[olug] Security

Brian Wiese bwiese at cotse.com
Mon Jan 7 09:40:51 UTC 2002


This sounds pretty tight.

On Mon, 7 Jan 2002 10:20:44 -0600
"Jeremy Bettis" <jeremyb at hksys.com> wrote:

> I recently learned the hard way about how important this can be.  Here is
> how our new setup will be.
> 
> 
> Totally Freaking Paranoid Firewall (TFP) - no logons at all except from the
> console.  Will run a VPN server and DNS server running inside chroot only.

This is a customized setup, I take it; I didn't find any kind of distro out
there labeled 'TFP' or such on Google. :) I just figured this was something
like Engarde Linux, which is pretty secure also. I should try that distro
again sometime... http://www.engardelinux.org/

> In DMZ:  the dmz does not allow connections to anywhere, but incoming
> connections are allowed from inside network and internet. 

This is what I was thinking about also, if the box is compromised... they
can't go anywhere with it/from it. :)

> DMZ machines still
> use tcp wrappers/ipchains/etc to protect themselves from each other.
> web/ftp/sendmail/sshd - TFP proxies these to this machine

Sounds like chrooting even further. :)  That's basically the practice we are
going to implement. We are creating this VPN and all, so we can kind of be
on the same network... but we are still firewalling each other off for
everything (we may allow Samba via the VPN - not sure how that's going to
work yet, though?)... then if they ask to come in, we can let them (like
lowering the drawbridge).

You may find this article interesting:
 http://www.linuxfocus.org/English/January2002/article225.shtml

> The lesson is, always have a machine that is logging all connections to the
> DMZ, so that when your web/ftp/sendmail/sshd/whatever machine gets hacked,
> the hacker can't erase the logfiles (DOH!)

Yep, like sending the log files to a remote machine in real time, or burning
them to a CD?
Some kind of telemetry box ( http://www.telemetrybox.org/ ) or (
http://sourceforge.net/projects/tbox ), also with stuff like NetSaint
(netsaint.org) running.
-- Actually, though, how do you technically implement this capturing of log
files on a remote machine? A script that scp's the running syslog, or
something of that sort?
 
> Also the DMZ can't access the internet, since the hacker is most likely
> going to install DDOS tools or use ftp to add more software to your machine.
> If the machine can't get out, it's not as useful.

How am I supposed to update it? lol :)  That makes things a little more
difficult, but that's what you always (it seems) have to sacrifice for
security: usability.  Perhaps I can open it up / add a route quickly for
updates, then remove the route again. That's simple enough. Is it secure
enough?

It's neat that we can figure all this out about 'how' to make a secure
network... the hard part is going about and 'doing' it!  Security requires
eternal vigilance. :)  ... and a lot of work. lol

Brian
-- 
FREEDOM!  - Braveheart
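Brian asks above how you actually get log lines onto another box in real time. On a Linux box of this era the answer is syslog itself rather than a script that scp's files around: put `*.* @loghost` in /etc/syslog.conf on each DMZ host, start the loghost's syslogd with `-r` so it accepts remote datagrams on UDP/514, and have the DMZ firewall permit only that one flow (UDP 514 from the DMZ hosts to the loghost). The loghost then holds a copy the intruder on the DMZ box cannot touch, provided the loghost accepts no logins from the DMZ. The block below is an added example for this thread, not code from the post or from sysklogd: a small Python model of that exchange, showing the wire format syslogd sends and a collector that files lines by source address. The host names, addresses and log lines are constructed for the example.

```python
"""Remote syslog, modelled: what `*.* @loghost` sends and what the loghost keeps.

Added example for this thread, not code from the post or from sysklogd.
Host names, addresses and log lines are constructed for the example.
"""
import os
import re
import socket
from collections import defaultdict

SYSLOG_PORT = 514  # UDP port used by `@loghost` forwarding and `syslogd -r`

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# BSD syslog line on the wire: <PRI>TIMESTAMP HOSTNAME MSG (RFC 3164 layout)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)


def encode(facility, severity, timestamp, hostname, tag, text):
    """Build the datagram a DMZ host's syslogd puts on the wire."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("ascii", "replace")


def decode(datagram):
    """Parse one datagram; return None for anything that is not a syslog line."""
    m = _LINE.match(datagram.decode("ascii", "replace"))
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 23, severity 7 is the highest legal PRI
        return None
    fac, sev = divmod(pri, 8)
    return {"facility": FACILITY_NAMES.get(fac, f"facility{fac}"),
            "severity": SEVERITY_NAMES[sev],
            "timestamp": m["ts"], "host": m["host"], "msg": m["msg"]}


def collect(packets, allowed_senders):
    """Loghost side. packets is an iterable of (source_ip, datagram).

    Lines are filed by *source address*, not by the hostname inside the
    message: UDP syslog is unauthenticated, so an intruder on a DMZ box can
    put any hostname he likes in the datagram. Datagrams from addresses not
    in allowed_senders are counted and dropped rather than stored.
    Returns (lines_by_source, dropped_count).
    """
    kept = defaultdict(list)
    dropped = 0
    for src, datagram in packets:
        if src not in allowed_senders:
            dropped += 1
            continue
        rec = decode(datagram)
        if rec is None:  # keep the raw bytes: garbage from a DMZ host is evidence too
            kept[src].append("MALFORMED " + datagram.decode("ascii", "replace"))
            continue
        kept[src].append(f"{rec['timestamp']} {rec['host']} "
                         f"{rec['facility']}.{rec['severity']} {rec['msg']}")
    return dict(kept), dropped


def serve(logdir, allowed_senders, bind=("0.0.0.0", SYSLOG_PORT)):
    """Blocking receiver: one append-only file per sending address.

    Binding port 514 needs root. The files are opened O_APPEND; what keeps
    the DMZ intruder from truncating them is that he has no login here.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    os.makedirs(logdir, exist_ok=True)
    while True:
        datagram, (src, _port) = sock.recvfrom(2048)
        lines, _dropped = collect([(src, datagram)], allowed_senders)
        for host, entries in lines.items():
            fd = os.open(os.path.join(logdir, host + ".log"),
                         os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
            with os.fdopen(fd, "a") as f:
                f.write("\n".join(entries) + "\n")


def send(datagram, loghost, port=SYSLOG_PORT):
    """What `*.* @loghost` amounts to: one UDP datagram per line, no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (loghost, port))


if __name__ == "__main__":
    # Constructed traffic: one DMZ host (10.1.1.10) and one spoofer (192.0.2.99).
    auth_line = encode("auth", "info", "Jan  7 09:40:51", "dmz-www",
                       "sshd[1234]", "Accepted publickey for bwiese from 10.0.0.5")
    kept, dropped = collect([("10.1.1.10", auth_line),
                             ("192.0.2.99", b"<0>Jan  7 09:40:52 tfp kernel: Oops")],
                            allowed_senders={"10.1.1.10"})
    print(kept, "dropped:", dropped)
```

Two caveats the code makes visible: syslog over UDP is neither authenticated nor reliable, so the loghost must filter by source address (and the firewall should let only the DMZ hosts reach port 514), and a lost datagram is simply gone. Burning to CD, as Brian suggests, or printing to a line printer, is a reasonable second copy for the lines that matter most.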

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

For help contact olug-help at bstc.net - run by ezmlm
to unsubscribe, send mail to olug-unsubscribe at bstc.net
or `mail olug-unsubscribe at bstc.net < /dev/null`
(c)2001 OLUG http://www.olug.org

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_