 | |
08-22-2003, 07:24 PM
|
#1 (permalink)
| | Registered User
Join Date: Aug 2003
Posts: 28
| » 
IPCop or SmoothWall and an SMC wireless router setup?
I was just reading on the techimo forums about the SmoothWall and IPCop router/firewalls. I am presently running an SMC wireless router connected to a cable modem, with 3 computers via RJ-45 and 1 via wireless. I would like to set up a firewall to provide extra protection, especially for outbound traffic. I would like to set up an extra computer to act as a firewall instead of installing firewall software (like Zone Alarm, Outpost, etc.) on each of the machines. Is it possible to set up a machine with something like SmoothWall or IPCop and use that as a firewall/router also for extra protection? If so, what would I need in the machine for networking capabilities, just 2 network cards?
Also is this the order that it would be connected?
Cable Modem
|
SMC Router
|
SmoothWall or IPCOP machine
|
Other Computers
I am also eventually going to set up a web server for testing out my web work before actual publishing to a live site. Would something like SmoothWall or IPCop work with that, or is there something maybe better that works as a web server as well?
Thanks
Tom
Last edited by tom0360; 08-22-2003 at 07:27 PM.
|
| |
08-22-2003, 07:58 PM
|
#2 (permalink)
| | Registered User
Join Date: May 2003 Location: Idaho
Posts: 1,966
|
Well, it's not going to be any better than your wireless router - as it already has a firewall built into it. By adding a second firewall you're not really adding more security.
Nonetheless, if you want to do it the way you listed, you'd want to have the routerbox connected wirelessly to the router, and a switch/hub connecting the other systems to the routerbox, OR you could set the default DNS of all the systems to the IP of the SmoothWall/IPCop box.
__________________
Asus A7N8X Deluxe | AMD AthlonXP 2600+ | 512mb Corsair XMS Extreme DDR
|
| |
08-22-2003, 08:26 PM
|
#3 (permalink)
| | Registered User
Join Date: Aug 2003
Posts: 28
|
Telexen,
The problem is that my router, like most, is not a true firewall. Although the router has built-in firewall protection and seems to do very well at masking my computer's address and ports to outsiders, it does not block outgoing traffic or transmission of information to the internet from programs on my computer. At least I don't think it can. I am just looking for a way to add more security to my network without adding more installed software to my computers.
Thanks for the reply.
Tom
|
| |
08-22-2003, 09:22 PM
|
#5 (permalink)
| | Registered User
Join Date: Oct 2001
Posts: 6,533
|
You can go here, www.grc.com, and click on "Shields Up"; there are tests to click on to see exactly what is being revealed as far as computer name etc., and also to test which ports are open, closed, or stealthed altogether.
JP
This should be the exact link: https://grc.com/x/ne.dll?bh0bkyd2
__________________
"Even a fool is thought to be wise if he is silent"
|
| |
08-22-2003, 09:40 PM
|
#6 (permalink)
| | Registered User
Join Date: Dec 2001 Location: Adelaide, Australia
Posts: 5,267
|
You could do it as you had in your post with IPCop or SmoothWall, but as they are basically routers as well as firewalls, it'll be a bit messy, as your LAN will connect through the router and not the IPCop, negating the benefits of using IPCop for security (I'm assuming the router you use has ports and is being used as a switch as well).
What I would do if possible is not use the SMC as a router, but only as a switch, and build an IPCop box and route all internet through that (i.e. use it to connect directly to the cable modem).
There are advantages of IPCop over most home hardware routers (like intrusion detection, better logging, customisable web proxy).
Also, if you want a webserver, I suggest putting three NICs in the IPCop box and running the webserver on a DMZ. Much more secure.
If you want any more help or advice on IPCop, I'd be glad to help.
Cheers
Mick
__________________
Testing, testing....
|
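Tom's outbound-filtering requirement and the three-NIC DMZ layout suggested above can be written as packet-filter rules on a Linux firewall box. This is an added example, not part of the original posts and not IPCop's or SmoothWall's own ruleset; the interface names, the web server address and the allowed-port list are assumptions.

```shell
#!/bin/sh
# Added example: iptables rules for a three-NIC firewall box.
# Interface names, addresses and the port list are assumptions.
IPT="${IPT:-echo iptables}"   # dry run by default; set IPT=iptables to apply
WAN=eth0                      # to the cable modem (assumed name)
LAN=eth1                      # to the switch / internal PCs (assumed name)
DMZ=eth2                      # to the test web server (assumed name)
WEB=192.168.2.10              # constructed DMZ web server address
LAN_OUT_TCP="80,443,25,110"   # outbound TCP ports LAN clients may use

build_firewall() {
    # Default deny: anything not explicitly allowed is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Egress filtering: LAN hosts reach the Internet only on the listed
    # ports plus DNS; other outbound attempts are logged, then fall
    # through to the FORWARD DROP policy.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp -m multiport --dports "$LAN_OUT_TCP" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j LOG --log-prefix "EGRESS-DENY "

    # DMZ: the Internet and the LAN may reach the web server on port 80 only.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 -j ACCEPT
    # No rule accepts new connections arriving on the DMZ interface, so a
    # compromised web server cannot open connections to the internal PCs.

    # Source NAT for traffic leaving via the cable modem.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

build_firewall
```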
| |
08-22-2003, 10:30 PM
|
#7 (permalink)
| | Registered User
Join Date: Aug 2003
Posts: 28
|
Thanks for the links and help.
The Security for Cable Networks site brings up a good point about the newbie trying to configure the firewall to be safe and keep out potential hackers who know this stuff like the back of their hand. Fortunately I don't really have too much that would interest anybody and am mostly doing this for security against worms, viruses, spyware, script kiddies, and I really want to learn more about firewall, router and network security as well as start getting used to Linux. My SMC wireless router is set up pretty well, as I have enabled MAC filtering, 128 WEP encryption and SPI and Anti-DoS firewall protection. It always passes the port scan tests from http://grc.com/intro.htm or http://www.pcflank.com but fails on the leak test.
Mickwash, is it possible to disable a router from routing and only use certain features like the wireless connection?
Maybe I would be better served using a Linux-based firewall on a system instead of a router/firewall. Any ideas? I probably will end up running Apache on the same machine. I am still going to drop a couple of NICs in a few of these older machines around here and set IPCop or SmoothWall up on it. This has got to be a much better solution for people who want to run a firewall than, say, Zone Alarm, Outpost, etc.
Thanks Again
Tom
|
| |
08-22-2003, 10:54 PM
|
#8 (permalink)
| | Registered User
Join Date: Oct 2001
Posts: 6,533
|
Hmm, grc says I'm all stealthed... but flank says ports 80 and 130 show as "closed".
Who is right?
JP
__________________
"Even a fool is thought to be wise if he is silent"
|
| |
08-23-2003, 09:13 AM
|
#9 (permalink)
| | Registered User
Join Date: Aug 2003
Posts: 28
|
Hey John,
Did pcflank pick up your correct IP address before scanning?
Which tests on pcflank did you run? Also try running it twice and see if you get the same results. If so, try posting in their forum as well; maybe someone there might have an answer. I know from reading their forum that others are saying that they too are not full stealth. I would tend to trust what grc tells you, but there are other online security tests you can check out as well.
Check out the Sygate site. Sygate
Tom
|
| |
09-05-2003, 09:51 PM
|
#10 (permalink)
| | Registered User
Join Date: Dec 2001
Posts: 802
|
I don't think I agree with some of what was said above.
The design you suggested was the architecture that I used with the smoothwall.
The reason for placing the wireless router/access point in front of the smoothwall is that 802.11b is weak from a security standpoint. The assumption is that the access point will be compromised. By placing the access point in front of the smoothwall, you protect your internal systems from wireless threats.
The smoothwall features are not "negated" by placing a router in front of it, they are "enhanced". I say enhanced because I don't care what is bouncing off the perimeter router. However, I really do care if flaky stuff is within the DMZ trying to penetrate the smoothwall.
The issue addressed with this design is "where does the access point go?" Placing it behind the smoothwall would allow a wireless hacker access to the internal systems. Placing it in front of the smoothwall allows you to drop all the chaff that would fill your smoothwall logs. If it can't get through the perimeter router, I don't care to see it in my snort logs.
So...that's the reason for this layout. There are other ways to go. But if you have a smoothwall and a router/access point, I personally would put the router in front. Even a separate NIC as a screened subnet off the smoothwall is weaker IMHO. (still strong enough though)
Last edited by MDdan; 09-05-2003 at 10:08 PM.
|