as much load on it as you want...no reboots needed unless you're doing some upgrade to a new version.

    You get features and performance and stability that normally would require some enterprise grade router that would cost over $5,000.00 or much more if you purchased some off the shelf product.
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks YeOldeStonecat
     