Setting up a LAN/VPN Firewall


mazzy1026
4th Feb 2005, 09:47
We are setting up a network as part of one of the final year modules at University and we need some guidance from the networking experts out there!

We have one server (WinServer 2003) and 3 clients (XP Prof). We will be using a standard switch, and CAT 5 etc, within the compounds of our classroom.

We are challenged to set up a secure network, with a VPN (Virtual Private Network) and I have been put in charge of installing, and configuring the firewall(s) (or "a" firewall).

Basically, can anyone advise me on the following:

What firewall to use?
Best way to go about configuring it?
Any firewall advice/issues that may be relevant?

I am asking a lot here, so any help will be received gratefully :ok:

Any advice on any of the topics you think may be an issue is welcome.

Many thanks,

Maz ;)

I know firewalls have been discussed before, I am aiming for a more personal viewpoint for the LAN

Evo
4th Feb 2005, 10:46
Not really something I know much about (but when did that ever stop me? :O ), but I'd look at smoothwall (http://www.smoothwall.org/) as a firewall (because it's free, and, I believe, highly configurable - the standard consumer firewalls will probably be a bit limited). Also, for testing it, I'd take a look at nmap (http://www.insecure.org/nmap/). Playing with the latter taught me a fair bit about what my firewall could and couldn't do.

edit: http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html may be a bit old, but it might be useful for the basics. Don't know what level I'm pitching at.

swh
4th Feb 2005, 15:34
Mazz

Is this VPN all within the same subnet? Or are the clients and server on separate subnets via the internet?

Advice changes with the configuration used, for a real VPN I would use Cisco VPN (http://www.cisco.com/en/US/products/hw/vpndevc/index.html)

Recommend Managing Cisco Network Security (http://www.amazon.com/exec/obidos/ASIN/1578701031/bestdamlogger/002-1818019-3637630)

:ok:

drauk
4th Feb 2005, 17:31
The big question is whether you're going to be running one or more servers of any kind, i.e. what level of access do you need IN to your network from outside the firewall?

mazzy1026
4th Feb 2005, 17:38
Ok, there is one server - Imagine a room with 4 computers in, well basically, that's it (3 clients). We also have to connect it to the WAN for internet access, and we need to set up a remote access.

Lost_luggage34
4th Feb 2005, 18:02
So presumably the VPN will be used across the Internet connection for Remote Access? Is Remote Access required to all clients or just the Server?

It is this (the VPN service), therefore, and the Internet connection itself which is in need of being firewalled?

HelenD
4th Feb 2005, 18:33
As you are tasked to do this for college I suspect you have been provided with all the equipment you need. I have therefore just done a quick search on Microsoft's site and found the following links that may be of use to you.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_vpn_und13.asp

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_uzuu.asp

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/vpn_server_role.asp

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_vpn_us26.asp

http://www.microsoft.com/seminar/shared/asp/view.asp?url=/Seminar/en/20030424vcon42/manifest.xml

There is more information on the Microsoft site you can trawl through. You may also find some of their patterns and practices documentation useful.

drauk
4th Feb 2005, 22:30
Ok, there is one server - Imagine a room with 4 computers in, well basically, that's it (3 clients). We also have to connect it to the WAN for internet access, and we need to set up a remote access.

In that case any hardware firewall would do the job. Any software firewall would do it too, running on the 'server' machine with two interface cards; one for the connection to the WAN and one for the internal network's switch. You can (using NAT) assign each of the client machines and the internal interface of the server a private address (192.168.X.X) and the WAN interface whatever address is given to you by the upstream connectivity provider. This way you'll have some level of protection from the outside world even without a firewall since nobody will be able to initiate connections to any of the client machines.

If you use NAT then you'll tell your firewall which of your internal machines to forward VPN requests to, which presumably will be the server machine.

There are dozens of ways to do this really; the choice of what is best depends on your precise needs, your inclination towards different types of hardware, whether you've already been assigned certain equipment and/or a budget and so on.
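The two-interface NAT setup drauk describes, written out as an added example that is not part of the thread and is not any poster's configuration: a POSIX shell function that emits an iptables ruleset for a Linux box sitting between the WAN and the classroom switch, masquerading the private LAN and forwarding only the VPN traffic to the server. The interface names eth0/eth1, the 192.168.1.0/24 range, the server address 192.168.1.2 and the choice of PPTP (TCP 1723 plus GRE, IP protocol 47) as the VPN protocol are assumptions; the thread never says which VPN protocol is used.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): generate the iptables
# ruleset for the two-interface NAT firewall drauk describes. Assumptions:
# WAN on eth0, LAN on eth1, LAN is 192.168.1.0/24, the Windows server is
# 192.168.1.2 and the VPN is PPTP (TCP 1723 plus GRE, IP protocol 47).
# The function only prints the rules; pipe its output to sh as root to apply.

gen_nat_firewall() {
    wan="$1"; lan="$2"; lan_net="$3"; vpn_server="$4"
    cat <<EOF
iptables -F
iptables -t nat -F
# default deny for anything arriving at, or passing through, the firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and replies to connections the inside started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the LAN may talk to the firewall itself and out to the WAN
iptables -A INPUT -i $lan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
# hide the private LAN behind the WAN address (NAT)
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
# forward inbound PPTP (TCP 1723 + GRE) to the VPN server only;
# no other inbound connection from the WAN reaches any internal host
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $vpn_server
iptables -t nat -A PREROUTING -i $wan -p 47 -j DNAT --to-destination $vpn_server
iptables -A FORWARD -i $wan -o $lan -d $vpn_server -p tcp --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $vpn_server -p 47 -j ACCEPT
EOF
}

# Sanity check: how many distinct internal hosts does the generated ruleset
# expose to the WAN via port forwarding? For this design it must be exactly one.
count_wan_dnat_targets() {
    gen_nat_firewall "$@" | grep 'PREROUTING' \
        | grep -o 'to-destination [0-9.]*' | sort -u | wc -l | tr -d ' '
}

# Example run: print the ruleset for the classroom network
gen_nat_firewall eth0 eth1 192.168.1.0/24 192.168.1.2
```

Forwarding GRE through NAT also needs the kernel's PPTP connection-tracking helper loaded on the firewall; if the server were set up for L2TP/IPsec with NAT traversal instead, the forwarded traffic would be UDP 500 and UDP 4500 rather than TCP 1723 and GRE.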

mazzy1026
5th Feb 2005, 10:38
This is real good stuff, all well noted research - many thanks :ok: :ok:

Toxteth O'Grady
5th Feb 2005, 11:26
Try a Linux floppy firewall (http://www.zelow.no/floppyfw/floppyfw-ax.html)

:cool:

TOG

mazzy1026
8th Feb 2005, 12:39
Ok here's how it is.

We need to decide on 2 firewalls - and configure them. I had a look at the above and it looks like it's for Linux (any other network dedicated ones?). There are free ones such as Sygate and ZoneAlarm but are these gonna be any good?

We need to set up the VPN - I can google this no problem but if anyone has any guides that would be good.

Thanks again,

Maz

:ok:

mazzy1026
13th Feb 2005, 10:46
Evo - does Smoothwall work on Windows Server?

What about using Sygate, Zonealarm etc? The free ones - would they be any good? I am coming to a conclusion soon so that'll be it :rolleyes:

Mac the Knife
13th Feb 2005, 12:32
Try FREESCO http://www.freesco.org/

Been using it for a couple of years to protect my intranet. No worries.

"FREESCO is based on the Linux operating system and incorporates many of the features of a full operating system into software that fits on a single 1.44 meg floppy diskette. With FREESCO, you can make:

* a simple bridge with up to 10 Ethernet segments
* a router with up to 10 Ethernet segments
* a dialup line router
* a leased line router
* an Ethernet router
* a dial-in server with up to 10 modems (with multiport modems).
* a time server
* a dhcp server
* a http server
* a ftp server
* a dns server
* a print server (requires TCP/IP printing client software)

FREESCO also incorporates firewalling and NAT which are resident within the Linux kernel to help protect you and your network. All of these features can be used in conjunction with each other or individually."

pponting
22nd Feb 2005, 10:53
Evo - does Smoothwall work on Windows Server?

What about using Sygate, Zonealarm etc? The free ones - would they be any good? I am coming to a conclusion soon so that'll be it

Maz

Smoothwall is Linux based but you do not need any Linux experience to set it up or use it. I set up my first Smoothie before I knew anything about Linux. Zonealarm is a client firewall and will protect one PC only. If you have 10 clients then configuring 10 clients becomes a chore. Smoothwall will protect the entire LAN.

You are welcome to come see my setup anytime.

whiz
22nd Feb 2005, 13:17
Is it just me or have you guys just done mazzy's work for a whole term, thus allowing him to perpetuate the myth that all students are lazy and always down the pub? :D ;)

mazzy1026
22nd Feb 2005, 14:50
Is it just me or have you guys just done mazzy's work for a whole term, thus allowing him to perpetuate the myth that all students are lazy and always down the pub? S*IT my plan is foiled :D

To be honest, not only did I need severe help on this, but I would have used it as a very good reference for my research. Tutor told me today that he is supplying us with a package called CHECKPOINT - never seen it but according to him, it's the best one to use. Why the to55er couldn't tell us this from the start I will never understand. Lecturers, eh, lazy and always in the pub ................. ;)

Thanks Paul - will probably take you up on that offer at some point :ok:

maxy101
23rd Feb 2005, 06:50
I do wonder what they teach at Uni, if a final year student can't knock up a firewall/vpn, no matter what subject they are studying. Basic computing/IT skills are a necessity in this day and age. No offence meant, but perhaps your lecturers need a kick up the arse. We, as taxpayers are subsidising this.

mazzy1026
23rd Feb 2005, 07:56
I have been waiting for this. Firstly, it ain't tax payers who cover it, it's me at £1,150 per term. Third year students are expected to find out their own knowledge via extensive research and learning. Knowing firewalls in-depth is not something covered in previous modules, only the basics are touched. In this one, we are expected to fully configure a Windows Server 2003, along with VPN (again, never even touched before) and a specialised, LAN designed firewall (again, new to me and the group). We only get basic lectures for the first few weeks to give us a foundation on the subjects we MAY need to look at. Other than that, it's up to us :{ That's why I came on here to get some much appreciated advice, from people who know more than me, in order to help me learn! It is research! Don't moan about tax payers' money when students are the professionals of the future. It's layabouts you need to worry about :)

By the way, I agree with the kick up the arse bit !