Firewalls

Discussion in 'Software' started by mbmadiw, Oct 5, 2006.

  1. mbmadiw

    mbmadiw Corporal

    I have questions about software and hardware firewalls.

    What do you think about the Norton and Windows Firewalls? If there's something better, why?

    I posted this next part in the Hardware forum and I'm not getting any replies, so I thought I'd try in here. I apologize if that's a problem.

    I manage a small network of about 13 computers. We use wireless Internet from a local provider. Two computers are at this building.

    We then transmit the Internet to a nearby building wirelessly using a wireless access point. The 11 computers at this second building all receive their Internet through CAT 5 from switches wired to the access point.

    There is no data transfer or networking between the buildings. All the computers access the Internet and use email.

    I would like to set up a hardware firewall at the first building. Would a PIX firewall be a good choice? What model? Can anyone give me advice on this?

    Finally, to protect from external intrusion (forget about internal for now) is it necessary to run software firewalls if running PIX or an alternative? I'm guessing the more, the better, but is it too much?

    I know it's a lot. Thanks!

    P.S. Just to clarify: nothing is transmitted wirelessly within the buildings. They're all hardwired inside to access the network.
     
  2. BCGray

    BCGray Guest

    I would PM Mada Milty here at Major Geeks; I believe he does the networking apps for his company, and probably has not seen this post. Either that, or post it in the Networking forum. As you can tell from the lack of response, not too many here in Software are that knowledgeable about networking. I know I am not. Hope that helps.
     
  3. mbmadiw

    mbmadiw Corporal


    Thanks for the suggestion. I wasn't sure of the best forum because it covers more than one, so that helps.

    Thanks!
     
  4. Mada_Milty

    Mada_Milty MajorGeek

    I'm more than willing to help (and I appreciate the vote of confidence, BCGray), but problems/questions are best left in the open forums so that many people can offer their input/experience.

    We use 2 Cisco PIX routers at our two companies. One uses a PIX 5515E for a 40 user setting, and the other uses a smaller model in a 10 user setting. (Can't remember the exact model.)

    I can say that I'm pretty happy with them! They seem to take the crappy power in this building in stride. I've never had to so much as power cycle them.

    One thing you should know is that it does use Cisco IOS. If you plan on administrating these routers, you should be familiar with Cisco's language. If you've ever made an ACL, it should come fairly easy to you.

    Also, the PIX's firewall is a perimeter defense only. While this will protect you from external attacks (if properly configured), you should know that the bigger problem is internal attacks (i.e., DON'T forget about it for now). If your users get infected, the malicious code can (and often will) have a heyday propagating to other users. The PIX can't help you in these cases.

    I strongly recommend software firewalls on each client as well. This will stop viruses from propagating across your network, or spyware from sending any sensitive information out on the internet.
     
    Last edited: Oct 6, 2006
  5. mbmadiw

    mbmadiw Corporal

    I have a Cisco class next semester, so I think that will get me started on the right path. I think I will buy the PIX from a local IT company that I use for support above my head. After my class, I can have them train me specifically on our model, and I hopefully will have a decent grasp on it. I can always use them as backup if needed.

    Since I was asking so many questions in my post, I thought I should leave internal attacks alone until I got past these questions. I do appreciate your concern, and definitely have it just as high of a priority. I have Norton firewalls installed on every computer, but I hear good and bad about those. I'm not sure if I could make a better choice.

    However, I'm probably stuck with Norton. I picked the Norton Internet Security software because of the anti-virus, firewall, and Anti-spam. The anti-spam integrates well into Outlook, which we must use, and it has worked wonderfully. The boss refused to approve funding for anything other than Anti-virus. I was able to bump it up to the NIS package and get the other two things, after a lot of pestering, only because it cost slightly more. They won't approve extra dollars on separate items for each individual thing.

    If they cut funding, which is very possible, I may have to drop back down to just anti-virus again. If I have to do that, will the Windows firewall be decent enough?
     
  6. mbmadiw

    mbmadiw Corporal

    I did have another important question which I can't believe I forgot to ask. I want to run Real VNC on some of these computers I mentioned. By default, it uses port 5900, which can be changed. Will having a PIX installed prevent someone port scanning or anything else from being able to cause damage through that port?
     
  7. Mada_Milty

    Mada_Milty MajorGeek

    Windows firewall is unidirectional, meaning that it will stop viruses from coming INTO the individual machines, but does nothing to stop spyware from sending information OUT. In short, it's not as good as a proper bi-directional firewall, but it is better than nothing.

    As for VNC, you can configure port forwarding on the router. I'm not certain what kind of security issues this presents, to be honest, but I do know that you can enable MAC filtering on that port, so only the explicitly defined network cards could access it.
     
  8. mbmadiw

    mbmadiw Corporal

    I have already used Real VNC on my mom's computer and think it's great.

    I'm just concerned about that port, and if the PIX will protect. I'll try to see what I can find on it.

    Thanks for your time.
     
