Hi Network engineers/ managers,
I've been faced with the challenge of how to protect our internal network from outside threats with minimal cost, or none at all (at least for the software, when using open source).
Can anyone advise me what to use? I've searched about Cisco ASA, ISA 2003, Snort, Untangle, Sourcefire, and I know there are others out there that I haven't come across yet.
Any ideas folks? What is the best path?
ASKED: April 30, 2009 3:52 AM
UPDATED: July 9, 2009 1:12 PM
I agree with labnuke99 that hardware firewalls are really the way to go. I was just part of a new firewall installation at my firm and we are extremely pleased with the results. We are using Nokia IP390 firewall appliances and I would highly recommend them.
Don’t forget to lock down your hosts as well. All it takes for an outsider to get into your environment is a poorly-configured wireless AP, a missing patch on an exposed system that’s exploitable via Metasploit, SQL injection on a Web site, or some other unprotected entry point (e.g. Windows Terminal Server or VPN with a weak password). You’re going to have to find out where you’re weak to really get things under control.
The following article I’ve written may be of help to get started:
Securing the Internal Windows Network
Also check here and here.
Thanks for the advice guys. I have some more issues.
1. I really don’t have a lot of budget right now. What would be the best open-source firewall in your recommendation, and what would be its recommended platform/OS?
2. Assuming I have already set up my firewall and it’s in place, how would I know which workstation or server in my network had already been infected prior to my installation of a solid firewall?
3. Is it safe to just have a firewall, or do I need to also set up an IPS? If so, what is the best IPS (open source again) that would be available?
4. What about honeypots?
All your advice is highly appreciated here. Thanks again.
There’s so much here that we don’t know, such as your specific security requirements, the type of systems you’re trying to protect, and so on, that it’s going to be tricky to specify a “best fit”. Outside of iptables, I really don’t come across too many open source firewalls. There are a lot of options – just Google “open source firewall”. Ubuntu and OpenBSD might be good options for you.
You could do an IPS and possibly a honeypot but, at this point, you might be best off focusing on the basics. Get your basic network and firewall configuration in place, let things settle down, and then start building it out.
Knowing what’s been infected will require you scanning your systems for malware and vulnerabilities. Do you suspect some foul play? Can you tell us more about your environment?
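Since the reply above points at iptables as the open-source route, here is an added example (not from any poster in this thread) of what a minimal default-deny ruleset for a two-NIC Linux box looks like in iptables-restore format. The interface names, the LAN range, the mail server address and the log prefixes are assumptions for illustration. The script only prints the ruleset; applying it needs root, IP forwarding enabled, and a review against your own network first.

```shell
#!/bin/sh
# Added example, not from the original thread: a default-deny iptables ruleset
# for a Linux firewall with one Internet-facing NIC and one LAN NIC.
# Every value below is an assumption for illustration; adjust before use.
WAN_IF="${WAN_IF:-eth0}"                 # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal address range
MAIL_SRV="${MAIL_SRV:-192.168.1.10}"     # assumed internal mail server

# Print the ruleset in iptables-restore format. Apply as root with
#   gen_ruleset | iptables-restore
# after enabling forwarding (sysctl -w net.ipv4.ip_forward=1).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to flows the firewall already knows about
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: LAN addresses must never arrive on the WAN side
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# SSH to the firewall itself only from the LAN
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Egress control: only the mail server may talk SMTP to the outside.
# Any other workstation trying port 25 is logged, then dropped, so a
# spam-sending infection shows up in the firewall log by source address.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $MAIL_SRV -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j LOG --log-prefix "FW-SMTP-EGRESS: "
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 25 -j DROP
# Everything else from the LAN may go out
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Unsolicited inbound connections are logged (rate-limited) and fall to the DROP policy
-A INPUT -i $WAN_IF -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "FW-INBOUND-DROP: "
-A FORWARD -i $WAN_IF -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "FW-INBOUND-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the LAN behind the firewall's public address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset when run directly as: sh firewall.sh --print
case "${1:-}" in
    --print) gen_ruleset ;;
esac
```

The order of the three port-25 rules matters: the mail server's ACCEPT comes first, then the LOG, then the DROP, because a LOG target does not stop rule processing. On older kernels where the conntrack match module is missing, `-m state --state` takes the same state names. Nothing is opened inbound from the WAN at all here; add explicit ACCEPT rules for any service you really need exposed rather than loosening the policy.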
Thanks kevinbeaver for the advice. We’re into Windows, totally, but I also wanted to learn Linux because I’ve heard a lot of good stuff about it from other IT managers. Yeah, I suspected some irregularities in our network. I think we’ve experienced a DoS, but the malware keeps on jumping to other PCs. I’ve caught one workstation that tried to suffocate the network and bring down the services; this led me to reformatting that system as the last resort to remove the malware. I think there are more kinds of attacks that have got into us but we haven’t detected them yet. Any advice? Thanks.
You mention that your (financial) resources are limited, and that you’d like to learn Linux…
I’m basically a PC/Mac desktop, Windows network guy, but there is one no- or low-cost item which you may find useful: Astaro Security Linux. This can be configured as a security “appliance” (i.e. a standalone firewall) and is available both as a free download (community support only) and as a paid program/installation (with commercial support)…
I realize your financial concerns, but the firewall is not where you want to skimp on money: forget the software firewall and go with the hardware firewall approach. As far as finding what is corrupted now, run virus scans and/or malware scans. The firewall can point you to the IP originating the packet request, but you would then have to know which IPs belong to which machines, again not easily done with DHCP.
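Two points raised above, in the earlier reply (you need to scan to learn what is already infected) and in the one just above (the firewall log gives you an originating IP, but with DHCP you still have to work out which machine held it), can be tied together with a short script. The following is an added example, not code from any poster in this thread: it counts source addresses in iptables LOG lines that carry a given prefix and looks each address up in an ISC dhcpd lease file to recover the MAC address and client hostname. The log lines, lease entries, log prefix, addresses and hostnames are constructed samples, and the assumption that the DHCP server is ISC dhcpd writing /var/lib/dhcp/dhcpd.leases is mine.

```shell
#!/bin/sh
# Added example, not from the original thread: trace firewall log hits back to
# the internal machine that sent them. Input is embedded as constructed samples;
# in practice you would feed the kernel log (e.g. /var/log/kern.log) and the
# DHCP server's lease file (assumed: ISC dhcpd, /var/lib/dhcp/dhcpd.leases).

# Constructed sample of kernel log lines written by iptables LOG rules.
SAMPLE_LOG='Jul  9 13:01:02 fw kernel: FW-SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=25
Jul  9 13:01:02 fw kernel: FW-SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.9 PROTO=TCP SPT=49153 DPT=25
Jul  9 13:01:03 fw kernel: FW-SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.7 PROTO=TCP SPT=33210 DPT=25
Jul  9 13:01:03 fw kernel: FW-SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.21 PROTO=TCP SPT=49154 DPT=25
Jul  9 13:01:04 fw kernel: FW-SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.44 PROTO=TCP SPT=49155 DPT=25
Jul  9 13:01:05 fw kernel: FW-INBOUND-DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=3389'

# Constructed sample in ISC dhcpd.leases format. The file is append-only: when
# an address is handed to a new client, a newer block for the same IP follows
# the old one, so the LAST block for an IP is the one that counts.
SAMPLE_LEASES='lease 192.168.1.37 {
  starts 2 2009/07/07 08:00:00;
  ends 3 2009/07/08 08:00:00;
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "VISITOR-LAPTOP";
}
lease 192.168.1.22 {
  starts 3 2009/07/08 09:05:00;
  ends 4 2009/07/09 09:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "SALES-PC03";
}
lease 192.168.1.37 {
  starts 3 2009/07/08 09:12:00;
  ends 4 2009/07/09 09:12:00;
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "ACCOUNTS-PC07";
}'

# Count distinct SRC= addresses in log lines carrying a given prefix, busiest
# first. Output: "<ip> <count>" per line.
top_sources() {
    prefix="${1:-FW-SMTP-EGRESS:}"
    printf '%s\n' "$SAMPLE_LOG" | awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Resolve an IP to "<mac> <hostname>" from the lease file; the last lease block
# for that IP wins. Prints "no lease for <ip>" when nothing matches.
lease_for_ip() {
    printf '%s\n' "$SAMPLE_LEASES" | awk -v ip="$1" '
        $1 == "lease" && $2 == ip { inlease = 1; mac = "?"; host = "?" }
        inlease && $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
        inlease && $1 == "client-hostname" { host = $2; gsub(/[";]/, "", host) }
        inlease && $1 == "}" { inlease = 0; found = mac " " host }
        END { if (found != "") print found; else print "no lease for " ip }'
}

# Join the two: "<ip> <hits> <mac> <hostname>", busiest source first.
triage() {
    top_sources "$@" | while read -r ip hits; do
        printf '%s %s %s\n' "$ip" "$hits" "$(lease_for_ip "$ip")"
    done
}

# Run directly as: sh triage.sh --run
case "${1:-}" in
    --run) triage ;;
esac
```

The lease lookup is the part that matters in a DHCP network: the same address can belong to different machines on different days, so match the log timestamp against the lease's start and end times before blaming a host, and treat the MAC, not the IP, as the machine's identity. The hostname in the lease is whatever the client claimed, so confirm it on the switch port or in Active Directory before reimaging anything.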
JuneC: I’ve had on my to-do list to add one more bit of info to this and I let it slip by so pardon my delayed response. You may want to consider getting a free vulnerability scan from a vendor such as Qualys or signing up with a consultant or vendor who provides a one-time or ongoing security vulnerability scan service like what I do.
Using a reputable security scanning tool will give you a good idea of how the world sees your network and hosts, show you what’s currently exploitable (and being exploited), and they can provide insight into what holes need to be plugged. It’s not everything since additional manual analysis will often uncover other issues and can validate what the scanners find but these scans are WAY better than doing nothing at all. Best of luck!
Thanks for all the advice, guys. I’m glad there are people like you in the world.