
Where should I place the firewall?

20 years 7 months ago #779 by Demon
Thanx Sahir,

yup that was a long post, but worth reading!

Well, I've dropped the plan of running our own mailserver. I'll just contact our ISP for some POP3-accounts and let them take care of that.

To stay within budget I'm getting a 3Com OfficeConnect Firewall as the first line of defense. The second line of defense will be a Linux-based router which will be powered by IPCop Linux.

IPCop offers everything I need:

- Firewalling
- Routing
- Logging
- IDS
- Iptables
- Crontab

The setup will be like this:

cable-modem <===> 3Com Firewall <===> Linux box <===> Switch

If the budget allows it I will add more security to the internal network. But I think (and hope) that the 3Com firewall and the Linux box will provide enough protection from the outside world.

Both firewalls will be configured so that they block all incoming unsolicited traffic. Only web and email traffic will be allowed to go outside.

The only thing I have to worry about are trojan horses: if one of the workstations gets infected by a trojan horse which is able to tunnel its messages over HTTP then I'm screwed :D This can be prevented by running AV software, not a watertight solution, but the best I can think of.

Thanx again, Demon
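The policy in this post (drop unsolicited inbound, permit only web and email outbound, let replies back in) is what a stateful packet filter does. Below is an added illustration in Python, not IPCop's or 3Com's code: a tiny connection-tracking filter run over a constructed traffic sample. The LAN prefix, ports and addresses are assumptions. The last packet shows the gap the post names: an outbound connection to port 80 from an infected host is indistinguishable, at the port level, from browsing.

```python
"""Model of the two-firewall policy described in the post: drop unsolicited
inbound traffic, allow only web and email to leave, and let replies back in
for connections the inside started. Constructed illustration, not IPCop code."""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."                                  # assumed office LAN
EGRESS_PORTS = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 110: "POP3"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Minimal connection tracking: a flow is remembered only when an inside
    host opens it to a permitted port; inbound packets are accepted only as
    replies to a remembered flow."""

    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) tuples opened from inside
        self.log = []        # (verdict, reason, packet) for later review

    def _record(self, verdict, reason, pkt):
        self.log.append((verdict, reason, pkt))
        return verdict

    def decide(self, pkt):
        outbound = pkt.src.startswith(INSIDE_PREFIX) and not pkt.dst.startswith(INSIDE_PREFIX)
        if outbound:
            if pkt.dport in EGRESS_PORTS:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return self._record("ACCEPT", "egress %s" % EGRESS_PORTS[pkt.dport], pkt)
            return self._record("DROP", "egress port %d not permitted" % pkt.dport, pkt)
        # inbound: only a reply to a flow we saw leave is let through
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return self._record("ACCEPT", "reply to established flow", pkt)
        return self._record("DROP", "unsolicited inbound", pkt)


def run_scenario():
    """Constructed packet sequence; returns the filter's verdict for each."""
    fw = StatefulFilter()
    pkts = [
        Packet("192.168.1.35", 40001, "203.0.113.10", 80),    # workstation browses
        Packet("203.0.113.10", 80, "192.168.1.35", 40001),    # web server replies
        Packet("198.51.100.7", 3355, "192.168.1.35", 445),    # unsolicited SMB probe
        Packet("192.168.1.36", 40002, "203.0.113.20", 6667),  # IRC egress, not permitted
        Packet("192.168.1.36", 40003, "203.0.113.20", 80),    # infected host using HTTP:
                                                              # port policy alone accepts it
    ]
    return [fw.decide(p) for p in pkts]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The verdicts come out ACCEPT, ACCEPT, DROP, DROP, ACCEPT. The fifth packet is the point: a port-based egress rule cannot tell a tunnelling trojan from a browser, which is why the post falls back on host AV; a web proxy that can see the HTTP content is the other usual control.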
20 years 7 months ago #799 by sahirh
Ahh HTTP tunneling :) 8) I love that topic.. it's only recently been coming into the limelight.. and it's actually quite deadly.. because there's no real way to guard against it other than not provide web access :) !! Luckily I have yet to come across a trojan which uses this but...
While on the topic of covert channels there ARE trojans (some very easy to use unfortunately) which use ICMP as a covert channel !!! I mean can you imagine a trojan talking through ping requests ! It's fairly simple.. your normal ping request contains the data :

abcdefghijklmnopqrstuvwxyz or something similar... the trojan just sticks its own data there instead.

Nice to see you're up to date on the hot security topics, perhaps you should badger your organisation into making you a Chief Security Officer :) just make sure you get a fat salary for it !! ;)

Good luck with the firewall,
Sahir.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
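Sahir's point is that the echo payload is free-form, so a defender can at least check that what crosses the firewall looks like a stock ping. The following is an added detection sketch in Python (not code from the post or from Firewall.cx): it builds a few constructed ICMP echo packets, parses the header, verifies the checksum, and flags any payload that matches neither the Windows alphabet pattern nor the Linux offset pattern. The Linux template assumes iputils' layout (a 16-byte timestamp followed by bytes whose value equals their offset); adjust it to what your own hosts send.

```python
"""Inspect ICMP echo payloads for data that is not a stock ping pattern.
Added detection sketch; the packets below are constructed, not captures."""
import math
import struct

# Stock payloads to whitelist. Windows ping sends the alphabet cycle; iputils
# ping (Linux) sends a timestamp followed by bytes whose value equals their
# offset (assumed 16-byte timeval, so the tail runs 0x10..0x37 for 56 bytes).
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuv"
LINUX_TS_LEN = 16


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over header and payload (zero when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident, seq, payload, icmp_type=8):
    """Assemble an echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data):
    """Bits per byte; a secondary signal only, see the note on Linux pings."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_payload(payload):
    if payload == WINDOWS_PAYLOAD:
        return "windows-ping"
    tail = payload[LINUX_TS_LEN:]
    if tail and all(b == (LINUX_TS_LEN + i) & 0xFF for i, b in enumerate(tail)):
        return "linux-ping"
    return "unknown"


def inspect_icmp(packets):
    """Return one alert per echo packet whose payload matches no known template."""
    alerts = []
    for pkt in packets:
        if len(pkt) < 8:
            continue
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        if icmp_type not in (0, 8):
            continue                        # only echo request/reply handled here
        payload = pkt[8:]
        if classify_payload(payload) == "unknown":
            alerts.append({
                "id": ident, "seq": seq, "bytes": len(payload),
                "entropy": round(shannon_entropy(payload), 2),
                "checksum_ok": icmp_checksum(pkt) == 0,
                "sample": payload[:16],
            })
    return alerts


def sample_packets():
    """Constructed traffic: two stock pings and one carrying arbitrary text."""
    linux = b"\x00" * LINUX_TS_LEN + bytes(range(LINUX_TS_LEN, 56))
    odd = b"constructed sample: not a ping pattern"       # stands in for smuggled data
    return [
        build_echo(0x1234, 1, WINDOWS_PAYLOAD),
        build_echo(0x1234, 2, linux),
        build_echo(0x1234, 3, odd),
    ]


if __name__ == "__main__":
    for alert in inspect_icmp(sample_packets()):
        print(alert)
```

Only the third packet is reported. Note why the template check comes first: the stock Linux payload has every byte distinct, so its entropy is as high as that of real smuggled data, and an entropy threshold on its own would flag normal pings. In practice this check sits behind a rule that also rate-limits echo traffic, since a covert channel can hide in timing as well as in payload.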
20 years 7 months ago #831 by Demon
Chief Security Officer... now that has a nice ring to it! And a fat salary sounds even better :D Well, actually I am studying for the CompTIA Security+ exam at the moment.

Trojans with the ability to transmit their data in ICMP datagrams make sense. I haven't thought about it, but why shouldn't it be possible. AFAIK every protocol used in networks can be engineered so that it's possible to embed malicious data in it.

Maybe new security features in IPv6 are able to prevent things like this, but until then people should be aware that their networks are at risk and I think that the document Sahir posted at:

www.geocities.com/sahir_h/Personal_Firewalls.doc

will contribute to the fact that users should run Personal Firewalls at their home and office boxes.
18 years 10 months ago #8940 by gatorengineer
I have some questions. I've read this post and reviewed the topologies, but still want to make sure I am providing the most secure network possible. Here is my topology.

Currently I have this setup:

Modem===>Router 1====>Webserver/mail/etc

Router 1===>Firewall===>Personal computers



Now this is where the question comes in. I'm getting another router that is also a print server and I want or need it to handle communication between networks. Also I'm getting numerous old computers that can run as firewalls and servers. What I want to do is build up a network that is secure. Plus I have some neighbors that I'm going to share my connection with. Lastly, this will not be a high traffic website by any means. I am doing this to learn how to set up networks and learn Linux. Now that you know my goals, here is what I want to do:

Key: R=Router
FW=Firewall
GW=Gateway

--Subnet 255.255.255.240
--R 1 IP 192.168.1.1 GW 66.67.???.?? (I have this info)
--FW 1 IP 192.168.1.2 GW 192.168.1.1
--R 2 IP 192.168.1.3 GW 192.168.1.1
--Webserver/mail/etc IP 192.168.1.4 to 192.168.1.5 GW 192.168.1.1
--R 3 (Print server handle communication between networks) IP 192.168.1.33 and 192.168.1.6
--FW 2 (Firewall) IP 192.168.1.34 GW 192.168.1.1
--Personal Computers IP 192.168.1.35 to 192.168.1.40 GW 192.168.1.1



Modem===R 1===>FW 1===>R 2====>Webserver/mail/etc

R 2==>R 3===>FW 2===>Personal Computers


I have set up my personal computers on a different network. Does this make it more safe from attack? Second, if I put a router to handle communication as I have shown (and I need to because those computers need to access the internet) have I lost all the security I gained by putting it on another network, making it a waste? Also remember that R3 is my print server, will I still be able to print on it from behind FW 2?

No matter the answer to the question above, assuming the network stays the same as shown, how would I have to set up Router 3 to accomplish the communication? I understand it needs an IP on both networks, but I am unaware of how to do that on a Linksys type router.

I would like (but this is not a must) to get the index files saved on the Webserver or save the files on the Webserver from the personal computers. Assuming I implement the design above, should I allow the Personal Computers to access files on the Webserver or should I just upload it with FTP to keep security better (assuming this is more secure)?

I had thought about making my webserver on one network and then all the other shared internet connections coming out of Router 1 being on another network. This would be easier. Should I do this instead, assuming I do not lose any security?

Now if this is not the best design to handle my needs, please feel free to tell me how to change it. I included the subnet and IP's to make sure it was clear as to how I wanted the different networks.
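The post lists addresses and a 255.255.255.240 mask but not the resulting subnet boundaries, and that is where a plan like this usually breaks. Below is an added check in Python using the standard library's ipaddress module (not the poster's or Firewall.cx's code): it places each listed address under the /28 mask, reports which network it lands in, and flags any host whose configured default gateway is not on its own link. The addresses and gateways are taken from the post; R 1's public upstream gateway is withheld there and is left out here.

```python
"""Check of the addressing plan in the post: place each listed address under
the 255.255.255.240 mask and flag gateways that are not on the host's own
link. Added example using only the standard library; values come from the
post except where marked."""
import ipaddress

MASK = "255.255.255.240"   # /28: 16 addresses per subnet, 14 usable hosts

# (device, address, default gateway) as listed in the post. R 1's upstream
# gateway is a public address the post withholds; R 3 is listed with two
# addresses and no gateway.
PLAN = [
    ("R 1", "192.168.1.1", None),
    ("FW 1", "192.168.1.2", "192.168.1.1"),
    ("R 2", "192.168.1.3", "192.168.1.1"),
    ("Webserver/mail", "192.168.1.4", "192.168.1.1"),
    ("Webserver/mail", "192.168.1.5", "192.168.1.1"),
    ("R 3 (towards R 2)", "192.168.1.6", None),
    ("R 3 (towards FW 2)", "192.168.1.33", None),
    ("FW 2", "192.168.1.34", "192.168.1.1"),
    ("Personal Computer", "192.168.1.35", "192.168.1.1"),
    ("Personal Computer", "192.168.1.40", "192.168.1.1"),
]


def network_of(addr, mask=MASK):
    """Subnet the address belongs to under the given mask."""
    return ipaddress.ip_interface("%s/%s" % (addr, mask)).network


def gateway_on_link(addr, gw, mask=MASK):
    """True when the gateway sits inside the host's own subnet; a host cannot
    reach a default gateway that is not on-link."""
    return gw is not None and ipaddress.ip_address(gw) in network_of(addr, mask)


def audit(plan=PLAN):
    """Rows of (device, address, network, gateway, on_link); on_link is None
    when no gateway was listed."""
    rows = []
    for dev, addr, gw in plan:
        net = network_of(addr)
        on_link = None if gw is None else gateway_on_link(addr, gw)
        rows.append((dev, addr, str(net), gw, on_link))
    return rows


def subnets_used(plan=PLAN):
    """Distinct /28 networks the plan actually occupies."""
    return sorted({str(network_of(a)) for _, a, _ in plan})


def off_link_gateways(plan=PLAN):
    """Hosts whose configured gateway is unreachable from their own subnet."""
    return [(dev, addr, gw) for dev, addr, _, gw, ok in audit(plan) if ok is False]


if __name__ == "__main__":
    for net in subnets_used():
        n = ipaddress.ip_network(net)
        print("%-18s broadcast %-15s usable hosts %d" % (net, n.broadcast_address, n.num_addresses - 2))
    for dev, addr, net, gw, ok in audit():
        print("%-20s %-13s in %-16s gw %-12s %s" % (dev, addr, net, gw, "" if ok is None else ("on-link" if ok else "OFF-LINK")))
```

Run as-is it shows the plan spans two subnets, 192.168.1.0/28 (.1 to .14) and 192.168.1.32/28 (.33 to .46), that R 3 does have one foot in each, and that FW 2 and the personal computers are in the second subnet while pointing at 192.168.1.1 in the first, which they cannot reach directly. Their default gateway has to be R 3's 192.168.1.33 side (or FW 2, for the PCs behind it), which is exactly the "IP on both networks" arrangement the post asks about.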
18 years 10 months ago #8951 by sahirh
Hi Gator,
It would be good if you could post a network diagram for us to understand the architecture better.....

Remember to remove your public IP addresses from it though :)

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
18 years 10 months ago #8960 by gatorengineer
I understand a diagram would be better, but that would mean I would need to have a webpage up, and at the moment I do not have that capability because I am doing this :). However, I have provided a crude network diagram in the previous post. Maybe an explanation would help.

This is my future network structure

Modem===R 1===>FW 1===>R 2====>Webserver/mail/etc

R 2==>R 3===>FW 2===>Personal Computers


Starting from left to right on the top line. I have the modem connected to Router 1(R1) which goes into Firewall 1 (FW 1) then into Router 2 (R2) and the Webserver/mail/etc connects to R2.

The next line starts with R 2. That means there would be a cable running from R2 to R3 then to FW 2 and then to the Personal Computers.

It's really a simple diagram, just because there are no graphics does not make it hard to understand.