Re: Linux firewall/IDS/NAT suggestions
From: Jimi Thompson (jimit_at_myrealbox.com)
Date: Sun, 1 Jun 2003 21:52:38 -0500
To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>, email@example.com
At 9:54 AM -0600 5/30/03, Petty, Robert wrote:
>I am a seasoned admin, working with Solaris, AIX and the fluffy penguin now
>for 8 years or so....
>I have learned quite a lot about the trade, including to be very cautious
>about proclaiming a system to be secure if I don't absolutely positively
>kinda believe it is....
>Thus my question:
>I want to setup a Linux firewall for a small network of 15 machines
>connected live to the internet via broadband. I don't want to put something
>in place that has a glaring hole I don't know about that makes the
>installation more insecure with a false sense of security.
>Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?
As a general rule, the newer kernels are better. There are usually a
lot of corrections, patches, etc. that are automagically included in
the later kernels that you won't find in the earlier ones. The
corrections and patches are primarily stability related and security
>Should snort be running on the firewall machine or another machine? If on
>another machine, should I put the firewall and IDS box on a hub as the first
>hop so they both see the same traffic? The customer's router is not
>manageable (linksys) and they have no budget for a Cisco Router or PIX.
If you need routing gear, check out an open source project called
Freesco. Under normal circumstances for the network you are
describing, having snort on the firewall isn't horrible.
>The Linux box will serve as a secondary NAT layer, any pitfalls with this?
Make sure that what you need is NAT and not really a proxy.
>Should SSH go to the firewall machine or be passed through to an internal
FreeSWAN offers some nice VPN functionality if you are trying to set
that up. Not really sure what your purpose is with this. If it's to
tweak the firewall, it should be only to the firewall. If you need
to manage the network, I'd look at other solutions, like some simple
2 factor authentication using public and private key pairs.
>Should the NAT and Firewall rules be written and maintained on CD-R media so
>a malicious attacker cannot hide rule changes? Should the firewall be
>re-initialized on a schedule to ensure the live rules are those from the
sysadmin magazine had an article a while back about running a halted
firewall. Since the system is halted, no changes can be made to
anything in the kernel space - i.e. the firewall rules. I've seen
people put the firewall on a write protected floppy in order to keep
any changes from being made. Anything fishy, just reboot. Your CD
would be a newer version of that.
>Last, but not least, what's a good HowTo that can be used as a basis? I
>would prefer one that starts off a little more strict so I can simplify
>rather than have to bone up on all of the current vulnerabilities.
Whatever you set up, the default should always be "deny all". Only
the traffic you want should be passed in either direction. Again, I
would refer you to sysadmin magazine. Their back issues are on their
web site and are freely searchable. I have found them to be a good
resource. Another place to look would be techrepublic.com. They
have a lot of check lists and other such resources that you can
download once you create an account (free).
--
Thanks,
Ms. Jimi Thompson, CISSP, Rev.
"Those who are too smart to engage in politics are punished by being governed by those who are dumber." --Plato
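The "deny all" default and the read-only-media rule copy discussed in the reply, as an added example that is not part of the original thread: a POSIX sh script that generates a default-deny NAT ruleset in iptables-save format for a 2.4 kernel and checks a live iptables-save dump against the golden copy kept on the CD-R, ignoring only counters and timestamps so any rule change shows up. The interface names, the LAN subnet and the CD-R path are assumptions.

```shell
# Added example, not from the thread. Assumed layout: eth0 faces the broadband
# link, eth1 the 192.168.1.0/24 LAN; the golden ruleset lives on the CD-R at
# /mnt/cdrom/firewall.rules. iptables 1.2.x on a 2.4 kernel ("-m state").

# Emit a default-deny ruleset in iptables-save format: masquerade the LAN,
# allow SSH to the firewall only from the LAN, let nothing else in.
gen_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Drop what legitimately differs between dumps (timestamp comments,
# packet/byte counters) so only the rules themselves get compared.
normalize() {
    grep -v '^#' | sed 's/\[[0-9]*:[0-9]*\]/[0:0]/'
}

# Return 0 if the live dump matches the golden copy, 1 (plus a diff on stderr)
# if any rule drifted. Cron use: iptables-save > /tmp/live && check_drift /mnt/cdrom/firewall.rules /tmp/live
check_drift() {
    gn=$(normalize < "$1")
    ln=$(normalize < "$2")
    if [ "$gn" = "$ln" ]; then
        return 0
    fi
    echo "RULE DRIFT: live firewall rules differ from $1" >&2
    tmp=$(mktemp)
    printf '%s\n' "$gn" > "$tmp"
    printf '%s\n' "$ln" | diff "$tmp" - >&2 || true
    rm -f "$tmp"
    return 1
}
```

Loading the golden copy at boot is just `iptables-restore < /mnt/cdrom/firewall.rules` (as root); a non-zero exit from check_drift is the "anything fishy, reboot" signal.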