Linux firewall/IDS/NAT suggestions

From: Petty, Robert (rpetty_at_DenverNewspaperAgency.com)
Date: 05/30/03

    To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>, focus-linux@securityfocus.com
    Date: Fri, 30 May 2003 09:54:37 -0600
    
    

    I am a seasoned admin, working with Solaris, AIX and the fluffy penguin now
    for 8 years or so....

    I have learned quite a lot about the trade, including to be very cautious
    about proclaiming a system to be secure if I don't absolutely positively
    kinda believe it is....

    Thus my question:

    I want to set up a Linux firewall for a small network of 15 machines
    connected live to the internet via broadband. I don't want to put something
    in place that has a glaring hole I don't know about that makes the
    installation more insecure with a false sense of security.

    Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

    Should Snort be running on the firewall machine or another machine? If on
    another machine, should I put the firewall and IDS box on a hub as the first
    hop so they both see the same traffic? The customer's router is not
    manageable (Linksys) and they have no budget for a Cisco Router or PIX.

    The Linux box will serve as a secondary NAT layer, any pitfalls with this?

    Should SSH go to the firewall machine or be passed through to an internal
    Linux box?

    Should the NAT and firewall rules be written and maintained on CD-R media so
    a malicious attacker cannot hide rule changes? Should the firewall be
    re-initialized on a schedule to ensure the live rules are those from the
    read-only media?

    Last, but not least, what's a good HowTo that can be used as a basis? I
    would prefer one that starts off a little more strict so I can simplify
    rather than have to bone up on all of the current vulnerabilities.

    Thanks for any replies!

    Robert
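The read-only-media question above, as an added example that is not from the post or from the list: a POSIX sh script for a 2.4.x/netfilter box that dumps the live ruleset, compares it with the copy on the CD-R (ignoring counters and timestamps, which change legitimately) and restores the reference when they differ. The mount point /mnt/cdrom, the file name rules.v4 and the sample dumps are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the authoritative ruleset
# lives on read-only media; a cron job dumps the live ruleset, compares it
# with the reference and restores the reference when they differ.
# Assumption: the CD-R is mounted read-only at /mnt/cdrom.
REF_RULES="/mnt/cdrom/firewall/rules.v4"

# iptables-save output carries runtime noise that is not a rule change:
# "# Generated by ..." / "# Completed on ..." comments, chain policy counters
# (":INPUT DROP [0:0]") and per-rule counters ("[pkts:bytes] -A ...").
# Strip those so only the rules and policies themselves are compared.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# rules_match REF LIVE: succeed when both dumps describe the same ruleset.
rules_match() {
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# enforce_rules: run from cron as root; it never rewrites the reference.
enforce_rules() {
    live=$(mktemp) || return 1
    iptables-save > "$live"
    if ! rules_match "$REF_RULES" "$live"; then
        logger -t fwcheck "live ruleset differs from read-only reference, restoring"
        iptables-restore < "$REF_RULES"
    fi
    rm -f "$live"
}

# write_samples DIR: constructed dumps for exercising the check without root.
# "same" differs from "ref" only in timestamps and counters; "tampered"
# carries one extra ACCEPT rule that is not in the reference.
write_samples() {
    printf '%s\n' '# Generated by iptables-save v1.2.7 on Fri May 30 09:00:00 2003' \
        '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '[0:0] -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$1/ref"
    printf '%s\n' '# Generated by iptables-save v1.2.7 on Fri May 30 12:30:00 2003' \
        '*filter' ':INPUT DROP [4:320]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [9:720]' \
        '[12:960] -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$1/same"
    printf '%s\n' '*filter' ':INPUT DROP [4:320]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [9:720]' \
        '[12:960] -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT' \
        '[0:0] -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT' 'COMMIT' > "$1/tampered"
}
```

Running enforce_rules from cron every few minutes gives the scheduled re-initialization asked about, while the comparison step also leaves a log line whenever the live rules drifted.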

