Re: firewalls



On 19/12/2010 15:28, Supersleuth wrote:
Hello

I need to set up a firewall for our office.

On outgoing traffic I want to be able to block certain ports and
URLs per MAC address,

so that on certain machines ONLY I can allow sites like Facebook
(required by our CEO) while blocking it from other employees.
Also, I have only 3 employees that need FTP, so I would like to block FTP
for the rest.


I also need it to be a VPN gateway for employees working externally
and to be able to open certain ports on incoming traffic


Will Cisco ASA 5500 series do this, or does anyone else know a better
solution - hardware or software


Many thanks

The ASA 5505 is a nice cheap box if your needs are modest. It is
fanless and diskless and doesn't burn many watts - all good. It's a
shame the rackmount kit costs extra, but the licensing costs will be
more significant if you need lots of users.

I would strongly consider using 802.1X port authentication on your
switches in order to assign different user groups to different VLANs
based on their roles, with each user's PC supplying different 802.1X
login credentials.

Place printers and phones into statically allocated VLANs with heavy
egress filtering.

Place unauthenticated PCs into a guest VLAN, and depending on policy,
either shut that VLAN down completely, or firewall it off from your
internal networks and give it low-speed internet access.

802.1X makes it reasonably difficult for staff and visitors to go
plugging their virus-infested home laptops into your main LAN, or
creating unauthorised Wi-Fi hotspots. Not infallible, but fairly
effective in practice.

I would probably use multiple security devices, each with a limited
number of functions - giving a simple configuration on any one device.

I would do any URL filtering or other Layer 7 stuff on a dedicated box.
The main firewall should do as little as possible, in order to minimise
its attack surface.

I wouldn't rule out open-source firewall appliance distributions,
perhaps in concert with a Cisco ASA on the outside. E.g. pfSense and
m0n0wall run very sweetly on old rackmount servers that are otherwise
too slow to be useful.

Hope this is useful,

- Martin
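The per-VLAN egress policy sketched in the reply above (printers and phones on a static VLAN with heavy egress filtering, a guest VLAN cut off from the internal networks and throttled, Layer 7 URL filtering pushed to a dedicated box so the main firewall stays small) together with the original poster's "FTP for three hosts only" requirement, written out as one added example. This is not code from the thread or from pfSense, m0n0wall or Cisco; it targets nftables on a Linux firewall rather than pf or ASA syntax, and the VLAN interface names, subnets, and the addresses of the resolver, proxy and PBX are assumptions chosen for illustration. The ruleset is generated by a shell function so it can be reviewed and syntax-checked with `nft -c` before anything is loaded.

```shell
#!/bin/sh
# Per-VLAN egress policy as an nftables ruleset, emitted by a shell function.
# Added example: interface names, subnets and host addresses below are
# assumptions for illustration, not values taken from the original thread.

STAFF_IF="vlan10"      # authenticated staff PCs (802.1X-assigned VLAN)
DEVICE_IF="vlan30"     # printers and phones (statically allocated VLAN)
GUEST_IF="vlan900"     # unauthenticated PCs (802.1X guest VLAN)
WAN_IF="eth0"
RESOLVER="10.10.1.10"  # internal DNS/NTP server
PROXY="10.10.1.20"     # dedicated URL-filtering box; Layer 7 policy lives there
PBX="10.10.1.30"       # phone system

gen_ruleset() {
cat <<EOF
flush ruleset

table inet office {
    # The three hosts allowed to use FTP (assumed to have static DHCP leases).
    set ftp_hosts {
        type ipv4_addr
        elements = { 10.10.10.11, 10.10.10.12, 10.10.10.13 }
    }

    set rfc1918 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Staff and device VLANs may reach the internal resolver for DNS/NTP.
        iifname { "$STAFF_IF", "$DEVICE_IF" } ip daddr $RESOLVER udp dport { 53, 123 } accept
        iifname { "$STAFF_IF", "$DEVICE_IF" } ip daddr $RESOLVER tcp dport 53 accept

        # Staff: web only via the filtering proxy, FTP only from ftp_hosts.
        # (Passive FTP additionally needs the conntrack ftp helper via 'ct helper'.)
        iifname "$STAFF_IF" ip daddr $PROXY tcp dport 3128 accept
        iifname "$STAFF_IF" ip saddr @ftp_hosts oifname "$WAN_IF" tcp dport 21 accept

        # Printers/phones: only SIP/RTP to the PBX; nothing else leaves the VLAN.
        iifname "$DEVICE_IF" ip daddr $PBX udp dport { 5060, 10000-20000 } accept
        iifname "$DEVICE_IF" log prefix "device-egress-drop " drop

        # Guest: Internet only, never internal ranges, and throttled.
        iifname "$GUEST_IF" ip daddr @rfc1918 drop
        iifname "$GUEST_IF" oifname "$WAN_IF" limit rate 512 kbytes/second accept

        log prefix "forward-drop " drop
    }
}
EOF
}

# Write the generated ruleset to a file for review.
write_ruleset() {
    gen_ruleset > "$1"
}

# Syntax-check the file with nft when it is installed; -c parses without loading.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check of $1" >&2
    fi
}

# Number of explicit drop rules, a quick sanity view of how much is denied
# beyond the chain's default drop policy.
count_drop_rules() {
    gen_ruleset | grep -c ' drop$'
}

OUT="${RULESET_FILE:-/tmp/office.nft}"
write_ruleset "$OUT"
check_ruleset "$OUT"
```

Load the reviewed file with `nft -f /tmp/office.nft`. Note what this firewall trusts: it keys every decision on the VLAN a frame arrives from, so the switch-side 802.1X configuration (and the RADIUS server that hands back the VLAN) is what actually decides which policy a PC gets; the firewall itself never sees user credentials.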