On Tue, Nov 29, 2005 at 06:03:56PM +0530, Sanjay Arora wrote:
List:
We are a small company with a (very short) shoe-string budget running
CentOS 4.2. I am a newbie sys-admin and am planning securing the Network
as follows, please comment on design and if known suggest a GUI & policy
based ruleset generator that can additionally (preferably rsync the
ruleset over ssh) to the target machine & reset the ruleset.
WAN: A DSL link firewalled by an IPtables firewall, currently running
IPcop on this...may shift to monowall or pfsense..or maybe add
additional rulesets to the IPcop box itself. ssh, http, pop3, imap, smtp
redirected to internal IP space (192.168.) DMZ server running web-apps
and is the vulnerable target.
There's a case to be made for encrypted versions of pop3, imap, and
possibly http, but this is otherwise fine.
Do note that that's a lot of services to offer inside the LAN (instead
of in a DMZ).
DMZ: Want to close all ports (in/out) on the DMZ server except for the
above services, with logging of all attempts from inside the lan or
outside.
The first idea is a good one. Logging stuff from the LAN might also be
useful. Logging outside attacks usually isn't - a packet filter will
stop so much that reviewing the logs takes ages, and there's usually
very little sense in pursuing it. (Or, as with all 'don't log this'
comments in this post, you may choose to log them but be aware that you
will likely not be able to review them.)
LAN: 4 Servers running various services according to their jobs. Want to
explicitly close all ports (in/out) except the required ones with
logging of all attempts.
Okay, a lot of servers on the LAN. Might be worthwhile thinking if any
can be moved to a less priviliged area, possibly a second DMZ (note:
IPCop doesn't support this out-of-the-box - some hacking, or manual
firewall configuration, can be used to 'persuade' it to).
Other things to be done:
1. Running an IDS on the local network (Snort).
Only makes sense once you have done all else. An IDS takes gobs of time,
and since - IMNSHO - no system with known vulnerabilities should be
allowed on the network, it will only catch false positives and failed
attacks.
Mind, an IDS can be very useful - but it, again, costs a lot of time.
2. Block all outgoing mail except from the official mailserver & running
anti-spam & antivirus on all in/out mails, with a copy of all logged for
archival/forensics purposes.
Make sure that this is allowed under your jurisdiction, not everyone may
like it. It will also take quite a bit of space.
Running anti-spam on outgoing e-mail might or might not be required.
3. Block all outgoing ports except as required and log all attempts to
connect to blocked ports from inside or outside.
I'd only log outgoing blocked connections, but otherwise a good idea.
3. Install an application to get all iptables logs from all servers
including the perimeter firewall, into a database.
Ok, though I've never understood why people want to use a database - the
log parser should have given you the relevant data, and grep can easily
sort out the extra information if you need it.
5. Get data from the perimeter IDS & LAN IDS into the database.
Ok.
6. Extrapolate the database on regular basis for re-evaluation.
Not too useful, as this is unlikely to get done. Rather, run automated
nightly (or more often) log parsers.
Comments are invited on the above. Also suggestions of open source &
free projects that can help my deploy the policy based firewalling and
all the above.
Why I need a GUI & policy based framework for implementing my firewalls,
when my requirements are static? Well, I may need to add additional role
to a server on the LAN, if any other server fails. In fact, I intend to
keep the services prepared on alternate servers, only not deploy them
redundantly. Secondly, never know when needs change and something that
is easily configured and deployed would adapt better.
No clue how to do this, I've never cared for anything like this.
Also, I have a question that needs answer. How do I allow IMs like
yahoo, msn, icq and transparently proxying & logging all business
chats...staff will be aware from IT policy that all email/IM are
recorded. We plan to run a Jabber server for Enterprise IM but how to
control the IMs?
Unencrypted instant messaging can be dealt with by simply sniffing the
wire. I am not familiar enough with the protocols, but maybe Snort can
be persuaded to do this.
Please critique..bang my head on floor & caution on the drawbacks of the
approach...advise...provide links/learning resources...share
experiences...and help me get it right.
With best regards.
Sanjay.
Looks good. The most important thing I miss is a way to quickly patch
lots of machines when MS releases the next update or somesuch.
Joachim
