Re: bastion

To: Christoph Lameter <christoph@lameter.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: bastion
From: Henry Hollenberg <speed@barney.iamerica.net>
Date: Wed, 4 Mar 1998 11:32:17 -0600 (CST)
Message-id: <[🔎] Pine.LNX.3.95.980304110717.1682N-100000@barney.iamerica.net>
In-reply-to: <[🔎] Pine.LNX.3.96.980304085346.9752A-100000@lameter.com>

	Henry Hollenberg     speed@barney.iamerica.net 

On Wed, 4 Mar 1998, Christoph Lameter wrote:

> I just looked through the original concept.
> 
> Thoughts.
> 
> 1. There is no way someone can break into a debian system given you
> configure it right. 

I'm sure you are correct.....with the present day known forms of attack.

However, who knows what is coming down the road.  In that sense It bcomes
a useful exercise to go over even a well thought out system very carefully
from top to bottom.  Not only does it help to catch those little gotchas
that tend to slip your mind.....but it also aids tremendously in learning
your system.  I have not found any documentation that goes thru a
distribution top to bottom securing it....that's what this exercise is
about.

Once the steps are thought thru and documented perhaps we can automate!

It sounds as if you are balking at the three machine setup and feel two
machines are enough....one packet filter and one bastion....am I correct
in this assumption?

I have proposed such and it's been discussed a bit between:

Hubert Weikert <weikert@muninn.cube.net>, Bernd Eckenfels
<ecki@lina.inka.de>, Michael Meskes <meskes@topsystem.de> and  
leutloff@sundancer.oche.de

before the list was formed but seems to be on the back burner for a little
while.  I guess I'm intrested in going for the most secure setup first and
then working into less secure variants for my own selfish reasons, I want 
to get mine done, or started at least.  I've been trying to follow the
guidelines set down in the O'reilly Firewall book.  They call this defense
in depth....ie the hacker has to succesfully penetrate multiple layeres to
gain access to your internal network......they have to get thru the
external packet filter then attack the bastion host, or perhaps gain a
shell on the external packet filter and attack the internal packet filter
from there.

I'd love to simplify the setup when it can be done without a loss in
security.....it will give me one of my machines back!  So, i'm very
intrested in setting up a linux system to be a 3 ported router as the
O'reilly book describes on page 73 Fig. 4-7.  Building Internet Firewalls
Chapman and Zwicky.

 > 2. The use of Linux should be as an advanced firewall.

Exactly.

> Thus you can protect your legacy systems. You need to have lots of tools
> on the "bastion" in order to do effective packet filtering, logging of
> violations etc.

Which ones do you consider essential that are missing?

--
E-mail the word "unsubscribe" to debian-firewall-request@lists.debian.org
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble?  e-mail to listmaster@debian.org .

Reply to:

References:
- bastion
  - From: Christoph Lameter <christoph@lameter.com>

Prev by Date: bastion
Next by Date: Re: ?-able packages for a firewall.
Previous by thread: bastion
Next by thread: Last call on ? able _nec-build_ packages
Index(es):
- Date
- Thread