Re: Security, Distributed firewalling application...long ;-)
- From: Joachim Schipper <j.schipper@xxxxxxxxxx>
- Date: Wed, 30 Nov 2005 00:05:01 +0100
On Tue, Nov 29, 2005 at 06:03:56PM +0530, Sanjay Arora wrote:
> List:
>
> We are a small company with a (very short) shoe-string budget running
> CentOS 4.2. I am a newbie sys-admin and am planning to secure the network
> as follows, please comment on the design and, if known, suggest a GUI & policy
> based ruleset generator that can additionally copy the ruleset (preferably by
> rsync over ssh) to the target machine & reset the ruleset.
>
> WAN: A DSL link firewalled by an IPtables firewall, currently running
> IPcop on this...may shift to monowall or pfsense...or maybe add
> additional rulesets to the IPcop box itself. ssh, http, pop3, imap, smtp
> redirected to internal IP space (192.168.) DMZ server running web-apps,
> which is the vulnerable target.
There's a case to be made for encrypted versions of pop3, imap, and
possibly http, but this is otherwise fine.
Do note that that's a lot of services to offer inside the LAN (instead
of in a DMZ).
> DMZ: Want to close all ports (in/out) on the DMZ server except for the
> above services, with logging of all attempts from inside the lan or
> outside.
The first idea is a good one. Logging stuff from the LAN might also be
useful. Logging outside attacks usually isn't - a packet filter will
stop so much that reviewing the logs takes ages, and there's usually
very little sense in pursuing it. (Or, as with all 'don't log this'
comments in this post, you may choose to log them but be aware that you
will likely not be able to review them.)
> LAN: 4 Servers running various services according to their jobs. Want to
> explicitly close all ports (in/out) except the required ones with
> logging of all attempts.
Okay, a lot of servers on the LAN. Might be worthwhile thinking about whether
any can be moved to a less privileged area, possibly a second DMZ (note:
IPCop doesn't support this out-of-the-box - some hacking, or manual
firewall configuration, can be used to 'persuade' it to).
> Other things to be done:
>
> 1. Running an IDS on the local network (Snort).
Only makes sense once you have done all else. An IDS takes gobs of time,
and since - IMNSHO - no system with known vulnerabilities should be
allowed on the network, it will only catch false positives and failed
attacks.
Mind, an IDS can be very useful - but it, again, costs a lot of time.
> 2. Block all outgoing mail except from the official mailserver & running
> anti-spam & antivirus on all in/out mails, with a copy of all logged for
> archival/forensics purposes.
Make sure that this is allowed under your jurisdiction, not everyone may
like it. It will also take quite a bit of space.
Running anti-spam on outgoing e-mail might or might not be required.
> 3. Block all outgoing ports except as required and log all attempts to
> connect to blocked ports from inside or outside.
I'd only log outgoing blocked connections, but otherwise a good idea.
> 4. Install an application to get all iptables logs from all servers
> including the perimeter firewall, into a database.
Ok, though I've never understood why people want to use a database - the
log parser should have given you the relevant data, and grep can easily
sort out the extra information if you need it.
> 5. Get data from the perimeter IDS & LAN IDS into the database.
Ok.
> 6. Extrapolate the database on a regular basis for re-evaluation.
Not too useful, as this is unlikely to get done. Rather, run automated
nightly (or more often) log parsers.
> Comments are invited on the above. Also suggestions of open source &
> free projects that can help me deploy the policy based firewalling and
> all the above.
>
> Why do I need a GUI & policy based framework for implementing my firewalls,
> when my requirements are static? Well, I may need to add an additional role
> to a server on the LAN, if any other server fails. In fact, I intend to
> keep the services prepared on alternate servers, only not deploy them
> redundantly. Secondly, you never know when needs change, and something that
> is easily configured and deployed would adapt better.
No clue how to do this, I've never cared for anything like this.
> Also, I have a question that needs an answer. How do I allow IMs like
> yahoo, msn, icq while transparently proxying & logging all business
> chats...staff will be aware from IT policy that all email/IM are
> recorded. We plan to run a Jabber server for Enterprise IM but how to
> control the IMs?
Unencrypted instant messaging can be dealt with by simply sniffing the
wire. I am not familiar enough with the protocols, but maybe Snort can
be persuaded to do this.
> Please critique..bang my head on floor & caution on the drawbacks of the
> approach...advise...provide links/learning resources...share
> experiences...and help me get it right.
>
> With best regards.
> Sanjay.
Looks good. The most important thing I miss is a way to quickly patch
lots of machines when MS releases the next update or somesuch.
Joachim
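The DMZ ruleset the thread describes (default deny in and out, only the listed services open, attempts from the LAN and blocked outgoing connections logged, outside noise dropped silently), as an added example written for this page and not code from either poster. The proto/port list format, the LOG_LAN/LOG_OUT chain names, the log prefixes and the 192.168.0.0/16 LAN range are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for the
# DMZ host along the lines discussed above. Default policy DROP in/out, accept
# only the listed services, log (rate-limited) blocked attempts that come from
# the LAN and blocked outgoing connections, drop attempts from outside unlogged.
# Port lists use proto/port, e.g. "tcp/22 tcp/80 tcp/110 tcp/143 tcp/25".
# The LAN range 192.168.0.0/16 is an assumption; the post only says 192.168.

gen_dmz_ruleset() {
    in_ports=$1
    out_ports=$2
    lan=${3:-192.168.0.0/16}

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo ':LOG_LAN - [0:0]'     # blocked packets from the LAN: log, then drop
    echo ':LOG_OUT - [0:0]'     # blocked outgoing connections: log, then drop

    # Loopback and replies to connections that were already accepted.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # Services offered by the DMZ host (ssh, http, pop3, imap, smtp in the post).
    for spec in $in_ports; do
        echo "-A INPUT -p ${spec%/*} --dport ${spec#*/} -m state --state NEW -j ACCEPT"
    done
    # Outgoing connections the host itself needs (e.g. DNS, mail relay).
    for spec in $out_ports; do
        echo "-A OUTPUT -p ${spec%/*} --dport ${spec#*/} -m state --state NEW -j ACCEPT"
    done

    # Everything else: LAN sources are logged before the drop, outside sources
    # are not (their volume makes the log unreviewable); every blocked outgoing
    # connection is logged, since it may mean the host has been compromised.
    echo "-A INPUT -s $lan -j LOG_LAN"
    echo '-A OUTPUT -j LOG_OUT'
    echo '-A LOG_LAN -m limit --limit 5/min -j LOG --log-prefix "DMZ-LAN-DROP: "'
    echo '-A LOG_LAN -j DROP'
    echo '-A LOG_OUT -m limit --limit 5/min -j LOG --log-prefix "DMZ-OUT-DROP: "'
    echo '-A LOG_OUT -j DROP'
    echo 'COMMIT'
}
```

On CentOS the iptables init script loads /etc/sysconfig/iptables, so the poster's "rsync over ssh and reset" step can be as simple as `gen_dmz_ruleset "tcp/22 tcp/80 tcp/110 tcp/143 tcp/25" "udp/53 tcp/25" | ssh dmz 'cat > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables'`.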
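The nightly automated log parser Joachim prefers over loading everything into a database, as an added example that is not from the thread: one awk pass over iptables LOG lines from syslog, grouping blocked attempts by log prefix, source, destination, protocol and destination port. The sample log lines are constructed; the prefixes, hostnames and addresses in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: summarise iptables LOG lines from syslog
# with awk, most frequent combination first. Reads the log on stdin and prints
# "count prefix src dst proto dpt" per (prefix, src, dst, proto, dpt) group, so
# a nightly cron job can mail a short list instead of a full database dump.

summarize_drops() {
    awk '
    /kernel:/ && / IN=/ {
        prefix = "-"; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)         prefix = $(i - 1)   # word before IN= is the --log-prefix
            else if ($i ~ /^SRC=/)   src = substr($i, 5)
            else if ($i ~ /^DST=/)   dst = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)   # absent for e.g. ICMP
        }
        count[prefix " " src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample: two LAN hosts probing the DMZ host (assumed 192.168.1.10),
# plus one blocked outgoing connection from the DMZ host itself.
sample_log() {
    cat <<'EOF'
Nov 30 00:05:01 dmz kernel: DMZ-LAN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4567 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 30 00:05:03 dmz kernel: DMZ-LAN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=4568 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 30 00:07:12 dmz kernel: DMZ-LAN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.31 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=33012 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 30 01:12:40 dmz kernel: DMZ-OUT-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40211 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}
```

The same function works on a real /var/log/messages (`summarize_drops < /var/log/messages`), and a lone DMZ-OUT-DROP line near the top of the list is exactly the kind of entry worth following up the next morning.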