[CentOS] [OT] Corporate Firewall -- [Practices] More? Policies? SNMP?

Thu Nov 10 11:58:17 UTC 2005

Ajay Sharma <ssharma at revsharecorp.com> wrote:
> Hey,
> The company I work for is in the market for a new firewall.

How big of a company?
How much do you want to lock-down access?

Traditionally, people take 3 approaches: 

1. Allow everything out (SOHO 'Ritters)

2. Allow everything out by default, then block destination
ports (SMB 'Ritters)

3. Allow nothing out by default, then open destination ports
(a "real" setup)

Ideally, even in a small-to-medium business (SMB), you should
do #3 and deny _all_ access in _both_ directions, and then
only open on explicit ports as necessary.

This includes not even allowing out 53 (domain), 80 (http)
and 443 (https).  I use dedicated, internal DNS servers and a
proxy server, and only those dedicated systems can get out. 
I also like to setup a SOCKS5 proxy for other protocols,
including SSH.  That way I know about those connections, and
some arbitrary Malware can't simply establish a tunnel
without my knowing about it.

I would at least do such and block those ports even for #2. 
But all it takes is someone to run something on a
non-standard port and they can go right through #2 -- hence
why I do #3.

> Right now we're hosting all of our own stuff (on CentOS
> servers) behind an old checkpoint firewall.

Eeewwwww.  ;->

> I think Checkpoint is overkill for our needs and very
> expensive,

Actually, it might be underkill!

> plus I don't like the "per-user" charges of some commercial
> solutions.

You'll find that still remains true of the top-2 appliances
under $5,000 -- SonicWall (VxWorks-based,
http://www.sonicwall.com/) and WatchGuard (Linux-based,
http://www.watchguard.com/).  25, 100, etc... user licenses
are typical as well.

> What do you guys suggest that we upgrade to?

Depends on size, budget, etc...

I mean, you can go as little as IPCop (http://www.ipcop.org)
and tie it down tight -- such as blocking all outgoing, and
redirecting select ports to internal DNS, proxy and other
servers.  IPCop has IDS and everything else built-in, but
it's a pretty "canned" solution overall.  E.g., last time I
checked, it still used SNAT/DNAT to private IPs for the DMZ
and LAN -- although you _can_ setup 1:1 NAT or "pool" public
IPs.

Or you can spend from hundreds to upwards of $20,000+ on a
Nokia (Linux-based with optional Checkpoint features)
product.  In financial environments, I've typically trusted
Nokia's solutions.

http://www.nokiausa.com/business/security/1,8189,fwall,00.html

Network Associates and Symmantec also sell Linux-based
gateway appliances with scanning features, let alone a huge
3rd party market has been built up around firewalls with
SPAMAssasin and ClamAV built-in for inbound SMTP.  A
consideration if your SMTP server(s) are in the DMZ.

> Here are some of the features that I would like:
> 1) decent gui, either web based or a local client

One thing to remember with a web-based client -- don't use
the same browser profile (and all its cookies) that you use
to surf the web with.

> 2) usage graphs based on protocol.

A managed layer-2/3 switch on your network would provide a
far better solution for this -- probably at a lower price.

Cisco has some excellent 5000 series SMB switches for a
couple thousand with lots of such capabilities, as well as
built-in PIX.  I didn't know if you were a Cisco shop.

And if that's still too costly, the NetGear FSM7328
(http://www.netgear.com/products/details/FSM7328S.php) has an
entry-level layer-3 switch (RIPv1/v2, including port-to-port
switching across VLANs of different subnets) with 4xGbE,
24x100M that has full SNMPv3, RMON, etc... for under $400
(double the 100M ports with the FSM7352S for a couple hundred
more).  You can also setup a monitoring port to tap your
internal IDS to.

As you can see, there are a _lot_ of considerations here --
many outside the real of your "gateway device."  ;->

> So if our tiny T1 is saturated, I want to be able to find
> out what's eating up the bandwidth

You can do that with an intelligent layer-2 (or layer-3)
switch for your _entire_ LAN, not just the Internet
connection.

> 3) VPN-friendly for a couple of road-warriors.

You can do VPN at the gateway, or you can pass it through to
a VPN device behind the device (possibly into a limited
access DMZ).

> There won't be any remote offices so no server-to-server
> setups, just remote clients.

I was going to say, if you start doing more than 1 subnet,
then having a layer-3 switch is a _huge_ advantage.  If
anyone is remotely considering connecting two networks, plus
having roaming users, then those networks could really use a
layer-3 switch.

Including the recent thread on routing issues with a VPN and
multiple subnets.  ;->

[ Oh if I could only take a baseball to some of my "smaller"
clients in the past that said, "why do I have to pay over
$500 for only a few GbE ports when I can get a Linksys 8-port
GbE for under $100?"  Grrrrrr.  Thank God for NetGear's
entry-level FSM7328S product, or I'd _never_ get routing
problems solved at this firms! ]

> 4) we have a DMZ and about 30 machines on the local
> network.  Everyone has a "normal" IP address, meaning that
> no one is behind NAT.

That's one area where IPCop doesn't really care for.  I've
never tried it without using private IPs.  But you can setup
public IPs to 1:1 NAT, as well as pool connections.

> So it needs to handle this (which is pretty basic stuff)
> 5) high-availablity.  So if I buy two machines, one can
> successfully die and the other take over.

With IPCop, you can save all settings to a floppy and build a
replacement, or download/upload settings.  But no, it doesn't
have heartbeat/failover capabilities.

Other software solutions in Linux do offer them, and there
are devices that such.

But if you're really worried about that, then you should
_also_ be worried about the router beyond your gateway
device.  It should do Hot Standby Routing Protocol (HSRP)
otherwise you're fail-over design will be incomplete.

And then what about your internal network, DMZ, etc...?

I mean, what's the sense of building redundancy at the
gateway if the router beyond the gateway can still fail (let
alone you don't know if it has!), or the ports of the LAN
have, etc...

E.g., you _could_ consider an "all-in-one," dual-unit product
that is the external routers, gateway, internal switch
ports/router, firewall, IDS, etc... all-in-one, that fails
over between 2 devices.  I'm clearly looking at the Cisco
5000 series now, and it ain't so cheap with those features. 
;->

> 6) no per-user charges.  If the company hires a dozen
> people next year, we shouldn't have to "upgrade" our
> license.

Then forget a lot of products.  The key is that depending on
the features you want, some might be per-user -- especially
if they are software/firmware of gateway/firewall/IDS/etc...
appliances.

> Right now we're looking at some open-source stuff like
> pfsense, m0n0wall, etc...  But I'm totally open to an
> affordable commercial firewall appliance.

I could make far better recommendations if I knew how many
users (current and possible), components of your network that
you have or want to implement (you have IDS, right? ;-), how
much you are willing to tie down your outgoing access (e.g.,
internal DNS, proxy, etc... servers), etc... and what other
networking hardware you are currently using (e.g., does your
internal switch currently have SNMP/RMON capabilities?).

And especially your budget.

Given your list of desires for a gateway device, I think you
might be overlooking a lot of things that you should probably
do outside of the gateway device.

-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)