Network Security Focus-Linux

Re: Security, Distributed firewalling application...long ;-)

Date: Tue, 29 Nov 2005 18:07:11 +0100
On Tue, 29-11-2005 at 18:03 +0530, Sanjay Arora wrote:
List:

We are a small company with a (very short) shoe-string budget running
CentOS 4.2. I am a newbie sys-admin and am planning to secure the Network
as follows, please comment on design and if known suggest a GUI & policy
based ruleset generator that can additionally (preferably rsync the
ruleset over ssh) to the target machine & reset the ruleset.



Please critique..bang my head on floor & caution on the drawbacks of the
approach...advise...provide links/learning resources...share
experiences...and help me get it right.

With best regards.
Sanjay.

Hi:

My 2 euro cents,

        devil-linux ( www.devil-linux.org ) 

"

Devil-Linux is a distribution which boots and runs completely from
CDROM. The configuration can be saved to a floppy diskette or a USB pen
drive. Devil Linux was originally intended to be a dedicated
firewall/router but now Devil-Linux can also be used as a server for
many applications. Attaching an optional hard drive is easy, and many
network services are included in the distribution.

The system is designed to install without the use of a hard drive. It
requires the use of a CDROM and a write-protected floppy. The CDROM
provides the operating system, and the floppy provides the configuration
information, via a tarball that is unpacked into the /etc directory. In
this way, the system is fully configurable, yet the running system has
no writeable device.
"

You can use desktop machines ( low budget in fact ) without HD ( less
hardware points of failure )

Easy to replace if broken ( binaries on CD and config on
usb/fd/hd/cdrom )

No extra pain if you think that the binaries are being compromised.
Reboot and all binaries OK again.

You will be able to create a firewall cluster using low machines ( if I can get
success
http://sourceforge.net/mailarchive/forum.php?thread_id=9002831&forum_id=658

and use firewall port knocking too, now a wish
http://sourceforge.net/mailarchive/forum.php?thread_id=9085546&forum_id=658

)

In the 'client' side use fwbuilder gui http://www.fwbuilder.org/

A powerful gui for several firewall solutions ( iptables, ipfilter,
OpenBSD PF and Cisco PIX )

It integrates well with DL ( via ssh with click and go )

Both projects are very active and well supported, with great in-depth
know-how.

HTH

Regards



-- 
David Ballester Montolio
GNU/Linux user #206389
GNU/Linux - Unices Sysadmin
Oracle DBA
SAP-BC
Kern Pharma - Grupo Indukern
www.kernpharma.com

skype: david.ballester

"In this day and age, computer systems
are getting faster and more capable, but
they still do not eliminate the need for a
sensible, intelligent person to run the
show. Computers will never be 'smart
enough for any fool to use.' ... When you
go looking for a software package, don't
just look for which one has the most
automation. Don't believe that because
it has all that automation, it will make
your job or your life easier. It won't. ...
There is no substitute for using your own
brain to get a job done right."
    - Howard Chu of Highland
