
Thread: A simple challenge - get my network online securely.

  1. #17
    peterb

    Re: A simple challenge - get my network online securely.

    Ok! I follow you! Although I guess ZA needs some configuring to do exactly what you want, but I take your point about configuring some of the OS products.

    You may find this http://www.amazon.co.uk/Squid-Defini...2638456&sr=8-1 useful. I haven't read it myself (I don't use squid) but the O'Reilly books tend to be pretty good (I used the Apache one) and it will certainly get you started.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  2. #18
    charleski

    To use Squid as a content filter you'd still need to set up and maintain the site blocking yourself, surely, whereas a commercial solution will do that for you.

  3. #19
    peterb

    Yes, (although you could still use Squid as a local proxy for the access control and logging if that is important).

  4. #20
    Paul Adams

    peterb appears to be the only one that touched on it, but one of the most powerful security hardening procedures you can do is to ensure users are not administrators on their own machines.
    Not necessarily for what they might try to do, but for what a rogue process running under their credentials might try to do without their (or ZA's) knowledge.

    The infrastructure points have mostly been covered, but I would add that having a HOSTS file on your client machines with the name of your Novell server might prevent slow LAN access - as your clients are going to default to the router for name resolution, and I doubt (and hope) your ISP's DNS server knows your internal IP of your file server

    Be wary of setting "trusted networks" per client - if you implicitly trust any internal IP address because they are behind the firewall, in the event of a client being compromised you now have a "man on the inside" that the others will readily accept as friendly...
    It shouldn't even be necessary to "trust" the Novell server, as your clients will be accessing it, not the other way round.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  5. #21
    mycarsavw

    Sorry Paul, I've only just seen your reply

    Quote: Originally Posted by Paul Adams
        peterb appears to be the only one that touched on it, but one of the most powerful security hardening procedures you can do is to ensure users are not administrators on their own machines.
        Not necessarily for what they might try to do, but for what a rogue process running under their credentials might try to do without their (or ZA's) knowledge.

    All users are using Limited User accounts.

    Quote:
        The infrastructure points have mostly been covered, but I would add that having a HOSTS file on your client machines with the name of your Novell server might prevent slow LAN access - as your clients are going to default to the router for name resolution, and I doubt (and hope) your ISP's DNS server knows your internal IP of your file server

    Regarding the HOSTS file;

    Using my current machine as an example

    Code:
        127.0.0.1       localhost

    Would I add another line;

    Code:
        %server IP address%      %servername%  #Novell Server

    Quote:
        Be wary of setting "trusted networks" per client - if you implicitly trust any internal IP address because they are behind the firewall, in the event of a client being compromised you now have a "man on the inside" that the others will readily accept as friendly...
        It shouldn't even be necessary to "trust" the Novell server, as your clients will be accessing it, not the other way round.

    Are you referring to ZA settings here?
    |Kata: "Read title as 'fisting'. Not sure why I clicked. Relieved, really."|
    |TAKTAK: "It was so small that mine wouldn't fit into it"|

  6. #22
    Paul Adams

    Yup, the HOSTS edit just prevents your clients trying DNS lookups when you want to access the NetWare server, then having to time out or fall back to other protocols.
    That's assuming you're running NetWare on TCP/IP and not IPX/SPX *shudder*

    Yes, for a personal firewall I don't think there is value in trusting an entire subnet based on where the traffic comes from (or appears to come from) - thinking "10.x.x.x is my internal network, I can trust all of those machines" isn't a grand idea in my opinion, as it takes only a rogue machine or a friendly machine that has been rooted to expose those others that trust it.
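An added example, not part of the thread and not taken from any product mentioned in it: an audit of a personal firewall's "trusted" entries that flags whole-subnet trust and entries for machines the client only connects out to, the two points made in posts #20 and #22. The (label, spec) entry format, the addresses and the NEEDS_INBOUND list are constructed assumptions, not ZoneAlarm's configuration format.

```python
import ipaddress

# Constructed sample entries; the (label, spec) format is hypothetical and is
# not ZoneAlarm's own configuration format.
TRUSTED_ZONE = [
    ("whole LAN", "10.0.0.0/8"),
    ("office subnet", "10.1.2.0/24"),
    ("file server", "10.1.2.10"),
    ("print box", "10.1.2.20-10.1.2.21"),
]

# Assumption: the only machines that must open connections TO this client.
# The file server is absent on purpose: clients connect to it, not the reverse.
NEEDS_INBOUND = ["10.1.2.20", "10.1.2.21"]


def parse_spec(spec):
    """Turn 'a.b.c.d', 'a.b.c.d/n' or 'first-last' into a list of networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def audit(entries, needs_inbound):
    """Return (label, addresses_trusted, addresses_needed, verdict) per entry."""
    needed = [ipaddress.ip_address(a) for a in needs_inbound]
    findings = []
    for label, spec in entries:
        nets = parse_spec(spec)
        size = sum(n.num_addresses for n in nets)
        hits = sum(1 for a in needed if any(a in n for n in nets))
        if hits == 0:
            verdict = "remove"   # nothing in this entry needs to reach the client
        elif size > hits:
            verdict = "narrow"   # trusts more addresses than have a reason
        else:
            verdict = "ok"
        findings.append((label, size, hits, verdict))
    return findings


if __name__ == "__main__":
    for label, size, hits, verdict in audit(TRUSTED_ZONE, NEEDS_INBOUND):
        print(f"{verdict:7} {label:14} trusts {size} address(es), {hits} needed")
```
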

  7. #23
    mycarsavw

    Quote: Originally Posted by Paul Adams
        Yup, the HOSTS edit just prevents your clients trying DNS lookups when you want to access the NetWare server, then having to time out or fall back to other protocols.
        That's assuming you're running NetWare on TCP/IP and not IPX/SPX *shudder*

    Added and thanks, such a simple thing that I hadn't even thought of

    Between you and I, we were running on BNC over IPX/SPX up until four or so years ago. When I found the time to recable the office we moved on to TCP/IP

    Quote:
        Yes, for a personal firewall I don't think there is value in trusting an entire subnet based on where the traffic comes from (or appears to come from) - thinking "10.x.x.x is my internal network, I can trust all of those machines" isn't a grand idea in my opinion, as it takes only a rogue machine or a friendly machine that has been rooted to expose those others that trust it.

    Thanks again, noted.

    To update a little, I've taken the leap and after I get a few queries resolved on the Smoothwall boards, I should have Smoothwall up and running by next weekend. I did a lot of overtime and sat down and worked through things. A faulty NIC was to blame and it is now in pieces in my office car park after it 'fell' out the 4th storey window

    Next step is ZA pro. All the help is very much appreciated too

  8. #24
    peterb

    Please keep us posted how you get on!

  9. #25
    mycarsavw

    Another NIC down and I'm flying again.

    Amongst other things, I've learnt I need to go back to IP gateway, DNS and routing school, but that aside, it's all going "ok".

    9 new machines are up and running (wow, that was hard work) and all have restricted, protected internet access.

    My smoothwall has been up for two whole days and I can't get enough of checking (or even watching) the bandwidth graphs

    Brief specs of the beast;
    Pentium III (Coppermine) @ 600 Mhz, 347 Mb RAM and a single 40Gb HDD. I'm running DansGuardian for now, but I'm not too au fait with the configuration side of it, so I'm looking for something else to play with in the future.

    I really wanted to go with the ideas thrown out by charleski and feel bad for following them almost to completion and tossing them aside, but something just clicked with Smoothwall and I really got into it. There's something to be said for the satisfaction of making something seemingly so simple (to tens of thousands of people but not me) work after endless hours of trying.

    Thank you both (all) for your advice and assistance.

    ZA Pro here I come....I think....and then a new server next year....whoo and hooo

  10. #26
    peterb

    I'm sure charleski won't mind - in these situations there isn't really one 'best' way of doing things - the best solution for you is the one that meets the requirement AND that you can control and administer. Glad it all clicked with smoothwall!
