
Some work to do



Following the discussion in this list some thoughts popped up.

How about working groups for different parts of a firewall system?

There are several different firewall architectures with different
functionalities, starting with single-box systems with two or three network
interfaces and ending with high-end HA systems with several boxes for every
task (i.e. some for mail, some for proxies, some for ...).
All of these architecture types could implement different security
policies. Depending on this policy it could be a requirement to be able to
forward alarms, to run consistency checks on the systems, to have the
possibility to remotely manage these systems, or even to monitor the systems.

To my understanding a Debian-based firewall architecture could fit into
every level. The base is a stripped-down system with a minimum set of
programs. This is Henry's job, and he's doing it very well.

Besides this base system we have some things which must also be done:

- First, and IMHO most important:
  How could we describe the stripped-down system to the packaging system?
  Set-selections is not all we need, but it is a start. From some packages
  we need only some parts, and many configuration files must be changed.
  For the files we need something like
    a) 'install package xxx and remove some files afterwards'
  and
    b) 'if package1 and package2 and package3 are installed then
        install new configuration files'.
  a) is a new requirement, but could be done by some sort of postinstall.
  b) introduces a concept I call a 'superpackage'. It could be done by a
    package which must be installed as the last one. During installation
    this package installs the files, makes diversions and runs installation
    scripts. But how about the problem of being able to update the system
    with standard packages?

- Second: debianizing some of the tools which are presently not part of
  Debian. Things like FCT (Firewall Configuration Tool), ssyslog, smtpd
  (from Obtuse/Juniper), udprelay, pop3 gateways, logsurfer, ...
  (for URLs see the page http://www.weikert.de/debwall/)

- Third: Find or define/implement tools for application filtering, like
  SPAM defense, Java/ActiveX/JavaScript filtering (based on certificates),
  mail-header rewriting (e.g. build an MTA configuration for a multi
  DNS-domain firewall with different internal and external mail names),
  true split DNS (not a forwarding internal DNS through the firewall),
  checking for permission to use mail, a traffic accounting system (yes, we
  in Germany have this problem), user authentication and management, ...

- Next (yes, I can only count to three): How to handle kernel patches with
  the packaging system. Some needed patches could be IP firewalling chains
  or sf-firewall or some from 'Secure Linux'.

- Next, the second: Monitoring systems. This starts from simple
  ping monitors and goes up to automated watchdogs with take-over of
  function from failed systems to other systems, possibly transparent to
  the applications. Included are log analysis and alerting. This package is
  my favourite and I take it freely ;-)

- Intrusion detection: a wide field, one of the pointers to this is
  http://www.nfr.net. Also a favourite of mine, but the guys at NFR are
  doing pretty good work and have built a nice commercial system. But
  you could have the source code...

- Remote management. Not every firewall admin can sit the whole day and
  night in front of his box. This is only needed for some systems built in
  Redmond. A Debian box is the best base for a remotely managed firewall.
  We could use ssh, and tunnel some other applications (like cfengine or
  rsync) through it. Could such a thing be incorporated into the Debian
  management framework?
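Worked example, added here and not part of Hubert's post: a sketch of the 'superpackage' postinst check from point b) of the first item, as a POSIX shell script. So that it runs anywhere, it does not call dpkg-query or dpkg-divert; it parses a constructed file in the /var/lib/dpkg/status record format that is embedded in the script, and stands in for the diversion with a .distrib rename. The package names package1..package3, their status entries, and the app.conf file paths are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a "superpackage" postinst check.
# Precondition: package1, package2 and package3 must all be installed; only
# then are the superpackage's own configuration files put in place.

# Constructed stand-in for /var/lib/dpkg/status (same record format).
# package2 is deliberately only "config-files" (removed), so the check fails.
STATUS_FILE="${TMPDIR:-/tmp}/dpkg-status.$$"
cat > "$STATUS_FILE" <<'EOF'
Package: package1
Status: install ok installed
Version: 1.0-1

Package: package2
Status: deinstall ok config-files
Version: 2.1-3

Package: package3
Status: install ok installed
Version: 0.9-2
EOF

# pkg_installed NAME -> 0 if NAME is fully installed, 1 otherwise.
# On a real Debian box this would be: dpkg-query -W -f='${Status}' NAME
pkg_installed() {
    awk -v pkg="$1" '
        /^Package: / { cur = $2 }
        /^Status: /  { if (cur == pkg && $0 == "Status: install ok installed") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$STATUS_FILE"
}

# all_installed NAME... -> 0 only if every named package is installed.
all_installed() {
    for p in "$@"; do
        pkg_installed "$p" || return 1
    done
    return 0
}

# install_config SRC DST: keep the stock file aside, then install ours.
# A real postinst would run `dpkg-divert --add --rename DST` first, so an
# upgrade of the package owning DST cannot overwrite our file; the .distrib
# rename here stands in for that diversion so the example runs without dpkg.
install_config() {
    src="$1"; dst="$2"
    if [ -e "$dst" ] && [ ! -e "$dst.distrib" ]; then
        mv "$dst" "$dst.distrib"
    fi
    cp "$src" "$dst"
}

# superpackage_postinst SRC DST NAME... -> 0 if the config was installed,
# 2 if the package precondition is not met (stock config left untouched).
superpackage_postinst() {
    src="$1"; dst="$2"; shift 2
    if all_installed "$@"; then
        install_config "$src" "$dst"
        return 0
    fi
    return 2
}

# Demo on constructed files: first with package2 required (fails), then without.
DEMO="${TMPDIR:-/tmp}/superpkg.$$"; mkdir -p "$DEMO"
echo "stock setting" > "$DEMO/app.conf"          # file from the stock package
echo "firewall setting" > "$DEMO/app.conf.ours"  # shipped by the superpackage
if superpackage_postinst "$DEMO/app.conf.ours" "$DEMO/app.conf" package1 package2 package3; then
    echo "configuration installed"
else
    echo "precondition not met (package2 missing), stock configuration left in place"
fi
if superpackage_postinst "$DEMO/app.conf.ours" "$DEMO/app.conf" package1 package3; then
    echo "configuration installed, stock copy kept as app.conf.distrib"
fi
```

The point of the .distrib step is the one raised at the end of the first item: if the superpackage simply overwrote app.conf, the next upgrade of the package that owns it would silently put the stock file back. A diversion registers with dpkg that the file has been moved aside, so standard package updates keep working and our configuration survives them.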

There is no need to start with every package now. I only tried to
separate some of the functional requirements of a firewall system. If
somebody would like to coordinate or to work on one of the subjects, please
start with it on this list.

Thank you for your time,
Hubert


------------------------------------------------------------------------------
Hubert Weikert   DB1MQ   Member of DARC (www.darc.de) and FITUG (www.fitug.de)
Email: weikert@cube.net  weikert@compuserve.com  http://www.cube.net/~weikert/
Book: Kryptographie mit dem Computer (PGP Praxis) ISBN 3-7905-1503-5  DM 19,80
Key = 21978C61  fingerprint = 99 38 A5 83 C8 76 F4 E1  A7 9C B9 70 9A A7 70 10