A question about a basic security setup...

From: Bill Walls (stauph@hotmail.com)
Date: 12/03/01


From: "Bill Walls" <stauph@hotmail.com>
To: security-basics@securityfocus.com
Date: Mon, 03 Dec 2001 11:40:39 -0900

I have been thinking about a setup for my basic ADSL network at home that
would be somewhat more secure than the usual setup I have seen around for
other users who simply think NAT/firewalls are the answer. I have yet to
implement it, but I wonder if someone could critique the abstract idea
before I go through the motions of setting up the network.

The reason I go into so much detail is that I am testing my own
knowledge against yours to become a better security-minded user. I don't
want my box trying to break into your box. ;)

I have a Cisco 678 router (on which I have disabled the telnet as well as the
web interface, and set the ports to different ports than the default). Since it
is only interfaceable through the management cable, I don't fear a breach of
the router software itself. I do know that if someone were to find the
telnet port, a DoS is possible. And it is using NAT.

I am running a web server (Apache) on port 80. The NAT addresses this
machine for all port 80 requests. Every machine on the network is running a
form of firewall software: on Windows, ZoneAlarm; on Linux, either ipchains
or iptables.

I am thinking of putting in a dual-homed host to make the basic network look
like this:

    +----------+
    | Cisco 678|
    +----------+
          |
  +--------------+
  |Dual-Home Host|
  +==============+
          |
 +---------------+
 |USR Totalswitch|
 +===============+
          |
 Other boxes, including the web server.

I know the USR Totalswitch is completely insecure. On my firmware, I cannot
turn off the telnet management port and I cannot protect against the debug
attack found in the securityfocus archives. Is there a firmware version that
allows for more security? I have yet to find it. Anyway...

I was thinking of running iptables on the dual-homed host, and Snort. I am
researching Snort heavily at the moment to make sure I understand its
capabilities. I am more of an ipchains kind of guy, and have just delved into
iptables.

What I want to do is make it so only legitimate GET requests get to my web
server machine, i.e. GET / HTTP/1.x etc., and to drop all other kinds of
requests. My feeling on the subject is that if I can filter out all other
malformed or unrealistic requests, Apache will be "saved" from the
majority of attacks.

Should I use Snort or iptables to accomplish this? Is it possible with
either? I know I should RTFM... and believe me, I am. But I was wondering
what kind of input I could get from the list as a whole as to how to proceed.
I have also been toying with the idea of using LIDS on the server machine to
throw even more modification into the mix...

I guess this is just a call for comments. Thank you for considering this
issue...as it will determine some of my future turns in study for security
as a whole.

"Buffer Overflow in /dev/stomach due to vodka.o!"

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
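The "only well-formed GET requests reach Apache" idea from the post, worked through as an added example (not code from the original message or from any iptables/Snort ruleset). It shows what the allowlist decision actually involves once you look at the request line rather than the packet: a strict grammar for the method, path and version, a length cap, and checks on the percent-decoded path for control characters and dot-dot segments. The function names, the regular expression and the sample request lines are all constructed for this illustration. Note the design point it makes against the original plan: this logic needs the reassembled HTTP request line, which is something an application-layer proxy or an IDS with stream reassembly sees, not something a stateless packet filter on the dual-homed host can reliably match on its own.

```python
import re
from urllib.parse import unquote

# Hypothetical allowlist filter for the idea in the post: admit only request
# lines of the exact shape "GET <abs-path> HTTP/1.0|1.1" and reject everything
# else. Constructed for illustration; it is not the author's ruleset.
REQUEST_LINE = re.compile(r"^GET (/[!-~]*) HTTP/1\.[01]$")  # printable ASCII, no spaces
MAX_LINE_LEN = 2048                                           # cap on request-line length


def classify_request_line(raw):
    """Return (allowed, reason) for one HTTP request line."""
    line = raw.rstrip("\r\n")
    if len(line) > MAX_LINE_LEN:
        return False, "request line too long"
    if not line.isascii():
        return False, "non-ASCII byte in request line"
    m = REQUEST_LINE.match(line)
    if m is None:
        return False, "not a well-formed GET request line"
    target = m.group(1)
    path = target.split("?", 1)[0]   # the query string is not part of the filesystem path
    decoded = unquote(path)          # inspect what the server sees after %xx decoding
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False, "control character hidden in percent-encoded path"
    if ".." in decoded.split("/"):
        return False, "dot-dot segment in path"
    return True, "ok"


def filter_request_lines(lines):
    """Classify a batch of request lines; returns [(line, allowed, reason), ...]."""
    return [(l.rstrip("\r\n"),) + classify_request_line(l) for l in lines]


# Constructed sample input (not captured traffic).
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.0\r\n",
    "GET /index.html HTTP/1.1\r\n",
    "GET /docs/page.html?id=42 HTTP/1.1\r\n",
    "POST /cgi-bin/form HTTP/1.1\r\n",                # not a GET
    "GET /index.html\r\n",                            # missing HTTP version (0.9-style)
    "GET /../../private/file HTTP/1.0\r\n",           # literal dot-dot
    "GET /%2e%2e/%2e%2e/private/file HTTP/1.0\r\n",   # percent-encoded dot-dot
    "GET /img/logo%00.gif HTTP/1.1\r\n",              # embedded NUL after decoding
    "GET /" + "A" * 4000 + " HTTP/1.0\r\n",           # oversized request line
]

if __name__ == "__main__":
    for line, allowed, reason in filter_request_lines(SAMPLE_REQUEST_LINES):
        print("ALLOW" if allowed else "DROP ", reason, "|", line[:60])
```

Running the block prints one verdict per sample line; only the first three are allowed. The checks run on the decoded path because Apache decodes `%2e%2e` and `%00` before resolving the file, so matching only the literal bytes on the wire would miss them.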
