Subject: Re: Network Topology / Security Questions
From: Nick Rozema (nick NWF.COM)
Date: Wed Dec 13 2000 - 11:57:17 CST
Hello,
I would agree with the Win2k Server comment. Unless you plan on having
additional win2k workstations around, or want to run exchange for your
house, what's the need to run server? That's a minor point though.
You're definitely on the right track... any standard linux distro can do
all of the things you would want to do with your router. However, may I
suggest another alternative to your router ... look into LRP (Linux router
project). It's a mini-distribution of linux that boots from a floppy drive
and handles all of your routing. It has several advantages in a security
sensitive application, including:
* Small. Fits on a floppy, so needless to say a lot of unnecessary binaries
have been removed (less services = less potential holes). Running sendmail
and apache on your firewall (as Redhat and others default to) is probably
not the best of ideas.
* Read only. By sliding that nifty little tab on the floppy disk, you have
made a read only filesystem. That way, if you ever ARE compromised, a simple
reboot ensures that you're back to step one, where you can trust the
binaries on your machine and fix the hole so that it doesn't happen again.
* Almost as versatile as a full linux distro (at least in the
security/routing sense). There are all sorts of packages available for LRP,
including an IPSEC vpn package, firewall packages, snort, portsentry, even
squid I believe if you want to run a genuine proxy. If all you want the
machine to do is act as a "border router" with minimal services, then it's
one of the better ways to go. Look at www.linuxrouter.org and
http://lrp.c0wz.com for more information.
If you want to go with a full linux distro for your router, you may want to
look at immunix (www.immunix.org). It's basically a RedHat 6.2 system
compiled with their StackGuard compiler, that supposedly resists a large
portion of the numerous "buffer overflow" exploits that are so common with
open source programs. That would be a good foundation to start from.
Somebody mentioned Bastille (www.bastille-linux.org), which I've found to be
very helpful in hardening a machine. Get some sort of good firewall script
on the machine such as seawall (http://seawall.sourceforge.net), and go from
there.
As for the other two machines, they wouldn't really *need* their own
separate firewalls, but I'd definitely keep current on the patches for them,
that way *all* of your security isn't focused onto your router.
Hope some of this helps,
Nick
-----Original Message-----
From: Focus on Linux Mailing List [mailto:FOCUS-LINUX SECURITYFOCUS.COM] On Behalf Of Leon Rosenstein
Sent: Tuesday, December 12, 2000 11:10 AM
To: FOCUS-LINUX SECURITYFOCUS.COM
Subject: Network Topology / Security Questions
First off I just want to warn everyone that this is a long one. Also I sent
this to both Security Basics and Focus-Linux (I am not sure if that is bad
posting ethic.) Well here goes:
I have 3 computers and I would like to design a network when I get my DSL
line. Here is how I thought it would work. Please comment on both the
topology and the security implications. I have a P75 with 72 megs of ram.
I was thinking about having this run Linux and act as a router / proxy /
packet filtering device. I then have a system with 350 P2 with 128 megs of
ram. I was thinking about having this run Linux also (are the distros
important because if not I was thinking Mandrake 7.1). I then have another
machine with 256 megs of ram and a Celeron 700 that I want to run Win2k
Server on (see how I saved all the memory for windows ;).
Here are my questions: First is this possible (the way I am describing it)?
Second would I want to deploy things like a firewall / ids on both the Win2k
server and the 2 Linux Machines? I was thinking for the Win2k Server both
Zonealarm and Blackice or Snort. (Any suggestions or comments?) Would this
make sense if the Linux (router) were acting as a proxy and a
packet-filtering device? Would the router need to have Snort and IP-Chains
on it? Would it make sense to install a firewall (IP-Chains or something
and Snort) on the other Linux machine? If I were using a proxy server on
the router would Windows be able to work with this (since it is running
Linux?) Also would this (setup / topology I just like using the word
topology) perform Nat or some kind of equivalent "IP-Hiding?" If anyone has
ANY comments or suggestions I would totally appreciate them. Also if I am
not being clear on something please additionally let me know that.
Public and private responses are both welcome (flames are welcome but not
appreciated ;).
Thanks in advance,
Leon
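
Added example, not part of either message: a check for the point in the reply above that services such as sendmail and apache should not be listening on the firewall. It reads `netstat -tln` output and reports TCP listeners reachable from the network that are not on an allowlist. The allowlist (SSH only) and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag TCP listeners that a border
# router should not expose. Input format is `netstat -tln` output.

# Assumption: the router is meant to accept only SSH for administration.
ALLOWED_PORTS="22"

# Reads `netstat -tln` lines on stdin and prints one "address:port" per
# listener that is reachable from the network and not in ALLOWED_PORTS.
# Loopback-only listeners (127.x, ::1) are skipped: they are not exposed.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
            sub(/.*:/, "", port)        # keep what follows the last colon
            if (addr ~ /^127\./ || addr == "::1") next
            if (!(port in ok)) print addr ":" port
        }'
}

# Constructed sample: a stock install with sendmail (25) and apache (80)
# running, a loopback-only listener, and squid (3128) on the inside address.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:25         0.0.0.0:*          LISTEN
tcp        0      0 127.0.0.1:953      0.0.0.0:*          LISTEN
tcp        0      0 192.168.1.1:3128   0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:80         0.0.0.0:*          LISTEN
EOF
}

# Demo on the constructed sample; on a live router use:
#   netstat -tln | unexpected_listeners
sample_netstat | unexpected_listeners
```

A service that is meant to be there, such as the proxy on the inside address, is acknowledged by adding its port to ALLOWED_PORTS, so anything the check still prints is unexpected.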