Posted

Hello;

"Network or Local?" It's not a question; they are different ways to do security in a network.

I have to deploy a security solution in a school network on all the computers (80 PCs).

It's a local deployment (we already have a firewall at the head of the network) and I want to do a silent install of the software.

I have tested Kerio, Zone Alarm and Jetico with success, but only on my PCs.

Is there someone who has tried this sort of installation in a network?

I don't know if I will have problems with profiles, users, configuration...

Thanks and Kenavo :) (as we say in Brittany)


Posted

rle-grand :hello: :

If I understand you correctly, you want to secure the individual PC's in your local intranet network from the WWW.

In my case, I have a firewall on my primary computer (the "head"). In it I have two NICs, one connected to the WWW, one connected to my intranet (other PC's). I share the WWW NIC using Internet Connection Sharing (it "hooks" to the local NIC). I found that the "head" computer firewalls the others in the same way that it is firewalled. You would naturally have to manually assign IP addresses to the intranet NIC and all PC's connecting to it (via a hub/hubs) using a common IP submask. The primary "head" PC's firewall would have to allow accesses for that group of manually assigned intranet IP's.

Another way would be to use a physical router (hardware) with firewall built in. Anything connected behind it will be firewalled. Of course the firewall setup would have to be done in a similar fashion to a software firewall.

I would assume that the "head PC" is some sort of server operating system. From there you would control other PC's accesses via local policies and individual users/groups (intranet).

Therefore, no need for a firewall on every single PC, just the "head PC" hooked directly to the WWW.

The above is a rather loose description. There are a number of things that would need to be done/set-up depending on your needs/requirements, as you are aware.

Anyone else, please correct me if I'm wrong. My statements are based upon my own learning experience and could be globally inaccurate.

Posted

There is a hardware firewall (a European product: Netasq, the "head") in the school network. It's a physical router. It does real-time intrusion prevention, network and application firewalling, advanced content filtering, antispam, antispyware, URL filtering, IPSEC and SSL VPN.

So, as you said, there is no need to deploy on each PC.

But in France, the policy for education and the Internet is to prevent every sort of mistake involving the Internet (logging on to sites of violence, racism, terrorism, ...) or local intrusions.

So I have to install on the computers (in addition to the hardware solution) a firewall, antispyware and tools (like CCleaner).

With more than 80 PCs in the network, I am working on a silent install of these applications.

But I don't know if deploying the applications is possible (as a silent install) with multiple users (administrator, teachers, students) without my having to configure the firewall and the antispyware for each user.

I hope you understand.

Kenavo :)

Posted

Ouch!!!

Not sure if you can just "silently deploy" in such an environment. You will probably have to pick the best firewall to suit your needs, dig into the documentation, then install. Note the dates of files, etc., that are "defaults" for the date/time of install, set up the firewall per your requirements (all users and/or usergroups), check dates/times again noting those that are "newer", and maybe "clone" those files to all other machines (after install, of course). This is the closest I can come to a potential "silent install" (various methods being utilized).

What you describe could be considered "parental controls", which should allow settings based upon the level of "who is allowed to get what" (consider this when selecting your firewall). Each listed user would have to be placed into the associated group and "generically" assign accesses for each group, including whether they can change the settings (I assume only the Administrator should be allowed). I have set up just such a scenario on a friend's single computer, but know of no easy way (other than described) to deploy to multiple PC's.

Hope you are getting paid enough... Network Security can be a bear! If you are doing this as a "favor" or you are being "volunteered" for this task, bite the bullet and dig in! Logically lay out what you "need" and "need to do on paper", then try it until you get the result you want (may require complete install of a "clean machine"; get them to allocate one to you).

Posted

Yes, it's like a parental control on the computers of the network. A local protection against the ingenious student who wants to crack the system.

To be precise: I work at a high school (ages between 15 and 18) with 800 students who each have personal access to the network (a logon script for each, with access rights to the Windows components).

I can configure some programs but not all of them, particularly the startup programs.

(It's not easy to describe this network configuration in detail.)

Indeed, I will be careful before deploying the solution.

Why track the dates of files and of installs? Is it important? Why?

The main problem will be the users and the privileges.

A battery of tests in a real situation is necessary. I will start with initial tests on a PC of the network with different users (and different privileges).

Another detail: I only use freeware.

For the parental-control configuration, I am thinking about:

- Kerio is a good firewall in this case (password protection), plus tests on the network configuration. Jetico is too restrictive. ZA: no password. I can't find a silent install for Outpost personal firewall (only for the pro version).

- SpywareGuard or Arovax Shield (I tried a silent install; that doesn't work, and I will try with AutoIt).

- CCleaner is, in my opinion, not safe in this configuration. Do you know a similar tool with password protection? I think that if I install in administrator mode and configure the software (password), another user can't open it. Right or wrong? To be tested.

Much, much work in preparation.

You mentioned remuneration. Yes, I have only two hours per week for the network's administration. It's not enough.

The problem in France is that technical solutions are being deployed in schools, but with no technicians.

Personally, I take from my own time and money (part-time work) to give an informatics degree.

What's the situation in schools in the USA? In the education system?

Posted (edited)

> What's the situation in schools in the USA? In the education system?

Probably the same here...

The suggestion for tracking files (on a separate test computer):

--Start from re-install Windows after reformat HDD

--Install chosen firewall

--Set up groups (Admin, Teacher, Student, however firewall works)

--Assign "dummy" user for each (Dummy1 for Admin, Dummy2 for Teacher, etc.)

--Add rules for each group and test to confirm does what you want

--Add ALL users to each appropriate group

--Install firewall on ALL computers

--Copy any files NOT Windows (the firewall and its "rules", e.g. any changed files) to ALL computers

Last two steps would have to be however you can (or want to) "roll out" the setup. The reason for this is to ensure any user can get on any machine and it will be the same.

When I worked for the Air Force, they tried to have all PC's the same so they could "push" changes to all PC's from the main server. Anyone needed special changes on their PC had to make a special request.

Anyone else got a better way of doing this? Chime in anytime...

p.s. also a file on Win2K/XP called HOSTS in WINDOWS\SYSTEM32\DRIVERS\ETC that you can put "bad site" addresses that will cause the system to NOT allow outgoing internet access to those sites. "Spybot - Search & Destroy" will put many/most of those there for you. It is free also.

Edited by submix8c
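
The file-tracking procedure above, as an added example that is not part of the original post: it compares content hashes taken before and after configuring the firewall instead of comparing file dates, so a change is found even when a date is unchanged. The folder and file names (fw.exe, rules.cfg, users.cfg) are constructed for the demonstration and are not the firewall's real files.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to (size, SHA-256 of its content)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                state[rel] = (os.path.getsize(path), digest.hexdigest())
            except OSError:
                # Locked or unreadable file: no hash, so it is always reported.
                state[rel] = ("unreadable", None)
    return state


def changed_files(before, after):
    """Relative paths added, modified, or unreadable in the second snapshot."""
    return sorted(p for p, meta in after.items()
                  if before.get(p) != meta or meta[1] is None)


def removed_files(before, after):
    """Relative paths present before but missing afterwards."""
    return sorted(set(before) - set(after))


def demo():
    """Constructed sample: a stand-in install folder, configured after the first snapshot."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        write("fw.exe", b"program binary")      # untouched by configuration
        write("rules.cfg", b"rules=default")    # default written by the installer
        before = snapshot(root)
        write("rules.cfg", b"rules=school")     # rules edited by the admin
        write("users.cfg", b"groups=3")         # new file created while configuring
        after = snapshot(root)
        return changed_files(before, after), removed_files(before, after)


if __name__ == "__main__":
    print(demo())
```

The paths returned by `changed_files` are the candidates to copy to the other PCs; anything listed by `removed_files` has to be deleted there as well.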
Posted

Hello :)

I have begun the tests on my PC with users and local privileges, to see if at this level only the administrator can modify the software configuration.

I reformatted the HDD and installed Kerio Personal Firewall.

The password protection is enough. No user except the administrator can open Kerio.

All the log files are in one directory: C:\Program Files\Sunbelt Software\Personal Firewall\logs. I will probably leave these files on the local machine.

The free version doesn't save the logs over the network.

The HIPS service (host-based intrusion prevention system) is not usable.

No Web filter (I know the HOST file and it's a good idea).

But Kerio offers the possibility to import or export a basic configuration: name.cfg. I will use this to deploy the same config on the network.

That will be a good beginning.

What's a "dummy" user?

If I want to use a network deployment, I will have to change my choice.

Is there a free firewall with this option?

I know the HOST file and it's a good idea.

Thanks.

Posted

Sounds like you are getting the idea. Good...

"name.cfg" might be the only file needed for implementation on all PC's. Am not familiar with Kerio (I use another), so unsure.

"Dummy" UserId's are just for the purpose of testing any given real UserId for any given Group.

Example Groups: Admin's have full privileges, Teachers (Supervisors) can do less, and Students even less!

Add a "dummy" user to a given Group (DummyX), set up privileges for that Group and test by logging on for that DummyX/Group combination and see if that setup fulfills the requirements for that Group. Once confirmed, Remove DummyX from the group, add real UserId's that should go in that group.

Now do the same for the next Group.

Example breakdown:

Group Admin: UserId: You
                     Backup
                     (whoever is an admin; Principal?)
Group Teach: UserId: Math-Teach
                     History-Teach
Group Studn: UserID: (all the students Users)

If you can manage the above breakdown and it is stored in the single "cfg" file, you may be "good to go". Just copy/import that single file by whatever method you choose to all the PC's after install of F/W. Remember to keep a Master Copy that can/should be modified at a single PC for whenever modifications are necessary (e.g. add/remove user, change Privilege level, etc.). The HOST file can be done the same way, but it will be effective for all users, regardless of group.

I probably won't be of much help after the above if you have the basic idea. Perhaps someone more familiar with Kerio can help further (e.g. does it allow for that type of breakdown?; how does it detect attempted accesses to restricted material and how can it be set up to restrict it?). Perhaps you only need two groups, Admin and Not-Admin (teachers are restricted the same way, but they cannot investigate subjects of violence/racism/etc. for their duties as teachers).

As for your potential choice of Kerio and what Free Firewall will allow such a setup, I cannot say since I use a Commercial Corporate firewall and the Commercial Firewall I had installed on a friend's PC had the basic setup "built in" (selected by subject matter and not by modifiable keywords). Try browsing the Forum for topics that give that information. One such place you might try posting your requirements is the "Which Firewall" thread. Those folks seem very knowledgeable and may be able to suggest a more suitable choice, or even better assistance. I'm tapped out as for any other suggestions; sorry...

Happy Firewalling! :thumbup
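
One way to keep the HOSTS file in step with a Master Copy, as discussed in the posts above (an added example, not part of the thread): the blocklist lives in a marked section that is rebuilt on every deployment, so removing a site from the master list also removes it from each PC. The marker lines, the 127.0.0.1 target and the sample names are assumptions of this example.

```python
import re

# Marker lines are an assumption of this example; any unique comment pair works.
BEGIN = "# BEGIN school blocklist (managed section)"
END = "# END school blocklist"
# One hostname per entry: letters, digits, hyphens, dots. No spaces or newlines.
HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def render_hosts(existing, blocklist):
    """Return new HOSTS text: lines outside the managed section are kept as they
    are, and the managed section is rebuilt from the master blocklist."""
    kept, inside = [], False
    for line in existing.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    if inside:
        raise ValueError("managed section has no END marker; fix the file by hand")
    names = sorted({entry.strip().lower() for entry in blocklist if entry.strip()})
    bad = [n for n in names if not HOSTNAME.fullmatch(n)]
    if bad:
        # A name with a space or newline would smuggle an extra mapping into HOSTS.
        raise ValueError("rejected blocklist entries: %r" % bad)
    while kept and not kept[-1].strip():
        kept.pop()
    section = [BEGIN] + ["127.0.0.1 " + n for n in names] + [END]
    return "\n".join(kept + [""] + section) + "\n"


# Constructed sample input (not real sites).
SAMPLE_HOSTS = "127.0.0.1 localhost\n"
SAMPLE_BLOCKLIST = ["Bad-Site.example", "ads.tracker.example ", "bad-site.example"]

if __name__ == "__main__":
    print(render_hosts(SAMPLE_HOSTS, SAMPLE_BLOCKLIST), end="")
```

Running it twice with the same list gives the same file, so the same script can be pushed to every PC each time the master list changes.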