
Do I need another firewall with Security Router in place?


marko2002

Technical User
Dec 16, 2003
61
GB
Hi Guys,

Hope to throw open a bit of debate here - basically I'm running a few servers and clients behind a Netgear Router, the servers (except domain controller) are hosting various services and these are allowed through the router using ports I open.

Currently I have no firewalls installed on servers or PC's and full antivirus protection with regular inspection of all logs, and have never really had any problems or successful attacks (please don't take this as an invitation).

My question is this - would I still be vulnerable (I could probably say 'yes' to this myself unless I close every port - though this isn't an option!). I am currently under the impression that a software firewall installed on the servers or PC's would do much the same job as the security router (block ports, etc) although I realise that software firewalls are much more intelligent and can provide much more in the way of information, etc.

As I say, I have no problems with my current setup, though just wondered if I would be best to protect my LAN further and if so, any recommendations!.

Many thanks as always guys

Marko
 
Another layer (SW firewall) is probably not a bad idea. Nevertheless, it is likely going to be mostly redundant on incoming traffic (HW firewall is telling you this already).

With a SW firewall, you stand to gain a lot more control (insurance) over outgoing traffic.


PROS:

- higher security reliability by locking down specific apps and restrictions.

- 'reviewable' logs.

- realtime alerts.



CONS:

- cost of acquisition and rollout, app maintenance, and learning curve.

- configuration sub-optimization (false security) or complexity.

- log inspection time.



Security is an ongoing reliability and PROCESS effectiveness issue, not a series of half-hearted fixes and new initiatives. What attention to detail and knowledge level is this going to require of you? Are you prepared to do that? Are there better alternate uses for your time? What about a HOSTS file and/or IE-Spyad (outgoing controls) - instead of or in addition; with yet more admin requirements?

Having done all security initiatives that you can do, you, at least, demonstrate that you have intelligently tried to cover all your bases consistent with the perceived risks and available resources.



Vince
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]

 
Additional PROS:


Each app must request and be granted (or denied) specific access rights.

Attempted (unauthorized) outgoing traffic from any Trojans, Keyloggers, or Remote Access Apps would become immediately obvious.



Vince

 
thanx for the advice vop - the outgoing issue of Trojans, etc is definitely an issue I must think about as like many I've become too reliant on Antivirus software - and although I'm constantly on top of this with auto-updates from the AV server, SW firewalling can't be a disadvantage! Would it be practical or possible indeed to config 1 client and allow the SW firewall a chance to 'learn' then basically copy 'the' config (if any) file from that SW firewall across to the other clients, giving them the head start?
More importantly from my point of view, what SW firewall would you suggest I introduce to my servers (domain controller with Exchange, web server, ftp server, Live Communications Server, etc) - there are just so many damn variants to choose from!!!

Thanx again for the sound advice.

Marko
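The per-application egress model described in the replies above (each app must ask for and be granted specific outbound access), together with the question of letting one client "learn" and then copying that profile to other machines, is sketched below as an added Python example. It is not code from this thread or from any firewall product named in it; the application names, ports and traffic events are constructed for illustration. Note the caveat the thread raises: a profile learned on a client will not fit a server, so the copied profile is a head start for similar machines, not a substitute for configuring each role.

```python
"""Per-application egress policy with a learning mode (added example).

Models how a software firewall answers allow/deny for each outbound
request (application, protocol, destination port), how a known-clean
reference client can "learn" its own profile, and how that profile is
exported and applied to another client in default-deny mode.
All names, ports and events are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
import json

Rule = Tuple[str, int]  # (protocol, destination port)


@dataclass
class EgressPolicy:
    # application executable -> set of permitted (proto, port) pairs
    rules: Dict[str, Set[Rule]] = field(default_factory=dict)
    learning: bool = False
    # denied attempts are recorded so the log can be reviewed later
    alerts: List[str] = field(default_factory=list)

    def decide(self, app: str, proto: str, port: int) -> str:
        rule = (proto, port)
        if rule in self.rules.get(app, set()):
            return "allow"
        if self.learning:
            # Learning mode: record what the reference client actually needs.
            self.rules.setdefault(app, set()).add(rule)
            return "learn"
        # Default deny: anything not learned or approved is blocked and logged.
        self.alerts.append(f"DENY {app} -> {proto}/{port}")
        return "deny"

    def export_profile(self) -> str:
        """Serialise the learned rules so they can be copied to another client."""
        return json.dumps({app: sorted(r) for app, r in self.rules.items()},
                          sort_keys=True)

    @classmethod
    def from_profile(cls, text: str) -> "EgressPolicy":
        """Build a policy from an exported profile; learning is off (default deny)."""
        data = json.loads(text)
        return cls(rules={app: {tuple(r) for r in rs} for app, rs in data.items()})


# Constructed traffic observed on the reference client while learning.
REFERENCE_TRAFFIC = [
    ("outlook.exe", "tcp", 25),
    ("outlook.exe", "tcp", 443),
    ("iexplore.exe", "tcp", 80),
    ("iexplore.exe", "tcp", 443),
]

# Constructed traffic on a second client after the profile was copied across.
SECOND_CLIENT_TRAFFIC = [
    ("iexplore.exe", "tcp", 443),       # learned on the reference client
    ("unknown_tool.exe", "tcp", 1080),  # never seen before: blocked and logged
    ("outlook.exe", "udp", 53),         # known app, but a port not in its profile
]


def build_and_apply() -> Tuple[List[str], List[str]]:
    """Learn on one client, export, apply to another; return decisions and alerts."""
    ref = EgressPolicy(learning=True)
    for app, proto, port in REFERENCE_TRAFFIC:
        ref.decide(app, proto, port)
    profile = ref.export_profile()

    client = EgressPolicy.from_profile(profile)
    decisions = [client.decide(app, proto, port)
                 for app, proto, port in SECOND_CLIENT_TRAFFIC]
    return decisions, client.alerts


if __name__ == "__main__":
    decisions, alerts = build_and_apply()
    print(decisions)   # ['allow', 'deny', 'deny']
    for line in alerts:
        print(line)
```

The second client's third event shows why the copied profile is only a head start: a legitimate application using a port the reference client never exercised is denied until an administrator reviews the alert and adds the rule, which is exactly the log-inspection cost listed under CONS above.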
 
I am not really up on ‘corporate’ software firewall strategies. You might try:


Category: Firewalls & Perimeter Security



There have been good advances in intelligent ‘learning’ software firewalls in the ‘personal’ area. A server is not going to have the same profile as a client. Therefore, a generic profile is not generally appropriate. The following two (2) products are able to ‘intelligently’ configure (with updateable databases) individual machines on the unique characteristics of that machine.

What I really need to protect my PC – Article (2nd half)
thread83-908564


There are still hiccups and differences of opinion on efficacy of the ‘personal’ approach. See (especially the following links):

New ZoneAlarm Disappoints, Mary Landesman, PC World, August 2, 2004
Okay, Now Try It: ZoneAlarm 5.1, Scot Finnie, Scot's Newsletter, August 2004

Alternately, you may want to take another approach (more reactive than proactive in nature) on risk assessment and containment. Suggest you do a 14 day trial on a very affordable firewall logging tool known as ‘Linklogger’. It is compatible with Netgear routers – you can track all PCs from one lone PC. Track only the outgoing traffic ‘ALERTs’ of interest and send them to your email every so many minutes as you see fit. I set the reporting interval to every 120 minutes and found the exercise amazingly informative and the reporting options exceptionally helpful in seeing emerging risk patterns, particularly in the case of incoming traffic. Some further observations are documented here:

Is a NAT router secure?
thread1117-914607


Vince
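The reporting approach in the reply above (collect the router's log centrally, keep only the outgoing connections of interest, and digest them every so many minutes) is shown below as an added Python example. It is not code from this thread or from Linklogger, and it does not parse any real router's log format: the line format, the expected-traffic table and the sample log lines are all constructed for the example, so the regular expression would need adjusting for a real syslog feed. The reporting window defaults to the 120 minutes mentioned in the post.

```python
"""Outbound-alert digest from router logs (added example).

Parses a constructed log format, drops outbound connections that match an
expected-traffic table, and counts the rest per (source, protocol, port)
inside fixed reporting windows, producing the text you would mail out.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed line format: "<date> <time> OUT <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)

# Constructed policy: outbound (proto, port) pairs each LAN host is expected to
# originate.  "*" applies to every host.  Anything else becomes an ALERT.
EXPECTED: Dict[str, set] = {
    "192.168.0.10": {("TCP", 25), ("TCP", 53), ("UDP", 53)},  # mail server: SMTP + DNS
    "*": {("TCP", 80), ("TCP", 443), ("UDP", 53)},            # any host: web + DNS
}

Key = Tuple[str, str, int]  # (source host, protocol, destination port)


def parse_events(log: str) -> List[dict]:
    """Parse constructed log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dport"]),
        })
    return events


def is_expected(src: str, proto: str, dport: int) -> bool:
    pair = (proto, dport)
    return pair in EXPECTED.get(src, set()) or pair in EXPECTED["*"]


def window_start(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to the start of its reporting window (aligned to midnight)."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    secs = int((ts - midnight).total_seconds())
    size = minutes * 60
    return midnight + timedelta(seconds=(secs // size) * size)


def alert_digest(log: str, minutes: int = 120) -> Dict[str, Dict[Key, int]]:
    """Count unexpected outbound connections per (src, proto, dport) in each window."""
    digest: Dict[str, Dict[Key, int]] = defaultdict(lambda: defaultdict(int))
    for ev in parse_events(log):
        if is_expected(ev["src"], ev["proto"], ev["dport"]):
            continue
        start = window_start(ev["ts"], minutes).strftime("%Y-%m-%d %H:%M")
        digest[start][(ev["src"], ev["proto"], ev["dport"])] += 1
    return {k: dict(v) for k, v in digest.items()}


def render_digest(digest: Dict[str, Dict[Key, int]]) -> str:
    """Render the digest as the plain-text body you would mail out each interval."""
    lines = []
    for start in sorted(digest):
        lines.append(f"== outbound ALERTs, window starting {start} ==")
        for (src, proto, dport), n in sorted(digest[start].items()):
            lines.append(f"  {src} -> {proto}/{dport}: {n} attempt(s)")
    return "\n".join(lines) if lines else "no unexpected outbound traffic"


# Constructed sample log: normal web/mail traffic, one client repeatedly reaching an
# IRC-style port, another client using an odd UDP port, and the mail server trying
# SMB outbound.  The last line is deliberately malformed.
SAMPLE_LOG = """\
2004-08-07 10:00:12 OUT 192.168.0.5:1034 -> 203.0.113.7:80 TCP
2004-08-07 10:01:40 OUT 192.168.0.10:2500 -> 198.51.100.25:25 TCP
2004-08-07 10:03:05 OUT 192.168.0.5:1035 -> 203.0.113.9:6667 TCP
2004-08-07 10:03:09 OUT 192.168.0.5:1036 -> 203.0.113.9:6667 TCP
2004-08-07 11:59:59 OUT 192.168.0.7:1100 -> 203.0.113.40:443 TCP
2004-08-07 12:00:00 OUT 192.168.0.7:1101 -> 192.0.2.66:5555 UDP
2004-08-07 12:30:00 OUT 192.168.0.10:2510 -> 198.51.100.30:445 TCP
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    print(render_digest(alert_digest(SAMPLE_LOG)))
```

The expected-traffic table is the part that needs real thought: it is the same per-host, per-port knowledge a software firewall profile encodes, just applied after the fact at the router log instead of at the moment of the connection, which is why the post calls this approach reactive rather than proactive.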
 
many thanx again vop - this is exactly the kind of info I'm looking for

marko
 
See also:

Netgear Router as only firewall device
thread1117-905358


This serves as a reminder that nasties do sometimes eventually get through. In those cases, you will be glad that you had multiple (even seemingly redundant) protective layers in place.

Vince

 