
Re: Debian Full Distro v Debian 'Stripped Down' for firewall?



On Mon, 17 Jan 2005, Dave Ewart wrote:

> I'm planning on building a firewall for three or four subnets.  I'd like
> to use Debian because I 'know' it, but am curious to know other people's
> opinions on the following:

I use Debian for firewalls all the time.

> In this situation, would you use a largely-unaltered stock Debian
> installation (e.g. Woody) or would you make drastic changes to it?  At
> the moment, my plan is:

Nothing you suggest below counts as varying from stock Debian IMHO but let me make a suggestion...

> 1. Install Debian (probably Woody);

When I install anything except a very full featured box I avoid tasksel and dselect during the install and only apt-get those components I want when the system is up. I know others do the same.

> 2. 'apt-get remove' anything which is installed by default that I know I
> don't need;

If you've avoided tasksel & dselect as suggested above there is no need to apt-get remove anything. Just apt-get install those components you want.

The system ends up very lean. The use of "deborphan -a" periodically is good also. Evaluate each of those packages and determine if it is needed.

> 3. Check for all externally-listening services and remove them, with the
> exception of SSH;

Or don't install them in the first place :) Review inetd.conf and comment out any unneeded services, including echo, chargen, discard, daytime and time unless you know you need them (for testing or whatever).

> 4. Configure the firewall as a 'forwarding' firewall, so that it doesn't
> actually listen for any services of its own, with the exception of SSH
> from a single IP on the 'GREEN' interface.

Best practice has it that no services are run on the firewall (except ssh) to avoid someone being able to get in behind the firewall and bring it down. Do compare this though to the security of letting someone _through_ the firewall. If you are letting people into your internal network it is just as bad unfortunately. A DMZ is needed for decent security but that may not be viable in a home setup. Security is about assessing risk vs the effort you want to go to (or can afford).

> Possible additional measures:

> 5. Fine-tune kernel for routing and firewall behaviour;

You're unlikely to stress the box enough to warrant it IMHO. Firewalling is packet evaluation and passing. If you are loading the box so much that you need to fine-tune it then getting a bigger box is a good plan.

This is of course different from fine-tuning a box with interactive users. They may notice performance differences long before the box is maxed out.

There are compile time options that affect routing and the use of those is good if you know the box will be mostly routing. Also, I recommend compiling in advanced routing features even if you don't intend to use them. You'll thank yourself one day if you decide to start using those features.

> 6. Allow firewall to use UDP on port 514 outgoing, to send syslogs to a
> host on the GREEN network for logging.

I wouldn't send syslog information outside the network unencrypted if I had a choice. There are ways to encrypt the data once it leaves the network.

Rob

--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073 Email: rbrockway@opentrend.net http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (www.spi-inc.org)
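As an added example (not from Rob's or Dave's message), a POSIX sh audit for step 3: it parses an inetd.conf, reports which of the small services Rob names (echo, chargen, discard, daytime, time) are still enabled, and emits a copy with those lines commented out. The sample inetd.conf below is constructed; feed the functions /etc/inetd.conf to use them on a real box.

```shell
#!/bin/sh
# Audit inetd.conf for the legacy "small services" and produce a hardened copy.
# Example code added to this thread, not from any poster or from Debian.

# Constructed sample in the Woody-era inetd.conf layout (not a real system's file).
SAMPLE_INETD='#:INTERNAL: Internal services
#echo       stream  tcp nowait  root    internal
echo        dgram   udp wait    root    internal
chargen     stream  tcp nowait  root    internal
discard     stream  tcp nowait  root    internal
daytime     stream  tcp nowait  root    internal
time        stream  tcp nowait  root    internal
#:STANDARD: These are standard services.
ftp         stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
#shell      stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd'

# Read inetd.conf on stdin; print each still-enabled small service once.
# Lines that are blank or already commented out (leading #) are ignored.
enabled_small_services() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 ~ /^(echo|chargen|discard|daytime|time)$/ { print $1 }
    ' | sort -u
}

# Read inetd.conf on stdin; write it back out with every active
# small-service line commented out and all other lines unchanged.
disable_small_services() {
    awk '
        /^[[:space:]]*#/ { print; next }
        $1 ~ /^(echo|chargen|discard|daytime|time)$/ { print "#" $0; next }
        { print }
    '
}

# Usage: report on the sample, then show the hardened result.
echo "Small services still enabled:"
printf '%s\n' "$SAMPLE_INETD" | enabled_small_services
echo "Hardened inetd.conf:"
printf '%s\n' "$SAMPLE_INETD" | disable_small_services
```

Write the hardened output to a new file, diff it against the original, then install it and signal inetd to reread its configuration.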


