
Re: Firewall



On Thu, 23 Aug 2001, Manu Heirbaut wrote:

> What advantage would a 3-NIC setup have over a dual setup?
> I'm sorry if this is a dumb question, but I just started out on
> following these security issues because now I finally have DSL the
> need for security is not a luxury any more.
>
> --manu.

3-NIC allows you to maintain a (physically) separate subnet for (1)
your trusted internal network, (2) your exposed servers (generally called
a DMZ), and (3) finally the rest of the world.

Logically separate network segments are acceptable / useful in some cases
(as illustrated in an earlier post), but don't provide the same level of
security as a truly subdivided network. If one of your machines is
'rooted', the attacker can forge raw packets (or simply alias a new
address), making the logical "separation" fairly meaningless in terms of
security.

If you're on a cable network, a "one-armed" setup still allows the
injection of nasty packets into your network: a cable network (or at least
your segment of it) looks like a switched ethernet segment -- it even uses
ARP, and unless your cable modem does ingress filtering (doubtful, but I
haven't tested mine - I'm away at school) it should be possible to inject
nasty things into your network (aimed at addresses you thought were private).

Whether this actually works depends on the exact settings of the cable modem -
bridging mode vs. routing mode, its route table, etc.

So, even if you are not worried about attacks from your neighbors (heh),
you should keep in mind: do you trust your security to their security?
(mmmm. Code Red, IIS, etc -- I wouldn't ;-)

This may also apply to DSL - I don't know as much about the specifics
but I remember reading somewhere that some providers did similar things.

I recommend following bugtraq (or at least skimming it); I've found it to
be a wonderful security resource. You should probably read the various
firewalling/security HOWTOs (and other more generic resources): they can
provide a greater amount of information than the list, then follow up here
if you are confused on an issue -- hopefully someone will be able to help
you out.

My initial suggestion (without knowing your needs):
One firewall machine - 2 NICs. (486, P1)
- one NIC -> DSL modem
- one NIC -> to an internal hub/switch

* Remove all running services
* run sshd bound to the internal NIC. (or just do your maintenance from the
console.)
* do ipmasq for your internal network
* portforward any services you want exposed (they will look like they are
running on the firewall machine, but are passed through to an internal
machine). Keep that service patched well. (If it gets compromised, your
whole network is.)
* if you are feeling fancy - run SNORT on the firewall box, and watch all
the interesting packets fly past
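An added example, not part of Adam's mail, showing the 2-NIC layout above as iptables rules for a Linux 2.4-style kernel: masquerading for the internal net, sshd reachable only via the internal NIC, one port-forwarded web server, and anti-spoofing drops for the injected "private address" packets he describes. Interface names eth0/eth1, the 192.168.1.0/24 subnet and the internal web host 192.168.1.10 are assumptions.

```shell
#!/bin/sh
# Assumed names/addresses (not from the original mail):
EXT_IF=eth0               # NIC -> DSL modem
INT_IF=eth1               # NIC -> internal hub/switch
INT_NET=192.168.1.0/24    # private internal subnet
WEB_HOST=192.168.1.10     # internal box whose port 80 is exposed

# Print the rule set; pipe into sh as root with --apply to load it.
firewall_rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Anti-spoofing first: packets on the external NIC claiming an internal source
iptables -A INPUT   -i $EXT_IF -s $INT_NET -j DROP
iptables -A FORWARD -i $EXT_IF -s $INT_NET -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# sshd only reachable from the internal side
iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -j ACCEPT
# Internal net out to the world, replies back (ipmasq)
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
# Port-forward: outside sees port 80 on the firewall, traffic lands on WEB_HOST
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB_HOST --dport 80 -j ACCEPT
EOF
}

# Sanity check on the generated policy: returns 0 if every chain defaults to DROP
# except OUTPUT and the spoof drops come before any ACCEPT.
check_rules() {
  rules=$(firewall_rules)
  echo "$rules" | grep -q '^iptables -P INPUT DROP$'   || return 1
  echo "$rules" | grep -q '^iptables -P FORWARD DROP$' || return 1
  first_accept=$(echo "$rules" | grep -n -- '-j ACCEPT' | head -1 | cut -d: -f1)
  last_spoof=$(echo "$rules"   | grep -n -- "-s $INT_NET -j DROP" | tail -1 | cut -d: -f1)
  [ "$last_spoof" -lt "$first_accept" ]
}

if [ "$1" = "--apply" ]; then
  firewall_rules | sh
fi
```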

I'm sure wiser folks than I will have corrections and other suggestions.

-- Adam Lydick


