Re: Debian Full Distro v Debian 'Stripped Down' for firewall?
On Mon, 17 Jan 2005, Dave Ewart wrote:
> I'm planning on building a firewall for three or four subnets. I'd like
> to use Debian because I 'know' it, but am curious to know other people's
> opinions on the following:

I use Debian for firewalls all the time.

> In this situation, would you use a largely-unaltered stock Debian
> installation (e.g. Woody) or would you make drastic changes to it? At
> the moment, my plan is:

Nothing you suggest below counts as varying from stock Debian IMHO but let
me make a suggestion...

> 1. Install Debian (probably Woody);

When I install anything except a very full featured box I avoid tasksel
and dselect during the install and only apt-get those components I want
when the system is up. I know others do the same.

> 2. 'apt-get remove' anything which is installed by default that I know I
> don't need;

If you've avoided tasksel & dselect as suggested above there is no need to
apt-get remove anything. Just apt-get install those components you want.
The system ends up very lean. The use of "deborphan -a" periodically is
good also. Evaluate each of those packages and determine if it is needed.

> 3. Check for all externally-listening services and remove them, with the
> exception of SSH;

Or don't install them in the first place :) Review inetd.conf and comment
out any unneeded services, including echo, chargen, discard, daytime and
time unless you know you need them (for testing or whatever).

> 4. Configure the firewall as a 'forwarding' firewall, so that it doesn't
> actually listen for any services of its own, with the exception of SSH
> from a single IP on the 'GREEN' interface.

Best practice has it that no services are run on the firewall (except ssh)
to avoid someone being able to get in behind the firewall and bring it
down. Do compare this though to the security of letting someone _through_
the firewall. If you are letting people into your internal network it is
just as bad unfortunately. A DMZ is needed for decent security but that
may not be viable in a home setup. Security is about assessing risk vs
the effort you want to go to (or can afford).

> Possible additional measures:
>
> 5. Fine-tune kernel for routing and firewall behaviour;

You're unlikely to stress the box enough to warrant it IMHO. Firewalling
is packet evaluation and passing. If you are loading the box so much that
you need to fine-tune it then getting a bigger box is a good plan.

This is of course different from fine-tuning a box with interactive users.
They may notice performance differences long before the box is maxed out.

There are compile time options that affect routing and the use of those is
good if you know the box will be mostly routing. Also, I recommend
compiling in advanced routing features even if you don't intend to use
them. You'll thank yourself one day if you decide to start using those
features.

> 6. Allow firewall to use UDP on port 514 outgoing, to send syslogs to a
> host on the GREEN network for logging.

I wouldn't send syslog information outside the network unencrypted if I
had a choice. There are ways to encrypt the data once it leaves the
network.
Rob
--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073 Email: rbrockway@opentrend.net http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (www.spi-inc.org)
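Added example, not part of Rob's reply or of Debian: a small audit script for steps 2 to 4 of the plan above. It reads an inetd.conf and a saved `netstat -tulnp` listing (the Woody-era format; `ss -tulnp` lays its columns out differently) and reports enabled inetd entries, with the echo/chargen/discard/daytime/time services called out, and every listening socket whose owner is not sshd. The sample inputs are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: audit a firewall host for services it
# should not be offering (steps 2-4 above). Both checks read from files so
# they can be run offline against the constructed samples at the bottom.

# Print the service name of every enabled (non-comment, non-blank) line.
# Debian's update-inetd disables entries with a leading "#<off># ", so a
# comment test catches those too.
enabled_inetd_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'
}

# Subset of the above that the post recommends commenting out.
trivial_inetd_services() {
    enabled_inetd_services "$1" | grep -Ex 'echo|chargen|discard|daytime|time' || true
}

# Print "proto local-address program" for every listener except sshd,
# from saved `netstat -tulnp` output.
non_ssh_listeners() {
    awk '
        # TCP sockets count only in LISTEN state; every bound UDP socket
        # counts. netstat prints no State column for UDP, so the last field
        # is the PID/Program column in both cases.
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            prog = $NF
            sub("^[^/]*/", "", prog)      # "412/sshd" -> "sshd"
            if (prog != "sshd") print $1, $4, prog
        }' "$1"
}

# Run both checks; exit status 1 if anything was found, so it can run from cron.
audit_host() {
    rc=0
    t=$(trivial_inetd_services "$1")
    if [ -n "$t" ]; then
        echo "inetd: trivial services still enabled:" $t
        rc=1
    fi
    l=$(non_ssh_listeners "$2")
    if [ -n "$l" ]; then
        echo "listeners other than sshd:"
        echo "$l" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
#:INTERNAL: Internal services
#echo      stream  tcp  nowait  root  internal
discard    stream  tcp  nowait  root  internal
daytime    stream  tcp  nowait  root  internal
#:STANDARD: These are standard services.
ftp        stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF
    cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      298/portmap
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN      355/inetd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           331/syslogd
EOF
    cat > "$1/inetd-clean.conf" <<'EOF'
#echo      stream  tcp  nowait  root  internal
#discard   stream  tcp  nowait  root  internal
EOF
    cat > "$1/netstat-clean.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      412/sshd
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
echo "== constructed noisy host =="
audit_host "$demo/inetd.conf" "$demo/netstat.txt" || echo "-> needs attention"
echo "== constructed clean host =="
audit_host "$demo/inetd-clean.conf" "$demo/netstat-clean.txt" && echo "-> clean"
rm -rf "$demo"
```

On a real box, replace the constructed files with `/etc/inetd.conf` and the output of `netstat -tulnp` run as root (without root the Program column shows `-` and the sshd exclusion cannot work). The netstat check sees only the services that are actually bound; the inetd.conf check catches the ones that would appear the moment inetd is restarted.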
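Added example, not from the thread or from any Debian package: an iptables-restore ruleset that implements steps 4 and 6 as stated above, that is, a forwarding firewall that itself accepts nothing but ssh from one admin address on the GREEN interface, may send syslog to a loghost on GREEN over UDP/514 outbound, and forwards between the attached subnets only according to an explicit list. The interface names, addresses and subnets are assumptions for the example; `-m state` is the 2.4-kernel match available on Woody (newer systems also take `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not from the thread: ruleset for the forwarding firewall of
# steps 4 and 6. All interface names, addresses and subnets are assumed.

RED_IF=eth0                 # upstream, untrusted
GREEN_IF=eth1               # trusted LAN: admin workstation and loghost live here
ORANGE_IF=eth2              # a second internal subnet (servers, say)
GREEN_NET=192.168.1.0/24
ORANGE_NET=192.168.2.0/24
ADMIN_IP=192.168.1.10       # the single IP allowed to ssh to the firewall
LOGHOST_IP=192.168.1.20     # syslog receiver on GREEN

# Emit the ruleset in iptables-restore format (default-deny on all chains).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Local tools need loopback.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Anti-spoofing: internal source addresses never legitimately arrive on RED.
-A INPUT -i $RED_IF -s $GREEN_NET -j DROP
-A INPUT -i $RED_IF -s $ORANGE_NET -j DROP
-A FORWARD -i $RED_IF -s $GREEN_NET -j DROP
-A FORWARD -i $RED_IF -s $ORANGE_NET -j DROP
# Replies to connections the firewall accepted, opened itself, or forwarded.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Step 4: the one service the box offers, ssh, only from the admin host on GREEN.
-A INPUT -i $GREEN_IF -s $ADMIN_IP -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Step 6: remote syslog to the loghost on GREEN. Nothing else leaves the box;
# add explicit rules (or use the console) when you need apt or DNS from it.
-A OUTPUT -o $GREEN_IF -d $LOGHOST_IP -p udp --dport 514 -j ACCEPT
# Forwarding policy: both internal subnets may open connections outward,
# GREEN may reach web servers on ORANGE, nothing else crosses.
-A FORWARD -i $GREEN_IF -o $RED_IF -s $GREEN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $ORANGE_IF -o $RED_IF -s $ORANGE_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $GREEN_IF -o $ORANGE_IF -s $GREEN_NET -d $ORANGE_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Log what falls through (rate-limited so a flood cannot fill the disk);
# the chain policy then drops it.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
EOF
}

# Load the ruleset atomically and turn on forwarding; needs root.
apply_ruleset() {
    gen_ruleset | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Kernel-side anti-spoofing: drop packets whose source is not routable
    # back out the interface they arrived on.
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       gen_ruleset ;;      # dry run: print what would be loaded
esac
```

Run it without arguments to review the ruleset, then `--apply` as root. Because `iptables-restore` loads the whole table in one step, there is no window in which a half-built ruleset is live, and a typo fails the load rather than leaving a partial policy. The ruleset only permits the syslog packets; they still travel in clear text, which is the caveat Rob raises about shipping logs unencrypted.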