Help! I am looking for a firewall I think. If anyone feels that a firewall
is not what I need please let me know and redirect me to the appropriate
place. In fact if anyone can suggest anywhere else I could post this please
let me know as I know there is more to security than just firewalls. I have
no newsreader (only unreliable email and ftp) so any newsgroups please let
me know how to email submissions if you suggest them.
Many thanks in advance . . .
The network.
The company I am working for has a small (less than 25 screens) LAN of PCs. Most of these run
Windows for Workgroups, though a few are Windows NT Advanced Servers. The company also has a Sun, a
couple of Macs, and is planning on getting an SCO UNIX box. The most sensitive data is stored on the
Sun and can be stored nowhere else.
When I arrived their original plan was to use the Sun as their gateway. I have vetoed this (though if there
are good enough reasons I will reverse myself) as I felt it could not be a good idea to have the company's
most sensitive data on the gateway node. Any comments on this?
The PCs above include one which is running as a RAS on NT. Whether this should be inside or outside
the firewall and how relevant it is has not been decided, so any comments here are very welcome too. If
we could combine the security of the firewall with the RAS it would be nice, but if not then I guess that an
unlisted Ecuadorian phone number will be the main security beyond the standard password protection.
This may be sufficient for the moment.
The cost.
The company is small and will not be able to put up a lot of money for this. I have heard all the arguments
about underfunding security, and I agree with them, but practical necessities are going to get in the way
(See below for a more detailed explanation of the situation if you are interested). If I try and say you can't
do it without money they will simply do it without security at all. It won't be my responsibility but I don't
want to think about what would happen to them. At the moment it is my responsibility and I want to get
as much security in there as I can before I go. My time is effectively free (well, pre-paid) while it lasts, so if
it is possible for me to set up some sort of DIY package this would be one solution. The only other one is a
cheap commercial package. I don't know what cheap means in this context, but I would be frankly
amazed to see more than $5000 and would not be surprised to see less. Don't let this stop you suggesting
more expensive packages, as even if I don't convince them to get one it might mean more money for a
cheaper one. Also miracles can happen so you never know.
The requirements.
They have to run some sort of web server as it is expected by their clients. If they don't have some sort of
net presence that they can update easily they will start losing clients. This effectively rules out having a
provider provide that too.
They need unrestricted e-mail in and out of the site.
They want (and I believe should have) the ability to ftp information into the site. They do not currently
need to ftp information out. The RAS server mentioned above will be used for working from home, so it at
least will need all the abilities this implies. Ecuadorian phone lines are very unreliable, so an ability to
work off line having downloaded from the RAS may well be essential. If it is advisable I see no problem
with restricting ftp access out to being available from only one terminal.
They want and probably need to be able to browse the web. Once again this can be restricted to one
terminal like the ftp above. In effect this terminal would then be an internet resource terminal, from which
they would wander the web. Anything they found would then have to be brought onto the LAN somehow. If
it weren't for the mail needing to flow freely I would suggest this as a physically separate unit connected
as needed. Unfortunately they are adamant that they want mail on everyone's desk as it arrives. If it is
possible to have ftp and web browse available across their LAN they would like it.
They want to be able to telnet out. While this would be nice it is not currently essential, and could be
squashed if necessary.
In summary:-
From inside: Web browser, Inbound FTP, Email, possible telnet.
From outside: Access to WWW homepage, Email.
From outside via RAS: Working from home; inbound and outbound ftp, telnet, email.
The staff.
They trust their staff not to deliberately pass information out of the site. Many of the staff do not really
understand the need for security, or how to use it. I am trying to remedy this as my top priority. In the
meantime it is a surprising fact that the only people interested in using the internet facilities are those who
I would trust to understand the security risks. While this might change I think we can assume no problems
with outgoing access due to internal staff.
Some background
I am working for a small South American company. I was surprised to discover the level of expertise they
have acquired in some things. Most of their work is in workflows, supported by computer consultancy.
They are connecting to the internet for two reasons. First they need it as a source of information, a way of
stopping them falling behind the rest of the world (Very easy to do in Ecuador). Second they need it
because customers for consultancy expect them to have it (They will go to other countries if they perceive
any sort of technology gap). The company is quite small at the moment and still heavily tied to the parent
company (an import-export company). Given the level of technology I have seen in the rest of South
America I would really like to see the work here continue. I am working for a third of what I would get at
home (if I get it at all), as I realise their money is short. This is obviously going to restrict how much
money they can put into security.
I am in fact here because I am on my way round the world. I met this company through a friend and was
willing to help. Currently I am here until the end of June, which is not nearly enough time. Some effort is
being made to extend my working visa so I may be around a month or so longer. This is really the outside
limit. If I can't get things set up in that time (wouldn't that be a surprise) I need to leave detailed
instructions as to what they need to do to set up. If I don't organise it then no one will. This time
restriction makes turnkey packages look more attractive. I wish there was more chance they would be able
to pay for them. I am also working on another project for them, so the calls on my time are somewhat
ridiculous right now. (When was it ever otherwise in software?-)
I am a programmer (mainly simulation software) with four years experience and an MA in maths. I have
very little experience with the mechanics of networks, packets, etc... so please bear with me when I seem
stupid. I have had some experience with security, though I have never implemented a firewall. I have a
reasonably firm grasp of the principles of security, but will be starting from scratch if I am putting
something together. Please imagine that you are talking to your dog (speak very loudly and slowly) during
any technical explanations. Many thanks,
Rufus.
P.S. If anyone is interested I can write up the responses I get as I have not seen much on firewalling a PC
net.
P.P.S. If I don!t respond to mail promptly it is because we are unable to connect again. This happens
sometimes (last time was for 3 weeks!). Please accept my apologies and be assured I will reply to all mail
in time.
P.P.P.S. Thanks again.
The opinions expressed here are my own and I wouldn't wish them on anyone else.
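As an added example that is not part of the original post: the requirement summary above written as a default-deny packet-filter policy in Python, with a deny for the sensitive host placed ahead of every allow. The zone labels and host names (sun, webserver, mailhost, net-terminal) are assumed for illustration.

```python
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src_zone: str   # "inside" (the LAN), "outside" (the Internet) or "ras" (dial-in)
    src_host: str
    dst_zone: str
    dst_host: str
    service: str    # "http", "smtp", "ftp" or "telnet"

class Rule(NamedTuple):
    src_zone: str
    src_host: Optional[str]   # None matches any host in the zone
    dst_zone: str
    dst_host: Optional[str]
    service: str              # "*" matches any service
    allow: bool

# Assumed host names: "sun" (sensitive data), "webserver", "mailhost" and
# "net-terminal" (the single internet resource terminal from the post).
POLICY = [
    # Deny first: nothing from the Internet may reach the sun, whatever follows.
    Rule("outside", None, "inside", "sun", "*", False),
    # From outside: only the published home page and mail delivery.
    Rule("outside", None, "inside", "webserver", "http", True),
    Rule("outside", None, "inside", "mailhost", "smtp", True),
    # From inside: mail from every desk; web, ftp and telnet only from the terminal.
    Rule("inside", None, "outside", None, "smtp", True),
    Rule("inside", "net-terminal", "outside", None, "http", True),
    Rule("inside", "net-terminal", "outside", None, "ftp", True),
    Rule("inside", "net-terminal", "outside", None, "telnet", True),
    # Dial-in users working from home: ftp, telnet and mail into the LAN.
    Rule("ras", None, "inside", None, "ftp", True),
    Rule("ras", None, "inside", None, "telnet", True),
    Rule("ras", None, "inside", None, "smtp", True),
]

def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == flow.src_zone
            and rule.src_host in (None, flow.src_host)
            and rule.dst_zone == flow.dst_zone
            and rule.dst_host in (None, flow.dst_host)
            and rule.service in ("*", flow.service))

def permitted(flow: Flow, policy=POLICY) -> bool:
    """First matching rule decides; a flow no rule mentions is denied."""
    for rule in policy:
        if _matches(rule, flow):
            return rule.allow
    return False
```

The undecided placement of the RAS box is left as its own zone here, so the question of whether dial-in users should be kept away from the Sun is answered by adding or omitting a deny rule in the same position as the first one.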