Priming the pump II
Here is a summary of my firewall "plan" for the list:
Firewall Architecture = screened subnet:

                              bastion
                                 |
                                 |
internet - packet filter A ----------- packet filter B - LAN

- inet             vast hordes of evil hackers
- packet filter A  Debian bastion system running ipfw.
- perimeter net    with Debian bastion host as above
- inner router     (another stripped down Debian bastion host machine)
- inner network    my hosts and internal mail hub/DNS server.
Services: DNS, smtp, ftp, telnet and http.
Basic ideas from:
"Building Internet Firewalls", Chapman and Zwicky, O'Reilly 1995.
DNS: on bastion host as primary and internal host as secondary.
SMTP: incoming to bastion host using qmail? relayed to internal mail hub,
outgoing to bastion host. DNS MX records pointing incoming mail to
bastion.
FTP: out allow PASV only, in block, No proxy.
Telnet: out allow, in block, No proxy.
HTTP: APACHE http server and cache server running on the bastion host.
OTHER: Not sure how to handle "news"....may just open a hole
using packet filters.
Filters:
***** some modification of the filters from O'reilly firewall book ******
######## Packet filter A (outer router) ##############################
rule    Dirct  Src    Dest   Pro  Src-P  Dst-P  Ack  Action
______________________________________________________________________
Spf-1   In     Intrn  Any    Any  Any    Any    Any  Deny
Spf-2   In     Perim  Any    Any  Any    Any    Any  Deny
Tel-1   Out    Intrn  Any    TCP  >1023  23     Any  Permit
Tel-2   In     Any    Intrn  TCP  23     >1023  Yes  Permit
FTP-1   Out    Intrn  Any    TCP  >1023  21     Any  Permit
FTP-2   In     Any    Intrn  TCP  21     >1023  Yes  Permit
FTP-3   Out    Intrn  Any    TCP  >1023  >1023  Any  Permit
FTP-4   In     Any    Intrn  TCP  >1023  >1023  Yes  Permit
SMTP-1  Out    Bast   Any    TCP  >1023  25     Any  Permit
SMTP-2  In     Any    Bast   TCP  25     >1023  Yes  Permit
SMTP-3  In     Any    Bast   TCP  >1023  25     Any  Permit
SMTP-4  Out    Bast   Any    TCP  25     >1023  Yes  Permit
HTTP-1  Out    Bast   Any    TCP  >1023  Any    Any  Permit
HTTP-2  In     Any    Bast   TCP  Any    >1023  Yes  Permit
HTTP-3  In     Any    Bast   TCP  >1023  80     Any  Permit
HTTP-4  Out    Bast   Any    TCP  80     >1023  Yes  Permit
DNS-1   Out    Bast   Any    UDP  53     53     *    Permit
DNS-2   In     Any    Bast   UDP  53     53     *    Permit
DNS-3   In     Any    Bast   UDP  Any    53     *    Permit
DNS-4   Out    Bast   Any    UDP  53     Any    *    Permit
DNS-5   Out    Bast   Any    TCP  >1023  53     Any  Permit
DNS-6   In     Any    Bast   TCP  53     >1023  Yes  Permit
DNS-7   In     Any    Bast   TCP  >1023  53     Any  Permit
DNS-8   Out    Bast   Any    TCP  53     >1023  Yes  Permit
Def-1   Out    Any    Any    Any  Any    Any    Any  Deny
Def-2   In     Any    Any    Any  Any    Any    Any  Deny
######### End Packet Filter A ########################################
######## Packet Filter B (inner router) ##############################
rule    Dirct  Src    Dest   Pro  Src-P  Dst-P  Ack  Action
______________________________________________________________________
Spf-1   In     Intrn  Any    Any  Any    Any    Any  Deny
Tel-1   Out    Intrn  Any    TCP  >1023  23     Any  Permit
Tel-2   In     Any    Intrn  TCP  23     >1023  Yes  Permit
FTP-1   Out    Intrn  Any    TCP  >1023  21     Any  Permit
FTP-2   In     Any    Intrn  TCP  21     >1023  Yes  Permit
FTP-3   Out    Intrn  Any    TCP  >1023  >1023  Any  Permit
FTP-4   In     Any    Intrn  TCP  >1023  >1023  Yes  Permit
SMTP-1  Out    Intrn  Bast   TCP  >1023  25     Any  Permit
SMTP-2  In     Bast   Intrn  TCP  25     >1023  Yes  Permit
SMTP-3  In     Bast   M-Srv  TCP  >1023  25     Any  Permit
SMTP-4  Out    M-Srv  Bast   TCP  25     >1023  Yes  Permit
HTTP-1  Out    Intrn  Bast   TCP  >1023  80     Any  Permit
HTTP-2  In     Bast   Intrn  TCP  80     >1023  Yes  Permit
DNS-1   Out    D-Srv  Bast   UDP  53     53     *    Permit
DNS-2   In     Bast   D-Srv  UDP  53     53     *    Permit
DNS-3   In     D-Srv  Bast   TCP  >1023  53     Any  Permit
DNS-4   In     Bast   D-Srv  TCP  53     >1023  Yes  Permit
DNS-5   In     Bast   D-Srv  TCP  >1023  53     Any  Permit
DNS-6   Out    D-Srv  Bast   TCP  53     >1023  Yes  Permit
Def-1   Out    Any    Any    Any  Any    Any    Any  Deny
Def-2   In     Any    Any    Any  Any    Any    Any  Deny
######### End Packet Filter B ########################################
*     - UDP has no ACK bit.
M-Srv - mail server/hub on internal network
D-Srv - DNS server on internal network

A-Spf-1:2   Block spoofing to perimeter or internal net.
A-Tel-1:2   Allow outgoing telnet.
A-FTP-1:4   Allow outgoing passive ftp.
A-SMTP-1:4  Outgoing and incoming mail inet to bastion.
A-HTTP-1:4  Allow bastion http-proxy to contact inet servers and
            inet to contact bastion http-server.
A-DNS-1:8   1:2 - allow inet-DNS-server and bastion-DNS-server to
                  communicate.
            3:4 - allow clients to communicate with bastion-DNS-server.
            5:8 - allow inet-DNS-server and bastion-DNS-server to
                  communicate over TCP.
A-Def-1:2   Block everything else not specifically allowed above.

B-Spf-1     Block spoofing of the internal net.
B-Tel-1:2   Allow outgoing telnet.
B-FTP-1:4   Allow outgoing passive ftp.
B-SMTP-1:4  1:2 - pass mail from internal hosts to bastion.
            3:4 - pass mail from bastion to mail server on internal
                  network.
B-HTTP-1:2  Allow connections from internal hosts to bastion-http-proxy.
B-DNS-1:6   Allow bastion-DNS-server and internal-DNS-server to
            communicate via UDP and TCP.
B-Def-1:2   Block everything else not specifically allowed above.
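A rule table like the ones above is easiest to sanity-check before it is typed into a router. The following is an added example, not code from the original post or from any Debian package: it encodes the packet filter A rows in a small first-match evaluator and runs constructed packets through it. The addresses (192.0.2.x for the perimeter and bastion, 10.0.0.x for the LAN, 198.51.100.7 as an outside host) are constructed stand-ins for the Intrn / Perim / Bast labels; the rule text itself is copied from the table.

```python
"""First-match evaluator for the packet filter A table from the post above.

Added example, not part of the original post. Addresses are constructed
stand-ins for the table's Intrn / Perim / Bast labels.
"""
from dataclasses import dataclass

# Constructed addresses; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
BASTION = "192.0.2.2"                                # bastion host on the perimeter net
PERIMETER = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}  # perimeter net, includes the bastion
INTERNAL = {"10.0.0.5", "10.0.0.6"}                  # internal LAN hosts

# Packet filter A as written in the post.
# Columns: rule Dirct Src Dest Pro Src-P Dst-P Ack Action
FILTER_A = """
Spf-1  In  Intrn Any   Any Any   Any   Any Deny
Spf-2  In  Perim Any   Any Any   Any   Any Deny
Tel-1  Out Intrn Any   TCP >1023 23    Any Permit
Tel-2  In  Any   Intrn TCP 23    >1023 Yes Permit
FTP-1  Out Intrn Any   TCP >1023 21    Any Permit
FTP-2  In  Any   Intrn TCP 21    >1023 Yes Permit
FTP-3  Out Intrn Any   TCP >1023 >1023 Any Permit
FTP-4  In  Any   Intrn TCP >1023 >1023 Yes Permit
SMTP-1 Out Bast  Any   TCP >1023 25    Any Permit
SMTP-2 In  Any   Bast  TCP 25    >1023 Yes Permit
SMTP-3 In  Any   Bast  TCP >1023 25    Any Permit
SMTP-4 Out Bast  Any   TCP 25    >1023 Yes Permit
HTTP-1 Out Bast  Any   TCP >1023 Any   Any Permit
HTTP-2 In  Any   Bast  TCP Any   >1023 Yes Permit
HTTP-3 In  Any   Bast  TCP >1023 80    Any Permit
HTTP-4 Out Bast  Any   TCP 80    >1023 Yes Permit
DNS-1  Out Bast  Any   UDP 53    53    *   Permit
DNS-2  In  Any   Bast  UDP 53    53    *   Permit
DNS-3  In  Any   Bast  UDP Any   53    *   Permit
DNS-4  Out Bast  Any   UDP 53    Any   *   Permit
DNS-5  Out Bast  Any   TCP >1023 53    Any Permit
DNS-6  In  Any   Bast  TCP 53    >1023 Yes Permit
DNS-7  In  Any   Bast  TCP >1023 53    Any Permit
DNS-8  Out Bast  Any   TCP 53    >1023 Yes Permit
Def-1  Out Any   Any   Any Any   Any   Any Deny
Def-2  In  Any   Any   Any Any   Any   Any Deny
"""


@dataclass
class Packet:
    direction: str    # "In" (arriving from the internet) or "Out" (leaving towards it)
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    sport: int
    dport: int
    ack: bool = False  # TCP ACK bit; meaningless for UDP


def parse_rules(table):
    """Split each table row into its nine columns, in table order."""
    return [tuple(line.split()) for line in table.strip().splitlines()]


def host_classes(addr):
    """The table labels an address satisfies; 'Any' matches every address."""
    classes = {"Any"}
    if addr == BASTION:
        classes.add("Bast")
    if addr in PERIMETER:      # the bastion sits on the perimeter net, so it is Perim too
        classes.add("Perim")
    if addr in INTERNAL:
        classes.add("Intrn")
    return classes


def port_matches(spec, port):
    if spec == "Any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def ack_matches(spec, pkt):
    if spec in ("Any", "*"):   # "*" marks UDP rows: there is no ACK bit to test
        return True
    return pkt.ack             # spec == "Yes": only established-looking TCP passes


def evaluate(pkt, rules=None):
    """Return (rule name, action) for the first row the packet matches."""
    for name, direction, src, dst, proto, sport, dport, ack, action in rules or parse_rules(FILTER_A):
        if (direction == pkt.direction
                and src in host_classes(pkt.src)
                and dst in host_classes(pkt.dst)
                and proto in ("Any", pkt.proto)
                and port_matches(sport, pkt.sport)
                and port_matches(dport, pkt.dport)
                and ack_matches(ack, pkt)):
            return name, action
    return "none", "Deny"      # unreachable while the Def-* rows are present


if __name__ == "__main__":
    outside = "198.51.100.7"   # constructed external host
    for pkt in (Packet("In", outside, "10.0.0.5", "TCP", 23, 34567, ack=True),
                Packet("In", outside, "10.0.0.5", "TCP", 4444, 23),
                Packet("In", "10.0.0.5", outside, "TCP", 1234, 80),
                Packet("In", outside, BASTION, "TCP", 40000, 25)):
        print(pkt, "->", evaluate(pkt))
```

Filter B has the same nine columns and can be fed to the same `parse_rules`/`evaluate` once `host_classes` also knows the M-Srv and D-Srv addresses. Running the outer table this way makes the breadth of each row visible: the PASV rows FTP-3/FTP-4 are the widest, since FTP-4 admits any inbound TCP segment with the ACK bit set between two ports above 1023, which is exactly the price of doing passive FTP with a stateless filter, and worth knowing before the table is deployed.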
Alternate:
Other architectures would of course be a single box or dual-homed host
solution, and I was wondering why we couldn't set up a Linux box with
three NICs, two as a bridge between the inet and your internal net and the
third to attach the bastion host to. This might be an intermediate
solution between my "overkill" and a dual-homed host. Although it would
decrease security in the sense that if the packet filter could be defeated
the hacker would have complete access to the internal network, on the other
hand it might be pretty hard to defeat a system that cares about nothing
but filtering/swapping packets between 3 NICs.....no other services...not
much there for them to attack. The more complicated stuff goes on the
bastion host. That brings us to just two systems, one of which might be
pretty light on RAM and disk. What do you guys think?
                                      bastion
                                    206.81.41.4
                                         |
                                         |
                                        hub
                                         |
                                         |
                                    206.81.41.3
internet - pipeline50-----206.81.41.2 packet filter 192.168.1.1 - LAN
           206.81.41.1
That's it!!!
Thanks Henry Hollenberg speed@barney.iamerica.net