Where should I place the firewall?

nnbnbnnbnbHey,

we're getting a new network setup in our company. Security is one of the biggest issues (as it should be in every company). We have 8 workstations and three high-end servers.

The three servers are more or less the backbone, they contain all the sensitive data like customer information, critical files, accounting, etc. They have to be protected, by all means, from being accessed from the Internet.

The workstations need access to the servers mentioned above and they have to be able to use the Internet for websurfing and emailing.

My boss has given me a limited budget (I wanted an unlimited budget (hehe ), but that was out of the question) for making the necessary arrangements.

I've already purchased and configured a RedHat machine which acts as a router/gateway to handle the Internet Connection Sharing part. This gateway is a mailserver as well. And IMO this should be my first line of defense as well. The connection to the Internet is being handled by a cablemodem with a static IP. I already have a switch in the form of a 3Com SuperStack II and a patch panel.

We really need extra security for the 3 servers, so I was thinking about getting a hardware-based firewall like a 3Com OfficeConnect Internet Firewall as the second line of defense. If someone can recommend another firewall of another brand ($400 - $ 500 max) then please don't hesitate to tell me.

I've uploaded a graphical representation of the situation in PDF at the following location:

www.xs4all.nl/~cic00149/schematics.pdf (*)

Now comes the part where it gets tricky (he finally gets to the point, some of you may be thinking ), where should I place the firewall? Should it be between the switch and the 3 servers or between the cablemodem and the Linux gateway?

Thanx in advance!

---

(*) For viewing PDF files you will need Adobe Acrobat Reader which can be download for free at the following location:

www.adobe.com/products/acrobat/readstep2.html

Demon,

There are several ways to handle this, but if you already have a hardware firewall and can purchase another I would take the router/gateway responsibilities away from the Redhat machine and use this as your mailserver.

I would create a DMZ between the 2 firewalls and put your Mailserver there. Use the first firewall as your router/gateway. This will be your first defense. Then use put your 2nd firewall as your 2nd defense, protecting your internal network.

Chris does a great job explaining this in the Firewall/Firewall Topologies page. The diagrams will help you understand the pluses and minuses.

Tom.

Welcome back tfs,

I was just thinking about the diagram available in the page you mention as I was reading your post.

Since I was going to give the same suggestion, I'll stop right here!

The only point I'd like to note is having open ports on any of your firewalls. This seems to be a weak point on most firewalls, which is used by hackers to penetrate firewalls.

You must make sure that only the required ports are open and no unwanted services are running on your firewalls. You should also implement an Intrusion Detection system that will help you catch traffic that might be traces of hackers trying to break in.

Lastly, make sure you use nmap ( www.insecure.org ) to scan your network/firewall for vulnerabilities.

Cheers,

Damn, talking about a fast reply!

Thanx guys, well I kinda figured that running a mailserver on the same machine as the gateway wasn't a good idea. The reason I wanted to use that setup was to reduce the expenses. Then again, a mailserver doesnt need cutting-edge technology and an "older box" will do.

The gateway should be running Linux because I have to meet some specific demands made by my boss, which I think can only be set by using iptables and crontab. The gateway can also be configured as a firewall for outside connections and can be used as the first line of defense.

Now for the second firewall, can you recommend any brand or product?

I have been using Sonicwall for a couple of years and it works great and seems to be in your range ($400-500). Has various models based on number of users (addresses) it will let through (5, 10, 50 etc), so make sure you check your current and future requirements. Easy to configure and update.

I also have used Linksys Routers and Firewalls and they work pretty good for a lot less money. There are various other commodity devices that should work just as well. I could be wrong here, but I would assume you want your best firewall to be your first one IMHO.

Tom.

Staying within a budget while implementing security is an art - its good to see that you're trying to strike that balance.. however cost cutting at the EXPENSE of security (such as the firewall running multiple services is a big no no)

Since your post seems to state that this should be a highly secure network I agree with Tom and Chris that you should create a DMZ for the mailserver and then have an internal firewall for the internal network. If you're worried about intrusion from the internal workgroup .. then a firewall just before the servers is also a very good idea (of course thats more expensive .. three firewalls)

I also think implementing intrusion detection would be a good idea. For host based IDS you can just have a file integrity checker such as tripwire run over the servers.. if you need to implement a network IDS, make it monitor promiscuously at all the critical points of the network. you can use a network tap like a hub to let the IDS look in on the traffic going around the network. Make the IDS invisible by breaking its tcp ip stack (no ip address).

This is all very expensive -- we go back to that art of striking a balance.. but let me just illustrate how easily a misconfiguration can cause outside access to the servers

If the edge firewall allows an inbound request to say an FTP server in the workgroup and that is compromised.. and then your internal firewall allows all traffic from workgroup to server.. the attacker can just attack from the workgroup !

Remember, you're only as strong as your weakest link.. not much point having that fancy firewall if your internal net is soft and mushy.. with people running rogue wifi stations etc. (This may sound implausible.. believe me it is not)

uhh other points - yeah harden those firewalls !! This can be much trickier on the Linux box if you're not familiar with it. Also you might consider using different firewall software for each firewall.. this is a good practice as if an attacker exploits a vulnerability in one firewall package, he needs another one for the other software (of course this is once again more expensive lol

You might seriously consider outsourcing the security to a specialised security company, they will know how to make sure you're secure, and if they're any good, will be able to work with the budget.


And you thought your post was long

Cheers,
Sahir.