Software Firewall and a Proxy service
Why would you want to have a software firewall when you have a
router that has the firewall built in the hardware?
With a hardware firewall you are limited in the 'rules' you can write for connections into and out of your network.
Note: Having the router with its firewall on the outside of your network still has advantages, mainly the "Block WAN Requests" rule, which most software solutions do not have, and because it runs on its own hardware it cannot be switched off by a virus running on one of your PCs (it is only as safe as its configuration, though: change the default password and keep its firmware current).
Modern commercial small business/home routers (and some cable/DSL modems) have additional options and features that help keep your internal network from being accessed by an unauthorized person (hacker/thief) who would steal or damage your data. They are not expensive, so consider this: "How much is your family's/data's safety worth?"
With a software firewall and a proxy service, on the other hand, you have far more flexibility in creating your rules.
Software Firewall service:
The catch with a software solution is that you need a computer between your hardware router and your client computers. This computer is normally called a Proxy Server.
How would you set up a 'Proxy Server'? It really isn't hard, just involved.
Of course you will need a computer; the difference is in the network cards, or NICs.
You will need two dissimilar NICs. By dissimilar I mean two NICs of different makes, such as a 3Com and a Netgear. This isn't important on the surface, but when you set up the network, having dissimilar NICs makes identifying the LAN side and the WAN side of the proxy service easier.
You will also need a proxy server program; this is the meat of the setup.
I have used WinGate (by Qbik, a New Zealand company) for years and am familiar with its workings. It has a GUI (graphical user interface) that makes writing the 'rules' easier than some of the other proxy servers I have used.
Note: If you decide to use a program called ZoneAlarm, be aware that the program is very invasive. It is an "All-In-One" type of security program and once installed it takes a lot of work to remove. In addition, the program is not as robust as a set of separate single-purpose programs would be. If you like conflicts between your software programs this one is for you. Otherwise don't waste your time and money. Just sayin'...
So how do you set up your software firewall / proxy service?
You have your computer and your NICs; you can use any OS for your computer if it supports two NICs. I normally use a Server OS (a Windows workstation edition such as Vista or Win7 only allows a small number of concurrent inbound connections, 10 on Vista and 20 on Win7; if you need more clients than that connected to the proxy computer at the same time you will need a Server OS).
Once you have the OS loaded I suggest you name one NIC LAN (Local Area Network) and the other WAN (Wide Area Network), where LAN is your network on your side of the router and WAN is the connection to the router.
Give the LAN NIC an IP address on your local network and give the WAN NIC an IP address on the subnet the router serves. I do suggest that you use static IP addresses for both.
On the LAN NIC do not enter a gateway IP at all: a computer should have only one default gateway, and here it belongs on the WAN side. On the WAN NIC the gateway address is the router's LAN-side address, the same address the router hands out as gateway to anything plugged directly into it.
Where the firewall comes in is the two network cards. The two networks are physically separated by them: nothing flows from one card to the other unless the proxy service carries it, so make sure IP routing and Internet Connection Sharing are switched off on this computer, or it becomes a plain router and the separation is gone. You still need the router for what the software cannot provide, specifically the Block WAN Request rule, pass-through for VPN protocols like IPSec, PPTP and L2TP, or maybe a DMZ (demilitarized zone) for a web server or an FTP server. The pass-through options are not needed unless you are setting up a VPN for your users/employees to connect to while on the road.
Test your connections: from one of your computers on the LAN side, connect to the software firewall / proxy server computer. From the proxy server, connect to an external web site. If you have no problems connecting to the proxy server from the LAN and out from it to the internet, you are ready to install the proxy service software.
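The NIC setup and the pre-install checks above, as an added PowerShell example (this is not the article's own script and not WinGate's). It uses netsh so it also works on the Vista/Win7 machines mentioned; the adapter names, the 10.10.10.x/192.168.1.x addresses and the router address are assumptions to replace with your own.

```powershell
# Added example (not from the original article): configure the two NICs of the
# proxy computer and make sure it does not route between them.
# Adapter names, addresses and the router address are assumptions.
$LanName  = 'LAN'             # NIC on your side, facing the client computers
$WanName  = 'WAN'             # NIC facing the router
$LanIP    = '10.10.10.3'      # proxy's LAN address (clients will use this as gateway and proxy)
$WanIP    = '192.168.1.2'     # proxy's WAN address, taken from the router's subnet
$Mask     = '255.255.255.0'
$RouterIP = '192.168.1.1'     # router's LAN-side address: the only default gateway on this box

# Rename the adapters so the two sides are unambiguous. Check which is which first with
# 'netsh interface show interface' and the NIC model shown in Device Manager.
netsh interface set interface name="Local Area Connection"   newname="$LanName"
netsh interface set interface name="Local Area Connection 2" newname="$WanName"

# Static addressing. The LAN NIC deliberately gets gateway=none: a second default
# gateway would give this computer a path that bypasses the proxy.
netsh interface ipv4 set address name="$LanName" source=static address=$LanIP mask=$Mask gateway=none
netsh interface ipv4 set address name="$WanName" source=static address=$WanIP mask=$Mask gateway=$RouterIP gwmetric=1
netsh interface ipv4 set dnsservers name="$WanName" source=static address=$RouterIP

# The proxy computer must not act as a router: only the proxy service should carry
# traffic from one NIC to the other. Turn IP forwarding off and disable Internet
# Connection Sharing (its service name is SharedAccess).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name IPEnableRouter -Value 0 -Type DWord
Stop-Service -Name SharedAccess -Force -ErrorAction SilentlyContinue
Set-Service  -Name SharedAccess -StartupType Disabled

# Checks to run before installing the proxy software:
netsh interface ipv4 show config name="$LanName"     # expect no default gateway listed
netsh interface ipv4 show config name="$WanName"     # expect the router as gateway
Test-Connection -ComputerName $RouterIP -Count 2     # the WAN side reaches the router
# From a LAN client: ping $LanIP must succeed, while a direct web request must fail
# (nothing forwards it) until the proxy service is installed and configured.
```

Run it in an elevated PowerShell on the proxy computer after a reboot, and repeat the two show config lines whenever a Windows update or a driver reinstall has touched the adapters; a gateway that quietly reappears on the LAN side is the most common way the separation gets broken.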
Once you have your proxy service software installed, all that is left to do is write the 'rules'. A 'rule' is broken down into three parts:
- Who can connect
- Where they can connect to
- The interfaces they can connect on
Normally you would give all the users on your network access to the World Wide Web: they connect on the LAN NIC and the connection goes out the WAN NIC. There may also be additional parameters you can set, such as time of day for the connection, a list of web sites or 'keywords' that are restricted, and the maximum length of a connection.
A rule would look like this:
- Rule name
- Sessions (Users): all
- Mappings: www.websitea.com
- Port: 1010
- Bindings (LAN): 10.10.10.3
- Interfaces (WAN): 140.155.14.191
- Time: 00:00
- Restrictions: none
Note: These settings are fictitious.
This works very well for content filtering of the kind Net Nanny does, or for a business that wants to restrict users from surfing while they are at work.
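To show how the three parts of a rule and the optional time and keyword restrictions interact, here is an added PowerShell model of the rule above evaluated against a few constructed requests. It is not WinGate's rule format or code; the addresses and port are the fictitious values from the rule, and the users, URLs and times are made up.

```powershell
# Added example, not WinGate's own rule format or code: a small model of the
# three-part rule (who, where, which interfaces) plus the optional time-of-day
# and keyword restrictions, evaluated against constructed requests.
$Rule = @{
    Name         = 'Web to websitea'
    Sessions     = 'all'                        # or a list of user names, e.g. @('alice','bob')
    Mappings     = @('www.websitea.com')        # destinations allowed; '*' would mean any host
    Port         = 1010                         # port the proxy listens on
    BindingLan   = '10.10.10.3'                 # LAN NIC address the client must connect to
    InterfaceWan = '140.155.14.191'             # WAN NIC the session leaves on
    TimeWindow   = @{ Start = '08:00'; End = '18:00' }   # $null = any time of day
    Restrictions = @('gambling', 'torrent')     # keywords that block a URL
}

function Test-ProxyRule {
    param([hashtable]$Rule, [hashtable]$Request)
    # Who: the session's user must be allowed by the rule
    if ($Rule.Sessions -ne 'all' -and $Request.User -notin $Rule.Sessions) {
        return "deny: user '$($Request.User)' not in rule"
    }
    # Interfaces: the request must have arrived on the LAN binding and port
    if ($Request.LocalAddress -ne $Rule.BindingLan -or $Request.LocalPort -ne $Rule.Port) {
        return "deny: not received on $($Rule.BindingLan):$($Rule.Port)"
    }
    # Where: the destination host must match one of the mappings
    $hostOk = $false
    foreach ($m in $Rule.Mappings) { if ($Request.Host -like $m) { $hostOk = $true } }
    if (-not $hostOk) { return "deny: $($Request.Host) is not a mapped destination" }
    # Time of day, if the rule has a window
    if ($null -ne $Rule.TimeWindow) {
        $t = [datetime]::ParseExact($Request.Time, 'HH:mm', $null)
        $s = [datetime]::ParseExact($Rule.TimeWindow.Start, 'HH:mm', $null)
        $e = [datetime]::ParseExact($Rule.TimeWindow.End, 'HH:mm', $null)
        if ($t -lt $s -or $t -gt $e) {
            return "deny: $($Request.Time) is outside $($Rule.TimeWindow.Start)-$($Rule.TimeWindow.End)"
        }
    }
    # Restrictions: any blocked keyword anywhere in the URL
    foreach ($k in $Rule.Restrictions) {
        if ($Request.Url -match [regex]::Escape($k)) { return "deny: keyword '$k'" }
    }
    return "allow, out via $($Rule.InterfaceWan)"
}

# Constructed requests (assumed data, not from the article)
$Requests = @(
    @{ User='alice'; LocalAddress='10.10.10.3';     LocalPort=1010; Host='www.websitea.com'; Url='http://www.websitea.com/';             Time='09:30' },
    @{ User='bob';   LocalAddress='10.10.10.3';     LocalPort=1010; Host='www.websitea.com'; Url='http://www.websitea.com/torrent/top'; Time='09:30' },
    @{ User='carol'; LocalAddress='10.10.10.3';     LocalPort=1010; Host='www.websitea.com'; Url='http://www.websitea.com/';             Time='22:15' },
    @{ User='dave';  LocalAddress='10.10.10.3';     LocalPort=1010; Host='www.websiteb.com'; Url='http://www.websiteb.com/';             Time='09:30' },
    @{ User='eve';   LocalAddress='140.155.14.191'; LocalPort=1010; Host='www.websitea.com'; Url='http://www.websitea.com/';             Time='09:30' }  # came in on the WAN side
)
foreach ($r in $Requests) { '{0,-6} {1}' -f $r.User, (Test-ProxyRule -Rule $Rule -Request $r) }
```

Only alice's request is allowed: bob trips the keyword list, carol is outside the time window, dave asks for a host the rule does not map, and eve's request arrived on the WAN interface rather than the LAN binding. The order of the checks matters in a real proxy too: the interface check comes first so that a connection from the router side is rejected before any user or destination lookup is done.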
The gateway IP for the client computers is the LAN IP of the proxy server. On each client computer that uses a static IP, set that gateway IP on its NIC. If you have a DHCP server, check its DHCP page (the setting is called Router in the scope options) for where to add the gateway.
Then add the proxy's LAN IP and port to any software that has a proxy setting. IE has this under Tools / Internet Options / Connections / LAN settings. Other programs that access the internet will have a proxy setting in their options, or instructions on how to connect through a proxy server.
This is the main reason a virus cannot send your data back to its originating computer (the thief) or "call home": the proxy computer does not forward packets, so a connection that simply heads for the default gateway dies at the LAN NIC. Only traffic from a program that has been told to talk to the proxy gets out, and a virus that just opens a direct connection never gets there; carrying the code to find and use a proxy would make it larger and easier to detect. The caveat is that malware which reads the browser's proxy setting can leave the same way the browser does, so review the proxy's logs for sessions from programs you did not expect.
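The client-side setup and the "direct connections go nowhere" check described above, as an added PowerShell example (not the article's own script). The proxy address and port are the fictitious values from the rule; the client address and adapter name are assumptions.

```powershell
# Added example (not from the original article): point a Windows client at the
# proxy computer and confirm that only proxied traffic can leave.
# Addresses and port are the fictitious values from the rule above; the client's
# own address and adapter name are assumptions.
$ProxyLanIP = '10.10.10.3'
$ProxyPort  = 1010
$ClientIP   = '10.10.10.20'
$Mask       = '255.255.255.0'

# 1. Static clients: default gateway = the proxy's LAN address.
#    (DHCP clients get this from the scope's Router option instead.)
netsh interface ipv4 set address name="Local Area Connection" source=static address=$ClientIP mask=$Mask gateway=$ProxyLanIP gwmetric=1

# 2. Per-user (WinINET) proxy: the same setting IE exposes under
#    Tools / Internet Options / Connections / LAN settings.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1 -Type DWord
Set-ItemProperty -Path $inet -Name ProxyServer   -Value "${ProxyLanIP}:${ProxyPort}"
Set-ItemProperty -Path $inet -Name ProxyOverride -Value '<local>'    # LAN hosts are reached directly

# 3. Machine-wide (WinHTTP) proxy for services that ignore the per-user setting.
netsh winhttp set proxy proxy-server="${ProxyLanIP}:${ProxyPort}" bypass-list="<local>"

# Checks: the proxy's listening port must answer, and a direct connection to an
# outside host must fail, because nothing forwards it past the proxy's LAN NIC.
Test-NetConnection -ComputerName $ProxyLanIP -Port $ProxyPort        # TcpTestSucceeded should be True
Test-NetConnection -ComputerName 'www.websitea.com' -Port 80         # expected to fail without the proxy
```

The second Test-NetConnection failing is the result you want: it is the same dead end a virus hits when it tries to "call home" with a plain outbound connection. If it succeeds, something on the proxy computer is routing (check IP forwarding and Internet Connection Sharing there) and the separation the two NICs were supposed to give you is not in effect.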
If you travel you will want to enable the Windows
Software Firewall while on the road.