Re: Firewall and Mailserver questions - suggestions wanted.
k .. i'll bite !!
On Wed, 6 Aug 2003, Bengt Thurée wrote:
> Hej Guys,
> I am in the process of designing/building up a new
> firewall and mailserver for my family's use, and yes
> I am a beginner on Debian and building my own network.
> But really looking forward to it. Will be lots of fun.
> I am thinking of getting two firewalls, and having a DMZ
> in between.
> (Internet -> Outerfirewall -> DMZ -> Innerfirewall -> local)
some pretty dmz pics
> Security: snort, acidlab, tripwire, logcheck, harden,
> bastille, iptables
hardening of the servers
> web server: apache
> miscellaneous: dns, ntp, seti
> security updates: cron-apt
> I would very much like to know what your recommendations are.
> 1) Is this a good setup? Or overkill? total maybe 10 persons
> to use mailserver in the beginning.
> 2) My thoughts are to have absolute minimum installed on the
> firewalls, especially the inner firewall.
minimum installed on the outer firewall -- that's what they
will attack first
no user logins on any fw or gw machines
> 3) On which computer should the squid, privoxy, and apt-proxy be
> running? On outerfirewall or on webserver? Or should I
> have a dedicated computer for this?
i'd put proxies on the inside fw
anything that requires user logins should be on an "insecure"
machine ... and secure machines disallow all logins except
ssh from certain ip# or console login-only is even better
> 4) Is there any idea of having a dedicated logserver?
put that on a machine by itself inside the fw ... no logins under any
circumstance .. just local root console login only
but then again, if all the dmz machines are forwarding log
messages to inside the lan ... it also defeats the purpose
of a secure inside lan and loghosts :-)
leaving the loghost on the dmz is okay but it too is susceptible
to break-ins and erasures of logs
> 5) Mail server and web server? Should this be in the same
> computer, or separate? More secure if they are in separate?
if you can afford it ( machines, space, power, maintenance ) ... keep
mail ... people/users need to send outgoing mail
web .. nobody needs to login except to send web updates
and even that can be 100% automated, no user login needed
check that the web server is secure ...
> 6) Should I have the security stuff also on the dmz area?
yes ... always ... pretend that the dmz is tightly secured
as your local LAN... if they break into your dmz... they
can certainly break into your local LAN too
you want the dmz to be your first wall of defense, and if they
get thru it... it's time to change your security policy
> 7) Is it recommended to configure cron-apt to run once a day,
> and only install the security updates?
test your security patches offline BEFORE applying them to your
production servers ...
- but most likely, it's not an issue
and might not matter if there is an accidental oops
once every once in a while ..
- apply updates as often as you like
- other security options
- if it's working ... leave it alone :-)
- how many times did you/i break stuff, in the name of
"prevention" and took the production server down by accident ...
( ie... we broke it... the [cr/h]acker didn't break it )
- apply all security patches to new boxes to be deployed asap
and let it be the guinea pig ...
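
The two host-access rules from the reply above (ssh only from certain IPs on secure machines, and a loghost that takes forwarded log messages but no network logins), written out as an added example that is not part of the original message. It assumes iptables-restore syntax and syslog over UDP port 514; the function names `is_ipv4` and `gen_ruleset` are hypothetical and the addresses are constructed documentation values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for one host role.
# All addresses used here are constructed (RFC 5737 documentation ranges).

# Succeed only for a dotted-quad IPv4 address, so nothing else reaches a rule.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ruleset ROLE IP...
#   secure  : the listed IPs may reach ssh (tcp/22); everything else is dropped
#   loghost : the listed IPs may send syslog (udp/514, assumed); no ssh at all,
#             which leaves console login as the only way in
gen_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: gen_ruleset secure|loghost IP..." >&2; return 2; }
    role=$1; shift
    case "$role" in
        secure)  proto=tcp; port=22 ;;
        loghost) proto=udp; port=514 ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 2; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -p $proto --dport $port -j ACCEPT"
    done
    # Log whatever is about to hit the DROP policy, then close the table.
    printf '%s\n' "-A INPUT -j LOG --log-prefix \"$role-drop: \"" 'COMMIT'
}

# Constructed sample: one admin workstation, two DMZ hosts forwarding logs.
gen_ruleset secure 192.0.2.10
gen_ruleset loghost 198.51.100.5 198.51.100.6
```

Piping the output into `iptables-restore --test` parses a ruleset without committing it. Each address allowed on the loghost is one more path through the inner firewall, which is the trade-off the reply points out.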