Need firewall advice

I got attacked this weekend. I run a small business network set up thusly: DSL router (static /24 DSL service) to hub. Real IP address servers for mail, dns, web. All internal servers, workstations, etc. behind Linksys running VPN endpoint to my static DSL at home so I can do remote admin, work, etc. My linux servers on the outside, several were compromised, from what looks like a ssh vulnerability. Rebuilt servers with Trustix, running NO network services but the daemon doing the servers job (DNS, etc.). I feel I need something between the DSL router and hub that feeds the external servers and the linksys. Considering WatchGuard and SonicWall. Need advice on which, and on specific configuration. Thanks!!

Re: Need firewall advice

Hi there,

It is advised to have at least a firewall between your router and DMZ. You can filter things with routers, but most only allow very basic filtering. I don't have any experience with WatchGuard or SonicWall, so I cannot give any meaningful advice about those.

I would also like to point out it is not a good idea to use a hub for your externally available servers. In case of a compromise of only 1 system, all network traffic on it could be sniffed and valuable information obtained. Although not 100% hack proof, a switch is a much better alternative. A switch with private VLANs would be the next step...

Best regards,
Johan.

Quoting mattknows@...:

> I got attacked this weekend. I run a small business network set up
> thusly: DSL router (static /24 DSL service) to hub. Real IP
> address servers for mail, dns, web. All internal servers,
> workstations, etc. behind Linksys running VPN endpoint to my static
> DSL at home so I can do remote admin, work, etc. My linux servers
> on the outside, several were compromised, from what looks like a ssh
> vulnerability. Rebuilt servers with Trustix, running NO network
> services but the daemon doing the servers job (DNS, etc.). I feel I
> need something between the DSL router and hub that feeds the
> external servers and the linksys. Considering WatchGuard and
> SonicWall. Need advice on which, and on specific configuration.
> Thanks!!

RE: Need firewall advice

Matt

It seems strange to go from none to spending a fair bit of cash on a FW. As you seem to know your way around Linux, why not use one of the open source FWs? I personally use Smoothwall: Smoothwall.org, note that smoothwall.net is the non open source corporate version - worth a look if the free one is too limited for you.

I like Smoothy, because it is very extensible and with some of the mods available can be made to have open source content filtering and Snort-based IDS that dynamically blocks attacking IP addresses. I put a post here http://www.logicallysecure.com/forum/viewtopic.php?t=42 about the better mods and what they do (I have used all of the ones listed).

All you need is a reasonable box (I use an old P3 750 with 512 RAM and a 30 GB HDD), 3 NICs and you are off! You can still do DNS and VPN access in - but check the forums, as there is a known problem that requires a change to a file or the external listener will not pass off GRE (VPN) packets to the internal LANs.

Also bin the hubs - they should only be used for capture the flags and honeynets - never production systems and never in DMZs.

Hope this is of some use.

Steve A

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of mattknows@...
Sent: 24 September 2006 20:31
To: firewalls@...
Subject: Need firewall advice

I got attacked this weekend. I run a small business network set up thusly: DSL router (static /24 DSL service) to hub. Real IP address servers for mail, dns, web. All internal servers, workstations, etc. behind Linksys running VPN endpoint to my static DSL at home so I can do remote admin, work, etc. My linux servers on the outside, several were compromised, from what looks like a ssh vulnerability. Rebuilt servers with Trustix, running NO network services but the daemon doing the servers job (DNS, etc.). I feel I need something between the DSL router and hub that feeds the external servers and the linksys. Considering WatchGuard and SonicWall. Need advice on which, and on specific configuration. Thanks!!