Re: Building a bastion host using Debian.
On Sun, 22 Feb 1998, Henry Hollenberg wrote:
> On 22 Feb 1998, Christian Leutloff wrote:
> > Henry Hollenberg <speed@barney.iamerica.net> writes:
> > > Has anyone written up a howto for stripping down a Debian system for
> > > service as a bastion host?
> > A firewall out of the box - great!!!!
> A good start at one anyway.
There is no HOWTO, which could seriously be called a FW-HOWTO.
I like your concept very much, I am thinking about it since mid of 1997.
But, there's no time to do it ;-)
> If Debian folks felt like adding this information into an optional field
> in there excellent pkg descriptor database....then alot of the setup of a
> bastion host could be "automated". That is a partially stripped system
> could be an installation option and the "firewall builder" could go
> straight to work on setting up packet filters, and bastion services. Then
> when things look good, they could invoke a purge that resulted in a fully
> stripped system, removing the build tools.
My concept looked like a super-package, with conflicts for packages to
remove, and an override for the to be changed configuration files. I am
not familiar enough with the details of packaging system to be sure that
this is the right way to do it.
> > > Firewall Architecture = screened subnet:
> > You mean something like that:
> >
> > bastion
> > |
> > |
> > internet - paket filter A ----------- paket filter B - LAN
> >
> Exactly.
I would prefer a IMHO better configuration. Please make the bastion host
dual homed. You could be able to use kernel packet filters, an the
firewall modules. In addition this system does not need additional
routers, and you could use masquerading (aka NAT, Network Address
Translation).
> > The most difficult part is to make the setting of the filtering rules
> > foolproof. This configuration should be made with the framework COAS
> > provides.
I saw a (browser based) tool to do it at
http://www.fen.baynet.de/~ft114/FCT/firewall.htm
It's impressive, the developer has preconfigured rules for nearly all
services. He's missing real application proxies, but you should find
filtering rules nearly for all protocols. This tool is IMHO a very good
base to start with, and it should be ported to other management
platforms (e.g. COAS).
Another new feature I would to see in a firewall is the extension/rewrite
of kernel-fw-code and a replacement for ipfwadm. See the page at
http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
for informations about ipfw-chains.
Another functionality for a firewall is the support for crypted VPN's, and
the ability to support Mobile-IP.
I think the best way could be to start with a firewall base system, which
supports some topologies (like the proposed screened subnet and a dual
home single box system for the beginning). Based on this we could add
additional modules like
- VPN's,
- several functions like transparent proxies,
- remote, possibly centralized management and monitoring,
- accounting systems based on fw-logs
- user based authetication (S/Key or OPIE, other third party systems)
- virus checking
- blocking of unwanted contens, like SPAM or ActiveX/Java
and so on.
My main problem ist how this could be incorporated in the debian packaging
system. The changes (only if really needed) should be minimal, prefered
none.
Regards,
Hubert
------------------------------------------------------------------------------
Hubert Weikert DB1MQ Member of DARC (www.darc.de) and FITUG (www.fitug.de)
Email: weikert@cube.net weikert@compuserve.com http://www.cube.net/~weikert/
Book: Kryptographie mit dem Computer (PGP Praxis) ISBN 3-7905-1503-5 DM 19,80
Key = 21978C61 fingerprint = 99 38 A5 83 C8 76 F4 E1 A7 9C B9 70 9A A7 70 10
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
Reply to: