
Re: Building a bastion host using Debian.




On 22 Feb 1998, Christian Leutloff wrote:

> Henry Hollenberg <speed@barney.iamerica.net> writes:
> 
> > Has anyone written up a howto for stripping down a Debian system for
> > service as a bastion host?
> 
> A firewall out of the box - great!!!!

A good start at one anyway.

> 
> > I have been fiddling with this for awhile and have developed a list of
> > packages that I think are needed. 
> 
> Why don't you mount the files needed for maintenance temporarily from a
> machine that can be destroyed or is normally not connected to the net.
> 
> IMHO there's no need for programs to build packages on the
> bastion. That can be done elsewhere.

I'm running out of machines!  Seriously, to date most of my experience
with Linux has been with Caldera....but I thought using Debian would be
more appropriate for a firewall.  So I only have "one" Debian machine
available at a time, although I should end up with at least two, making
up the bastion and inner packet filter of the firewall.  Therefore, I was
hoping to come up with a "method" that could be used "in place", that is
a method that would rely on as little outside help as possible, for
people/companies like myself with limited resources.  So, one machine, one
install per firewall "segment" with steps that lead to a complete
bastion.  Thought this info could be passed on to the Firewall
Howto and help folks get set up as painlessly as possible too.  Of
course whatever forum felt appropriate is fine with me.

If Debian folks felt like adding this information into an optional field
in their excellent pkg descriptor database....then a lot of the setup of a
bastion host could be "automated".  That is a partially stripped system
could be an installation option and the "firewall builder" could go
straight to work on setting up packet filters, and bastion services.  Then
when things look good, they could invoke a purge that resulted in a fully
stripped system, removing the build tools.

The only thing left would be giving the startup files and inetd.conf a
going over....and possibly removing a few binaries.  Tips for these few
remaining tasks could of course be developed...with the obligatory
disclaimers.  With only a little effort a maintainer ought to be able
to easily keep this info up to date for Debian....and this would be a
great service to the Linux and internet community.  Sure would've saved me
a lot of time, and I've had inquiries from others looking for the same
info.

> 
> 
> > Firewall Architecture = screened subnet:
> > 
> > -inet
> > 
> > -outer router (pipeline 50 running secure access software for flexible IP
> > filters)
> > 
> > -perimeter net with bastion host as above (I guess I'll need to subnet my
> > class C in half to make the IP filter rules work for the three networks.
> > 
> > - inner router (another stripped down bastion host Debian linux machine)
> > 
> > - inner network - my hosts and internal mail hub/DNS.
> 
> You mean something like that:
> 
>                             bastion
>                                |
>                                |
> internet - packet filter A ----------- packet filter B - LAN
> 
> packet filter A - outer router
> packet filter B - inner router

Exactly.

> 
> 
> > Plan on allowing these services to start with: DNS, mail, news, outgoing
> > ftp and telnet and http, No incoming telnet or ftp for now.
> 
> Why don't you put an ftp-only machine before the outer router or
> parallel to the bastion!? Use the same machine for WWW.

I had read in the O'Reilly firewall book, that if you could make passive
mode ftp work in your environment that that was a solid solution in a
security sense....and by the same token outgoing telnet was OK also.

> 
> > HTTP: APACHE http server and cache server running on the bastion host.
> 
> IMHO squid is the better proxy for HTTP ...

I've had that suggestion from several folks, I'll take a look at it.

> 
> > That's it!!!
> 
> sounds good.
> 
> I'm missing ssh to be able to login to the machines safely. rlogin and
> telnet should be disabled.

I was planning on commenting everything out of /etc/inetd.conf except
smtp, time, daytime and discard.

> 
> 
> The most difficult part is to make the setting of the filtering rules
> foolproof. This configuration should be made with the framework COAS
> provides.

I have modified the rules out of the O'Reilly firewall book.  They seem
to be fairly comprehensive and well thought out.  Do you have a pointer 
to the COAS firewall rules, I'd like to check them out too.

Thanks for the input.

Henry Hollenberg
speed@barney.iamerica.net
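The inetd.conf pruning Henry describes above (everything commented out except smtp, time, daytime and discard) is mechanical enough to script. The following is an added example written for this page, not code from the original post or from Debian; it runs over a constructed sample inetd.conf in the layout Debian used at the time, comments out every active line whose service name is not on an allowlist, and reports which services remain. Lines are commented out rather than deleted so the result can be reviewed with diff before it is installed; the "name/proto" form is how RPC entries appear and is handled by stripping everything after the slash. The pid-file path in the trailing comment is the conventional one and should be checked on the target host.

```shell
#!/bin/sh
# Comment out every active service in an inetd.conf except an allowlist.
# Example code added to this thread; not from the original post or Debian.

# Constructed sample in the Debian inetd.conf layout of the time (not a real
# host's file); the "name/proto" form on the last line is how RPC services appear.
INETD_SAMPLE='# /etc/inetd.conf:  see inetd(8) for further informations.
#:INTERNAL: Internal services
echo            stream  tcp     nowait  root    internal
discard         stream  tcp     nowait  root    internal
daytime         stream  tcp     nowait  root    internal
time            stream  tcp     nowait  root    internal
#:STANDARD: These are standard services.
ftp             stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet          stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
#:MAIL: Mail, news and uucp services.
smtp            stream  tcp     nowait  mail    /usr/sbin/exim  exim -bs
#:BSD: Shell, login, exec and talk are BSD protocols.
shell           stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
login           stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
finger          stream  tcp     nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
#:RPC: Sun-RPC based services.
rstatd/1-3      dgram   rpc/udp wait    root    /usr/sbin/tcpd  /usr/sbin/rpc.rstatd
'

# strip_inetd IN OUT "svc svc ..."
# Writes OUT: comments and blank lines unchanged, allowed services unchanged,
# every other active line prefixed with "#" so the change is reviewable with diff.
strip_inetd() {
    awk -v keep="$3" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            svc = $1; sub(/\/.*/, "", svc)      # "rstatd/1-3" -> "rstatd"
            if (svc in allow) print; else print "#" $0
        }' "$1" > "$2"
}

# active_services FILE: space-separated names of services still enabled, in file order.
active_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { svc = $1; sub(/\/.*/, "", svc); printf "%s%s", sep, svc; sep = " " }
        END { print "" }' "$1"
}

# Demonstration on the constructed sample, using the allowlist from the post.
demo_dir=$(mktemp -d)
printf '%s' "$INETD_SAMPLE" > "$demo_dir/inetd.conf"
strip_inetd "$demo_dir/inetd.conf" "$demo_dir/inetd.conf.new" "smtp time daytime discard"
echo "still active: $(active_services "$demo_dir/inetd.conf.new")"
rm -rf "$demo_dir"

# On a real host (as root, with a backup of /etc/inetd.conf taken first):
#   strip_inetd /etc/inetd.conf /etc/inetd.conf.new "smtp time daytime discard"
#   diff /etc/inetd.conf /etc/inetd.conf.new      # review before installing
#   mv /etc/inetd.conf.new /etc/inetd.conf && kill -HUP "$(cat /var/run/inetd.pid)"
```

After the HUP, `netstat -an` (or a port scan from a second machine on the perimeter net) is the check that the listeners actually went away; inetd only re-reads its configuration on SIGHUP or restart, so an edited file alone changes nothing until then.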



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

