AOA Forums


GrahamGarside 14th September, 2004 06:22 PM

Shared Broadband
 
I'm currently awaiting delivery of my ADSL modem and plan on sharing the connection between my and my parents' computers. I'm going to set up a Linux based firewall (http://www.smoothwall.org/) which will be connected to the modem and then connect my computers to this. This is where I'm uncertain of the best method. If all the computers are connected to a switch, will the 2 Windows based computers be able to access the net connection from the Linux box? Or will I need to use a router and connect the Linux box to a WAN port? Any advice would be greatly appreciated.

Aedan 14th September, 2004 06:43 PM

In the case of smoothwall, the linux system acts as a router. You only need a hub or a switch to connect your machine, your parent's machine and the linux system together.

cadaveca 14th September, 2004 06:52 PM

I use an Athlon XP based system for a firewall, and have every PCI slot occupied with Ethernet cards. The motherboard has gigabit Ethernet as well. The machines on the PCI Ethernet get somewhat reasonable connections, unless they are all being used at once, while the machine connected to the gigabit Ethernet gets a connection as fast as the one connected to the modem. The modem is plugged into one of the PCI Ethernets, and Windows does the connection management. Because I'm paranoid, there is a hardware based firewall somewhere in there too.

Aedan 14th September, 2004 06:56 PM

Quote:

Originally Posted by cadaveca
there is a hardware based firewall somewhere in there too.

Most hardware based firewalls are just computers running some firewalling software. Very few firewalls are implemented in hardware! Netscreen is one of the few that I know of.

Smoothwall uses Linux's IPTables firewall, which is pretty good. Not quite as good as OpenBSD's PF, but still secure.

cadaveca 14th September, 2004 07:23 PM

I was not knocking Smoothwall at all....have not tried it myself yet, but I had downloaded it before as I was planning to use a PII as a firewall, because, like you said, Aedan, a router is just a simple PC anyway, really. I decided not to use the PII, as it did not seem to have enough power to manage the 5 connections, and Windows, at the same time. Maybe this Smoothwall is the answer!

GrahamGarside 14th September, 2004 07:28 PM

I did read a guide on Smoothwall where they used multiple NICs in the one machine, but I figure a switch will give more scope for adding more machines. Also, I'm only starting with Smoothwall for the time being and I'm going to configure my own firewall in the near future, probably using Slackware or Debian, but I'll look into OpenBSD. Finally, I think this may be a stupid question and I'm pretty sure they will, but the 2 Windows machines will see each other, won't they, using a switch? Thanks a lot.

cadaveca 14th September, 2004 07:33 PM

I use cross-over cable...works just the same, and lowers latencies a bit.

Gizmo 14th September, 2004 07:41 PM

Quote:

Originally Posted by Áedán
Most hardware based firewalls are just computers running some firewalling software. Very few firewalls are implemented in hardware!

What's more, most of them are running some variation of a Linux kernel, unless I am mistaken. :)

cadaveca 14th September, 2004 07:45 PM

Unix based I believe, maybe? That's what led me to Smoothwall.

GrahamGarside 14th September, 2004 11:29 PM

I've looked around and I'm thinking of getting a Netgear FS108 8 Port Switch. Is this wise, or can anyone recommend something else?

Aedan 15th September, 2004 09:27 AM

To be honest, most of the small switches are pretty similar, so there's not really much to choose between them, other than the manufacturer and any warranty.

As far as Smoothwall and network interfaces go, usually the reason for multiple interfaces is to provide physical separation between networks that have differing security requirements.

Aedan 15th September, 2004 09:33 AM

Quote:

Originally Posted by cadaveca
unix based i believe maybe? that's what led me to smoothwall.

Check Point's Firewall One runs on top of a number of platforms. The most popular variants are probably Nokia's IPSO (BSD based) and Solaris; however, Check Point also have their secure platform, which is Linux based. Note that the Firewall One firewall is not based on IPTables, but proprietary code.

Cisco's PIX is a bit of an unknown. Juniper's Netscreen range appears to be based on some form of UNIX, but packet processing is done in hardware on an ASIC. A number of other commercial firewalls run on Solaris.

Many of the smaller wired home 'routers' run VxWorks. For the wireless home 'routers', seeing a form of Linux is getting more common.

GrahamGarside 15th September, 2004 03:34 PM

Quote:

Originally Posted by Áedán
To be honest, most of the small switches are pretty similar, so there's not really much to choose between them, other than the manufacturer and any warranty.

As far as Smoothwall and network interfaces go, usually the reason for multiple interfaces is to provide physical separation between networks that have differing security requirements.

I'm not gonna be using a DMZ for the time being, and I need the 2 Windows machines (plus any future additions to the network) to see each other. Thanks for the help, eeh it's costing me a small fortune getting this lot, my parents best be grateful I tell thee :thumbsup:

Kaitain 15th September, 2004 09:04 PM

My wireless "router" is VxWorks based.

Aedan 15th September, 2004 09:29 PM

Quote:

Originally Posted by GrahamGarside
Thanks for the help, eeh it's costing me a small fortune getting this lot my parents best be grateful I tell thee

Indeed! I'm personally running my own OpenBSD based firewall on a mini-itx board, but I know (and help) people who also run Smoothwall on machines like an old pentium 120 machine. A lower performance machine is fine, as a basic firewall doesn't need lots of horsepower.

Daniel ~ 15th September, 2004 10:35 PM

Ok, it's time to help Daniel again!

I "thought" (probably too fine a word for it) that a router was a "hardware firewall" and also was under the impression that it was as good as using a computer to perform the firewall function...

Here I'm getting the impression that none of this is so?

cadaveca 15th September, 2004 10:42 PM

oh boy...
there's a fun question to answer...
A router....routes packets...reads headers and ensures they reach the right spot. A firewall is something else. Routers have a firewall effect because of the IP change...packets sent from behind the router get sent under the router's IP. A firewall actually inspects the packets to ensure integrity, and that they are actually supposed to be going to the right place, usually using Stateful Packet Inspection.

A software firewall provides no real safety, as the offending packet has already reached some sort of buffer on the machine that can then be exploited. However, if you use a "hardware" firewall, the packets get inspected before they ever reach your hard drive, and hence the added security.
So, as long as the "firewall" PC/router/whateva you want to name it does not have, say, an OS to manipulate, things are good, because you can also capture packets and store them for later inspection should something go wrong.

I guess you could get way more technical, but that's an easy way of looking at it. I'm sure someone will expand on my words.

GrahamGarside 16th September, 2004 12:04 AM

I could probabally have gotten away with a simple adsl router but the geek in me just couldn't resist setting up a linux based firewall.
I'm gonna be using a celeron 400 with 128mb of ram that I picked up from a refurbished pc dealer for £18 and the switch I'm getting costs £35 so it costs around the same as a broadband router except I get 8 ports instead of 4.

Aedan 16th September, 2004 10:43 AM

Quote:

Originally Posted by cadaveca
A software firewall provides no real safety, as the offending packet has already reached some sort of buffer on the machine that can then be exploited. However, if you use a "hardware" firewall, the packets get inspected before they ever reach your hard drive, and hence the added security. So, as long as the "firewall" PC/router/whateva you want to name it does not have, say, an OS to manipulate, things are good, because you can also capture packets and store them for later inspection should something go wrong.

All "hardware" firewalls, have an OS on them, including true hardware firewalls such as the Netscreen! For home use, the OS is typically VxWorks. However, host based firewalls ("software") can be just as effective as network based firewalls ("hardware"). Indeed, usually there's very little difference between them, other than a host based firewall only protects the host it's running on.

A router is a device that routes packets from one interface to another. A NAT device is a device that translates one set of IP addresses to another set of IP addresses. A firewall is a device that can apply rules to the packets, and accept/deny them according to its rules.

There are several fundamental technologies for firewalls. Firstly, there is the "packet filter". It has a list of ports and IP addresses that are allowed or disallowed. Hence, if a packet comes from A going to B, and A isn't on the allowed list, the packet is rejected. However, a packet filter isn't aware of state, and can be conned into allowing packets that should not be allowed. This is the most basic firewalling, and doesn't take much CPU.

Stateful inspection remembers the state of connections. If it sees a packet that claims to be part of an existing communication between machine A and machine B, it checks to see if it knows of any existing communication. If there's no existing communication, it throws the packet away. That way, it can open up a hole to allow communication when required, and then close it when the communication has finished. However, stateful inspection doesn't know anything about the data that's being passed in the connection, so doesn't know if it's valid or not. This is a bit more sophisticated, so requires a bit more CPU and memory.

Going one step up from that, there are application layer firewalls that examine the data stream in a communication. For example, some application layer firewalls can examine a request from a webbrowser, validate that it's sensible, and then pass it on. Should the application layer firewall see a request that is suspicious, it can then throw the request away and return a generic error. This is sophisticated, and requires a reasonable level of CPU, and a whole bunch more memory.

The NAT device, by its very nature, provides a basic firewall. When your computer makes a request to the internet, the NAT device has to remember where the request came from, so that when the reply comes back, it knows where to send it. If the NAT device sees a reply when no request was sent out, it doesn't know where to send it, as it never saw the request. Hence, it throws the reply away, as it doesn't know what to do with it. This is the way that many of the home devices work. This is very similar to stateful inspection.
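The three mechanisms Aedan describes above (stateless packet filter, stateful inspection, NAT), and the "firewall effect" of NAT that cadaveca mentions earlier in the thread, can be modelled in a few dozen lines. The following is an added toy model written for this edit; it is not Aedan's code, not Smoothwall, and not iptables. The addresses, the "allow inbound packets from source port 80" rule, and the private-LAN prefix are all constructed for the example, and the connection "table" is a plain Python set rather than a real conntrack structure.

```python
"""Toy models of a stateless packet filter, a stateful firewall and a NAT
device. Constructed illustration only; no real packets are handled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port


INSIDE = "192.168.1."        # constructed private LAN prefix
PUBLIC_IP = "203.0.113.10"   # constructed public address (RFC 5737 range)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE)


class PacketFilter:
    """Stateless filter: every packet is judged on its own header fields.

    Constructed rule set: let everything out, and let anything in whose
    source port is 80 so that web replies can come back. Because nothing is
    remembered, an unsolicited inbound packet that merely *claims* source
    port 80 is accepted too.
    """

    def accept(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            return True
        return pkt.sport == 80


class StatefulFirewall:
    """Remembers outbound connections; inbound packets are accepted only if
    they match a connection an inside host already opened."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def accept(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            # Outbound: record (inside ip, inside port, remote ip, remote port).
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must already be in the table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

    def close(self, pkt: Packet) -> None:
        """Forget a connection once it has finished; replies are then dropped."""
        self.table.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))


class NatDevice:
    """Rewrites inside addresses to PUBLIC_IP and remembers the mapping so
    replies can be sent back. A reply with no mapping is dropped (None)."""

    def __init__(self) -> None:
        self.next_port = 40000                   # first public port to hand out
        self.out: dict[tuple[str, int], int] = {}  # (inside ip, port) -> public port
        self.back: dict[int, tuple[str, int]] = {}  # public port -> (inside ip, port)

    def forward(self, pkt: Packet):
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport)
            if key not in self.out:
                self.out[key] = self.next_port
                self.back[self.next_port] = key
                self.next_port += 1
            return Packet(PUBLIC_IP, self.out[key], pkt.dst, pkt.dport)
        if pkt.dst == PUBLIC_IP and pkt.dport in self.back:
            ip, port = self.back[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port)
        return None  # no request was ever seen for this reply


def demo() -> dict:
    """Run the three devices over the same constructed traffic."""
    request = Packet("192.168.1.20", 51000, "198.51.100.5", 80)   # LAN host -> web server
    reply = Packet("198.51.100.5", 80, "192.168.1.20", 51000)     # genuine reply
    unsolicited = Packet("198.51.100.9", 80, "192.168.1.20", 51000)  # nobody asked this host
    results = {}
    for name, fw in (("packet_filter", PacketFilter()), ("stateful", StatefulFirewall())):
        fw.accept(request)
        results[name] = (fw.accept(reply), fw.accept(unsolicited))
        if isinstance(fw, StatefulFirewall):
            fw.close(request)
            results["stateful_after_close"] = fw.accept(reply)
    nat = NatDevice()
    outward = nat.forward(request)
    nat_reply = Packet("198.51.100.5", 80, PUBLIC_IP, outward.sport)
    stray = Packet("198.51.100.9", 80, PUBLIC_IP, 40555)  # no mapping exists
    results["nat"] = (nat.forward(nat_reply) == reply, nat.forward(stray) is None)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference Aedan is making: the stateless filter accepts both the real reply and the unsolicited packet (its rule only looks at the source port), the stateful firewall accepts the reply and drops the unsolicited packet, drops the reply again once the connection is closed, and the NAT device translates the reply back to the LAN host but has nowhere to send the stray packet, so it is discarded.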

Daniel ~ 16th September, 2004 07:20 PM

Thank you. I've read this three times - after reading it another three times I should have a better idea of what I'm thanking you for! ":O}

( just a matter of learning new definitions and functions.)




Copyright ©2001 - 2010, AOA Forums

