Re: Linux firewall/IDS/NAT suggestions

From: Alex Russell (alex_at_netWindows.org)
Date: 05/31/03

  • Next message: David Nichols: "Re: Linux firewall/IDS/NAT suggestions"
    To: "Petty, Robert" <rpetty@DenverNewspaperAgency.com>
    Date: Fri, 30 May 2003 19:01:46 -0500

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Friday 30 May 2003 10:54 am, Petty, Robert wrote:
    > Thus my question:
    >
    > I want to setup a Linux firewall for a small network of 15 machines
    > connected live to the internet via broadband. I don't want to put
    > something in place that has a glaring hole I don't know about that
    > makes the installation more insecure with a false sense of
    > security.
    >
    > Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

    2.4.x. The 2.4 series introduces a stateful packet filter (netfilter)
    as opposed to the ipchains firewall available under 2.2. While
    ipchains is still available under 2.4, you'll definitely want
    iptables for any serious work.

    > Should snort be running on the firewall machine or another machine?

    Depends on how ballsy the machine is and how much hardware you have to
    spare. The last thing you want is for something/someone to DOS snort
    and take down the connection with it (should the snort box be
    in-line). The fewer things you have in-line while being able to do
    the job correctly, the fewer points of potential failure.

    > If on another machine, should I put the firewall and IDS box on a
    > hub as the first hop so they both see the same traffic?

    IDSen are designed to help you figure out when malicious activity is
    taken against one of your machines. To do this with any facility, you
    should likely place the IDS machine logically behind the firewall at
    some point so you don't see attacks that are just going to be
    dropped anyway.

    Your setup might look like:

                 +----------+ +-----+
    outside >----+ firewall +---+ hub +---< DMZ >---< inside
                 +----------+ +--+--+
                                   |
                                +--+--+
                                | IDS |
                                +-----+

    where the IDS is listening on the uplink port of the hub/switch.

    > The customer's router is not manageable (linksys) and they have no
    > budget for a Cisco Router or PIX.
    >
    > The Linux box will serve as a secondary NAT layer, any pitfalls
    > with this?
    >
    > Should SSH go to the firewall machine or be passed through to an
    > internal Linux box?

    That's your call. Does your client need SSH provided to an internal
    machine?

    If so, you can put your SSHd on the firewall on a different port or
    have it listen only on the internal interface.

    > Should the NAT and Firewall rules be written and maintained on CD-R
    > media so a malicious attacker cannot hide rule changes? Should the
    > firewall be re-initialized on a schedule to ensure the live rules
    > are those from the read-only media?

    Will you _ever_ need to change them?

    > Last, but not least, what's a good HowTo that can be used as a
    > basis?

    Linux Firewalls, 2nd Edition from New Riders is a good place to start.

    > I would prefer one that starts off a little more strict so
    > I can simplify rather than have to bone up on all of the current
    > vulnerabilities.

    Have you checked TLDP (http://tldp.org) ?
    I'm sure it's teeming with such things.

    - --
    Alex Russell
    alex@burstlib.org
    alex@netWindows.org
    alex@SecurePipe.com
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

    iD8DBQE+1/DqoV0dQ6uSmkYRAtWKAJ48z6Pctvtik6CrhoZpHAV/zAg0IQCfR45E
    iV4b/WtIG7hWpW0lPnoNZTM=
    =XCYk
    -----END PGP SIGNATURE-----
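
The reply above recommends a 2.4 kernel with iptables for stateful filtering, keeping SSH to the firewall reachable only from the internal interface, and using the box as a NAT layer for the LAN. The script below is an added example written for this archive page, not code from the original post or from Alex Russell. It assembles a minimal default-deny ruleset around those three points. The interface names (eth0/eth1), the internal network 192.168.1.0/24 and the SSH port are assumptions; a dry-run mode prints the rules instead of loading them so the set can be inspected on a machine without netfilter.

```shell
#!/bin/sh
# Added example: minimal stateful iptables ruleset for a small-LAN
# firewall/NAT box, in the spirit of the reply above. Not from the post.
# Interface names, network and port below are assumptions.

IPT="${IPT:-iptables}"                 # set IPT=fake_ipt for a dry run
WAN="${WAN:-eth0}"                     # assumed outside interface
LAN="${LAN:-eth1}"                     # assumed inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal network
SSH_PORT="${SSH_PORT:-22}"             # assumed sshd port

# Dry-run stand-in for iptables: prints the rule instead of loading it.
fake_ipt() { printf '%s\n' "$*"; }

# Start from a clean, default-deny filter table. Outbound from the box
# itself is left open; everything inbound or forwarded must be allowed.
reset_policy() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# The stateful core (netfilter, 2.4+): accept replies to connections the
# box or the LAN opened, and drop packets that fit no known connection.
allow_established() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
}

# SSH to the firewall is accepted only when it arrives on the internal
# interface from the internal network; nothing from outside reaches sshd.
allow_ssh_internal() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$SSH_PORT" \
         -m state --state NEW -j ACCEPT
}

# Let the LAN open new connections outward and hide it behind the
# firewall's outside address (the secondary NAT layer the question asks about).
allow_lan_out() {
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
         -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

apply_firewall() {
    reset_policy
    allow_established
    allow_ssh_internal
    allow_lan_out
}

# Print the rule set without touching the kernel.
dry_run() { ( IPT=fake_ipt; apply_firewall ); }

# Number of -A rules the script would add to a given chain, for sanity checks.
count_rules() { dry_run | grep -c -e "-A $1 "; }

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) dry_run ;;
esac
```

Run it as `sh firewall.sh dry-run` to review the generated rules, and `sh firewall.sh apply` as root to load them. Restricting sshd by interface can also be done in sshd_config with ListenAddress; doing it in the packet filter as well means a misconfigured daemon is still unreachable from the outside.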


