Topic: Firewalls
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
Posted: Mon 09 Oct '06 16:29 Post subject: Firewalls
Hi all,
I used to use Kerio ServerFirewall. It is now discontinued and my license expired.
I'm now looking for an alternative. What made Kerio so special to me:
1) I could configure it via the web browser
2) Grouping of rules (e.g. 4 rules to allow my webserver) could be bundled
3) Setting access policies for rules and groups of rules
4) Light impact on the system
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 09 Oct '06 16:59 Post subject:
I would use a hardware firewall. It never expires, unhackable, configurable by browser, very light on your CPU usage.
I use a 4-Port Ethernet Broadband Router D-LINK DI-604 in my company. Starts at 12 Euros.
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
Posted: Mon 09 Oct '06 17:26 Post subject:
Well, I have 2 of those. Everything is linked to a LinkSys WRT56GX and I have a Belkin Pre-N that is now working as a switch.
Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
Posted: Mon 09 Oct '06 23:06 Post subject:
If you have an older machine, or any system you wish to use as a router, you could try a Linux router, something like Smoothwall. It is pretty darn easy to set up and you get far more functionality for the "price" since the software is free.
The disadvantage is it is actually running on a computer. So if you had an older machine, with maybe a 200W PS or smaller, or just run a single HD and keep it as lean as possible, you could UPS it and be relatively safe. Just do backups of the config in case of a disk failure.
Even better, if you had a little SMF sized PC with RAID 1, then run two HDs with fault tolerance.
Me, I use a ZyXel; exceedingly well tested, and it smokes my old Linksys on stability.
Jorge
Joined: 12 Mar 2006 Posts: 376 Location: Belgium
Posted: Wed 11 Oct '06 9:14 Post subject:
Well, what I'm looking for is a solution to run on the server machine itself, not on a separate one.
For now I'm using the McAfee Firewall that came with my McAfee VScan. It's not bad... but it's crap compared to what I used to have.
EElyn
Joined: 16 Oct 2006 Posts: 4
Posted: Mon 16 Oct '06 16:08 Post subject:
James Blond wrote:
> I would use a hardware firewall. It never expires, unhackable, configurable by browser, very light on your CPU usage.
> I use a 4-Port Ethernet Broadband Router D-LINK DI-604 in my company. Starts at 12 Euros.

Careful about the "unhackable" bit... The only unhackable firewall in existence today is a disconnected firewall. Granted, a HW-based firewall is less prone to hijacking than SW firewalls, but that is mainly due to potential flaws in the vast range of other services a host of a SW-based firewall offers. Still, it does not negate the fact that a HW firewall can be hijacked.
The DI-604 for example had a major flaw in June 2006, where the classical buffer overflow flaw could allow a bad guy to hijack that particular firewall... http://secunia.com/advisories/21081/ ... Not an easy task I might add, but possible nonetheless.
The worst firewall setup is actually the default out-of-the-box setup, where all LAN servers/clients can access the Internet unhindered. If you were to set up an SMTP gateway on a LAN box, punching the correct hole in your firewall, and that service is flawed in some way, then a bad guy could "easily" hijack your system even with the firewall in place. Cheap mainstream firewalls do not offer application-level gateway services nor intrusion prevention and detection schemes, so they become in effect powerless against flawed inside services.
Fortunately for us, only a select few bad guys understand how to hack a service. Most fools on the net are script kiddies, and they normally exploit vulnerabilities which are 6 months or more old.
Anyways... HW or SW... a tight firewall setup with regular log monitoring and a strict patching policy for all equipment makes life difficult for bad guys. An unpatched Win98 box (yrk) with an old SW firewall is no match even for script kiddies.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 16 Oct '06 16:43 Post subject:
Quote:
> The DI-604 for example had a major flaw in June 2006, where the classical buffer overflow flaw could allow a bad guy to hijack that particular firewall... http://secunia.com/advisories/21081/ ... Not an easy task I might add, but possible nonetheless.

I know that issue; as the article tells, that was from inside the network and not from outside. And there is a patch for that.
Quote:
> An unpatched Win98 box (yrk) with an old SW firewall is no match even for script kiddies.

You are right! Since this summer M$ does not support Win98 anymore. No more patches. So you can call it "proof". Without that scripting engine like WSH it is more secure than Win2k, Win2k3 and XP. Vista I'm not sure.
Win98 is fine. But it does not support much RAM! And for my server I need 2 GB! Also the socket from Win98 is worse.