Post #227,552
10/1/05 8:13:50 PM
|

Home made firewall?
Our corporate DMZ is a segment off of our firewall. A bunch of systems hang off it, being carefully controlled when they are attempting to access our internal net.
But what about each other?
I am considering creating a Linux or *BSD many port firewall to control access. I need to care about speed, since multiple systems may be attempting access, and they will be given GB connectivity if possible.
I will have a dual Xeon at my disposal, with a bunch of slots.
I will have a budget for decent multi-port GBit cards.
In order of importance:
1. Works / fast enough (hardware support for quad TOE boards).
2. Security.
3. Ease of maintenance - OS patches - reflects back to security.
4. Ability to run monitoring software - ethereal, ntop, etc.
So, 1st I have to choose the TOE board.
This looks like a nice choice: [link|http://www.intel.com/network/connectivity/products/pro1000mt_quad_server_adapter.htm|http://www.intel.com...erver_adapter.htm] [link|http://www.intel.com/network/connectivity/resources/doc_library/tech_specs/spec_pro1000mt_quad_port_server_adapter.htm|http://www.intel.com...erver_adapter.htm]
Only lists Linux and FreeBSD as OS choices though.
Looking here for OpenBSD compat: [link|http://www.openbsd.org/i386.html|http://www.openbsd.org/i386.html] it seems to support it, except I see a bad note:
[link|http://www.openbsd.org/cgi-bin/man.cgi?query=em&arch=i386&sektion=4|http://www.openbsd.o...ch=i386&sektion=4]
"The driver supports IPv4 receive IP/TCP/UDP checksum offload on all but 82542-based"
Ahh, according to the specs, it has the 82546EB processor, should be OK.
So, using OpenBSD should be my best case on security. Using the native firewall language, it looks very easy to implement (and understand) the rulesets required for locking the systems down.
Ease of maintenance is iffy. I need more info on this. OpenBSD wants you to upgrade EVERYTHING at once in the event of a patch, or so it seems. Which could be painful.
On the other hand, it is so small, disk snapshots should be trivial for rollback.
Ability to run monitoring software looks pretty good. Almost all the tools that I could do on Linux I can also do on OpenBSD. [link|http://www.insecure.org/tools.html|http://www.insecure.org/tools.html], or so it seems. Or am I assuming that the little daemon means all the BSDs, and I'm going to get burned?
Let's consider FreeBSD, which the Intel adapter supports out of the box. [link|http://www.freebsd.org/|http://www.freebsd.org/]
It looks pretty complete, has a bunch of firewall options, including a port of the OpenBSD PF environment: [link|http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html|http://www.freebsd.o...firewalls-pf.html] They describe version differences which might bite me. Maybe I don't even want to use PF, maybe I want IPF or IPFW. How would I know, I need a BSD geek to tell me.
Do I have an unreasonable level of expectation concerning the security of OpenBSD vs FreeBSD? Based on the vendor hardware support (Intel card), I'd probably want to go with FreeBSD if possible. Also, as I read the FreeBSD feature list, it seems more advanced with lots more goodies.
[link|http://www.freebsd.org/features.html|http://www.freebsd.org/features.html]
OK, what issues have I missed?
|
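The per-port DMZ layout sketched in the post above, written out as a pf.conf ruleset. This is an added example, not from the original post or from any of the projects it links: the interface names (em0 to em4, em being the OpenBSD driver for the Intel adapter mentioned), the DMZ host addresses, the one permitted client address, and the internal database address and port are all constructed placeholders.

```pf
# Added example (not from the thread): one DMZ host per firewall port, default
# deny, and a short explicit allow list. All names and addresses are constructed.

ext_if  = "em0"          # port facing the main corporate firewall
web_if  = "em1"          # web server, alone on this port
ftp_if  = "em2"          # FTP server, alone on this port
ssh_if  = "em3"          # ssh bounce box, alone on this port
cli_if  = "em4"          # client-specific server, alone on this port

web_srv = "192.0.2.10"
ftp_srv = "192.0.2.20"
ssh_srv = "192.0.2.30"
cli_srv = "192.0.2.40"
client  = "198.51.100.7"   # the only outside address allowed to reach cli_srv
int_db  = "10.0.0.15"      # an internal system the web server may reach (constructed)

set skip on lo0
set block-policy drop

# Every host sits alone on its own segment, so anything not passed below is
# dropped and logged. This single rule is what stops DMZ hosts seeing each other.
block log all

# A packet claiming a DMZ host's address may only arrive on that host's port.
antispoof log for { $web_if $ftp_if $ssh_if $cli_if }

# Inbound services, one rule per service. PF takes the LAST matching rule
# unless 'quick' is given; 'quick' on every pass rule makes the set read
# top-down, first match wins, with 'block log all' as the fallthrough.
pass in quick on $ext_if proto tcp from any to $web_srv port { 80 443 } flags S/SA keep state
# Control channel only: passive FTP data connections need ftp-proxy(8) or an
# explicit port range, deliberately left out here.
pass in quick on $ext_if proto tcp from any to $ftp_srv port 21 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ssh_srv port 22 flags S/SA keep state
# The client-only server: reachable from exactly one source address.
pass in quick on $ext_if proto tcp from $client to $cli_srv port 22 flags S/SA keep state

# Outbound leg toward each host. PF's default floating state already matches
# it, so this rule only makes the intent visible when explaining the ruleset.
pass out quick on { $web_if $ftp_if $ssh_if $cli_if } keep state

# Limited reach from the DMZ into the internal net: only the web server, only
# the database port, nothing else.
pass in  quick on $web_if proto tcp from $web_srv to $int_db port 5432 flags S/SA keep state
pass out quick on $ext_if proto tcp from $web_srv to $int_db port 5432 flags S/SA keep state

# No DMZ-to-DMZ rule exists, so the web server cannot reach the FTP server or
# the bounce box even though all of them hang off the same machine.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`; the `log` keyword on the block and antispoof rules feeds pflog0, which is what the monitoring tools on the requirements list can watch.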
Post #227,572
10/2/05 2:25:37 AM
|

the hard way?
Have you considered [link|http://www.ipcop.org/modules.php?op=modload&name=phpWiki&file=index&pagename=IPCopMissionStatement|IP Cop]? Seems like you're trying to make too much work for yourself.
Have fun, Carl Forde
|
Post #227,576
10/2/05 8:39:22 AM
|

Depends
The harshest criticism in my environment is reserved for people who pretend to be techies, but use tools that hide complex environments from them with pretty interfaces.
If you review this, [link|http://z.iwethey.org/forums/render/content/show?contentid=227484|http://z.iwethey.org...?contentid=227484], you will see one of our guiding principles for our organization is:
would like to have a bunch of smart cross-trained geeks running the place, rather than vendor focused silos of knowledge
A recent example was a dump of a GUI-generated iptables rule-set. The jr admin was showing it, and was unable to explain what it was doing. Now this admin is smart, but inexperienced HERE. He has a comp-sci degree, and has set up and adminned many Linux and Unix systems. He is also a deep-diver, usually reading up on great detail when researching something. In other places he may qualify for Sr admin, just not here, where we have someone else we call senior, who has far more experience than this guy.
Anyway, he was wrong when he explained it. When I read the ruleset, I made the exact same mistake, but figured it out a few lines later, since I don't pretend to know the syntax of IPTables.
If I am responsible for this particular bit of security - firewalling the DMZ, then I'm going to follow my requirements list. Works 1st, securely.
I can test "works". I can theorize "securely". But only if the low level rules are written by me, as simply as possible, as restrictive as possible. If I use a pretty front end, I have been abstracted from the implementation. And I have NO trust for writers of pretty front ends, since the focus is not the security, it is the pretty front end.
Some day I am going to be called to explain every aspect of the security up on a white board. I'm not allowed to say: IPCOP says it should be OK.
|
Post #227,647
10/2/05 9:47:48 PM
|

Use FWBUILDER
It does netfilter, ipfilter, pix and others.
It writes the config or script based on what you are using.
[link|http://www.fwbuilder.org|http://www.fwbuilder.org]
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
|
Post #227,649
10/2/05 10:25:08 PM
|

Interesting
But only if I can figure out what the scripts it is writing do.
Thanks.
|
Post #227,716
10/3/05 10:39:40 AM
|

They are VERY... Exceptionally well done.
The whole scripts thing is easy.
I like it for being straight forward and easy to understand.
The iptables/netfilter stuff it does is stellar. I have only found one bug (it has been addressed) and it is a trivial "rule fix" for making the rules. I haven't even cared to update to a revision that it is fixed in, it is a 4 second edit of the script to fix it myself.
But, then again I should.
Also, it can upload all the data/script and configs to the devices running the scripts, including "update services" for the firewall.
It uses "first rule match wins" logic for the GUI, but will write the script/ruleset/config the proper way for each type of firewall supported.
I haven't seen something this easy to use and manage a firewall, ever. Even the CISCO WINDOWS stuff comes nowhere close.
It is straightforward, and can handle anything to the limits of the firewall device/OS/etc. It stores all the data in XML, with a well-documented XML schema.
I can setup a small example of the scripts for each and every device/filter it supports using the same ruleset just changing the device type. If you'd like.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
|
Post #227,723
10/3/05 10:59:43 AM
|

Initial glance looks like it wants a library of service types
Do I need to define them (ftp, ssh, SQL/Net, etc) or is there something I can grab that I missed. I did an apt-get to setup.
|
Post #227,729
10/3/05 11:21:37 AM
|

There are all the standard ones.
/me opens FWBUILDER
At the top, there is a "user" head, click on it and select the standard section.
Things are drag and drop. Make sure you understand NAT with Linux. NAT comes before the routing or allow/deny stage. So the rules in global have to have the NAT addresses for letting stuff in.
I can send you my *.fw I use. Just to show you an existing setup that works. I am a bit less anal than you will be. I'll send it to your TCD account.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
|
Post #227,730
10/3/05 11:27:42 AM
|

Thanks
Note: I'm not using NAT for this setup, all addresses to be specified are real. I think!
|
Post #227,595
10/2/05 11:56:28 AM
|

first, if they are in the DMZ they can talk to each other?
by nature a publicly exposed IP address is reachable so why are you building a separate box? Is this to be a management box on a secured path "quiet" ip space? thnx, bill
"the reason people don't buy conspiracy theories is that they think conspiracy means everyone is on the same program. That's not how it works. Everybody has a different program. They just all want the same guy dead. Socrates was a gadfly, but I bet he took time out to screw somebody's wife" Gus Vitelli
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 49 years. meep questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
|
Post #227,637
10/2/05 8:20:11 PM
|

DMZ yes, but need better isolation
1st of all, our DMZ is not all public space. The goal is to have a series of boxes that are externally accessible in a constrained fashion. Which then also have specific limited access to our internal systems.
So this means there could be a web server, an FTP server, an ssh bouncebox, and specific client based systems on the DMZ. A client might need a particular server that is only accessible from them via their IP address.
But if all these systems are on the same IP segment, on the same physical LAN, then they can all see each other, unless we put in a high-end switch that has ACL setups. Which we don't want to do, since it seems our LAN guys run into "issues" as they try to set up these ACLs.
Which then means it is up to me to lock them down via the above described method.
|
Post #227,728
10/3/05 11:17:38 AM
|

4 port Copper GIG cards are available.
Linux, FreeBSD, OpenBSD and NetBSD all support about a kajillion network ports. You could in reality have the firewall restrict ANY kind of traffic, even based on time. If you were to have a Dual Xeon with 12 PCI slots (triple peered) and 4 port NICs, you could theoretically have 48 GIG ports. Plus if the motherboard itself has a NIC built in, that could be the management device/NIC etc... Or, if you were to go with a computer setup with CompactPCI slots, you could theoretically have upwards of 100+ network ports. Not cheap, but very flexible as you could do everything you want.
You could also set up a logging service for the firewall to report to, as each "rule" can be set up to log everything with different labels. You could even get fine grained and make rules for each tcp/udp/icmp/etc port for each IP address. Plus you can make rules that are specific to that NIC only as well as the globals and masquerading/NAT. You could make it so that only certain kinds of traffic are available outbound, and a different set as inbound only. You really wouldn't even have to have an ssh bounce machine... although I'd keep one anyway.
For instance, you could also do port-translation as well. Adding addresses to a machine need only be done at the Firewall, you could add something like this:
Visible IP and Port | DMZ IP and port    | Machine
10.10.10.6:80       | 192.168.200.2:81   | One
10.10.101.3:80      | 192.168.200.2:88   | One
10.10.100.5:80      | 192.168.200.2:8180 | One
172.16.12.86:21     | 192.168.200.3:8180 | Two
172.16.101.19:21    | 192.168.200.3:2121 | Two
192.168.100.34:22   | 192.168.200.3:2222 | Two
198.110.74.110:53   | 192.168.200.4:1053 | Three
This would allow you to have multiple services running on the same host, possibly reducing machine count, possibly allowing you to value-add without having to add machines. Certainly this adds to complexity, but in a manageable way. You could even force the responses to come from a different address, if you wanted. Almost too many options to count. And if that is not enough, you can do traffic shaping on *BSD and Linux as well. External commands for that are (supported??) possible, but I am not sure about that. I'd do the shaping with a separate tool anyway. Too many options exist now for me to put it into a short description. Plus add in the ISCS stuff and amazing things could happen. For me, the best possible part is the ability to quickly (re)build (the)a new machine and then pile-on the rules, and being able to keep those rules in a CVS/SVN/etc revision system. Should anything happen to it.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
|
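Greg's translation table above, rendered as PF rdr rules. This is an added example and is not part of his post or of anything fwbuilder writes; it also illustrates the point from his earlier fwbuilder reply that NAT runs before the allow/deny stage, so the filter rules have to name the translated addresses. The syntax is the OpenBSD pre-4.7 rdr form (4.7 and later express the same translation as match ... rdr-to). The visible and DMZ addresses come from the table; the interface and macro names are constructed.

```pf
# Added example (not from the thread): Greg's port-translation table as PF
# rdr rules, pre-4.7 syntax. Interface and macro names are constructed; the
# visible addresses must be configured on, or routed to, $ext_if.

ext_if = "em0"
dmz_if = "em1"
one    = "192.168.200.2"
two    = "192.168.200.3"
three  = "192.168.200.4"

# Translation: several visible addresses, each landing on a different port of
# one DMZ host, so one box can front several services.
rdr on $ext_if proto tcp from any to 10.10.10.6     port 80 -> $one port 81
rdr on $ext_if proto tcp from any to 10.10.101.3    port 80 -> $one port 88
rdr on $ext_if proto tcp from any to 10.10.100.5    port 80 -> $one port 8180
rdr on $ext_if proto tcp from any to 172.16.12.86   port 21 -> $two port 8180
rdr on $ext_if proto tcp from any to 172.16.101.19  port 21 -> $two port 2121
rdr on $ext_if proto tcp from any to 192.168.100.34 port 22 -> $two port 2222
rdr on $ext_if proto { tcp udp } from any to 198.110.74.110 port 53 -> $three port 1053

block log all

# Translation happens before filtering, so the packet the filter sees is
# already addressed to the DMZ host and translated port. A pass rule written
# against 10.10.10.6 port 80 would never match and the connection would be
# blocked; the rules below name the post-translation destination instead.
pass in on $ext_if proto tcp from any to $one port { 81 88 8180 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $two port { 8180 2121 2222 } flags S/SA keep state
pass in on $ext_if proto { tcp udp } from any to $three port 1053 keep state

# Outbound leg toward the DMZ segment; replies are un-translated by the state.
pass out on $dmz_if keep state
```

The two FTP entries cover only the control channel on their translated ports; the data channel still needs ftp-proxy(8) or equivalent, which is out of scope here. `pfctl -sn` shows the loaded translation rules and `pfctl -sr` the filter rules, which is a quick way to confirm the filter side is written against the DMZ addresses.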
Post #227,732
10/3/05 11:44:59 AM
|

But the intel only allows 2 per box
So I have to look to others such as [link|http://www.silicom.co.il/ProductsAndEventsinside.asp?id=87|http://www.silicom.c...sinside.asp?id=87] Which is Broadcom - and I HATE broadcom.
|