Re: Linux firewall/IDS/NAT suggestions

From: Jimi Thompson (jimit_at_myrealbox.com)
Date: 06/02/03

  • Next message: Alex Russell: "Re: Linux firewall/IDS/NAT suggestions"
    Date: Sun, 1 Jun 2003 21:52:38 -0500
    To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>, focus-linux@securityfocus.com
    At 9:54 AM -0600 5/30/03, Petty, Robert wrote:
    >I am a seasoned admin, working with Solaris, AIX and the fluffy penguin now
    >for 8 years or so....
    >
    >I have learned quite a lot about the trade, including to be very cautious
    >about proclaiming a system to be secure if I don't absolutely positively
    >kinda believe it is....
    >
    >Thus my question:
    >
    >I want to setup a Linux firewall for a small network of 15 machines
    >connected live to the internet via broadband. I don't want to put something
    >in place that has a glaring hole I don't know about that makes the
    >installation more insecure with a false sense of security.
    >
    >Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

    As a general rule, the newer kernels are better. There are usually a
    lot of corrections, patches, etc. that are automagically included in
    the later kernels that you won't find in the earlier ones. The
    corrections and patches are primarily stability related and security
    related.

    >
    >Should snort be running on the firewall machine or another machine? If on
    >another machine, should I put the firewall and IDS box on a hub as the first
    >hop so they both see the same traffic? The customer's router is not
    >manageable (linksys) and they have no budget for a Cisco Router or PIX.

    If you need routing gear, check out an open source project called
    Freesco. Under normal circumstances for the network you are
    describing, having snort on the firewall isn't horrible.

    >
    >The Linux box will serve as a secondary NAT layer, any pitfalls with this?

    Make sure that what you need is NAT and not really a proxy.

    >
    >Should SSH go to the firewall machine or be passed through to an internal
    >Linux box?

    FreeSWAN offers some nice VPN functionality if you are trying to set
    that up. Not really sure what your purpose is with this. If it's to
    tweak the firewall, it should be only to the firewall. If you need
    to manage the network, I'd look at other solutions, like some simple
    2 factor authentication using public and private key pairs.

    >
    >Should the NAT and Firewall rules be written and maintained on CD-R media so
    >a malicious attacker cannot hide rule changes? Should the firewall be
    >re-initialized on a schedule to ensure the live rules are those from the
    >read-only media?

    sysadmin magazine had an article a while back about running a halted
    firewall. Since the system is halted, no changes can be made to
    anything in the kernel space - i.e. the firewall rules. I've seen
    people put the firewall on a write protected floppy in order to keep
    any changes from being made. Anything fishy, just reboot. Your CD
    would be a newer version of that.

    >
    >Last, but not least, what's a good HowTo that can be used as a basis? I
    >would prefer one that starts off a little more strict so I can simplify
    >rather than have to bone up on all of the current vulnerabilities.

    Whatever you set up, the default should always be "deny all". Only
    the traffic you want should be passed in either direction. Again, I
    would refer you to sysadmin magazine. Their back issues are on their
    web site and are freely searchable. I have found them to be a good
    resource. Another place to look would be techrepublic.com. They
    have a lot of checklists and other such resources that you can
    download once you create an account (free).

    >

    -- 
    Thanks,
    Ms. Jimi Thompson, CISSP, Rev.
    "Those who are too smart to engage in politics are punished by being 
    governed by those who are dumber." --Plato
    
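An added example (not part of the original post or anything the poster wrote) that puts two pieces of the advice above into one script: a default-deny iptables ruleset for a 2.4-series kernel that only passes the listed traffic in each direction and masquerades the LAN behind the firewall, plus a check that compares a live ruleset dump against the reference copy kept on read-only media (the CD-R idea from the question). The interface names, the LAN range and the allowed ports are assumptions for the example; DRY_RUN defaults to 1 so the script prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout: WAN on eth0,
# LAN on eth1 with 192.168.1.0/24 behind the firewall. Adjust to taste.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
# DRY_RUN=1 (the default here) prints each iptables command instead of
# executing it, so the ruleset can be reviewed on a box without iptables.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

load_rules() {
    # Flush everything, then default-deny on every chain: nothing passes
    # in either direction unless a rule below explicitly allows it.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    # Loopback, and replies to connections the rules below already allowed.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH to the firewall itself only from the LAN side (never from the WAN).
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # LAN clients out to the Internet: web and DNS only (extend as needed).
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    # The firewall's own outbound DNS lookups.
    run iptables -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    # The NAT layer: masquerade LAN traffic leaving on the WAN interface.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Log what the default policy is about to drop, so "anything fishy"
    # shows up in syslog rather than vanishing silently.
    run iptables -A INPUT -j LOG --log-prefix "FW-DROP-IN: "
    run iptables -A FORWARD -j LOG --log-prefix "FW-DROP-FWD: "
}

# Number of iptables commands the ruleset consists of (handy for a sanity
# check that the reference copy on read-only media is complete).
rule_count() {
    load_rules | wc -l | tr -d ' '
}

# Compare a dump of the live rules (e.g. the output of iptables-save written
# to a file) against the reference dump on the read-only media. Returns 0
# when they are identical; any difference is the cue to reload/reboot.
ruleset_matches() {
    reference=$1
    live=$2
    cmp -s "$reference" "$live"
}

# Usage: "sh fw.sh load" prints (or, with DRY_RUN=0, applies) the ruleset;
# "sh fw.sh check /mnt/cdrom/rules.ref /tmp/rules.live" compares two dumps.
case "${1:-}" in
    load)  load_rules ;;
    check) ruleset_matches "$2" "$3" && echo "ruleset matches reference" ;;
esac
```

To follow the read-only-media approach from the thread, the reference dump is written once (with DRY_RUN=0, then iptables-save) to the CD-R, and a cron job runs the check against a fresh iptables-save; a mismatch means the live rules no longer match the media and the box should be reloaded from it.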
