
Re: Building Debian firewall



> On Mon, 28 May 2001, Arne P. Boettger wrote:
> * Mounting as many partitions RO, including /etc, /usr etc.. and thus
> * Having two modes of boot,
>         maintenance mode - which lets you edit the files
>         production mode - which is used for actual run
> * Setting Append only attribute for /var/log
> * Having ssh xinetd syslog-ng etc configured instead of insecure
>   alternatives
> * Fully locking down the ports
> * Configured firewall and snort by default
> * Automatic log analysis and reporting on a secure web page. (so that any
> one with the username and password can look at the summary and details of
> the logs by visiting a page on the machine)
> * Removal (non installation) of all but very essential programs.
> * Use of encrypted protocols instead of plain text ones ie the daemons
> used should use encryption if the clients support them
> But I want to mount bare minimum of file systems RW. The /var/log can be
> made append only so that the logs can be appended only. The distribution
> should have only minimum of utilities that are required for the work in
> hand. The box is designed to work with minimal intervention.

I would suggest working on a CD-ROMable distribution, and to forget the idea
of modes on the production system.  An upgrade of utilities, and/or kernel
would be done by testing on a disk based system, and then burning the ISOs.
As many exploits depend on being able to alter the underlying filesystems in
sneaky ways, many security fixes would not actually need to be applied.  For
software that is less stable, and needs a way of patching it, you could use
a small program to exec the real copies on disk, based on a table stored on
RO floppy.  An update of unstable programs could be done by having 2
'patch' partitions, which are installed over the network mounted rw.  The
updated one would be remounted ro before use, and then a switch could be
made by swapping to a new floppy.

syslog supports logging over the network, so use that and log to a secure
system in a private network, rather than inherently modifiable local disk on
systems in the DMZ.

Obviously this idea is simpler for dedicated firewall/routing systems.  But
I believe it could be adapted to your secure web/DNS server idea.  You'd
need to separate out config files which may need to be changed; could you
remount them rw and ro just for updates, or perhaps again use the 'patch'
idea using a table?

The actual source for things like websites, and master zone files, should be
managed on a machine in the internal network, and then copied in using
rsync(1) with an ssh(1) pipe.  Thus any breakins or defacements, to the disk
areas that have to be rw can be wiped out easily.

Rob
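The two controls this thread keeps returning to, "mount as much as possible ro" and "make /var/log append only", are easy to set up and just as easy to lose after a maintenance boot or an upgrade. The script below is an added example, not from the original thread or from Debian; it audits a /proc/mounts style table against the list of mount points the design says must be read-only, and checks an lsattr(1) style listing for the 'a' (append-only) flag. Both sample tables are constructed inline so the script runs offline; the expected-RO list (/, /usr, /etc) and the log file names are assumptions taken from the discussion above, not from any real system.

```shell
#!/bin/sh
# Constructed /proc/mounts style sample (not captured from a real box).
# Fields: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext2 ro,errors=remount-ro 0 0
/dev/sda2 /usr ext2 ro 0 0
/dev/sda3 /etc ext2 rw 0 0
/dev/sda4 /var/log ext2 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0'

# Mount points the "production mode" design requires read-only (assumption).
EXPECTED_RO='/ /usr /etc'

# Constructed lsattr(1) style sample: "flags path", one file per line.
# Lowercase 'a' is the append-only attribute; uppercase 'A' (no atime) is not.
SAMPLE_LSATTR='-----a-------------- /var/log/messages
-----a-------------- /var/log/auth.log
-------------------- /var/log/daemon.log'

# check_ro_mounts MOUNTS_TABLE EXPECTED_RO
# Prints "<mountpoint> rw" for each expected-RO mount point that is mounted
# read-write, and "<mountpoint> missing" for one not mounted at all.
# Returns 0 when every expected mount point is read-only, 1 otherwise.
check_ro_mounts() {
    table=$1
    expected=$2
    rc=0
    for mp in $expected; do
        # Field 2 is the mount point, field 4 the comma-separated options.
        opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            printf '%s missing\n' "$mp"
            rc=1
            continue
        fi
        # Wrap in commas so "ro" matches only as a whole option, not as a
        # substring of something like "errors=remount-ro".
        case ",$opts," in
            *,ro,*) ;;
            *) printf '%s rw\n' "$mp"; rc=1 ;;
        esac
    done
    return $rc
}

# check_append_only LSATTR_OUTPUT
# Prints the path of every file whose flag string lacks 'a'.
# Returns 0 when all listed files are append-only, 1 otherwise.
check_append_only() {
    # awk regex matching is case-sensitive, so /a/ does not match 'A'.
    missing=$(printf '%s\n' "$1" | awk '$1 !~ /a/ { print $2 }')
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}
```

On a live system the same functions take real input, e.g. `check_ro_mounts "$(cat /proc/mounts)" "/ /usr /etc"` and `check_append_only "$(lsattr /var/log)"`; run from cron or at the end of the production boot, a non-zero exit is the signal that a maintenance-mode change was never reverted.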


