Re: Linux firewall/IDS/NAT suggestions
From: Scott Gifford (sgifford_at_suspectclass.com)
To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>
Date: 30 May 2003 19:35:39 -0400
"Petty, Robert" <rpetty@DenverNewspaperAgency.com> writes:
> I want to set up a Linux firewall for a small network of 15 machines
> connected live to the internet via broadband. I don't want to put something
> in place that has a glaring hole I don't know about that makes the
> installation more insecure with a false sense of security.
I have a setup similar to this at my house. It works quite well.
> Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?
2.4.x is supposed to have the best NAT stuff, although I found 2.2.x
worked just fine. I believe support in 2.0.x was bad or nonexistent.
From the simple standpoint of how many security fixes have been
released for 2.2 and 2.4 series kernels, my feeling is they're
comparable, although I'm sure a careful look through the kernel change
logs or vulnerability reports could give you some more concrete
If you're interested in using some of the modules that are supposed to
increase the security of your system, they're more likely to be
available for 2.4. I don't use any of these patches on my system.
> Should snort be running on the firewall machine or another machine? If on
> another machine, should I put the firewall and IDS box on a hub as the first
> hop so they both see the same traffic? The customer's router is not
> manageable (linksys) and they have no budget for a Cisco Router or PIX.
I would not recommend running snort on the firewall machine. Bottom
line is, the more programs you have which interact directly with the
outside world, the higher the odds that at least one of these programs
will have an exploitable bug. cf.:
I don't run an IDS at all. If you decide to, putting it on a separate
box in the way you described is definitely the way to go. If it's on
the Internet side of your NAT box, if it were compromised the attacker
wouldn't have any more access to your network than they did before.
> The Linux box will serve as a secondary NAT layer, any pitfalls with this?
Do you mean that the LinkSys is also providing NAT? That would be an
> Should SSH go to the firewall machine or be passed through to an internal
> Linux box?
It's a tradeoff decision. The only time it will affect security is if
you have a weak password or another exploitable bug in SSH is found.
In that case, you get to decide: would you rather have somebody from
the outside world get root on your firewall or a machine inside your
I don't have ssh available at all from the Internet.
> Should the NAT and Firewall rules be written and maintained on CD-R media so
> a malicious attacker cannot hide rule changes? Should the firewall be
> re-initialized on a schedule to ensure the live rules are those from the
> read-only media?
I think those are overkill; simply backing the rules up to an offline
machine or media (or printing them out, if they're not too long) after
making changes should be enough. Putting your rules on a CD doesn't
make the system any less vulnerable. If the machine is compromised,
the attacker can do whatever they want while it's compromised,
including thwarting any protections you've put in place; after you
detect it, fix the problem, and re-install the OS from scratch, you'll
just restore your rules from your hand-checked backup and be fine.
> Last, but not least, what's a good HowTo that can be used as a
> basis? I would prefer one that starts off a little more strict so I
> can simplify rather than have to bone up on all of the current
I'm not aware of a good HowTo, but I would start by removing any
unnecessary software, in particular services that run on the network
and programs which are setuid or setgid. Make sure any services for
the internal network only listen on the internal address, so they
aren't Internet-accessible. I don't have any listening sockets on the
Internet side of my NAT box. If you need programs which are set[ug]id
on your system but only root will run them, you can often just remove
the set[ug]id bits. The only setuid root program you should need on
your firewall is su.
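The two pieces of advice in this reply that lend themselves to a script are the offline, hand-checked rule backup (rather than CD-R media) and the final hardening steps: no listening sockets on the Internet side, and set[ug]id bits stripped from everything but su. The following POSIX shell helpers are an added example, not part of the original thread; the internal address 192.168.1.1, the external address 203.0.113.5, the interface name eth1, the netstat and iptables-save sample text, and the helper names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Audit helpers for a 2.4-era
# Linux NAT box: flag exposed listeners, find and strip set[ug]id files,
# and keep a checksummed offline copy of the live rules.

INTERNAL_IP="192.168.1.1"   # assumed address of the inside interface

# Constructed sample in `netstat -ltn` layout (Proto Recv-Q Send-Q Local
# Foreign State). On a real box: netstat -ltn | exposed_listeners
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:8080        0.0.0.0:*               LISTEN'

# Print every LISTEN socket reachable from outside: bound to the wildcard
# address or to anything other than loopback and the internal address.
# Reads netstat-style lines on stdin; IPv4 only, as in the sample.
exposed_listeners() {
    awk -v internal="$INTERNAL_IP" '
        $NF == "LISTEN" {
            split($4, a, ":"); addr = a[1]
            if (addr != internal && addr != "127.0.0.1") print $1, $4
        }'
}

# List set-uid / set-gid regular files under DIR (run on / for real).
find_setugid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Drop the set[ug]id bits from every file under DIR whose basename is not
# in the space-separated ALLOW list; the post keeps only su.
strip_setugid() {
    dir=$1; allow=$2
    find_setugid "$dir" | while IFS= read -r f; do
        keep=0
        for name in $allow; do
            [ "$(basename "$f")" = "$name" ] && keep=1
        done
        if [ "$keep" -eq 0 ]; then chmod u-s,g-s "$f"; fi
    done
}

# Build a throwaway tree with constructed set[ug]id files for a dry run.
make_sample_tree() {
    d=$(mktemp -d)
    for f in bin1 bin2 plain su; do : > "$d/$f"; done
    chmod 4755 "$d/bin1" "$d/su"   # set-uid
    chmod 2755 "$d/bin2"           # set-gid
    chmod 0755 "$d/plain"
    echo "$d"
}

# Constructed rules in iptables-save format (eth1 assumed internal).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Save rules from stdin to FILE plus a checksum, to be copied offline.
# On the firewall: iptables-save | snapshot_rules /root/rules.v4
snapshot_rules() {
    cat > "$1"
    cksum < "$1" > "$1.cksum"
}

# Compare the current rules on stdin with the saved checksum; prints OK
# when they match and CHANGED when the live rules differ from the backup.
# On the firewall: iptables-save | verify_rules /root/rules.v4
verify_rules() {
    if [ "$(cksum)" = "$(cat "$1.cksum")" ]; then echo OK; else echo CHANGED; fi
}

# Dry run on the constructed sample: prints the two exposed listeners.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

The listener check treats a wildcard bind as exposed because, as the post says, a service for the internal network should listen only on the internal address; the rule check only tells you that the live rules drifted from the backup, which is the cue to reload from the hand-checked copy rather than trust the running set.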