[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Firewall and Mailserver questions - suggestions wanted.

k .. i'll bite !!

On Wed, 6 Aug 2003, [iso-8859-1] Bengt Thurée wrote:

> Hash: SHA1
> Hej Guys,
> I am in the processes of designing/building up a new
> firewall and mailserver for my family's use, and yes
> I am a beginner on Debian and building my own network.
> But really looking forward to it. Will be lots of fun.
> I am thinking of getting two firewalls, and having a DMZ 
> in between.
> (Internet -> Outerfirewall -> DMZ -> Innerfirewall -> local)

some pretty dmz pics

> Security:			snort, acidlab, tripwire, logcheck, harden,
> 				bastille, iptables

hardening of the servers

> web server:			apache
> miscelaneous:		dns, ntp, seti
> security updates:		cron-apt
> I would very much like to know what your recommendations are.
> 1) Is this a good setup? Or overkill? total maybe 10 persons 
> 	to use mailserver in the beginning.

looks good 

> 2) My thoughts are to have absolute minimum installed on the
> 	firewalls, especially the inner firewall.

minimum installed on the outer firewall --  that's what they
will attack first

no user logins on any fw or gw machines
> 3) On which computer should the squid, privoxy, and apt-proxy be
> 	running? On outerfirewall or on webserver? Or should I 
> 	have a dedicated computer for this?

i'd put proxy's on the inside fw 

anything that requires user logins should be on an "insecure"
machine ... and secure machines disallow all logins except
ssh from certain ip# or console login-only is even better

> 4) Is there any idea of having a dedicated logserver?

yes ...

put that on a machine by itself inside the fw ... no logins under any
circumstance .. just local root console login only

but than again, if all the dmz machines are forwarding log
messages to inside the lan ... it also defeats the purpose 
of a secure inside lan and loghosts :-)

leaving the loghost on the dmz is okay but it too is susceptable
to break-ins  an erasures of logs

> 5) Mail server and web server? Should this be in the same
> 	computer, or separate? More secure if they are in separate?

if you can afford it ( machines, space, power, maintenance ) ... keep
it separate

mail ... people/users need to send outgoing mail 

web .. nobody needs to login except to send web updates
	and even that can be 100% automated, no user login needed

check that the web server is secure ...


> 6) Should I have the security stuff also on the dmz area?

yes ... always ... pretend that the dmz is tightly secured
as your local LAN... if they break into your dmz... they
can certainly break into your local LAN too

you want the dmz to be your first wall of defense, andif they
get thru it... it's time to change your security policy

> 7) Is it recommended to configure cron-apt to run once a day,
> 	and only install the security updates?

test your security patches offline BEFORE applying it to your
production servers ...
	- but most likely, its not an issue 
	and might not matter if there is an accidental oops
	once every once in a while .. 

	- apply updates as often as you like 

- other security options
	- if its working ... leave it alone :-)

	- how many times did you/i break stuff, in the name of
	"prevention" and took the production server down by accident ...
	( ie...  we broke it...  the [cr/h]acker didnt break it )

	- apply all security patches to new boxes to be deployed asap
	and let it be the guine pig ...

c ya

Reply to: