On 8 Oct 2002, at 19:32, Paul A. Shippert wrote:
> First, I am not sure of the 'order of attachment' of the cable modem, router,
> firewall computer (Is it a client or just a big electronic "filter"?), hub, and server.
> I could use some enlightenment on this as a beginning. Is the order cable ->
> cable modem -> firewall computer -> router -> hub? How would the firewall
> computer be configured in such a setup (what O/S, hardware, software, settings
> would be used--I've never set such a thing up.) Also, what kind of changes
> might be necessary in the DHCP area? Would the 192.168.0.2 through 192.168.0.13
> range/scope need to be "redone", or would that be hidden behind whatever
> IP address the cable folks see/assign at the router? firewall? Obviously, I'm
> very unclear on a number of these issues. . . .

cable -> cable modem -> (firewall / router) -> (hub / switch) -> client nodes

Most firewalls do routing as well, so you don't need two separate boxes
for those jobs. A switch will generally provide better LAN performance (and
a little security) than a hub; some routers incorporate a switch, so this
might all be one "network access" box.

There are a couple of different ways that a firewall can be structured.
The most common approach is a "packet filter", a router which allows some
traffic but not all. In order to be effective, it must fit into the
topology such that all traffic must flow *through* it.

There are some good "appliance" firewall boxes on the market for a few
hundred dollars, or it is possible to use a standard PC running Windows
(NT/2K/XP strongly recommended) or Linux, and a firewall application. It is
strongly recommended that, if this route is taken, the OS installation be
"hardened" -- stripped of all components not needed for this job, as any
vulnerable software might allow the firewall to be compromised.

> Second, can certain routers also serve as firewalls? If so, are they
> sufficiently secure? This could become an issue, as, to this point, the
> LAN and its server have been 'cloistered', or in-house only. This network
> is used by the administration of a rather large Property Owners
> Association, and the property management software, as well as certain
> confidential documents, resides on its server. Protection of data on the
> server is a MUST.

Most routers include at least some rudimentary ability to do packet-
filtering, and that *might* be sufficient for your needs. But on a router,
the default behaviour is to allow traffic to pass, and security is an
afterthought. On a properly-designed firewall, the default is to block any
unrecognized traffic, and allow only explicitly permitted traffic to flow.
Since you have confidentiality and legal concerns, I'd pay a little extra
for a real firewall.

("Appliance" firewalls, such as the Netscreen-5, cost slightly more than
installing Linux on an old 486, but the OS is already hardened so that all
the administrator needs to do is specify the addresses to be used and the
traffic to be allowed.)

David Gillett
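
The difference between a router's default-allow filtering and a firewall's default-deny policy, as discussed in the reply above, shown as an added example that is not part of the original message: a small first-match packet filter run over the same constructed traffic under both policies. The server address, the outside host, the blocked ports 139 and 445, and the `reply` flag standing in for connection tracking are all assumptions; address translation is ignored.

```python
# Added example: first-match packet filter under default-allow vs default-deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = "192.168.0.0/28"     # covers the 192.168.0.2-.13 scope in the question
ANY = "0.0.0.0/0"
SERVER = "192.168.0.2"     # assumed server address
OUTSIDE = "203.0.113.7"    # constructed Internet host (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    reply: bool = False    # belongs to a connection a LAN host opened

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str
    dst: str
    dport: Optional[int] = None   # None matches any port
    reply_only: bool = False

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport)
                and (p.reply or not self.reply_only))

def decide(rules, default, p):
    """First matching rule wins; otherwise the default policy applies."""
    return next((r.action for r in rules if r.matches(p)), default)

# Router style: block the ports someone thought of, pass everything else.
ROUTER = ([Rule("deny", ANY, LAN, 139), Rule("deny", ANY, LAN, 445)], "allow")
# Firewall style: permit LAN-initiated traffic and its replies, drop the rest.
FIREWALL = ([Rule("allow", LAN, ANY),
             Rule("allow", ANY, LAN, reply_only=True)], "deny")

TRAFFIC = {   # constructed sample packets
    "lan_to_web": Packet("192.168.0.5", OUTSIDE, 80),
    "web_reply": Packet(OUTSIDE, "192.168.0.5", 1025, reply=True),
    "inbound_139": Packet(OUTSIDE, SERVER, 139),
    "inbound_unlisted": Packet(OUTSIDE, SERVER, 5000),
}

def compare():
    """Return {packet name: (router verdict, firewall verdict)}."""
    return {n: (decide(*ROUTER, p), decide(*FIREWALL, p)) for n, p in TRAFFIC.items()}
```

Only `inbound_unlisted` gets a different verdict: the router passes it because no rule anticipated that port, while the firewall drops it because no rule permits it.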