Re: Linux firewall/IDS/NAT suggestions
From: Scott Gifford <sgifford(at)suspectclass.com>
Date: Fri May 30 2003 - 19:35:39 EDT

"Petty, Robert" <rpetty@DenverNewspaperAgency.com> writes:

[...]

> I want to set up a Linux firewall for a small network of 15 machines

I have a setup similar to this at my house. It works quite well.

> Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

2.4.x is supposed to have the best NAT stuff, although I found 2.2.x worked just fine. I believe support in 2.0.x was bad or nonexistent.

> From the simple standpoint of how many security fixes have been

If you're interested in using some of the modules that are supposed to increase the security of your system, they're more likely to be available for 2.4. I don't use any of these patches on my system.

> Should snort be running on the firewall machine or another machine? If on

I would not recommend running snort on the firewall machine. Bottom line is, the more programs you have which interact directly with the outside world, the higher the odds that at least one of these programs will have an exploitable bug. cf.:

http://www.securityfocus.com/bid/7178/exploit/
http://www.securityfocus.com/search?category=2&query=snort&rank=&submit=Search

I don't run an IDS at all. If you decide to, putting it on a separate box in the way you described is definitely the way to go. If it's on the Internet side of your NAT box and it were compromised, the attacker wouldn't have any more access to your network than they did before.

> The Linux box will serve as a secondary NAT layer, any pitfalls with this?

Do you mean that the LinkSys is also providing NAT? That would be an odd setup...

> Should SSH go to the firewall machine or be passed through to an internal

It's a tradeoff decision. The only time it will affect security is if you have a weak password or another exploitable bug in SSH is found. In that case, you get to decide: would you rather have somebody from the outside world get root on your firewall or a machine inside your network? I don't have ssh available at all from the Internet.

> Should the NAT and Firewall rules be written and maintained on CD-R media so

I think those are overkill; simply backing the rules up to an offline machine or media (or printing them out, if they're not too long) after making changes should be enough. Putting your rules on a CD doesn't make the system any less vulnerable. If the machine is compromised, the attacker can do whatever they want while it's compromised, including thwarting any protections you've put in place; after you detect it, fix the problem, and re-install the OS from scratch, you'll just restore your rules from your hand-checked backup and be fine.

> Last, but not least, what's a good HowTo that can be used as a

I'm not aware of a good HowTo, but I would start by removing any unnecessary software, in particular services that run on the network and programs which are setuid or setgid. Make sure any services for the internal network only listen on the internal address, so they aren't Internet-accessible. I don't have any listening sockets on the Internet side of my NAT box. If you need programs which are set[ug]id on your system but only root will run them, you can often just remove the set[ug]id bits. The only setuid root program you should need on your firewall is su.

Good luck!

---ScottG.

Received on Tue Jun 3 12:42:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:20 EDT
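The last two points of Scott's reply (no listening sockets on the Internet side of the NAT box, and no set[ug]id programs beyond su) are easy to state and easy to drift away from. The script below is an added audit example, not code from the original post or from either participant. It assumes the box's Internet-side address is in EXT_ADDR (a documentation address by default), that socket listings are in the column layout of a modern "ss -Hlntu" (Netid State Recv-Q Send-Q Local:Port Peer:Port), and the sample listing embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a Linux NAT/firewall
# host for (1) listening sockets reachable from the Internet side and
# (2) set[ug]id files.  Assumptions (not in the thread): EXT_ADDR is the
# box's external address; socket listings use the "ss -Hlntu" layout
# (Netid State Recv-Q Send-Q Local:Port Peer:Port).

EXT_ADDR="${EXT_ADDR:-203.0.113.10}"   # assumed Internet-side address

# exposed_listeners: read ss-style lines on stdin and print "proto local"
# for each socket an Internet host could reach, i.e. one bound to a
# wildcard address (0.0.0.0, *, ::, [::]) or explicitly to $EXT_ADDR.
# Sockets bound only to loopback or an internal address are not printed.
exposed_listeners() {
    awk -v ext="$EXT_ADDR" '
        ($1 == "tcp" || $1 == "udp") && NF >= 5 {
            laddr = $5
            n = split(laddr, parts, ":")        # port is the last ":"-separated piece
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "::" || \
                addr == "[::]" || addr == ext)
                print $1, laddr
        }'
}

# setuid_files: list regular files under $1 (default /) carrying the
# setuid or setgid bit, without crossing into other filesystems.
# On a firewall, anything listed other than su is a candidate for
# "chmod u-s,g-s" if only root needs to run it.
setuid_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample in ss -Hlntu layout (not captured from a real host):
# DNS bound to the internal address, sshd on the IPv4 wildcard, chrony on
# loopback, a proxy bound to the external address, rpcbind on the IPv6
# wildcard.  Only the 2nd, 4th and 5th lines should be flagged.
SAMPLE_SS='tcp   LISTEN 0 128 192.168.1.1:53   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:323     0.0.0.0:*
tcp   LISTEN 0 128 203.0.113.10:8080 0.0.0.0:*
tcp   LISTEN 0 128 [::]:111          [::]:*'

case "${1:-}" in
    --demo)   # run the listener check over the constructed sample
        echo "# sockets reachable from the Internet side (sample data):"
        printf '%s\n' "$SAMPLE_SS" | exposed_listeners
        ;;
    --live)   # run both checks against this host (needs iproute2 ss)
        echo "# sockets reachable from the Internet side:"
        ss -Hlntu | exposed_listeners
        echo "# set[ug]id files (expect little beyond su):"
        setuid_files /
        ;;
esac
```

Run it as "sh audit.sh --demo" to see the three flagged entries from the sample, or "sh audit.sh --live" on the firewall itself. A 2003-era box would use "netstat -ln" instead of ss; its columns differ (Proto Recv-Q Send-Q Local Foreign State), so the local address is field 4 rather than 5 and the awk would need adjusting. The IPv6 wildcard case is included because a service bound to [::] is reachable over any address the box has, which is exactly the kind of listener that does not show up if you only grep for 0.0.0.0.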