Firewalls for DMZ

Discussion in 'Hardware' started by Misslemike, Oct 23, 2003.

  1. Misslemike

    Misslemike Private E-2

    Hi geeks,
I'm new to using firewalls, but if I wanted to set up a DMZ at home, please give me advice on some good ones and on a great place to go for instructions. I don't want to install a firewall on every PC and I don't have a firewall router, but I do have a spare P3 hanging around. I want all computers to use that PC for the firewall while that firewall PC is plugged into the NAT router.
     
  2. mr_flea

    mr_flea First Sergeant

    Well from what I understand, it would be better to just buy a new router with a hardware firewall w/dmz feature. It would be cheaper, easier to configure, and not as much of a hassle. That is of course if I understand what you meant correctly.

    BTW, DMZ means Dematerialized Zone, and is a firewall feature that turns off the firewall for a certain computer, I think.
     
  3. Misslemike

    Misslemike Private E-2

    Xflat, you are correct, I want to have additional security outside (or inside) the NAT cable router I have now. But I was wondering on just having one computer providing this for the other 4 workgrouped computers I have.
     
  4. djlowe

    djlowe Private First Class

    Hi,

    As was mentioned above, most inexpensive NAT/routers have hardware firewall capabilities that are more than adequate for home network security. You could harden the PCs further by installing ZoneAlarm on them, I suppose - I tried it and wasn't impressed. I bought ZoneAlarm Pro and tried it on one PC behind a Netgear NAT/firewall/router/switch, thinking that it would enhance security, but I ended up uninstalling it. Once I had set it up for all of my applications, it never triggered because the hardware firewall was sufficient, so there wasn't any point in using it.

    If you're looking for intrusion detection systems in appliance or server form, I doubt you'll find anything cost-effective for home network use; most dedicated security appliances/servers are intended for large networks, and are priced accordingly.

    Snort (http://www.snort.org/) might be what you're looking for if you want to roll your own IDS, don't mind spending the time to do it, either know or are willing to learn how, and have the hardware to do so.

    A DMZ (http://www.webopedia.com/TERM/D/DMZ.html) by definition is less secure than an internal network by its very nature - it's a place to put servers that are available to the public.

    There are a number of things that you can do on the PCs themselves that will help secure them.

    1. Get a good anti-virus program for all PCs, install it and keep it current.

    2. If you're running Windows 2000 Professional or Windows XP Professional, don't log in as Administrator unless necessary, and don't make normal user accounts Administrator equivalent. Remember, any program that you run (intentionally or not) has exactly the same privileges as the user it runs as.

    The problem with restricting user privileges is that there are a lot of programs that will break unless they have access to Windows' system files or the directories in which they reside; they are single-user Win32 applications that were generally ported as-is from Windows 9x, and were never re-written to "know" about Windows 2000/XP security.

    3. If you're using Outlook Express or Outlook, consider switching to another email client that is more secure.

    4. If you're using Internet Explorer, consider switching to another web browser that is more secure.

    5. Don't run server-type applications or unnecessary services on user PCs.

    6. Back up critical systems and verify the backups.

    7. Don't open email from people you don't know.

    8. Don't open email attachments, either... I've never had a virus infect any of my home PCs, although I've had infected attachments get as far as my mailbox.

    I don't accept email attachments even from friends. They email links to neat things, and if I find it interesting enough to download, then I assume the risk in doing so. And, I do the same when I find something interesting.

    If you absolutely have to receive some attachments (for example, word processing files), have them sent in generic formats whenever possible (RTF instead of DOC for Word files, for example).

    Network security can't be accomplished just by installing a device (I wish it were that simple!), and although it is important to have firewalls, etc., it is just as important that users of your network exercise "safe computing practices" :D .

    Regards,

    dj
     
  5. Misslemike

    Misslemike Private E-2

    Thanks djlowe, that was quite a lesson. I just wanted to avoid bogging down resources on the other PCs by running a firewall. I have a Netgear MR814, using wired instead of wireless. I know I am stealthed real well, but someone got in and changed my accounts and passwords once. I would like to have a more secure central system without running firewalls on all PCs. But if none were left on an account with Admin rights, I suppose that would not have happened. But I guess my best bet would be a hardware firewall if I don't want to install on all PCs. Right??? Thanks for the help.
     
  6. djlowe

    djlowe Private First Class

    Hi,

    Yes, if you don't want to use personal firewall software at each PC, you'd need to put a hardware firewall between the MR814 and your PCs.

    I looked up its specs on Netgear's site, and it doesn't have any firewalling features in hardware, but comes with personal firewall software for up to 8 PCs instead (/em scratches his head and wonders why Netgear did that).

    I also looked up the firewall software that comes with it on Zero-Knowledge Software's product site at http://www.freedom.net/products/firewall/ - it appears that it is a yearly subscription service much like ZoneAlarm Pro.

    This FAQ on Netgear's site: http://kbserver.netgear.com/kb_web_files/n100826.asp says that the MR814 comes with a one year subscription for 8 users to the Freedom Personal Firewall software, so if you use it and want to keep it current, you'll need to renew it once the subscription lapses.

    The current price for it is $39.95/year, and they don't appear to offer anything other than single user subscriptions, so you'd have to pay that per year per PC that you wanted to keep protected using their software - something to keep in mind when you're deciding whether to use it or to buy a hardware firewall.

    I use an old Netgear FR314, and have been quite pleased with it. My only gripe is that they removed the serial port and Telnet from all of their products, it seems. My RT314 had both, and they were nice features to have.

    Regards,

    dj
     
  7. djlowe

    djlowe Private First Class

    Hi,

    I forgot to put this in my last post.

    If you're not using the wireless capabilities of your current router, you should still secure them if you haven't yet by enabling the access control list. Enabling the access control list but leaving the list empty should act as a "deny all" via the wireless interface.

    Regards,

    dj
     
