
How do you Configure a Secure DSL Network?

MorganGoeller asks: "I have an old Pentium 200 w/128 MB of RAM that just got a new 6.4 GB disk, but doesn't have anything on it. I would like to set the new machine with RH 6.1 for either: a standalone file/network backup/pop/nntp/web server (mostly for internal use); a firewall/proxy server; or both. However, I am an intermediate Linux user and am not sure where to begin." Anyone with some helpful hints or starting tips? Click below for the details.

"I have a home network consisting of 1 linux box (RH 5.2, too chicken to upgrade as I can't have it go down for an extended period); 1 win 98 box (for my wife to use AOL and MS-Office, don't ask) connected to the internet through a persistent 640K DSL connection through US West. I am concerned that my network may be at risk and would be willing (but not excited) to spend some time securing the system if necessary.

My questions:

1. With DSL and DHCP going through USWest's gateway is my system reasonably secure?
2. What is the difference between a firewall and a proxy server? What is the best one to use considering all network data MUST come through my DSL modem before any processing can be done?
3. Is it a bad idea to put other features (file server, etc.) on a system that is a firewall and/or proxy server?
4. How difficult is it to set up a firewall and/or proxy server? I rather like having the mail/news server on my linux box and don't want to give it up (particularly) but I don't often log in from outside the network ...
5. What kind of configuration would you use for this situation? Keep in mind that my wife needs her Win98 machine for work and I need at least one linux box for me (for email, shell scripting, running Matlab, Maple, g++, PERL, Web Programming, etc.)

Thanks,

Morgan"

  • The more features in the firewall the more dangerous it is. Look at things like the Linux Router Project [linuxrouter.org], dig an old 386/486 out of the trash, and put three cheap NICs in it. You don't need hot stuff to keep up with less than 1Mbps/second.

    Configure the firewall with no services, one NIC for the Internet, one NIC for your DMZ where your Internet-visible servers is, and one NIC for your local LAN with your IP-Masqueraded access.

    1. Well.. you don't really have a choice. You have to get your DHCP from USWest, no two ways about it. As far as security, the only thing anyone could gain by messing with DHCP transmissions to and from your computer is a useless denial-of-service attack. Nothing to worry about there. DSL in general is as secure as any other internet connection - it's less secure than a dialup line just because you're not connected all the time, but it's not much different than T1 or any other full-time connections in that regard.
    2. A firewall inspects every packet that it is instructed to and does any one of a number of things to it - drop the packet, permit it, etc. From this basic functionality you can set up security on your box such that certain ports / IPs are allowed to talk to it and others aren't. That's a gross oversimplification. You should check the Firewall-HOWTO that's available all over.

      A proxy server simply listens for requests from services (usually web) and goes out and does all the work. For example, Squid, a web proxy server, listens for web requests and then accesses the pages and sends them back to the computer that asked for them. The benefits of this are speed - Squid will remember what pages it's asked to retrieve most frequently, and save local copies of those so it can send them right off the hard drive instead of downloading them when it's asked.

      You should note that firewalls and proxies aren't mutually exclusive. Lots of people, myself included, run a firewall to keep the baddies out, and a proxy server to speed things up a bit.
    3. Lots of people here will say yes. Just think of it this way: it's a bad idea to run any service that you don't need. Redhat 5.2, for example, ships with the mail, web, ftp, samba, nfs, rpc, finger, telnet, etc. servers all enabled. This is pointless; you probably don't need every single one of them (although some people do). Aside from taking up memory and CPU time, all these things you now have running have possible security holes in them. It's not a linear scale, but disabling half your services would probably cut your chance of being hacked in half, so to speak. One word of advice to you would be to use encrypted sessions for whatever services you do decide to use. Telnet, for example, is just a glorified TCP/IP session, and is plainly readable to anyone that has the means to. Thus, if you're telnetting to your house across the internet, anyone can read your name, password, address, phone number - whatever you're typing in. Definitely I would use SSH [www.ssh.fi] and also stunnel [daewoo.com.pl] for IMAP/POP across the internet. Your box is as secure as you make it - spend a lot of time upgrading to squash bugs, disabling unneeded processes, and using common sense, and you'll make your foes' jobs a lot harder.
    4. Firewalls are not incredibly hard. It took me about two days of playing with IPCHAINS (the firewall program) and reading the HOWTOS to become proficient. Squid (proxy server), on Redhat, works pretty much out of the box. Only three or four lines to the Squid configuration file to get it up and running. Remember that you can run other services on your firewall/proxy - mail, news, whatever. I run tons on mine.
    5. Well, I'm using your configuration. RH 5.2 (too lazy to upgrade, as well) masquerading/firewalling/proxying six Windows 98 boxes, an iMac, and a powerbook. It's worked like a charm for months. I've never, once, had Linux crash. I'm far more worried about my 6 year old hard drive giving out at the moment than I am about the server going down. Good luck!



    --
    "Some people say that I proved if you get a C average, you can end up being successful in life."
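The three-NIC layout in the comment above (Internet, DMZ, masqueraded LAN) expressed as an ipchains ruleset. This is an added example, not code from the thread or from the Linux Router Project; the interface names, the private address ranges, the DMZ mail/news host 192.168.2.10 and the choice to forward only SMTP and NNTP inward are assumptions. DRY_RUN=1 prints the commands instead of loading them, so the ruleset can be read on any machine first.

```shell
#!/bin/sh
# ipchains ruleset for a three-NIC gateway (Linux 2.2, Red Hat 6.x era).
# Added example, not code from the thread.  Interface names, the private
# address ranges and the DMZ mail/news host are assumptions.
EXT_IF=eth0                                   # DSL modem
DMZ_IF=eth1; DMZ_NET=192.168.2.0/24; DMZ_HOST=192.168.2.10
LAN_IF=eth2; LAN_NET=192.168.1.0/24
DRY_RUN=${DRY_RUN:-}
# Public address handed out by the ISP's DHCP: read it from the interface
# unless the caller supplies it, since it is not static.
EXT_IP=${EXT_IP:-$(ifconfig "$EXT_IF" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')}

# With DRY_RUN=1 every command is printed instead of executed, so the
# ruleset can be reviewed before it touches the gateway.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    # Refuse to load a half-finished ruleset if the outside address is unknown.
    [ -n "$EXT_IP" ] || { echo "cannot determine address of $EXT_IF; set EXT_IP" >&2; return 1; }

    run ipchains -F                     # flush all chains
    run ipchains -P input DENY          # default deny for packets to the gateway
    run ipchains -P forward DENY        # and for packets routed through it
    run ipchains -P output ACCEPT
    run ipchains -A input -i lo -j ACCEPT

    # Anti-spoofing: private or loopback sources never legitimately arrive
    # from the modem, and each inside interface only carries its own network.
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s "$DMZ_NET" -j DENY -l
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
    run ipchains -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run ipchains -A input -i "$DMZ_IF" -s "$DMZ_NET" -j ACCEPT

    # From the Internet: replies to our own connections (TCP without SYN,
    # DNS answers), SSH for administration, SMTP/NNTP bound for the DMZ,
    # and ICMP errors.  Everything else, portmapper/RPC included, falls
    # through to the logged deny.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -s 0/0 53 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p tcp -d 0/0 22 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p tcp -d 0/0 25 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p tcp -d 0/0 119 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -j DENY -l

    # Forwarding.  In the forward chain -i names the OUTGOING interface.
    # LAN and DMZ reach the Internet masqueraded behind EXT_IP; the LAN may
    # open connections to the DMZ, the DMZ may only answer them.
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    run ipchains -A forward -i "$EXT_IF" -s "$DMZ_NET" -j MASQ
    run ipchains -A forward -i "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
    run ipchains -A forward -i "$LAN_IF" -s "$DMZ_NET" -d "$LAN_NET" -p tcp ! -y -j ACCEPT

    # Inbound mail and news are port-forwarded to the DMZ host.  Masqueraded
    # and port-forwarded packets are handled by the masquerading code before
    # the forward chain, so they need no forward rules of their own.
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 25 -R "$DMZ_HOST" 25
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 119 -R "$DMZ_HOST" 119
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
esac
```

Run `sh gateway.sh show` on any box to review the generated commands, `sh gateway.sh apply` as root on the gateway. The `-l` on the deny rules is what makes the firewall worth having: every refused packet from the modem ends up in the kernel log, which is the record you go back to after an incident.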
  • In the 'Real World,' you would never run more than one service on a box. In a home lan situation, you can cheat.

    I'm not saying don't keep security in mind, but there shouldn't be anything wrong with using a fileserver for a firewall on a home lan. Just remember that your files are on the internet, so don't do stupid things like public shares.

    Ipchains can do some really nice things for you. For instance, you can say, "I don't want any traffic from eth0 going to the rpc ports."

    So, if you have two nics in your gateway, and eth0 is plugged into your modem and eth1 is plugged into a hub on your lan, your local boxes could talk rpc to the gateway, but any box on the internet couldn't.

    This does take a lot of research. I suggest getting nmap and port scanning. For the most part, you are safe if you can scan from a box on the internet (borrow a shell) and see only a ssh port open, or whatever other services that need to talk to the internet.

    As for setting up a file server, just pick a daemon and make sure all of your workstations have clients. You probably want to use samba since it is more secure (relatively) than nfs (aka No F*cking Security). Then again, meet your needs.

    Another post on this thread mentioned getting a 486 and setting it up as a gateway. If you do this, and still want to offer nntp and smtp to the outside world, you will have to port forward. There is nothing wrong with that, but it can get messy if you get lazy.

    have fun.
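The check suggested above, scanning your own outside address from a shell elsewhere on the Internet, is only useful if you compare the result against the short list of ports you meant to leave open. This added example (not from the thread) does that comparison on nmap's grepable output; the scan text in it is constructed, not a real host.

```shell
#!/bin/sh
# Compare a scan of the gateway's outside address against the ports that are
# supposed to be reachable.  Added example; the scan below is constructed.
# Produce the real input with:  nmap -sS -p 1-65535 -oG scan.gnmap <outside address>

SAMPLE_SCAN='# Nmap (constructed sample) scan initiated
Host: 203.0.113.7 ()	Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 111/open/tcp//sunrpc///, 139/filtered/tcp//netbios-ssn///	Ignored State: closed (1530)
# Nmap done'

# unexpected_open_ports "22 25 119" < scan.gnmap
# Prints one "port/proto service" line per open port not in the allow list
# and returns 1 if there was any; returns 0 when only expected ports are open.
unexpected_open_ports() {
    found=$(awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host:/ && /Ports:/ {
            line = $0
            sub(/.*Ports:[ \t]*/, "", line)
            sub(/[ \t]*Ignored State.*/, "", line)
            n = split(line, ports, ", ")
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")       # port/state/proto/owner/service/...
                if (f[2] == "open" && !(f[1] in ok)) print f[1] "/" f[3] " " f[5]
            }
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demonstration on the constructed scan: ssh and smtp are expected, the
# portmapper on 111 is not and gets reported.
printf '%s\n' "$SAMPLE_SCAN" | unexpected_open_ports "22 25 119"
```

Filtered ports are deliberately ignored: they are what a default-deny firewall looks like from outside. An open port that is not on your list is either a service you forgot to turn off or a rule you got wrong, and either way it is the thing to fix before anything else.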
  • The best thing to do from a theoretical standpoint is install openBSD, which has earned a reputation of being secure. This is not to imply that linux isn't/can't be secure, only that openBSD may be better.

    Avoid running servers on the box that you don't need. I would put imap4 and mail on the firewall, but you don't want samba (the protocol it runs was hacked to add security, and while samba is good it shouldn't be on the firewall). A local news server runs just fine on a different machine (natd or masq is probably needed for home users), and therefore should not be on the firewall unless you really want a public news server (you don't). If you want to run a web server it will have to be on the firewall; export /home read-only from your main machine so you have several levels of protection (break the firewall and then a machine with write access to those disks - this may conflict with imap4 needing write access). If you need a DNS, run a secondary on the firewall, the primary inside, and have external secondaries point to your firewall, not the internal DNS.

    I could go on with advice about ftp, but in the end you have to make some choices. It makes your security better (if only in theory) if you don't run ftp, than if you run ftp with read only access, than if you give all users full ftp access. Most other services face this same choice. Write down the services you want, and then consider the minimal way to run them.

    One important thing: install ssh and disable telnet. Not that telnet is a likely source of attacks, but ssh gives some authentication.

    Turn on logging, and ideally log to an old dot-matrix printer. You want a hardcopy of everyone logging in, and what port they use (use port wrappers). Then study those logs. If you get an attack then logs will show it, and because they are hard copy they can't be deleted by a cracker.

    Try to track down any cracker, put even one script kiddie in jail (or youth jails) and you can maybe send a message to all these clueless parents that they better get a clue, their kids could be breaking the law online. (this is all a new area of law, so you will probably have to rein in the lawyers trying to figure out how to deal with this situation)
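The "port wrappers" and "study those logs" advice above, made concrete. This is an added example, not from the thread: a tcp_wrappers policy for daemons started from inetd through tcpd (hosts.allow/hosts.deny), and a small review of the refusals tcpd writes to syslog. The LAN range 192.168.1.0/24 and the sample log lines are constructed.

```shell
#!/bin/sh
# tcp_wrappers policy plus a refusal summary for the gateway's auth log.
# Added example, not from the thread; ranges and log lines are constructed.

# write_wrapper_policy DIR  -- writes hosts.allow and hosts.deny into DIR
# (/etc on the gateway).  Everything wrapped by tcpd is denied unless listed;
# sshd is the only wrapped service reachable from outside.
write_wrapper_policy() {
    dir=$1
    cat > "$dir/hosts.allow" <<'EOF'
# sshd may be reached from anywhere (the firewall still sits in front of it)
sshd: ALL
# POP and NNTP only from the home LAN (assumed 192.168.1.0/24)
in.pop3d, in.nntpd: 192.168.1.
EOF
    cat > "$dir/hosts.deny" <<'EOF'
# tcpd logs each refusal to syslog as "<daemon>: refused connect from <host>"
ALL: ALL
EOF
}

# Constructed sample of /var/log/secure lines as tcpd writes them.
SAMPLE_LOG='Nov 14 02:11:05 gw in.telnetd[811]: refused connect from 192.0.2.5
Nov 14 02:11:07 gw in.ftpd[812]: refused connect from 192.0.2.5
Nov 14 02:11:09 gw in.pop3d[813]: refused connect from 192.0.2.5
Nov 14 09:30:41 gw in.pop3d[901]: connect from 192.168.1.3
Nov 14 10:02:12 gw in.telnetd[955]: refused connect from 198.51.100.9'

# review_wrapper_log < logfile  -- one line per refused source:
#   "<host> <distinct daemons tried> <refusals>"
# A source refused by several different daemons within seconds is a scan.
review_wrapper_log() {
    awk '
        /: refused connect from / {
            host = $NF
            daemon = $5; sub(/\[.*/, "", daemon)
            refused[host]++
            if (!((host, daemon) in seen)) { seen[host, daemon] = 1; daemons[host]++ }
        }
        END { for (h in refused) print h, daemons[h], refused[h] }
    ' | sort
}

# Demonstration on the constructed log: 192.0.2.5 hit three daemons in
# four seconds, 198.51.100.9 touched one.
printf '%s\n' "$SAMPLE_LOG" | review_wrapper_log
```

Only daemons that actually go through tcpd (or are linked against libwrap, as sshd can be) obey these files, so keep the firewall as the first line and the wrappers as the second. For the printer idea in the comment, a syslog.conf line such as `authpriv.*  /dev/lp0` sends the same refusals to a line printer, where a cracker who gets root cannot edit them afterwards.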

  • by rbf ( 2305 )
    First, get a separate machine, a 386, 486, or a DEC Alpha Multia (my favorite), to act as a firewall/proxy. I'd use Debian GNU/Linux (first choice) or FreeBSD (second choice), as I find Red Hat to be a pain to setup when security is a must, on the firewall/proxy and your P200.

    rbf who is typing this on an Alpha running Debian GNU/Linux 2.1 with Linux 2.2.13.


    LONG LIVE ALPHA!!!
  • Nothing to worry about there. DSL in general is as secure as any other internet connection - it's less secure than a dialup line just because you're not connected all the time, but it's not much different than T1 or any other full-time connections in that regard.

    Not true. DSL is not as secure as any other static connection. The way DSL works is often you are assigned a single ip address out of a huge subnet on a BVI, because of this everyone on the same subnet is pretty much treated as on the same LAN.

    So you pretty much have to secure yourself from LAN attacks as well. Win95 users don't have that printer shared, :-)

  • Not true. DSL is not as secure as any other static connection. The way DSL works is often you are assigned a single ip address out of a huge subnet on a BVI, because of this everyone on the same subnet is pretty much treated as on the same LAN.
    So you pretty much have to secure yourself from LAN attacks as well. Win95 users don't have that printer shared, :-)


    This depends on the type of DSL. Some DSL is bridged and some is routed. Bridged generally means what you say. You are on essentially a LAN with other people, although you don't have to worry about broadcast traffic and receiving packets destined for other addresses. You get arp responses, for one thing, and probably other security-questionable effects.

    Routed means that you are on the WAN. You are treated just like any other host on the internet. Just like a normal old T1. With a lot of DSL modems, if you're running routed you can turn on encryption and other niceties, but I doubt many ISPs support this.
  • I'm part of a small ISP which offers SDSL to businesses. Basically what we've provided on our end looks like this:

    Bandwidth comes in and hits our router (cheap 2501), which performs the first level of protection. Basic bad packet drops and the like. From there it hits a Linux box which provides a web cache (with an option to go through JunkBuster), email, news, etc.. All traffic from our customers must go through this box, as it is how we keep track of their bandwidth usage and control it through rshaper. Yes I know that Cisco has offerings to do this but frankly the routers are too expensive for our current situation.

    All the DSL customers are on a 10/100 switch which keeps them from sniffing each other's traffic without requiring us to find a motherboard with 15 PCI slots in it. :-) The office computers at the ISP run off of another ethernet card which has ipchains to do masqing. The Pairgain 300S units we have have no configuration options and no IP, so it's not possible to circumvent them to transmit someone else's data easily. (It may be possible to have a machine spit out false ARP replies and confuse the switch but I should be able to circumvent that soon). VPN options for the local banks and the like I'm still looking for acceptable solutions for.

    Basically our system protects from outside spoofing and broadcast pings and the like. (echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts is your friend here). The Linux box doing the caching also handles all the SNMP traffic measurements for each IP/group of IPs (mail me for how to get SNMP doing this) and has the basic ipchains rules set up to reject packets coming in from the wrong interface, etc. Note that I said nothing about not allowing cross-WAN Microsoft Networking... I allow it but alert the client to the security problems. It's my job to keep maximum data flowing, not make them run in circles, if they're aware of the consequences and still wish to do it.

    On the client's side we strongly suggest a similar linux firewall. It can be cheap and small and hidden. There's no reason not to do it. For $500 we'll do it for them. All it does is block the bad packets / spoofed packets / etc. and optionally provide their own private web cache which cuts down on their costs. With such a box in place they are safe from the others on our service (although I think I'll set up the linux box to flag alarms for bad packets coming from a client and the like.)

    There are other posts here saying things about DTK and other such programs... They're not really necessary unless you want to really see what's going on, which is a good thing, but if all you're concerned about is keeping the baddies out, you don't need to deceive them. Just block them outright.
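The /proc knob the ISP mentions is one of a small set of kernel switches that belong on a Linux 2.2 gateway alongside the ipchains rules: rp_filter is the kernel's own "packet from the wrong interface" check, and icmp_echo_ignore_broadcasts is what stops the box from amplifying broadcast pings. This added example (not from the thread) sets them and, separately, audits a running box against the same list. PROC_ROOT defaults to /proc/sys/net/ipv4 and is overridable only so the audit can be exercised against a scratch directory.

```shell
#!/bin/sh
# Kernel-side hardening for a Linux 2.2 gateway.  Added example, not from
# the thread.  PROC_ROOT is /proc/sys/net/ipv4 on the gateway; it is a
# variable only so the audit can be tried against a scratch directory.
PROC_ROOT=${PROC_ROOT:-/proc/sys/net/ipv4}

# knob=value pairs, relative to PROC_ROOT.  ip_forward=1 because this box
# routes for the LAN; rp_filter drops packets whose source address does not
# belong on the interface they arrived on; the rest refuse smurf
# amplification, SYN floods, source routing and ICMP redirects, and log
# martians (packets with impossible addresses).
IPV4_KNOBS="ip_forward=1
icmp_echo_ignore_broadcasts=1
tcp_syncookies=1
conf/all/rp_filter=1
conf/all/accept_source_route=0
conf/all/accept_redirects=0
conf/all/log_martians=1"

# harden_ipv4 -- write every knob; a knob that is absent (kernel option not
# built in) or not writable (not root) is reported and skipped.
harden_ipv4() {
    for kv in $IPV4_KNOBS; do
        k=${kv%=*}; v=${kv#*=}
        if [ -w "$PROC_ROOT/$k" ]; then
            echo "$v" > "$PROC_ROOT/$k"
        else
            echo "skip: $PROC_ROOT/$k not writable or absent" >&2
        fi
    done
}

# audit_ipv4 -- print every knob that is missing or not at the wanted value;
# return 1 if there was any, 0 if the box matches the policy.
audit_ipv4() {
    bad=0
    for kv in $IPV4_KNOBS; do
        k=${kv%=*}; v=${kv#*=}
        if [ ! -r "$PROC_ROOT/$k" ]; then
            echo "$k: missing"; bad=1; continue
        fi
        cur=$(cat "$PROC_ROOT/$k")
        if [ "$cur" != "$v" ]; then
            echo "$k: is $cur, want $v"; bad=1
        fi
    done
    return $bad
}

case "${1:-}" in
    apply) harden_ipv4; audit_ipv4 ;;
    audit) audit_ipv4 ;;
esac
```

Run `sh sysctl.sh apply` from the same boot script that loads the firewall rules (these settings do not survive a reboot), and `sh sysctl.sh audit` from cron so a knob that silently reverts shows up in mail rather than in an incident.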
  • I have us west dsl and access my home network remotely. Sometimes my ip addr changes though, and somebody else gets my old ip. It is always funny to then telnet into their 675. An "enable" and "show running" later and you have their password (which is used for email too).
