This is a discussion on better network setup, security-wise, within the Linux Security forums, part of the System Security and Security Related category.
I have another question
I am reconfiguring my network, so as to make the internet connection I have at home available to all machines without a single point of failure. The current setup is

Internet --> adsl router --> FW machine --> local network

The FW machine also works as an ad hoc machine, including as a game machine. This setup forces the FW machine to be up all the time. But the reason I chose this setup is that I trust the Linux firewall much, much more than the typical firewalls you find on any router. For example, I can see in my FW logs that even though the adsl router's firewall is turned on, lots of requests from internet scanners reach the firewall machine, which they really should not.

Additionally, the second network interface on the FW machine runs some services I need at home, such as Samba. I don't want any internet scanners to find and access these services, because I don't want to spend time adding a lot of extra security to these services.

So my question is, are router firewalls safe to use? I assume that the firewalls would need some reconfiguring from the factory/ISP default to make them safer, but would that be safe enough? I realise that it is difficult to answer that question and that it depends on the level of the default ISP configuration. But my suspicion is that generally router firewalls are of mediocre quality and easy to bypass, in contrast to the Linux firewall. Actually, more generally, that any commercial security product is at best of mediocre quality. Tests I have read about indicated that.

tom
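The poster's observation that scanner probes pass the ADSL router can be quantified from the firewall's own logs. The following is an added example, not code from the thread: it parses netfilter LOG lines and reports which WAN-side sources reached the firewall host and which LAN-only service ports (NetBIOS/SMB, i.e. Samba) they probed. The interface names eth0 (towards the router) and eth1 (LAN), the log prefix and the sample lines are constructed assumptions.

```python
"""Summarise netfilter LOG lines: what reached the firewall host from the WAN side?
Added example. Assumes new inbound connections are logged by a rule such as
    iptables -A INPUT -i eth0 -m state --state NEW -j LOG --log-prefix "FW-IN: "
with eth0 facing the ADSL router and eth1 facing the LAN (assumed names)."""
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the kernel's netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Jan 12 03:13:59 fw kernel: eth0: link is up
Jan 12 03:14:01 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TTL=112 ID=5123 DF PROTO=TCP SPT=4431 DPT=445 WINDOW=65535 SYN
Jan 12 03:14:02 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TTL=112 ID=5124 DF PROTO=TCP SPT=4432 DPT=139 WINDOW=65535 SYN
Jan 12 03:14:05 fw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=78 TTL=112 ID=5130 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 12 03:15:40 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TTL=51 ID=9001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 SYN
Jan 12 03:15:41 fw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=84 TTL=51 ID=9002 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 12 03:16:09 fw kernel: FW-IN: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=29200 SYN
"""

LOG_RE = re.compile(r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
                    r"(?: .*?DPT=(?P<dpt>\d+))?")

# NetBIOS/SMB ports: Samba lives on the inner interface and must never be reachable from the Internet.
LAN_ONLY_PORTS = {137, 138, 139, 445}


def parse_log(text):
    """Return one dict (iface, src, dst, proto, dpt) per line carrying a netfilter LOG record."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:  # other kernel messages are skipped
            e = m.groupdict()
            e["dpt"] = int(e["dpt"]) if e["dpt"] else None  # ICMP has no destination port
            events.append(e)
    return events


def wan_hits(events, wan_iface="eth0"):
    """Count (src, proto, dpt) for packets that arrived on the WAN-facing interface.
    Every entry is a probe the upstream router let through to the firewall host."""
    return Counter((e["src"], e["proto"], e["dpt"]) for e in events if e["iface"] == wan_iface)


def leaked_service_probes(events, wan_iface="eth0", ports=LAN_ONLY_PORTS):
    """Map each WAN-side source to the sorted LAN-only service ports it probed."""
    seen = defaultdict(set)
    for e in events:
        if e["iface"] == wan_iface and e["dpt"] in ports:
            seen[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in seen.items()}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for (src, proto, dpt), n in wan_hits(ev).most_common():
        print(f"{src:15} {proto:4} dpt={dpt} hits={n}")
    print("LAN-only ports probed from the WAN side:", leaked_service_probes(ev))
```

A non-empty result from `leaked_service_probes` on real logs means the router in front is not filtering what it should; on a real host, feed it the kernel log (e.g. from syslog) instead of the constructed sample.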
Really, all the hardware routers can do (normally) is provide NAT, port forwarding and block ports. There's no protocol examination and they won't connection attempts like a portsentry/iptables combo. It's a lot better than relying on a host-based firewall as most Microsoft Windows XP users do. That said, while you shouldn't rely on it, I think it provides another layer of protection and you have fewer worries about it being corrupted or altered. You should of course disable remote administration of the device.
Tom Forsmo wrote:
> I have another question
>
> I am reconfiguring my network, so as to make the internet connection I have at home available to all machines without a single point of failure. The current setup is
>
> Internet --> adsl router --> FW machine --> local network
>
> The FW machine also works as an ad hoc machine, including as a game machine. This setup forces the FW machine to be up all the time. But the reason I chose this setup is that I trust the Linux firewall much, much more than the typical firewalls you find on any router. For example, I can see in my FW logs that even though the adsl router's firewall is turned on, lots of requests from internet scanners reach the firewall machine, which they really should not.

Even so, I would not recommend you use an everyday-use machine for critical functions like network routing and firewalling. If you have any spare hardware lying around, from a Pentium-100 on up, you could do yourself an enormous favour by installing a dedicated *nix firewalling solution - there are at least half a dozen of those. My personal favourite is ipcop, not in the least because it has:

- support for up to 5 interfaces: dial-up, WAN, LAN, DMZ and WiFi
- very tight security by default
- easy web administration
- extensive logging and monitoring capabilities
- SNORT intrusion detection, fully configurable
- Squid caching http proxy
- support for multiple IPsec VPN tunnels

And a few dozen 3rd party plugins are available to add even more functionality. It will run on any system, 100MHz and up w/64MB or more. See www.ipcop.org to find out all about it.

> Additionally, the second network interface on the FW machine runs some services I need at home, such as Samba. I don't want any internet scanners to find and access these services, because I don't want to spend time adding a lot of extra security to these services.
>
> So my question is, are router firewalls safe to use? I assume that the firewalls would need some reconfiguring from the factory/ISP default to make them safer, but would that be safe enough?

That depends a lot on the exact make and model of the device; there is as much difference between their security as there is between their prices, boxes, and features. Some of them have absolutely no clue at all what network security is.

> I realise that it is difficult to answer that question and that it depends on the level of the default ISP configuration. But my suspicion is that generally router firewalls are of mediocre quality and easy to bypass, in contrast to the Linux firewall. Actually, more generally, that any commercial security product is at best of mediocre quality. Tests I have read about indicated that.

I would amend that to read "any *consumer* commercial product". I don't think our Cisco firewalls are inherently insecure :)

J.
One other option, esp. if you are worried about noise or power consumption, is a Linux-based router such as the WRT54GL or any other of a number of devices supported by OpenWrt or DD-WRT. These devices are tiny processors which run Linux by default and may be updated with a number of open source replacement firmware configurations to include real firewalls such as iptables with logging to a remote computer. Of course there's less worry about corruption of the file system with such devices and they are easy to reflash. You should remove remote administration of course. I use one as the first-off-the-net device and then run another Linux computer with iptables running behind it. The second one has no logins but has Samba running and serves as a file server and secondary barrier for the internal network.