Apache Lounge Forum Index -> Hardware & Networking
Topic: Firewalls
Jorge
Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Mon 09 Oct '06 16:29    Post subject: Firewalls

Hi all,

I used to use Kerio ServerFirewall.

It is now discontinued and my licence expired.

I'm now looking for an alternative. What made Kerio so special to me:

1) I could configure it via the web browser
2) Grouping of rules (e.g. 4 rules to allow my webserver) could be bundled
3) Setting access policies for rules and groups of rules
4) Light impact on the system
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Mon 09 Oct '06 16:59

I would use a hardware firewall. It never expires, unhackable, configurable by browser, very light on your CPU usage ;)

I use a 4-Port Ethernet Broadband Router D-LINK DI-604 in my company. Starts at 12 Euros.
Jorge
Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Mon 09 Oct '06 17:26

Well, I have 2 of those. Everything is linked to a LinkSys WRT56GX, and I have a Belkin Pre-N that is now working as a switch.
Brian
Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

Posted: Mon 09 Oct '06 23:06

If you have an older machine, or any system you wish to use as a router, you could try a Linux router, something like Smoothwall. It is pretty darn easy to set up and you get far more functionality for the "price", since the software is free.

The disadvantage is that it is actually running on a computer. So if you had an older machine, with maybe a 200W PSU or smaller, or just run a single HD and keep it as lean as possible, you could UPS it and be relatively safe. Just do backups of the config in case of a disk failure.

Even better, if you had a little SMF-sized PC with RAID 1, then run two HDs with fault tolerance.

Me, I use a ZyXel, exceedingly well tested, and it smokes my old Linksys on stability.
Jorge
Joined: 12 Mar 2006
Posts: 376
Location: Belgium

Posted: Wed 11 Oct '06 9:14

Well, what I'm looking for is a solution to run on the server machine itself, not on a separate one.

For now I'm using the McAfee Firewall that came with my McAfee VScan. It's not bad... but it's crap compared to what I used to have.
EElyn
Joined: 16 Oct 2006
Posts: 4

Posted: Mon 16 Oct '06 16:08

James Blond wrote:
> I would use a hardware firewall. It never expires, unhackable, configurable by browser, very light on your CPU usage ;)
>
> I use a 4-Port Ethernet Broadband Router D-LINK DI-604 in my company. Starts at 12 Euros.

Careful about the "unhackable" bit... The only unhackable firewall in existence today is a disconnected firewall. Granted, a HW-based firewall is less prone to hijacking than SW firewalls, but that is mainly due to potential flaws in the vast range of other services a host of a SW-based firewall offers. Still, it does not negate the fact that a HW firewall can be hijacked.

The DI-604, for example, had a major flaw in June 2006, where the classical buffer overflow flaw could allow a bad guy to hijack that particular firewall: http://secunia.com/advisories/21081/ . Not an easy task, I might add, but possible nonetheless :)

The worst firewall setup is actually the default out-of-the-box setup, where all LAN servers/clients can access the Internet unhindered. If you were to set up an SMTP gateway on a LAN box, punching the correct hole in your firewall, and that service is flawed in some way, then a bad guy could "easily" hijack your system even with the firewall in place. Cheap mainstream firewalls do not offer application-level gateway services nor intrusion prevention and detection schemes, so they become in effect powerless against flawed inside services.

Fortunately for us, only a select few bad guys understand how to hack a service. Most fools on the net are script kiddies, and they normally exploit vulnerabilities which are 6 months or more old.

Anyways... HW or SW, a tight firewall setup with regular log monitoring and a strict patching policy for all equipment makes life difficult for bad guys. An unpatched Win98 box (yrk) with an old SW firewall is no match even for script kiddies.
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Mon 16 Oct '06 16:43

Quote:
> The DI-604, for example, had a major flaw in June 2006, where the classical buffer overflow flaw could allow a bad guy to hijack that particular firewall: http://secunia.com/advisories/21081/ . Not an easy task, I might add, but possible nonetheless :)

I know that issue; as the article tells, that was from inside the network and not from outside. And there is a patch for that ;)

Quote:
> An unpatched Win98 box (yrk) with an old SW firewall is no match even for script kiddies.

You are right! Since this summer M$ does not support Win98 anymore. No more patches. So you can call it "proof". Without a scripting engine like WSH it is more secure than Win2k, Win2k3 and XP. Vista I'm not sure.

Win98 is fine. But it does not support much RAM! And for my server I need 2 GB! Also the socket from Win98 is worse.