17th January 2008, 11:36 AM #1
Can anyone recommend a good firewall? *Updated* - Smoothwall Help please!
We are looking to purchase a hardware firewall to place between our separate Admin and Curriculum networks to allow Senior staff access to Admin resources from the curriculum network.
Can anyone recommend something that is reliable and fairly easy to setup and manage?
What do those of you that have separate networks do?
Last edited by rusty155; 21st January 2008 at 12:08 PM.
17th January 2008, 11:47 AM #2
I personally use an old P4 with a bunch of network cards in, running Linux tailored to my requirements. However I expect you want something a little more friendly and easier to set up?
Have you looked at the commercial offerings? Maybe Smoothwall? Tom is probably somewhere nearby. Or how about Microsoft ISA Server?
17th January 2008, 11:55 AM #3
I second smoothwall. The free version sounds ideal for what you need.
17th January 2008, 12:26 PM #4
Ah go on then another vote for smoothwall.
17th January 2008, 12:46 PM #5
Perhaps I'm a bit out of my depth here, but surely you're not so much after a firewall as setting up proper trust relationships between your domains, as I assume you'd benefit from staff being able to log on to curriculum PCs and access the admin domain.
Course that opens a whole host of password security and other issues but I suspect you may not be considering all options to achieve what you're after.
17th January 2008, 01:22 PM #6
Ok - Thanks for the replies.
I'm feeling tired and remarkably stupid today and I'm having difficulty working things out in my head. I'll try and explain what I need in a bit more detail. Smoothwall sounds like a good option if I can get it to do what I need. I have a redundant dual-processor PIII 1100 server lying around with 2 onboard GB NICs, so that could do the job.
Basically we have two separate networks / domains here: one Admin and one Curriculum. The staff and student accounts and shares are all on the Curriculum network. The Admin domain is home to SIMS, Bromcom (e-registration) and all of the Admin staff user accounts and shares.
The Bromcom Server has 2 network cards so that the registration app (on the Curriculum side) can send registration data back to the server on one port.
The SLT need access to resources on both networks, and I would like to be able to map network drives from both domains if possible. The SLT have accounts on both domains but with different usernames and passwords. How would I go about the authentication issues?
Would I need to use something like Smoothwall in conjunction with Domain Trust Relationships? I have never setup Trust Relationships before but have heard that they can be quite a headache.
Also, our Mail server which currently resides on our Curriculum PDC also has two network cards in so that both Domains can access E-Mail (we are migrating to Exchange soon).
Furthermore, the Bromcom Server has a web-based feature whereby staff can access detailed attendance and behaviour information. Staff on the Admin Domain can access this as it uses Domain authentication, but I need Curriculum staff users to be able to access it also.
Sorry for the essay, I've probably left things out as well! Can anyone offer any further advice? Do you have similar setups and needs?
17th January 2008, 01:27 PM #7
First off, there's our freebie product; SmoothWall express (www.smoothwall.org). That's *definitely* worth a shot.
Secondly, you could try something like our commercial range, which offers all sorts of bells and whistles. For example, SchoolGuardian is an AD-integrated perimeter firewall which offers internal network segregation and has web filtering into the bargain.
Have a nose round, see what you think, and drop me a line if i can be of assistance.
17th January 2008, 11:01 PM #8
I can recommend the FreeBSD-based ones, being as I'm a bit of a FreeBSD fanboy. There's m0n0wall; that's nice and simple to configure etc. pfSense has more options, add-ons and features than m0n0wall, so it can take some time to configure if you're going for the full whack.
Both are FreeBSD-based, as I've already mentioned, and I always find it very stable. They will run on the lower-end machines such as you might have lying around to use (as will Smoothwall, being Linux-based). Both support VLANs, which is good if you have separate networks for maybe student laptops or admin etc. There's also a captive portal on both, which would be quite good for student laptops etc.
You'd have to have a look on the respective websites for a comprehensive plugins/feature list.
18th January 2008, 08:01 AM #9
Have you considered migrating your two networks into one?
18th January 2008, 10:38 AM #10
I am in the process of giving Smoothwall a go and have a quick question. I have installed it and have it running but feel I may have made a mistake already!
I set the admin network as the green zone and the curriculum network as the red zone. When I log into the Smoothwall web interface it shows the local connection as my curriculum primary DNS server and the remote connection as my curriculum default gateway to the internet. Is this correct?
I was expecting something more like:
Local = Admin IP address of Smoothwall
Remote = Curriculum IP address of Smoothwall
I'm going to have a dig around but thought I'd raise this first.
18th January 2008, 01:37 PM #11
I'm getting there - I can get access from the Admin network (green zone) to everything on the Curriculum network (red zone).
I have opened up a couple of ports from the curriculum (red) to admin (green) for file sharing for my desktop PC as a test, and this works. I cannot ping anything, though, although ICMP ping is not disabled on the Smoothwall.
Also, what is the best way to go about the routing? The two networks are on completely different subnets, and the only way I am able to connect between them currently is by manually modifying the route table on the individual machines. I could set up some scripts to add in the relevant routes at logon, but is there a better way of doing this? Is there any way within Smoothwall itself? I'm guessing not, as unless I modify the route table on the machine, it will try and pass all traffic through the default gateway (internet), which obviously won't get through. Can I set up Routing and Remote Access on Server 2003 for both networks?
Any guidance gratefully received!
Last edited by rusty155; 18th January 2008 at 01:41 PM.
18th January 2008, 01:57 PM #12
Ping - you will have to forward ICMP explicitly
Routing - add static routes of your default gateway(s)?
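Tom's two answers worked through as an added example (my code, not from the thread and not from Smoothwall): a small POSIX shell script that writes out the static route the curriculum default gateway needs for the admin subnet, plus the per-client `route -p add` form the poster was scripting at logon, and checks the one thing that silently breaks such routes, a next hop that is not on the router's own subnet. The addresses are constructed assumptions, not the poster's real ones.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed addressing (assumption):
#   curriculum LAN 172.16.0.0/16, its default gateway (internet router) 172.16.0.1
#   admin LAN      10.10.0.0/24
#   Smoothwall RED 172.16.0.254 (faces curriculum), GREEN 10.10.0.254 (faces admin)

ip2int() {
    # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

netmask_int() {
    # prefix length -> mask as a 32-bit integer (4294967295 = 0xFFFFFFFF)
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

on_link() {
    # on_link <host> <network/prefix>: succeeds if <host> lies inside the subnet
    ol_host=$(ip2int "$1")
    ol_net=$(ip2int "${2%/*}")
    ol_mask=$(netmask_int "${2#*/}")
    [ $(( ol_host & ol_mask )) -eq $(( ol_net & ol_mask )) ]
}

gen_route() {
    # gen_route <router-name> <router-subnet> <dest-subnet> <next-hop>
    # Prints the route in Linux form (for the gateway box) and in the Windows
    # "route -p add" form (the per-client alternative). Refuses a next hop that
    # is not on-link for the router, because the kernel would reject or ignore it.
    if ! on_link "$4" "$2"; then
        echo "ERROR: next hop $4 is not inside $2 on $1; use an address on that subnet" >&2
        return 1
    fi
    echo "# $1: reach $3 via $4"
    echo "ip route add $3 via $4"
    echo "route -p add ${3%/*} mask $(int2ip "$(netmask_int "${3#*/}")") $4"
}

# Curriculum side: the default gateway forwards admin-bound traffic to Smoothwall RED.
gen_route curriculum-gw 172.16.0.0/16 10.10.0.0/24 172.16.0.254
# Admin side: the admin router (or each admin host) reaches curriculum via Smoothwall GREEN.
gen_route admin-gw 10.10.0.0/24 172.16.0.0/16 10.10.0.254
# Common mistake: pointing curriculum hosts at Smoothwall's GREEN address, which
# they cannot reach directly. The on-link check catches it.
gen_route curriculum-gw 172.16.0.0/16 10.10.0.0/24 10.10.0.254 || true
```

With the route on the default gateway, clients keep their normal gateway and nothing has to be pushed at logon; the gateway may send an ICMP redirect so later packets go straight to the Smoothwall RED address, which is expected. The firewall still has to allow the traffic: the ping failure in the thread is a separate rule problem, since ICMP echo has to be forwarded like any other protocol.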
18th January 2008, 02:21 PM #13
Thanks for the reply Tom, but please can you be a bit more specific
21st January 2008, 09:48 AM #14
I seem to be slowly grasping Smoothwall now. I have a few rules set up and functioning correctly. My next step is to try and set up a Domain Trust between the two networks and so need to open the relevant ports on Smoothwall.
I found this article from Microsoft:
So do I need to open the listed server ports for each DC or just the Forest Root? Also, I assume that I need to open ports 1024-65535/TCP for each client that will need to access resources on the trusting domain?
Is there any way that I can set up groups of machines by IP Addresses in Smoothwall? I have had limited experience with Symantec Raptor Firewall and I know that I could with that. Would certainly make things easier and make the rule table a little less cluttered!
BTW, I am hoping to set up a two-way trust but with only selected clients and users from the curriculum domain able to access selected resources on the Admin domain.
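An added example of the "groups of machines" idea, written for this thread rather than taken from Smoothwall or from the Microsoft article: plain iptables FORWARD rules, which is what a Linux firewall such as Smoothwall Express runs underneath (translating them into the product's own rule pages is a separate step), that put the port list in one user-defined chain per group, so each extra client costs one jump rule instead of a copy of every port rule. The interface names, addresses and the port list are assumptions: the ports are the commonly cited Windows Server 2003 domain and trust set (RPC endpoint mapper, NetBIOS, SMB, LDAP, global catalog, Kerberos, DNS, dynamic RPC) and must be checked against the Microsoft article the poster found.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables commands to stdout so they
# can be reviewed before being run. Constructed values (assumptions):
RED=eth1     # Smoothwall interface facing the curriculum network
GREEN=eth0   # Smoothwall interface facing the admin network

# Ports commonly listed for Windows Server 2003 domain trusts and DC access,
# as "proto:port" (assumption: verify against the Microsoft article).
# The last entry is the default dynamic RPC range.
TRUST_PORTS="tcp:135 udp:137 udp:138 tcp:139 tcp:445 tcp:389 udp:389 tcp:636 \
tcp:3268 tcp:3269 tcp:88 udp:88 tcp:53 udp:53 tcp:1024:65535"

# gen_base: default-deny forwarding, allow replies, allow admin -> curriculum
# freely (the poster's current state), and forward ICMP echo explicitly,
# since ping does not pass unless it is allowed like any other protocol.
gen_base() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $GREEN -o $RED -j ACCEPT"
    echo "iptables -A FORWARD -i $RED -o $GREEN -p icmp --icmp-type echo-request -j ACCEPT"
}

# gen_group_chain <chain> <dc-ip>...: one chain holding the port rules for
# every listed DC, written once, ending in DROP so group members reach
# nothing else on the admin side.
gen_group_chain() {
    gc_chain=$1; shift
    echo "iptables -N $gc_chain"
    for gc_dc in "$@"; do
        for gc_entry in $TRUST_PORTS; do
            gc_proto=${gc_entry%%:*}
            gc_port=${gc_entry#*:}
            echo "iptables -A $gc_chain -p $gc_proto -d $gc_dc --dport $gc_port -j ACCEPT"
        done
    done
    echo "iptables -A $gc_chain -j DROP"
}

# gen_group_members <chain> <client-ip>...: one jump per curriculum host that
# belongs to the group. Adding a machine later is one more line here.
gen_group_members() {
    gm_chain=$1; shift
    for gm_client in "$@"; do
        echo "iptables -A FORWARD -i $RED -o $GREEN -s $gm_client -j $gm_chain"
    done
}

# Usage: pipe the output through "sh" once it has been reviewed.
gen_base
gen_group_chain SLT_TO_ADMIN 10.10.0.10 10.10.0.11                    # admin DCs (constructed)
gen_group_members SLT_TO_ADMIN 172.16.5.10 172.16.5.11 172.16.5.12    # SLT PCs (constructed)
```

Two caveats a practitioner would want here. First, the rules are written by destination port towards the DC; the 1024-65535/TCP entry is the DCs' dynamic RPC range, not something to open per client, and the ESTABLISHED,RELATED rule carries the replies back. Second, that range effectively exposes every high TCP port on each listed DC to the group, so it is worth pinning the RPC dynamic range on the Windows side (the `HKLM\SOFTWARE\Microsoft\Rpc\Internet` registry keys described in Microsoft KB 154596) and narrowing the entry to match.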