Re: Linux firewall/IDS/NAT suggestions

From: Scott Gifford (sgifford_at_suspectclass.com)
Date: 05/31/03

  • Next message: carrion_at_ravel.ufrj.br: "Re: Linux firewall/IDS/NAT suggestions"
    To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>
    Date: 30 May 2003 19:35:39 -0400
    
    

    "Petty, Robert" <rpetty@DenverNewspaperAgency.com> writes:

    [...]

    > I want to setup a Linux firewall for a small network of 15 machines
    > connected live to the internet via broadband. I don't want to put something
    > in place that has a glaring hole I don't know about that makes the
    > installation more insecure with a false sense of security.

    I have a setup similar to this at my house. It works quite well.

    > Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

    2.4.x is supposed to have the best NAT stuff, although I found 2.2.x
    worked just fine. I believe support in 2.0.x was bad or nonexistent.

    From the simple standpoint of how many security fixes have been
    released for 2.2 and 2.4 series kernels, my feeling is they're
    comparable, although I'm sure a careful look through the kernel change
    logs or vulnerability reports could give you some more concrete
    numbers.

    If you're interested in using some of the modules that are supposed to
    increase the security of your system, they're more likely to be
    available for 2.4. I don't use any of these patches on my system.

    > Should snort be running on the firewall machine or another machine? If on
    > another machine, should I put the firewall and IDS box on a hub as the first
    > hop so they both see the same traffic? The customer's router is not
    > manageable (linksys) and they have no budget for a Cisco Router or PIX.

    I would not recommend running snort on the firewall machine. Bottom
    line is, the more programs you have which interact directly with the
    outside world, the higher the odds that at least one of these programs
    will have an exploitable bug. c.f.:

        http://www.securityfocus.com/bid/7178/exploit/
        http://www.securityfocus.com/search?category=2&query=snort&rank=&submit=Search

    I don't run an IDS at all. If you decide to, putting it on a seperate
    box in the way you described is definitely the way to go. If it's on
    the Internet side of your NAT box, if it were compromised the attacker
    wouldn't have any more access to your network than they did before.

    > The Linux box will serve as a secondary NAT layer, any pitfalls with this?

    Do you mean that the LinkSys is also providing NAT? That would be an
    odd setup...

    > Should SSH go to the firewall machine or be passed through to an internal
    > Linux box?

    It's a tradeoff decision. The only time it will affect security is if
    you have a weak password or another exploitable bug in SSH is found.
    In that case, you get to decide: would you rather have somebody from
    the outside world get root on your firewall or a machine inside your
    network?

    I don't have ssh available at all from the Internet.

    > Should the NAT and Firewall rules be written and maintained on CD-R media so
    > a malicious attacker cannot hide rule changes? Should the firewall be
    > re-initialized on a schedule to ensure the live rules are those from the
    > read-only media?

    I think those are overkill; simply backing the rules up to an offline
    machine or media (or printing them out, if they're not too long) after
    making changes should be enough. Putting your rules on a CD doesn't
    make the system any less vulnerable. If the machine is compromised,
    the attacker can do whatever they want while it's compromised,
    including thwarting any protections you've put in place; after you
    detect it, fix the problem, and re-install the OS from scratch, you'll
    just restore your rules from your hand-checked backup and be fine.

    > Last, but not least, what's a good HowTo that can be used as a
    > basis? I would prefer one that starts off a little more strict so I
    > can simplify rather than have to bone up on all of the current
    > vulnerabilities.

    I'm not aware of a good HowTo, but I would start by removing any
    unnecessary software, in particular services that run on the network
    and programs which are setuid or setgid. Make sure any services for
    the internal network only listen on the internal address, so they
    aren't Internet-accessible. I don't have any listening sockets on the
    Internet side of my NAT box. If you need programs which are set[ug]id
    on your system but only root will run them, you can often just remove
    the set[ug]id bits. The only setuid root program you should need on
    your firewall is su.

    Good luck!

    ---ScottG.


  • Next message: carrion_at_ravel.ufrj.br: "Re: Linux firewall/IDS/NAT suggestions"

    Relevant Pages

    • RE: can ping but not browse
      ... I have stopped the firewall. ... # are safed from all (security) hazards. ... firewall/bastion host to the internet ... # internet and to an internal network, ...
      (Fedora)
    • Re: Using a Linksys router, should I also use Zonealarm?
      ... public internet to access corporate network. ... In the "old days" when people used to use Dial-In instead of VPN you ware ... protected by corporate Firewall -- since there was no public Internet ...
      (microsoft.public.security)
    • RE: Hidden Ports
      ... this is done by the firewalls to prevent authenticated files from being replaced by trojans and connecting to the internet. ... kerio firewall ... or a program that already had network access attempted to ... > Depending on the Access setting for a component, ZoneAlarm Pro ...
      (Security-Basics)
    • Re: Entire Network
      ... Internet access is different and just because a firewall isn't ... Second, if it isn't the firewall, then often it is a case of the system ... any way a network guru. ... > The network connection works just fine from both computers for internet ...
      (microsoft.public.windowsxp.basics)
    • Re: Using a Linksys router, should I also use Zonealarm? Internet Acceptable Use Policy
      ... my browser's access to the Internet is restricted. ... I thought it was the company's firewall extending a slap on my ... > public internet to access corporate network. ... > NAT is Network Address Translation. ...
      (microsoft.public.security)