Re: [Sheflug] Where do I start?
>>>>> "Will" == Will Newton <will [at] misconception.org.uk> writes:
Will> I would recommend OpenBSD (or any other BSD) over Linux for
Will> a firewall. The firewall tools are far less of a moving
Will> target than ipfwadm/ipchains/whateverelseitsbeencalled on
Will> Linux.
True, the interface will change again (to iptrees, IIRC) from 2.2 to
2.4. Big deal. The basic IP filter functionality is the same. You
name "routes" (including protocol, ports, and TCP flags as
appropriate) and say whether they are acceptable or not, and
optionally specify additional processing. How to do the latter (e.g.,
accounting, setting up an "immune system" to counter "evil" probes)
may be a little more difficult to figure out.
But this is not even as big a move as C to C++ or C++ to Java.
The real advantage to *BSD systems (OpenBSD is recommended --
especially loudly by its developers, take that how you will -- as
security-oriented) is that they install much less bulls**t by default
in the initial install. Firewalls are about denying, disabling, and
generally "distalling" as much functionality as possible.
Any Linux distro that installs _without_ a GUI is probably an
acceptable start. I recommend Debian's "router" install because you
do get a PMS, and it (used to) install into about 30MB. LRP might be
another alternative. There's no particular reason to suppose that any
of the others wouldn't have the same advantages, but we did hear
recently from Barrie that a "minimal" Red Hat install took up 230MB.
At least 215 MB of that is just security holes on a firewall....
>> I'm willing to read up on all this but I also need a "victim"
Reading: Cliff Stoll, Cuckoo's Egg. Keep it in the toilet^H^H^H^H^H^H
family reading room. It's not a textbook, it's true confessions. Fun
to read, gives you some idea of how these things work.
Cheswick and Bellovin, Firewalls and Internet Security. Addison
Wesley. Oldie but goodie. Heavy concentration on the idea of
_planning_ your firewall.
Among the Linux HOWTOs, there really aren't any true firewall HOWTOs.
They're really about HOWTO packet filter, which is an important
component of a firewall (and sufficient for pure client use). Do
find /usr/doc/HOWTO -iname '*firewall*' -or -iname '*chain*' \
-or -iname '*vpn*'
Virtual private networks are something worth reading up on; the
concepts are useful in thinking about firewalls.
There is a package or two for setting up your security out there; I
wouldn't trust them, but running one --verbose to see what it does,
and thinking about why it checks those things, is sure to be a good
exercise.
>> system that I can gradually configure and learn on. Would it be
>> practical to set up such a system although it would be on our
>> internal LAN and hence behind our firewall,
Certainly. Set up _two_ boxen, one as the target, one as the tiger
team. Get tools like Saint and SATAN on 'tiger', and then see what
weaknesses they find on 'target'. They do some pretty obnoxious
stuff, which your LAN manager will likely notice (users probably
won't), so clear it in advance. Better yet, spring for an extra
hub/switch and do your experiments disconnected, or with various
topologies relative to the internal gateway. (If you can work after
hours, you can dual boot some of the Windows boxes so that you have
*nix tools to scan the network. I don't recommend that for either
'tiger' or 'target', though.)
Port monitors, various net monitors, and things like Karpski can be
useful too.
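A toy model of the filtering scheme described above (rules naming protocol, ports and TCP flags, first match wins, deny by default), written here as an added illustration rather than anything from the original post; the Packet/Rule classes, the chain and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # TCP SYN without ACK, i.e. a new inbound connection attempt

@dataclass
class Rule:
    action: str                      # "ACCEPT" or "DENY"
    proto: Optional[str] = None      # None matches any protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn_only: Optional[bool] = None  # like ipchains -y: match only connection-opening segments
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match; unset fields are wildcards.
        return all(want is None or want == got for want, got in (
            (self.proto, p.proto), (self.sport, p.sport),
            (self.dport, p.dport), (self.syn_only, p.syn_only)))

def filter_packet(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the chain's default policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return policy, "chain policy"

# Constructed input chain for a client-only box that offers no services:
CLIENT_INPUT = [
    Rule("DENY", proto="tcp", syn_only=True, comment="drop every new inbound TCP connection"),
    Rule("ACCEPT", proto="tcp", syn_only=False, comment="replies to connections we opened"),
    Rule("ACCEPT", proto="udp", sport=53, comment="DNS answers from our resolver"),
    Rule("ACCEPT", proto="icmp", comment="let ping and unreachables through"),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", sport=40123, dport=22, syn_only=True),  # someone probing our sshd
        Packet("tcp", sport=80, dport=40124),                  # web server answering us
        Packet("udp", sport=53, dport=40125),                  # DNS reply
        Packet("udp", sport=6000, dport=111),                  # stray portmap probe
    ]
    for p in samples:
        print(p.proto, p.sport, "->", p.dport, filter_packet(CLIENT_INPUT, p))
```

Note that the DENY rule for connection-opening segments has to sit before the ACCEPT for the rest of TCP; swapping the order, or dropping the syn_only condition, silently lets inbound connection attempts through.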
--
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences Tel/fax: +81 (298) 53-5091
_________________ _________________ _________________ _________________
What are those straight lines for? "XEmacs rules."
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.