Re: Linux firewall/IDS/NAT suggestions

From: Shawn Duffy (pakkit_at_codepiranha.org)
Date: 05/31/03


Date: Fri, 30 May 2003 19:07:09 -0400 (EDT)
To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>

See comments inline... may not answer all of them but will give my $.02
where I can....

shawn
pakkit at codepiranha dot org

On Fri, 30 May 2003, Petty, Robert wrote:

> Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

Personally, I would go with 2.4.x... A vulnerability could pop up
anywhere that you'll have to patch so you might as well go with the
latest.
>
> Should snort be running on the firewall machine or another machine? If on
> another machine, should I put the firewall and IDS box on a hub as the first
> hop so they both see the same traffic? The customer's router is not
> manageable (linksys) and they have no budget for a Cisco Router or PIX.

Depends on the speed of your uplink and what kind of box will be the
firewall I would think... If you can separate them, why not? Also, I
would go with a switch instead of a hub... and then put the snort box on
the monitor port of the switch, no IP for one NIC in the snort box and the
other connected to a private net logging to a db that only has a private
interface...

> Should SSH go to the firewall machine or be passed through to an internal
> Linux box?

Well... I could go either way on this... but as long as it is restricted
to your IP, it shouldn't be a problem on either box... though some may
disagree.

> Should the NAT and Firewall rules be written and maintained on CD-R media so
> a malicious attacker cannot hide rule changes? Should the firewall be
> re-initialized on a schedule to ensure the live rules are those from the
> read-only media?

That's not a bad idea... I have never tried it so I don't know what
problems you may run into.

>
> Last, but not least, what's a good HowTo that can be used as a basis? I
> would prefer one that starts off a little more strict so I can simplify
> rather than have to bone up on all of the current vulnerabilities.

There are a couple of different subject areas you are asking about so I
don't know of any one place where you can find all this info.. I would
check out both snort.org and netfilter.org for docs on snort and iptables
respectively...

> Thanks for any replies!

You are very welcome... I hope I was able to help...
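The read-only-rules idea from Robert's question, as an added example that is not part of either post: a script meant for cron that dumps the live iptables ruleset, compares it with the reference copy kept on the CD-R, and reloads from that copy when the two differ. The CD-R mount point, file names and the `fwcheck` syslog tag are assumptions.

```shell
#!/bin/sh
# Added example: keep the live iptables ruleset in step with a reference
# copy on read-only media. Paths below are assumptions, not from the thread.
REF_RULES="${REF_RULES:-/mnt/cdrom/firewall.rules}"   # assumed CD-R mount point
LIVE_DUMP="${LIVE_DUMP:-/tmp/live.rules}"

# Normalise an iptables-save dump so only real rule changes count:
# drop the "# Generated by ..." comment lines, the leading packet/byte
# counters on rule lines ("[12:960] -A INPUT ...") and the trailing
# counters on chain policy lines (":INPUT DROP [0:0]").
# Rule order is kept deliberately: a reordered rule is a real change.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# Return 0 when the two dumps describe the same ruleset, 1 otherwise.
rules_match() {
    ref=$(normalize_rules "$1")
    live=$(normalize_rules "$2")
    [ "$ref" = "$live" ]
}

# Dump the live rules, compare with the read-only reference and restore
# from the reference if they differ. Log the outcome either way so a
# silent rule change still leaves a trace in syslog.
check_and_restore() {
    iptables-save > "$LIVE_DUMP" || return 2
    if rules_match "$REF_RULES" "$LIVE_DUMP"; then
        logger -t fwcheck "live ruleset matches read-only reference"
        return 0
    fi
    logger -t fwcheck "live ruleset differs from reference, restoring"
    iptables-restore < "$REF_RULES"
}

# Only touch iptables when explicitly asked, e.g. from cron:
#   */15 * * * * /usr/local/sbin/fwcheck.sh run
case "${1:-}" in
    run) check_and_restore ;;
esac
```

The comparison ignores counters and timestamps, so a rule that was inserted, removed or reordered is the only thing that triggers a restore.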
