
Questions about DMZs and Firewalls


gibby
06-09-2005, 12:17 PM
Can someone explain to me what a DMZ is? What do I need to know about it if I'm trying to set up a hosting service from within an office network?

gibby
06-09-2005, 12:19 PM
Can someone please explain to me what the exact definition of a firewall is? I have a vague idea of what it is, but something a little more precise would help. Specifically, in an office network, is it something that sits outside the router to the office network, on the router, between the router and the other computers, or is there one firewall on each computer in the network? How can I check to see if we have one running on our computers or network?

Horus_Kol
06-10-2005, 03:41 AM
Hi Gibby - these two questions are related, so I merged them together.

A firewall is something which prevents unauthorised access between networks. Certain network protocols (like HTTP or TCP/IP) are assigned port numbers by international standard, and the firewall blocks or allows traffic through those ports depending on how you set it up.

A simple firewall is the free software one that now comes with Windows XP. There is a problem with software firewalls, though - as your actual network connection to your PC is completely open - plus you have to configure and administrate each computer's firewall...

Hardware firewalls are better - it's a single device for admin on a network and stops any potential attackers at the door, rather than in the hallway...

Your best bet is to get a combination firewall/router.



A DMZ - Demilitarised Zone - is used to allow public facing servers to be placed on an office intranet, but without the office network being made public as well.

Basically, you have an external firewall between the DMZ and the internet, and you only allow those ports necessary for the internet access - say port 80 for HTTP, and 20 and 21 for FTP.

Then you have another firewall between the DMZ and the private network. On this one you would enable ports for performing admin of the web server which is sandwiched between the two firewalls.


HTH

gibby
06-10-2005, 11:30 AM
I see. So how do I check to see if I have a firewall set up on my network? I know how to log into my router. Where would it tell me about any firewalls installed on it?

xxxBelowMExxx
06-11-2005, 07:34 PM
Yes, agreed, a "hardware firewall" is much better.

One, you have less application overhead (software firewall installed on each computer) because the inspection is done on the network device.

Two, it can do stateful packet inspection, whereas most routers can only do protocol inspections. If you have a broadband connection or DSL I would recommend the Cisco PIX 501, this is really a nice unit for under $400

xxxBelowMExxx
06-11-2005, 07:50 PM
As far as checking the router... Your router is really not a "Firewall" and should not be depended on as the only source of security. Security, like most other things in the networking world, should be done in layers.

1) Router on the end of the network (connected to the internet) should do protocol reject, i.e. no ftp requests, no inbound snmp requests, no telnet etc. coming from outside the network.

2) Firewall - doing much more in-depth inspection of the packets. The Firewall can do protocol reject also, but that would increase overhead on the device and network.

3) IDS - for much larger companies and networks

4) Virus scanners, baseline checks, traffic sniffers etc.

One mistake of security is not building it in layers and relying on one unit to do everything; once the one unit is compromised the network is done.


One note I want to make is that most routers on the market are not even very good at being NAT-PAT/firewalls - they don't allow you to build your own ACLs or IP tables; you can only get this option from higher end routers like Cisco's 800 Series for broadband connections...

Sorry, I may have gone a little overboard here
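The two-firewall DMZ layout Horus_Kol describes (external firewall passing only the public ports to the server, internal firewall passing only admin traffic) and the layered, stateful design in the post above, modelled as a small packet filter. This is an added example, not code from the thread or from any product mentioned in it: the addresses other than 10.1.2.3 are constructed documentation addresses, the admin port is assumed to be SSH on 22, the router is assumed to pass FTP on to the external firewall because the DMZ server is deliberately public, and only inbound traffic is modelled (LAN users browsing out is out of scope).

```python
"""Toy model of a layered perimeter: border router (protocol reject),
stateful external firewall into the DMZ, stateful internal firewall
between the DMZ and the private LAN. Constructed example, not a product."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed addresses (10.1.2.3 is the server address used in the thread).
INTERNET_HOST = "203.0.113.9"   # RFC 5737 documentation range
DMZ_SERVER = "10.1.2.3"         # public web/FTP server sitting in the DMZ
LAN_ADMIN = "192.168.1.50"      # workstation on the private office LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for the segment that opens a new connection


def zone(ip: str) -> str:
    """Which side of the perimeter an address belongs to."""
    if ip == DMZ_SERVER:
        return "dmz"
    if ip.startswith("192.168.1."):
        return "lan"
    return "internet"


def border_router(pkt: Packet) -> bool:
    """Layer 1, protocol reject at the router: refuse telnet and SNMP
    connection attempts that originate outside the network. FTP is not
    rejected here because the DMZ server is meant to be reachable."""
    blocked_inbound = {23, 161}
    if zone(pkt.src) == "internet" and pkt.dport in blocked_inbound:
        return False
    return True


class StatefulFirewall:
    """Layer 2: a new connection must match a rule and open with SYN; once
    accepted its 4-tuple is remembered, so replies pass without a rule and
    unsolicited packets that merely look like replies do not."""

    def __init__(self, name: str, rules: List[Tuple[str, str, int]]):
        self.name = name
        self.rules = rules  # (source prefix, destination ip, destination port)
        self.table: Set[Tuple[str, str, int, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if flow in self.table or reverse in self.table:
            return True  # part of a connection we already accepted
        if not pkt.syn:
            return False  # mid-stream packet for an unknown connection
        for src_prefix, dst_ip, dport in self.rules:
            if pkt.src.startswith(src_prefix) and pkt.dst == dst_ip and pkt.dport == dport:
                self.table.add(flow)
                return True
        return False


def build_site() -> Tuple[StatefulFirewall, StatefulFirewall]:
    """The two firewalls from the thread. '' as a prefix means any source."""
    external = StatefulFirewall("external", [("", DMZ_SERVER, 80), ("", DMZ_SERVER, 21)])
    internal = StatefulFirewall("internal", [("192.168.1.", DMZ_SERVER, 22)])  # assumed SSH admin
    return external, internal


def forward(pkt: Packet, external: StatefulFirewall, internal: StatefulFirewall) -> str:
    """Walk the packet through every layer between its source and destination
    zones; it is delivered only if all of them allow it."""
    zones = {zone(pkt.src), zone(pkt.dst)}
    layers: List[Tuple[str, Callable[[Packet], bool]]] = []
    if "internet" in zones:
        layers += [("router", border_router), ("external", external.allows)]
    if "lan" in zones:
        layers.append(("internal", internal.allows))
    for name, check in layers:
        if not check(pkt):
            return f"dropped by {name}"
    return "delivered"


def demo() -> dict:
    """Constructed traffic run through the model; returns the verdicts."""
    external, internal = build_site()
    results = {}
    results["web"] = forward(Packet(INTERNET_HOST, DMZ_SERVER, 40000, 80, syn=True), external, internal)
    results["web_reply"] = forward(Packet(DMZ_SERVER, INTERNET_HOST, 80, 40000), external, internal)
    results["fake_reply"] = forward(Packet(DMZ_SERVER, INTERNET_HOST, 80, 40001), external, internal)
    results["telnet"] = forward(Packet(INTERNET_HOST, DMZ_SERVER, 40002, 23, syn=True), external, internal)
    results["lan_from_internet"] = forward(Packet(INTERNET_HOST, LAN_ADMIN, 40003, 445, syn=True), external, internal)
    results["dmz_to_lan"] = forward(Packet(DMZ_SERVER, LAN_ADMIN, 40004, 445, syn=True), external, internal)
    results["admin"] = forward(Packet(LAN_ADMIN, DMZ_SERVER, 40005, 22, syn=True), external, internal)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

The "dmz_to_lan" case is the reason for the second firewall: if the public server is compromised, the inner firewall still refuses connections it tries to open towards the office machines, which is what keeps the office network from "being made public as well".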

gibby
06-13-2005, 01:04 AM
I see. Is it possible to configure a software firewall to accept ftp connections as well as http? What about hardware firewalls?

Horus_Kol
06-13-2005, 03:38 AM
FTP is just a protocol identified by two ports (20 and 21) for incoming and outgoing... all you have to do is tell the firewall to open those two ports.

xxxBelowMExxx
06-13-2005, 09:42 PM
FTP??? Are you sure you want to open that port in an office environment..... It is OK to do so if it is within a DMZ. You were told earlier what a DMZ is by definition but that does not tell you how it works... Here, think of it this way.

On your router, you forward any and all FTP handshake requests to a pre-defined address on the network (your FTP server), let's say 10.1.2.3 for example. That is creating a DMZ. Don't put anything worth taking on this server and also make sure to disable anonymous and/or guest accounts on the server, but remember all usernames and passwords are passed in clear text.

What kind of router do you have?
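To make the two posts above concrete (FTP identified by ports 21 and 20, and every username and password sent in clear text), here is a small audit script that parses an FTP control-channel conversation the way a sniffer or IDS on the path would see it. It is an added example, not code from the thread: the session is constructed (the addresses, the account names and the password strings are all made up), and the `C:`/`S:` prefixes are just a convention for labelling which side sent each line.

```python
"""Audit of a captured FTP control channel (port 21). Everything the script
recovers is readable by anyone on the path, which is the thread's point."""
from typing import Dict, List, Tuple

# Constructed sample session, not a real capture. C: = client, S: = server.
SAMPLE_SESSION = """\
S: 220 ftp.example.test FTP server ready
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@example.test
S: 530 Login incorrect.
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PORT 203,0,113,9,195,80
S: 200 PORT command successful.
C: RETR report.txt
S: 150 Opening BINARY mode data connection.
S: 226 Transfer complete.
"""


def parse_session(text: str) -> List[Tuple[str, str]]:
    """Split the transcript into (side, line) pairs."""
    events = []
    for raw in text.splitlines():
        if raw.strip():
            side, _, line = raw.partition(": ")
            events.append((side, line))
    return events


def extract_logins(events: List[Tuple[str, str]]) -> List[Dict]:
    """Pair each USER with the PASS that follows it and with the server's
    verdict (230 = logged in, 530 = refused). Nothing here is obscured."""
    logins: List[Dict] = []
    for side, line in events:
        if side == "S":
            # A 3-digit reply arriving after a PASS is the login verdict.
            if logins and logins[-1]["password"] is not None \
                    and logins[-1]["result"] is None and line[:3].isdigit():
                logins[-1]["result"] = int(line[:3])
            continue
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            logins.append({"user": arg, "password": None, "result": None})
        elif verb.upper() == "PASS" and logins and logins[-1]["password"] is None:
            logins[-1]["password"] = arg
    return logins


def parse_port_command(arg: str) -> Tuple[str, int]:
    """PORT h1,h2,h3,h4,p1,p2: in active mode the client names the address
    and port the server must connect back to from its own port 20."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def audit(text: str) -> Dict:
    """Summarise what a passive observer learns from the control channel."""
    events = parse_session(text)
    logins = extract_logins(events)
    findings: Dict = {
        "cleartext_passwords": [l["password"] for l in logins if l["password"]],
        "anonymous_attempts": [l for l in logins if l["user"].lower() in ("anonymous", "ftp", "guest")],
        "successful_users": [l["user"] for l in logins if l["result"] == 230],
        "data_connections": [],  # (ip, port) the server will dial from port 20
    }
    for side, line in events:
        verb, _, arg = line.partition(" ")
        if side == "C" and verb.upper() == "PORT":
            findings["data_connections"].append(parse_port_command(arg))
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

The `anonymous_attempts` list is the check behind the advice to disable anonymous and guest accounts: in the sample the server refuses it (530), which is the result you want to see. The `data_connections` entry shows why opening "port 20" matters for active-mode FTP: the server itself opens an outbound connection from port 20 to whatever address the client supplied, so a stateful firewall has to be able to relate that data connection to the control session.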

gibby
06-14-2005, 12:04 PM
My router is a Linksys (model: BEFSR41 v.2).

If FTP is not recommended in an office network, how do hosting companies do it? I'm trying to set up a server within this office network to host websites, so I definitely need HTTP access from the outside world. In my experience, hosting companies who own their own servers also allow their clients to have FTP access to their accounts on the same servers their websites are hosted on. Therefore, these servers must have HTTP and FTP access enabled. Is there something else to this?

putts
06-14-2005, 01:13 PM
I'm guessing you guys don't have any SSL (Secured Socket Layer) servers up and running (or servers with SSL, I guess I should say)?

If not, you can open up FTP and not be susceptible to attack as long as it is well secured (logins and passwords stored within something like LDAP). If you're not sure how to secure that sort of line to a decent degree, then it is best to maybe take a couple of classes or something on it.

Opening up things without the proper knowledge as to how to secure them is very dangerous because that means the guys attacking you know as much (if not more) about your system than you do - not a good situation to be in. Oh, and they will find their way in. :(

xxxBelowMExxx
06-14-2005, 03:46 PM
Yes, just as Putts said,

Most hosting companies use SSL with certificates being issued to end-users for secure transmissions of data. You can use a third party certificate (which is more trusted) or a Self-signed cert which is also commonly used on hosting companies.
For Apache2 users, OpenSSL is widely used, can't help you on IIS, sorry....

xxxBelowMExxx
06-14-2005, 04:05 PM
I just recently got OpenSSL configured on an Apache2 server. When the user went to, let's say, www.somesite.com/admin, they are presented with a pop-up asking to accept the certificate. Then they are allowed to login; being that the session has already started, the user and pass are not sent in clear text but encrypted text.

After login, rights are given.. ftp and so forth. Anything done during this session is secure. I would recommend using a MySQL database for the site and for storing usernames and passwords...
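The setup the post above describes (Apache 2 with mod_ssl, a self-signed certificate, and the /admin area only reachable over the encrypted session) as an Apache configuration fragment. This is an added example, not the poster's configuration: the hostname www.somesite.com comes from the post, while the file paths, the use of an htpasswd file instead of the MySQL database the poster recommends, and the choice of Basic authentication are assumptions made for illustration.

```apache
# Self-signed certificate and key (assumed paths), generated once with:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -keyout /etc/apache2/ssl/somesite.key -out /etc/apache2/ssl/somesite.crt \
#       -subj "/CN=www.somesite.com"
# Browsers will show the "accept this certificate" prompt the post mentions
# until the certificate is issued by a CA they already trust.

Listen 80
Listen 443

<VirtualHost *:80>
    ServerName www.somesite.com
    # Never serve or accept a login over plain HTTP: send everything to TLS.
    Redirect permanent / https://www.somesite.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.somesite.com
    DocumentRoot /var/www/somesite

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/somesite.crt
    SSLCertificateKeyFile /etc/apache2/ssl/somesite.key
    # Refuse the broken protocol versions; only modern TLS is negotiated.
    SSLProtocol all -SSLv2 -SSLv3

    <Location /admin>
        # Hard requirement: the admin area is unavailable on any non-TLS request,
        # so the username and password can only ever travel encrypted.
        SSLRequireSSL
        AuthType Basic
        AuthName "Site administration"
        AuthUserFile /etc/apache2/somesite.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

Basic authentication is acceptable here only because `SSLRequireSSL` guarantees the credentials are inside the encrypted session; the same directive block on a plain-HTTP vhost would send them in clear text exactly like FTP does.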