
Re: Linux firewall/IDS/NAT suggestions

From: terry white <twhite(at)aniota.com>
Date: Sat May 31 2003 - 19:50:24 EDT

on "5-30-2003" "Petty, Robert" wrote:

... ciao:

: has a glaring hole I don't know about

    that is your first priority: ongoing security vigilance. get on the mailing list at 'securityfocus.com'.

: Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

    i would suggest the 2.2.25 kernel. it's stable, runs like a champ, and at this point in time, pretty secure. the 2.4.x kernel has just seen a security problem up-to-and-including 2.4.20. the suggested fix for that is the latest 'release candidate'. on a production machine, i don't think so.

: Should snort be running on the firewall machine


    i like to put all the 'security' stuff on the box that's most exposed. then, eliminate any services that are not ABSOLUTELY required, and make sure the ones that are, are kept secure.

: Should SSH go to the firewall

    ssh is a known, and current, attack vector. if you have to run ssh, make sure there are no problems with it. a search at securityfocus.com is worth every bit of time it takes.

: NAT and Firewall rules ... a malicious attacker cannot hide rule changes

    if an attacker has gotten that far, you're hosed. that suggests either the rules are less than effective, or other security problems exist. RO media is a good idea though; saves a lot of time if you ever do get compromised.

: be used as a basis? I would prefer one that starts off more strict

    let me suggest "http://www.bastille-linux.org". this is a hardening script that (a) does a great job setting user defined firewall rules, and perhaps more importantly, (b) offers a very informative tutorial in the process.

    however:


    bastille has gotten a lot more 'sophisticated' in that it's trying to be "all things to all people". i much prefer the earlier versions, 1.1 and 1.2. the latest and greatest 'demand' a gui for installation, and that's a limitation i prefer not to embrace. either way though, it is the way to go.

    with regard to 'linux'.

    if your firewall has no need for a 'desktop', be "warned" that the default install of RH-8.0 has UTF-8 encoding. this fucks up the command line interface, and causes all sorts of ugly problems with ncurses. i am 'told' this problem does not exist in RH-9.0. they both, however, have the 2.4.x kernel series. some decisions on your part seem probable ...

-- 
... i'm a man, but i can change,
    if i have to, i guess ...
Received on Tue Jun 3 12:58:14 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:20 EDT
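The reply above recommends keeping the firewall rules on read-only media so that an intruder cannot quietly alter them. One concrete way to act on that advice is to keep a digest of the known-good ruleset on the read-only media and compare the live ruleset against it from cron. The script below is an added example written for this archive page; it is not code posted in the thread. It assumes an `iptables-save`-style ruleset (the 2.4.x kernel series the thread discusses), an assumed read-only mount point `BASELINE_DIR`, and two constructed sample rulesets: a known-good one, and the same ruleset after a hypothetical intruder opened tcp/31337. Packet and byte counters and the timestamped header comment are normalized away so that only real rule changes trigger an alert.

```shell
#!/bin/sh
# Detect tampering with the live packet-filter ruleset by comparing it against a
# baseline digest kept on read-only media. Added example, not from the original
# thread. BASELINE_DIR and both sample rulesets below are assumptions; on a real
# firewall you would pipe `iptables-save` into these functions instead.

BASELINE_DIR="${BASELINE_DIR:-/mnt/ro/firewall}"   # assumed read-only mount point

# Constructed sample: a known-good iptables-save dump (default-deny INPUT/FORWARD,
# ssh allowed only from the internal network).
GOOD_RULES='# Generated by iptables-save on Sat May 31 19:50:24 2003
*filter
:INPUT DROP [1234:56789]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4321:98765]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: the same ruleset after a hypothetical intruder added a
# back-door rule for tcp/31337 (counters and timestamp have also moved on).
TAMPERED_RULES='# Generated by iptables-save on Sun Jun  1 03:12:07 2003
*filter
:INPUT DROP [1299:60001]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4400:99999]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 31337 -j ACCEPT
COMMIT'

# Drop the timestamped header comment and zero the [packets:bytes] counters so
# the digest only changes when a rule or policy actually changes.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/'
}

# SHA-256 of stdin, hex only. Prefers coreutils sha256sum, falls back to shasum.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi \
        | awk '{ print $1 }'
}

# Digest of a normalized ruleset read from stdin.
ruleset_digest() {
    normalize_rules | sha256_stdin
}

# Record the baseline. Run once with the media mounted read-write, then remount
# it read-only so a later intruder cannot simply rewrite the digest too.
save_baseline() {
    ruleset_digest > "$BASELINE_DIR/rules.sha256"
}

# Usage: check_ruleset DIGEST_FILE < live_ruleset
# Exit status 0 when the live ruleset matches the baseline digest, 1 otherwise.
check_ruleset() {
    expected=$(cat "$1")
    actual=$(ruleset_digest)
    [ "$actual" = "$expected" ]
}

# Usage: ruleset_diff BASELINE_RULES_FILE LIVE_RULES_FILE
# Prints rules present only in the live set as "+ ..." and rules missing from
# it as "- ...", so an alert mail shows exactly what changed.
ruleset_diff() {
    b=$(mktemp) || return 1
    l=$(mktemp) || { rm -f "$b"; return 1; }
    normalize_rules < "$1" | sort > "$b"
    normalize_rules < "$2" | sort > "$l"
    comm -13 "$b" "$l" | sed 's/^/+ /'
    comm -23 "$b" "$l" | sed 's/^/- /'
    rm -f "$b" "$l"
}

# Stand-alone demonstration on the constructed samples: `sh thisfile.sh demo`.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    printf '%s\n' "$GOOD_RULES" > "$work/good"
    printf '%s\n' "$TAMPERED_RULES" > "$work/live"
    ruleset_digest < "$work/good" > "$work/rules.sha256"
    if check_ruleset "$work/rules.sha256" < "$work/live"; then
        echo "ruleset unchanged"
    else
        echo "RULESET CHANGED:"
        ruleset_diff "$work/good" "$work/live"
    fi
    rm -rf "$work"
fi
```

In production the cron job would be `iptables-save | check_ruleset "$BASELINE_DIR/rules.sha256"` with the diff mailed to you on failure; because the digest lives on media the running system cannot write to, an attacker who has modified the live rules has to also defeat the media, not just edit a file.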

