Firewall help for my network

Hello and thanks for any help or advice...

I have a small network in my office. I'm connected to a DSL
via a Linksys router. One port connects to my main "office" computer
that has my email client, billing system, etc. This is loaded with
Zonealarm and Superantispyware Professional so that machine
if covered as best as can be.

I also have 6 other small Dell GX150 machines connected together
via a Linksys 8-port switch. That switch is also connected to one
of the ports on the router.

One of the 6 machines has internet access in that I have Firefox
and Zonealarm on it. The others are used for rendering video
files, only. There is also a 2T network-capable hard drive connected to
the switch to archiving large files from any of the 6 machines.

How vulnerable are these other 5 machines (and the HD) to hackers in
that they are all on the network with only the Linksys firewall to
protect them?

Can (should) I install a second NIC card in that 6th "internet" computer
and connect that to the router rather than connecting the 8-port switch
and would that do anything to isolate the 5 other computers? Can this
even be done?


Thanks,
George

Phillip
Mon Apr 14 13:08:20 PDT 2008

"scooterspal" <tfg1@mindspring.com> wrote in message
news:3XoMj.2604$h75.2011@newssvr27.news.prodigy.net...
> How vulnerable are these other 5 machines (and the HD) to hackers in that
> they are all on the network with only the Linksys firewall to protect
> them?

The Linksys is already blocking *everything* inbound unless you have went
out of your way to make something particular available to the outside. Zone
Alarm is pretty much pointless and is more likely to get in your way and
interfere with the normal functionality of the LAN than it is to do
something usefull. It is probably spending most of its time blocking ports
that are not even active to begin with,...because if they were active and it
was blocking them,...something would be broken and not working. So it is
probably gaurding a door that doesn't exist,..that has no path to the door
even if it did exist because the Linksys isn't providing a path to the door
that doesn't exist anyway.

The Linksys's weak point is not security but is dependability,...it is a
Home User product,...they "die",...they need rebooted somethimes,...etc.
Another weakpoint is lack of features,...particularly on outbound
filtering,.meaning your users are one of your greatest threats by where they
go on the Internet when they are screwing around instead of working.

> Can (should) I install a second NIC card in that 6th "internet" computer
> and connect that to the router rather than connecting the 8-port switch
> and would that do anything to isolate the 5 other computers? Can this even
> be done?

No point in that at all. I would rather have all of them on a separate
switch with only one cable from the switch going to the Linksys. Then if
the Linksys "dies" at least your LAN will continue to function,..at least
until the DHCP Lease expires.

Isolate the computers,..from what? Network Level Access Controls is not the
only place the battle is fought. Just because someone has network level
access to a machine (like maybe pinging) does not mean they have "access" to
the machine. It just isn't that simple...

1. Firewalls and ACLs on LAN Routers control access to IP Segments and to
some extent Hosts

2. File System Permissons and Share Permissions control access to the File
System on Hosts

3. Service & Applications control access to Application provided services on
Hosts "above" the File System.

It only takes *one* of those 3 to stop you from getting what you want.

Hope that makes some sense,...I made myself dizzy there for a minute. :-)

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

scooterspal
Tue Apr 15 07:13:42 PDT 2008

Phillip Windell wrote:

> The Linksys is already blocking *everything* inbound...

Thanks, Phillip, for the detailed reply. It is much appreciated.

You are correct in that Zonealarm is always in the way when it comes
time to change something on the network. Perhaps I should just delete
it altogether... but then I think what can it hurt as long as I know
it's there and to shut it down BEFORE doing any kind of network
related work.

BTW: Can you recommend something more suitable than the Linksys
router that is not too expensive. I have not had any issues with mine
but I can always be on the lookout on Ebay.

Thanks,
George

Phillip
Tue Apr 15 08:14:31 PDT 2008

"scooterspal" <tfg1@mindspring.com> wrote in message
news:qK2Nj.1877$7Z2.1280@newssvr12.news.prodigy.net...
> Phillip Windell wrote:
> You are correct in that Zonealarm is always in the way when it comes time
> to change something on the network. Perhaps I should just delete
> it altogether... but then I think what can it hurt as long as I know
> it's there and to shut it down BEFORE doing any kind of network
> related work.

Fair enough.

> BTW: Can you recommend something more suitable than the Linksys
> router that is not too expensive. I have not had any issues with mine
> but I can always be on the lookout on Ebay.

Cisco, Watchgaurd, and SonicWall,.. just to name a few,.. all have entry
level firewall devices in the $400-$500 +/- that are more solid than the
home user products. But you have to study the "deals" closely,..there are a
lot of hidden costs in the form of "subscriptions" that "never end" for
Support and/or additonal Features that you want added. Most of them also
have limits on the number of devices on the LAN that can use them, and the
nunber of users in other ways. Most all of the resellers have these, CDW,
PC Connections, etc.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------