Why have a Software Firewall and a Proxy service
Software Firewall and a Proxy service
Why would you want to have a software firewall when you have a router that has the firewall built in the hardware?
With a hardware firewall you are limited with the 'rules' you can use for connecting in to and out of your network.
Modern commercial small business/home routers (and some cable/DSL modems) have additional options and features that help you keep your internal network from being accessed by an unauthorized (hacker/thief) person that would steal or do your data harm. They are not expensive so consider this: "How much is your family/data's safety worth?"
Where as with a software firewall and a proxy services you have more flexibility in creating your rules.
Software Firewall service:
The problem with a software solution is you need a computer between your hardware router and your client computers. This computer is normally called a Proxy Server.
How would you setup a 'Proxy Server'? Well it really isn't hard just involved.
Of course you will need a computer, the difference is in the network cards or NIC's.
You will need two dissimilar NIC's.
By dissimilar I mean two separate NIC's. Such as a 3Com and a Net Gear. This isn't important on the surface but when you set up the network having dissimilar NIC's make identifying the LAN side and WAN side of the proxy service easier.
I have used Win Gate (by an Australian company QBik) for years and am familiar with it's workings. It has a GUI (Graphic's User Interface) that makes writing the 'rules' easier than some of the other proxy servers I have used.
So how do you setup your software firewall - Proxy service?
You have your computer and your NIC's, you can use any OS for your computer if it supports two NIC's. I normally use a Server OS (Windows workstation such as Vista or Win7 only allow for 10 consecutive connections, if you need more than 10 connections to the Proxy computer then you will need a Sever OS).
Once you have the OS loaded I suggest you name one NIC LAN (Local Area Network) and the other WAN (Wide Area Network) where the LAN is your network on your side of the router and WAN is the connection to the router.
You give the LAN NIC an IP address that is on your local network and you give the WAN NIC an IP address that the router supports. I do suggest that you use static IP addresses.
On the LAN NIC you do not want to put in a gateway IP. On the WAN side the gateway address will be the IP address to the router as assigned by your cable/DSL modem.
Test your connections, connect to the software firewall - Proxy server from one of your computers on the LAN side. From the proxy server connect to a web site. If you have no problems connecting to and out of the proxy server computer you are ready to install the Proxy service software.
Once you have your Proxy service software installed all that is left to do is write the 'rules'. A 'rule' is broken down in to three parts:
Normally you would give all the users on your network access to the World Wide Web, they would connect on the LAN NIC and the connection would go out the WAN NIC. Also there may be additional parameters you can set, such as time of day for the connection, a list of web sites or 'keywords' that are restricted and the length of time for a connection.
A rule would look like this:
This works very well for programs like Net Nanny or business that want to restrict users from surfing while they are at work.
The Gateway IP for the client computers, this is the LAN IP of the Proxy Server. Now on the client computers you need to setup the Gateway IP on the NIC that uses a static IP.
If you have a DHCP server check the DHCP page (it will be called the Router in the Scope) for where to add in the gateway settings.
Add the gateway IP to any software that has an option for the gateway IP and port. IE has this option under the Internet Options / tools / connections at the bottom of the page. Other programs that access the internet will have a Proxy service setting in the options or instructions on how to connect to a proxy server.
This is the main reason a virus can not send your data to the viruses originating computer (thief) or "call home", they are not gateway address aware, having the programming in the virus to check if a browser is using a gateway would make the virus larger and easier to detect.
If you travel you will want to enable the Windows Software Firewall while on the road.