Firewall, Intrusion detection, and Secure VPN
For a long time a typical NAT router provided reasonable security more or less as a side effect: address translation has no table entry for an unsolicited inbound connection, so the connection is dropped. But the recent wave of spyware and Microsoft security issues makes many of us uncomfortable, because NAT does nothing about traffic that an already infected PC initiates from the inside. Some newer routers have additional inspection capabilities, but most of them don't have any kind of reporting options.
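To make the limits of NAT concrete, here is a toy stateful NAT router. It is an added illustration for this article, not IPcop's code or any vendor's implementation, and every address and port in it is constructed. It shows the two sides of the point above: an inbound scan with no matching translation entry is dropped, while an outbound connection from an infected PC (and the reply to it) passes through exactly like a legitimate web request.

```python
"""Toy stateful NAT router.

Added illustration, not IPcop's or any vendor's code. It shows that address
translation only ever blocks *unsolicited inbound* packets. Anything a host on
the inside initiates, including spyware phoning home, gets a translation entry
and passes. All addresses and ports below are constructed.
"""
from dataclasses import dataclass
import itertools

GREEN_PREFIX = "192.168.1."      # constructed: the internal (GREEN) network
RED_ADDRESS = "203.0.113.5"      # constructed: the router's public (RED) address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Source NAT with a connection-tracking table keyed by public port."""

    def __init__(self):
        self._ports = itertools.count(40000)
        self.table = {}     # public port -> (inside ip, inside port, remote ip, remote port)
        self.reverse = {}   # the same 4-tuple -> public port, for repeat outbound packets
        self.dropped = []   # what the router refused, for the reader to inspect

    def outbound(self, pkt):
        """Translate a packet leaving GREEN; create a tracking entry if it is a new flow."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.reverse.get(flow)
        if public_port is None:
            public_port = next(self._ports)
            self.table[public_port] = flow
            self.reverse[flow] = public_port
        return Packet(RED_ADDRESS, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Only packets matching an existing entry (same remote host and port) go inside."""
        flow = self.table.get(pkt.dport)
        if flow is None or (pkt.src, pkt.sport) != (flow[2], flow[3]):
            self.dropped.append(pkt)
            return None
        inside_ip, inside_port, _, _ = flow
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def scenario():
    """Run three constructed flows through the router and report what happened."""
    nat = NatRouter()
    results = {}

    # 1. A normal web request from a GREEN PC; the reply matches the entry and is let in.
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    reply = nat.inbound(Packet("198.51.100.20", 80, RED_ADDRESS, out.sport))
    results["web_reply_delivered_to"] = reply.dst if reply else None

    # 2. An unsolicited scan from the Internet hitting a port with no entry: dropped.
    scan = nat.inbound(Packet("192.0.2.66", 4444, RED_ADDRESS, 139))
    results["scan_blocked"] = scan is None

    # 3. Spyware on a GREEN PC beaconing out: NAT has no reason to stop it,
    #    and the controller's answer is let back in like any other reply.
    beacon = nat.outbound(Packet("192.168.1.33", 60123, "192.0.2.99", 443))
    c2_reply = nat.inbound(Packet("192.0.2.99", 443, RED_ADDRESS, beacon.sport))
    results["spyware_beacon_passed"] = c2_reply is not None
    results["drop_count"] = len(nat.dropped)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The third flow is the one NAT cannot help with: the router sees an ordinary outbound connection and has no policy, inspection or log that would distinguish it from the web request in the first flow. That gap is what a real firewall with logging and intrusion detection is for.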
Of course there are off-the-shelf solutions like SonicWall, WatchGuard and Cisco PIX which can protect networks, but these packages can leave you with sizable holes in your pocket.
About a year ago one of my clients needed a firewall but had no budget for it. In the end I found IPcop, a solution that provides excellent protection and superior features at very low cost. Since then I've installed IPcop in many places with great results.
IPcop is a Linux project, but even if you are a pure Windows admin you should read on. IPcop is distributed as an ISO image, and the installer builds the system with very little input on your side, so you are not really exposed to Linux: just some basic questions about network configuration, addresses and the like, much the same as you have to enter in the setup of any firewall. It typically takes me about 5-10 minutes to have an IPcop firewall up and running; it will probably take you no more than 30 minutes. Once the system reboots you can log in from your workstation by pointing a browser at http://192.168.1.1:81, which hands you over to the HTTPS administration interface. If your IPcop has a different address, replace it, but leave port 81 in place.
IPcop not only provides a firewall; it also replaces your router, and comes with a web proxy, a VPN server, intrusion detection, DHCP and DNS servers, logs and statistics. On the hardware side IPcop is happy with any reasonable PC. I have used several small-form-factor Dell 500 MHz Pentium III boxes with 256 MB of RAM and 6 GB hard drives for installations with 40-60 users. If you expect heavy VPN and proxy loads, look for a 1 GHz or faster Pentium with 512 MB. In most situations any good working machine taken out of service will make a good candidate for an IPcop box.
IPcop Features

Network support - IPcop supports all the typical zones and labels them by color. Which zones you want is one of the first questions the installer asks, so be ready. In most cases you will use a RED and GREEN scenario, which requires two NICs in the computer. If you also want a DMZ and a wireless segment you need four NICs. I recommend labeling the cards with their zone color; it is also much easier to tell which card is which if you use different NIC models. IPcop detects a wide variety of cards.
  GREEN    Internal network   A private address range: 10.x.x.x, 172.16.x.x or 192.168.x.x
  RED      Internet           A static IP address from your ISP, or a dynamically assigned one (dynamic DNS services such as ZoneEdit are supported)
  ORANGE   DMZ                Web servers and similar hosts you want to place behind the firewall
  BLUE     Wireless           A separate network for wireless devices
General administration - IPcop is easy to maintain through an excellent web based interface, accessed over a secure (HTTPS) connection.
[Screenshots of the web interface: Dynamic IP services, Proxy Log, Open VPN, DHCP server]
DNS server - IPcop's caching DNS server speeds up your network's DNS lookups. Instead of forwarding every request to your ISP's DNS servers it keeps its own cache of answers and only forwards the queries it has not seen yet. In addition you can manually add host names, for example to make your mail server, which has an internal and an external address, resolve to the internal address for clients on your LAN.
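The following is an added example of the two behaviours just described, a local host override (split DNS for the mail server) in front of a forwarding cache with TTL expiry. It is illustrative code written for this article, not IPcop's DNS forwarder; the names, addresses and TTLs are constructed, and the upstream server and the clock are stand-ins so it runs offline.

```python
"""Caching, forwarding DNS resolver with local host overrides.

Added illustration of how the caching DNS server described above behaves; it
is not IPcop's code, and all names, addresses and TTLs are constructed. Three
things are shown: a locally defined name is answered from the host table (the
mail server's internal address for GREEN clients, never the public one), an
unknown name is forwarded upstream once and then served from cache until its
TTL expires, and lookups ignore case and a trailing dot.
"""


class FakeUpstream:
    """Stand-in for the ISP's DNS server; records how often it is asked."""

    def __init__(self, answers):
        self.answers = answers      # name -> (address, ttl in seconds)
        self.queries = []

    def query(self, name):
        self.queries.append(name)
        if name not in self.answers:
            raise LookupError(f"NXDOMAIN {name}")
        return self.answers[name]


class CachingResolver:
    def __init__(self, upstream, local_hosts, clock):
        self.upstream = upstream
        self.local = {self._canon(n): a for n, a in local_hosts.items()}
        self.clock = clock                 # callable returning seconds; injected for testability
        self.cache = {}                    # name -> (address, absolute expiry time)

    @staticmethod
    def _canon(name):
        """DNS names are case-insensitive and may carry a trailing dot."""
        return name.rstrip(".").lower()

    def resolve(self, name):
        """Return (address, source) where source is 'local', 'cache' or 'upstream'."""
        name = self._canon(name)
        if name in self.local:                       # manual entries win over everything
            return self.local[name], "local"
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:               # still within TTL
            return cached[0], "cache"
        address, ttl = self.upstream.query(name)     # LookupError propagates on NXDOMAIN
        self.cache[name] = (address, now + ttl)
        return address, "upstream"


class FakeClock:
    """Deterministic clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scenario():
    clock = FakeClock()
    upstream = FakeUpstream({
        "mail.example.com": ("198.51.100.25", 300),   # constructed public address
        "www.example.org": ("203.0.113.80", 60),
    })
    # Manual host entry: GREEN clients must reach the mail server on its internal address.
    resolver = CachingResolver(upstream, {"mail.example.com": "192.168.1.25"}, clock)
    results = {}
    results["mail_internal"] = resolver.resolve("MAIL.example.com.")   # ('192.168.1.25', 'local')
    results["www_first"] = resolver.resolve("www.example.org")         # forwarded upstream
    results["www_second"] = resolver.resolve("www.example.org")        # answered from cache
    clock.advance(61)                                                  # past the 60 s TTL
    results["www_after_ttl"] = resolver.resolve("www.example.org")     # forwarded again
    results["upstream_queries"] = list(upstream.queries)               # mail server never asked
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Note that the upstream server is never consulted for the mail server's name: the manual entry is checked before the cache, which is exactly what you want when the public record would point LAN clients at the firewall's own RED address.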
DHCP server - automatically hands out IP addresses to your internal clients. You can set the lease time and the address range.
Proxy server - conserves your Internet bandwidth by caching web requests. This can reduce traffic in an office by 25% or more.
VPN - lets you connect your internal network to another network across the Internet, forming a single logical network, or securely connect PCs on your BLUE (wireless) network to the wired GREEN network. IPcop provides IPsec VPN services on a net-to-net or net-to-client basis. For easier road warrior configuration a third-party OpenVPN module is available; it helps with generating the necessary keys and building certificates for the clients.
Traffic shaping - gives highest priority to interactive services such as SSH and VoIP, high priority to web browsing, and lower priority to bulk services such as FTP.
Firewall - the whole system is built with ProPolice stack protection, which detects stack-smashing attacks against any of its applications and aborts the process before a corrupted return address can be used.
Intrusion detection - a Snort-based intrusion detection system using Sourcefire VRT rules to detect external attacks on your network. To use it, register at http://www.snort.org. Once you have an account you can generate an Oinkcode; paste it into the Intrusion Detection page of the IPcop admin panel and IPcop will fetch the rule set with it.
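To show what a rule-based IDS actually does with the rules it downloads, here is a minimal Snort-style signature matcher added for this article. It is not Snort, not IPcop's code and not the Sourcefire VRT rule set: the two rules, the HOME_NET/EXTERNAL_NET definitions and the sample packets are all constructed, and the rules use local SIDs (1000000 and up) so they cannot be mistaken for real VRT signatures. It parses the rule header and the msg, sid, content and nocase options, then runs four constructed HTTP requests through the rules; only the two probes that come from outside HOME_NET and carry the signature content raise alerts.

```python
"""Minimal Snort-style signature matcher (added illustration; not Snort, not
IPcop's code, and not the Sourcefire VRT rule set). The two rules and the
HOME_NET/EXTERNAL_NET variables are constructed and use local SIDs (1000000+).
The toy parses the rule header (action, protocol, source, source port, ->,
destination, destination port) and the msg, sid, content and nocase options,
including |hex| segments inside content strings."""
import ipaddress
import re
from dataclasses import dataclass

VARIABLES = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}  # constructed

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

RULES_TEXT = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB /etc/passwd access attempt"; content:"/etc/passwd"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd|2E|exe"; nocase; sid:1000002; rev:1;)
"""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def decode_content(text):
    """Snort content string to bytes; every odd-numbered |segment| is hex."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    rule["contents"] = []  # [bytes, nocase] pairs, in rule order
    # Options are ';'-separated; this toy assumes no ';' inside quoted values.
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if key == "content":
            rule["contents"].append([decode_content(value), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True   # nocase modifies the preceding content
        else:
            rule[key] = value
    rule["sid"] = int(rule["sid"])
    return rule


def addr_matches(spec, ip):
    """Handles 'any', '!spec', '$VAR' and a CIDR or host, as in a rule header."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(VARIABLES[spec[1:]], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not (addr_matches(rule["src"], pkt.src) and port_matches(rule["sport"], pkt.sport)
            and addr_matches(rule["dst"], pkt.dst) and port_matches(rule["dport"], pkt.dport)):
        return False
    for needle, nocase in rule["contents"]:        # every content must be present
        hay = pkt.payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def inspect(rules, packets):
    """(sid, msg) for every rule each packet triggers, in packet order."""
    return [(r["sid"], r["msg"]) for p in packets for r in rules if rule_matches(r, p)]


RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

# Constructed traffic: two probes from the Internet, one benign request, and the
# passwd probe again from a GREEN host, which $EXTERNAL_NET does not cover.
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.66", 40001, "192.168.1.10", 80, b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.66", 40002, "192.168.1.10", 80, b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.67", 40003, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", "192.168.1.50", 40004, "192.168.1.10", 80, b"GET /etc/passwd HTTP/1.0\r\n"),
]


def scenario():
    return inspect(RULES, SAMPLE_PACKETS)
```

The fourth packet is the instructive one: the same payload that triggers SID 1000001 from the Internet is ignored when it comes from a GREEN host, because the rule's source is $EXTERNAL_NET. Signature-based detection is only as good as the rule set and the HOME_NET definition you feed it, which is why keeping the VRT rules current matters.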