IT guy's I have a question

[mvaughn]

Originally Posted by ynneb I just wonder what to block though. Its hard to know what is a legit access to the internet and what is spyware. I have tried zone alarm in the past and have had all sorts of difficulties with my network afterwards. Are other firewalls more network friendly?

Most hardware firewalls have a hard time distinguishing what is allowed outbound and what is not allowed out. Spyware can be very sneaky and use the same outbound ports as say http traffic. The main purpose for a firewall is to protect a private network from the internet, not from itself.

Zone alarm can be a huge headache just due to the fact that it is an application based firewall. It allows inexperienced end users to control it, bypass it and break it.

Hardware firewall are MUCH more friendly to all parties involved.

[mvaughn]

Originally Posted by Ferenczyg Best bet and better performance vs. money is linux+iptables. You can deploy more than one security subnet (i.e external, DMZ-service, Internal) any as NIC cards you have. Any equipment above PII-500 will be OK if you do not install X, you do not need lot of HD except if you want lot of space for logs and 256-512 MB of ram will be ok. You can -if you dare- deploy IDS (snort) or proxy (squid) in the machine if you need it too. If you want a pure appliance I'm with mvaughn for watchguard, prices are below 400$ for the entry products: http://www.securehq.com/vendors.wml&...21&vendorid=53

I will agree with Ferenczyg about everything except using a common linux distribution for a stand-alone firewall. There are distributions specifically customized to be a firewall and only a firewall, with a little ids, dns, dhcp, and proxy caching on the side it you want.

I can't say enough nice things about the smoothwall firewall distro. http://www.smoothwall.org I've been running it on a machine in my home for the last five to six years and It's been rock solid. It uses either ipchains or iptables, I'm not posititive at the moment.

The best thing is that it has a web based interface that you manage it with. It saves a lot of resources by not running X or any other nonsense services like sendmail that you would get with a modern distro.

[mvaughn]

Originally Posted by Ferenczyg Zone Labs and 350K desktops? Umm.. I think both of us are working for the same company

350,000 desktops with ZoneAlarm..... I'd know I had died and gone to hell if that were me.

[kong]

Back in my Linux days I used to swear by smoothwall, so I guess I will just second that! never used the stand alone distro though, sounds good Another linux freebie that springs to mind is IP-cop, can't remember it too well, but may be worth a look - http://www.ipcop.org/

[mvaughn]

Originally Posted by kong Back in my Linux days I used to swear by smoothwall, so I guess I will just second that! never used the stand alone distro though, sounds good Another linux freebie that springs to mind is IP-cop, can't remember it too well, but may be worth a look - http://www.ipcop.org/

IPcop is good too. After all, it's only a fork of an older version of smoothwall. They haven't released an updated version in a while... although I hear there is one coming.

[mvaughn]

Actually, I take that back. It looks as if IPcop released a new version this month.

[mvaughn]

Hey Kong,

Are you still making and selling those fan grills with your CNC router? You the reason I found and got into this site. I loved your CNC thread on the bit-tech site.

[kong]

Unbelievable, I have infected hundreds of people right across the world! Nah, no more fan grills, too much effort for too little money. I still get people emailing me requests though!

[svenakela]

Smoothwall has for sure made a progress, looks really nice now!

--Sven

[Ferenczyg]

Originally Posted by mvaughn 350,000 desktops with ZoneAlarm..... I'd know I had died and gone to hell if that were me.

Well, Zone Labs changed a bit from where purchased by checkpoint. And the use of a "pure standalone user fw" in a mandatory basis is a good practice. Of course this must not be the only fw in the chain between the end users and the non trusted network.