Hi All,

On Wed, 2004-03-03 at 06:00, David Kitchens wrote:
> -----Original Message-----
> From: Khaled Dakakni [mailto:dakakas7 at hotmail dot com]
> Sent: Tuesday, March 02, 2004 2:24 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] 2 Firewalls, and one big problem
>
> > Hello all,
> >
> > I have 2 firewalls, one is ISA 2000 Server and the monowall. When I
> > disable my ISA 2000 firewall my internet connection speeds up and
> > smtp and ftp and yahoo messenger work.. but when I enable the ISA
> > 2000 firewall smtp and ftp and yahoo messenger don't work, as
> > well as the internet connection gets soooo slow.. Now is there any
> > rule I can place in mono in order to forward smtp and ftp and
> > yahoo cam and keep my other firewall disabled.. This is an urgent
> > question so someone help :)
> >
> > Monowall is the perfect solution to your problems although it is
> > a problem in the beginning but things tend to clear up cause of
> > your wonderful help..
> >
> > special thanx to Adam Nellman
>
> I had similar problems when using Smoothwall and ISA together, something
> about ISA does not like having another firewall in front of it. I found it
> to be a large waste of time to configure ISA, thus I disabled it and have
> never looked back. ISA in my opinion is a useless, bloated, typical piece of
> M$ software. I know it has some positive benefits in reporting and such but
> I stay away from it at all costs.
>
> Dave

First, let me say that I would personally never be able to sleep were I to recommend that someone solely use a Windows-based firewall to protect their corporate (or home) LAN, whether it is BlackIce, Outpost, Zone Alarm or MS ISA Server. That said, these products DO have their places. Outpost includes quite decent filtering, including ActiveX, Flash, Java, VB Scripts, animated GIFs, as well as popup blocking and web content filtering. I don't know about BlackIce and Zone Alarm as I haven't used them lately.
On a small LAN, such as a home network or a SOHO network, then maybe one of these products could be used on each Windows PC to supplement the security that m0n0wall provides - not to *replace* m0n0wall by any means. MS ISA Server, on the other hand, is aimed at the small to medium business and/or enterprise - just look at its licensing conditions and pricing. MS ISA Server 2000 is something I'd never leave exposed directly to the Internet as it needs to run on top of either Windows 2000 Server or Windows Server 2003. And we all know how many security vulnerabilities these operating systems have been susceptible to.

MS ISA Server is a security product that would fit in extremely well with Active Directory networks where users need to have controlled Internet access - including control by protocol/port, time, destination, and machine that they are attempting access from - as it integrates with AD quite nicely, allowing access controls to be implemented on a per user and per computer basis. Aside from this rather granular access control, it also offers some quite decent reporting on Internet usage. Reporting that pointy headed bosses appreciate. Even reporting that System Administrators can use. :)

One thing that MS ISA Server can do is act as a secondary firewall and, through UPnP, configure the primary firewall. This assumes that the primary firewall has UPnP support - m0n0wall does not have UPnP support, unfortunately (or fortunately?) at this time. Even if the primary firewall DID have UPnP support, I'd ALWAYS ensure that I checked the configuration changes that MS ISA Server made. This is not because I don't trust MS ISA Server and/or UPnP, but... ok, damnit, it IS because I don't trust them. However, having UPnP support on your primary firewall will definitely result in less b0rked firewall rule configurations, as it eliminates one point of human error. Confirming the changes were all made correctly is, of course, something that I cannot stress enough.
So, basically, what I'm trying to say is that MS ISA Server is appropriate in certain circumstances, and SHOULD work fine with m0n0wall even though m0n0wall doesn't support UPnP configuration directly by MS ISA Server. Unless restrictions have been enforced globally in MS ISA Server, I cannot see why implementing it would *significantly* slow down WAN traffic.

Also, for particular traffic that fails to work, you'll find that - more than likely - one of two things has/hasn't happened:

1. You haven't opened and/or forwarded the required ports and/or protocols on both firewalls correctly. You may have configured only one firewall and not the other, or you may have configured only one firewall correctly.

2. The traffic you find that fails cannot pass through 2 * NAT firewalls. This happens a lot with certain traffic, such as the H.323 protocol that is used by Gnome Meeting, Net Meeting and many other voice and video chat applications. I don't know what protocol Yahoo Voice Chat uses, nor if it can traverse multiple NAT connections.

I'd guess that the first point is appropriate for your regular traffic - smtp, pop, ftp, web, secure web, and so on. I'd suspect that either point 1 or 2 is applicable for the Yahoo traffic. Again, I have no idea why the traffic would be slowed significantly except for an incorrectly configured MS ISA Server install.

Hope this helps, or is at least informative in some way. :)

-- 
Regards,

Hilton Travis                      Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual         Phone: +61-(0)419-792-394
Quark Computers                    http://www.QuarkAV.com/
(Brisbane, Australia)              http://www.QuarkAV.net/
Open Source Projects: http://www.ares-desktop.org/ http://www.mamboband.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
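The two failure causes Hilton lists (a port forward configured on only one of the two firewalls, and a protocol that cannot survive two layers of NAT) can be checked mechanically before touching either box. The following is an added example, not code from the thread, m0n0wall or ISA Server: it traces an inbound port through a chain of NAT devices and flags the hop where the chain breaks, and checks whether an address a host writes into its own payload (as H.323 does) is one an Internet peer could ever reach. Device names, addresses and rule tables are constructed.

```python
# Added example (not from the thread): trace an inbound port through a chain
# of NAT firewalls, e.g. m0n0wall on the WAN edge with ISA Server behind it,
# and report the hop where the forwarding chain breaks.  Device names,
# addresses and rule tables below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]            # (IP address, port)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class NatDevice:
    name: str
    wan_ip: str                       # address the upstream side sends to
    # (proto, external port) -> (inside host, inside port)
    forwards: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)

def trace_forward(chain: List[NatDevice], proto: str,
                  port: int) -> Tuple[Optional[Endpoint], List[str]]:
    """Follow proto/port from the outermost device inward and return the final
    (host, port), or None if some device lacks a forward, plus a per-hop log."""
    log: List[str] = []
    dst: Endpoint = (chain[0].wan_ip, port)
    for dev in chain:
        if dst[0] != dev.wan_ip:      # previous hop delivered to some other host
            log.append(f"{dev.name}: not in path, traffic already at {dst[0]}:{dst[1]}")
            break
        rule = dev.forwards.get((proto, dst[1]))
        if rule is None:              # thread point 1: one firewall not configured
            log.append(f"{dev.name}: no forward for {proto}/{dst[1]}, inbound dies here")
            return None, log
        log.append(f"{dev.name}: {proto}/{dst[1]} -> {rule[0]}:{rule[1]}")
        dst = rule
    return dst, log

def embedded_address_reachable(advertised_ip: str) -> bool:
    """Thread point 2: protocols such as H.323 carry the endpoint's own address
    in the payload.  Behind NAT that is an RFC 1918 address a peer on the
    Internet cannot reach, so the session fails whatever ports are forwarded."""
    return not any(ip_address(advertised_ip) in net for net in RFC1918)

if __name__ == "__main__":
    m0n0 = NatDevice("m0n0wall", "203.0.113.5",
                     {("tcp", 25): ("192.168.1.2", 25), ("tcp", 21): ("192.168.1.2", 21)})
    isa = NatDevice("ISA Server", "192.168.1.2", {("tcp", 25): ("10.0.0.10", 25)})
    for p in (25, 21):                # ftp was forwarded on m0n0wall only
        final, hops = trace_forward([m0n0, isa], "tcp", p)
        print(f"tcp/{p} -> {final or 'BROKEN'}", *hops, sep="\n    ")
```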