Just so you know - what you're asking, security professionals spend years learning...
What do you mean by "see what's happening from the outside in.."?
My guess is that your "network" is experiencing a lot of script-kiddies rattling your door-knob in search of low-hanging fruit - unsecured networks they can easily penetrate. This is common on retail networks like Comcast/Time Warner/ATT (residential *and* business-class - no difference)...
If you want to "look" and see what's going on, you'll want a machine capable of analyzing your traffic. On Unix systems, the command is tcpdump. On Windows systems, it's called windump (www.winpcap.org). Stick it between your modem and switch to see what the traffic is.
From a professional standpoint, most security architectures embrace the onion model:
- the network is designed in layers
- firewalls are placed between each layer
- the least secure/most accessible (like web, dns, and mail servers) are on the outside, either in front or immediately behind the front firewall
- most secure is in the least accessible layer, behind all the firewalls. Machines in this layer (like databases housing customer and transaction data) are indirectly accessible from the front, through agent machines - traffic hops on a layer-by-layer basis. Never directly.
If you value your data or your machine, your file server shouldn't be a firewall. And there should be no firewall rules allowing access to the fileserver from any layer above it.
Yes, your fileserver can have a host-based firewall to prevent access to just that machine. But don't dangle it out there. Because if it's Windows-based, it will be broken into. Not if, but when (within 3 hours is my guess).
Any non-ASIC based machine that acts as a router or firewall will reduce your bandwidth. However, on a home network, this is negligible, as your bandwidth is pretty low compared to enterprise networks. Retail "business-class" bandwidth is still pretty low - the 50Mbps is the burst rate, not the guaranteed rate. And cable is shared - the more people active on a shared line, the slower your bandwidth will be.
You can build a firewall out of anything these days. You can build software-based firewalls with Windows (it'll suck) or any Unix/Unix-like system.
If you aren't experienced, it might be best to buy a ready-made, hardware-based firewall/router like a Linksys/Netgear or whatever. They're kind of lame, but user-friendly.
Just know that the more you spend, the better the network performance. The next step up would be Cisco/Juniper-based systems.
But higher priced doesn't mean better security. It just means better network performance.
Whether you choose hardware or software-based, you should bone up on firewall/security principles so you don't end up with a configuration resembling cheesecloth with a big hole cut out of the middle (i.e., what's the point?)
You should understand the following:
Default security stance - default deny and default allow
Traffic flow:
- know the diff between traffic entering an interface and leaving an interface.
- know your protocols - tcp, udp, icmp
- know your ports - 20-21(ftp), 22(ssh), 23(telnet), 25(smtp aka email), 53(DNS), 80(http), 110(pop3 - email), 123(ntp - network time), 137-139(windows NetBIOS), 143(imap - email), 443(https). There are 65,535 ports each for tcp and udp, but the above are the most common.
- you'll need to learn what ports your trading software uses, and allow them access in and out
- you'll need to determine if you need finer-grained access control (user-based instead of IP/protocol/port-based rules) and learn how to implement/configure proxy servers.
All in all, the questions you've asked are more complex than you probably bargained for...
No matter what you decide, do recognize the following security principle:
network security is like locking the doors and windows of your house. It keeps the stupid/clueless people out.
The smart people will find easier ways to get what they want. Mostly through social engineering.
The greatest security risk is people:
- they tend to use the same password everywhere
- they tend to use easily guessable passwords from personal info and relationships.
- they never change their passwords
- they trust others too easily
- they willingly give up info to complete strangers (especially "authority" figures who may not be)
- they let complete strangers "case" them under the guise of a vendor/agency/authority - customer relationship
- they reply back to "official-looking" emails
- they click on bad links in their emails that convince them to enter exploitable information
- they click on insecure pictures in emails like "click see Lady Gaga's perky c-cups", etc.
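
Added example, not part of the original post: a Python script that summarizes saved `tcpdump -n` text output to show which ports outside hosts are knocking on, labelled with the port list from the post. The capture lines, the address 192.0.2.10 and the function name `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Port names taken from the list in the post above.
SERVICES = {20: "ftp", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
            53: "dns", 80: "http", 110: "pop3", 123: "ntp", 137: "netbios",
            138: "netbios", 139: "netbios", 143: "imap", 443: "https"}

# Matches the default one-line IPv4 TCP output of `tcpdump -n`.
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

def summarize(lines, my_ip):
    """Count inbound TCP connection attempts (SYN without ACK) to my_ip."""
    by_port, by_source = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["dst"] != my_ip:
            continue  # UDP/ICMP/other output, or traffic not addressed to us
        if m["flags"] != "S":
            continue  # "S." is a SYN-ACK reply to our own outbound connection
        port = int(m["dport"])
        by_port[(port, SERVICES.get(port, "unknown"))] += 1
        by_source[m["src"]] += 1
    return by_port, by_source

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.100001 IP 203.0.113.5.40002 > 192.0.2.10.23: Flags [S], seq 2, win 1024, length 0
12:00:02.000001 IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [S], seq 3, win 65535, length 0
12:00:02.500001 IP 192.0.2.10.52000 > 198.51.100.20.443: Flags [S], seq 4, win 64240, length 0
12:00:02.600001 IP 198.51.100.20.443 > 192.0.2.10.52000: Flags [S.], seq 5, ack 5, win 65535, length 0
12:00:03.000001 IP 203.0.113.5.40003 > 192.0.2.10.3389: Flags [S], seq 6, win 1024, length 0
12:00:03.100001 IP 203.0.113.9.53 > 192.0.2.10.41000: UDP, length 64
"""

if __name__ == "__main__":
    ports, sources = summarize(SAMPLE.splitlines(), "192.0.2.10")
    for (port, name), n in ports.most_common():
        print(f"port {port:>5} ({name}): {n} inbound SYN(s)")
    for src, n in sources.most_common():
        print(f"source {src}: {n} attempt(s)")
```

Ports that show up here but that you never meant to expose are the ones a default-deny rule set should be dropping.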