Originally Posted by jay_oasis
what about a Linux firewall like IPCop or monowall?
See above, I had a play with Smoothwall but felt defeated
--------------------------------------
Originally Posted by peterb
Hmm - I don't know what the capabilities of the router are. I use a Draytek 2800Vg at home (you wouldn't want the wireless version, but the V version supporting VPN might be useful for any homeworkers - but that isn't in your spec).
The Vigor does support restricted internet hours, so you could close off internet except for 12 to 1 for example, or you could have two subnets, each with a separate time allowance. It also supports subscription to content blacklisters, and you can add your own (or blacklist all and have a whitelist) and also content filtering for sites that implement it.
BT router also supports restricted hours per user so that's an option. No idea if it allows subs to content filters though. It does have a black/white list option.
Smoothwall is very capable, but does need a bit of setting up. You could have internet machines in a DMZ. The options are quite extensive and there is no 'best' way.
Hmm, I tried, and felt deflated. I'm not willing to move back and give it another go, I feel I've "wasted" enough time on it already. I appreciate it's a simple thing, but maybe my heart isn't quite in it <sigh>
From what you describe, you are unlikely to be subject to a targeted attack, so NAT on a reliable router would almost certainly be adequate. I guess that Internet access isn't a core business requirement for the majority of users, but e-mail is.
You could set up a proxy server which would further insulate the users from the internet, although that might be OTT (it would reduce some of your network traffic, particularly if the users are accessing legal web sites). A dedicated mail server could give you centralised virus control and content management, but again adds to the system management burden.
You're right in saying internet access isn't as important as email and a mail server is still something we're toying with. There are, I'd say, 10 major sites that require access, I have a feeling the bulk of access will be during the lunch hour to non-work related sites.
The KISS approach is to invest in a router of known provenance, ensure the AV licences are kept up to date and updates applied (same for the OS - and of course make sure that users are not logging on with admin privileges) and accept the management overhead of making sure the software is updated.
Next step would be to subscribe to a content management service and/or add in something like Smoothwall or a proxy server.
Belt and braces would be a mail server with centralised AV scanning, a proxy server with content filtering/blacklisting and possibly something like Smoothwall, but they must all be correctly configured to avoid the risk of a false sense of security. This should be backed up with enforced company security policy and security instructions to all staff, and is, I would suggest, a bit OTT.
All noted and understood - thank you very much for taking the time.
One other approach might be to ask your ISP to see what they can do as a managed service, if they provide your mail service, they might have AV and spam filters in use or available. Similarly they may be able to offer content filtering.
Hope that gives you some ideas and further avenues to pursue.
Sadly the ISP is BT. They do offer options, but I'm not too convinced I want to rely on them for everything. Another avenue to explore.
--------------------------------------
Originally Posted by charleski
Here are my thoughts, which may or may not be of any help.
If I read your diagram correctly, right now your system effectively has 2 LANs, 1 carrying all of the desktops and the server, connected through the switch and offline, the other consisting of 4 desktops connected to the router/hub and online. You need to change that such that all desktops have internet access, within certain limits, and the server is protected. You don't need any form of VPN or remote access to the network. Is that right?
Spot on.
So you have several aims:
1) Protect all the machines from incoming attacks (DDOS, portscans, etc).
2) Prevent users from accessing undesired sites.
3) Prevent users from initiating insecure outbound connections (e.g. as a result of malware).
4) Prevent any data on the server from outside access.
Again, spot on.
Your idea of simply placing the router on one of the switch ports is probably the right way to go. The router's built-in SPI firewall and NAT will protect against 1).
It seems too simple to me. Is a standard router enough to do what I want?
Requirement 2) (content filtering) depends a lot on your precise needs. If this is the correct guide for your router (BT's site isn't very well laid-out), then the router comes with basic content-filtering built-in. If you need something more sophisticated, then you will need new hardware; in fact the best route would be to replace your current router completely and buy one with more capability and a subscription to a content-filtering service. This would either be a customised box or another PC running gateway software such as the one you mentioned that would then connect to the net through an ADSL modem. Another, cheaper, option is to upgrade to ZoneAlarm Internet Security Suite, which carries a more advanced set of parental controls for content filtering, and ZA is going to be deployed to all the desktops anyway, so it's not adding more software to manage.
The router does have content filtering and it is in place on one machine. It works surprisingly well and coupled with Firefox (and some choice extensions) the machine is still virus/mal/adware free. The history cannot be erased (by the average user) and is inspected weekly. One thing it doesn't do is monitor who uses the machine. Obviously when access is granted to every desktop that'll become easier. I never even thought of replacing the router for an all-in-one solution though - doh!
I presume there's something out there that serves as a router (both wired and wireless), a firewall and a content filter? Is there an off-the-shelf solution or would I have to assemble something? I can build PCs and networks, but I'm stumped on this so far, which is embarrassing.
Requirement 3) will be handled by ZoneAlarm. ZA's management features aren't stellar, but if you only have a limited number of machines and aren't adding new ones regularly, then it works well.
That's what I wanted to hear. If I step up to the ZA Suite I think I'll feel more comfortable. With the machines behind a router/firewall and additional firewalls on each machine I'll be happy. The number of machines is fixed for the foreseeable future.
Requirement 4) could be implemented simply by blocking the server from accessing any IPs outside your network. Small LAN IP addresses are typically assigned in the 192.168.0.xxx range. Your router should have a static LAN-side IP address as well (the internet address assigned by your ISP will usually be dynamic, but that doesn't matter here). If your router's LAN-side IP address is 192.169.0.1, for instance, simply set up an IP-blocker on your server so that it can only contact addresses in the range 192.168.0.2-192.168.0.255. This provides an added layer of security in that the server won't be able to see the internet at all. You say it's a Novell server; facilities for doing this sort of IP blocking may already be built into the OS, but I'm not familiar with Novell.
Of course, how simple. I think this option is already up and running - I'll have a poke about today and see for sure though.
Buying new hardware or creating a new machine to act as an Internet gateway with the appropriate software will ease management issues, but will certainly cost more. What you're paying for is flexibility and the ease with which new machines can be added, if your network is static, then that's not really needed.
The network is static. I think I have it in my head that the router, while fairly decent, just isn't up to the job of protecting the whole site. I think I'm worrying about what the users will do when the internet is given to them.
Thank you too (both of you) for your help, it's good to know I got my requirements out and they were understood.
If the general consensus is to change the router/firewall for something more functional/respected, then that is what I'll do. I perhaps have to trust the users more, which is tricky when it took some of them months to work a mouse.
My next step is to compile a list of gateway servers and/or all-in-one solutions. Who's gonna help with that one then?
One final requirement which I think I missed was the ability to log who visits what (much like the parental controls do in Vista) and access it centrally. I presume again that the dedicated machines/hardware does this already?
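Requirement 4) above (the server may only talk to LAN addresses, never the internet) is the kind of egress allow-list that any host or gateway firewall evaluates first-match. The following is an added illustration, not code from the thread or from any product named in it: it models the rule set for the 192.168.0.x LAN with the router at .1, evaluates constructed connection attempts against it, and renders the same rules in iptables syntax. The LAN layout and the sample log lines are assumptions for the example.

```python
import ipaddress
from ipaddress import IPv4Network

# Assumed LAN layout taken from the thread: 192.168.0.0/24, router at .1.
LAN = IPv4Network("192.168.0.0/24")
ROUTER = IPv4Network("192.168.0.1/32")
ANY = IPv4Network("0.0.0.0/0")

# First-match egress policy for the server: deny the router itself (so nothing is
# forwarded to the internet), accept the rest of the LAN, drop everything else.
SERVER_EGRESS_RULES = [
    ("DROP", ROUTER),
    ("ACCEPT", LAN),
    ("DROP", ANY),
]

def evaluate(dst: str, rules=SERVER_EGRESS_RULES) -> str:
    """Return the action of the first rule whose network contains dst.
    Unparsable destinations are dropped rather than silently allowed."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "DROP"
    if addr.version != 4:
        return "DROP"  # policy above is IPv4-only; deny by default
    for action, net in rules:
        if addr in net:
            return action
    return "DROP"

def render_iptables(rules=SERVER_EGRESS_RULES) -> list:
    """Equivalent OUTPUT-chain rules; order matters because iptables is first-match."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j {action}"
            for action, net in rules]

# Constructed sample of outbound attempts from the server: "src dst port".
SAMPLE_LOG = """\
192.168.0.10 192.168.0.25 445
192.168.0.10 192.168.0.1 80
192.168.0.10 203.0.113.5 443
192.168.0.10 10.0.0.5 25
192.168.0.10 not-an-ip 53
"""

def audit(log: str = SAMPLE_LOG) -> list:
    """(destination, action) per line; DROP entries are what an admin should review."""
    out = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            out.append((parts[1], evaluate(parts[1])))
    return out
```

Any DROP hit for a destination the server is expected to reach is a sign the allow-list is too tight; any ACCEPT for a non-LAN address means a rule is ordered wrongly.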