One application that works well with Iptables is Fwbuilder. It's very
handy for GUI based administration of rules from a central point. Plus
it's free.
-----Original Message-----
From: Sanjay Arora [mailto:sanjay.k.arora@gmail.com]
Sent: Tuesday, November 29, 2005 7:31 AM
To: SF-security-basics Mailing List
Subject: Security, Distributed firewalling application...long ;-)
List:
We are a small company with a (very short) shoe-string budget
running CentOS 4.2. I am a newbie sys-admin and am planning
securing the Network as follows, please comment on design and
if known suggest a GUI & policy based ruleset generator that
can additionally (preferably rsync the ruleset over ssh) to
the target machine & reset the ruleset.
WAN: A DSL link firewalled by an IPtables firewall, currently
running IPcop on this...may shift to monowall or pfsense..or
maybe add additional rulesets to the IPcop box itself. ssh,
http, pop3, imap, smtp redirected to internal IP space
(192.168.) DMZ server running web-apps and is the vulnerable target.
DMZ: Want to close all ports (in/out) on the DMZ server
except for the above services, with logging of all attempts
from inside the lan or outside.
LAN: 4 Servers running various services according to their
jobs. Want to explicitly close all ports (in/out) except the
required ones with logging of all attempts.
Other things to be done:
1. Running an IDS on the local network (Snort).
2. Block all outgoing mail except from the official
mailserver & running anti-spam & antivirus on all in/out
mails, with a copy of all logged for archival/forensics purposes.
3. Block all outgoing ports except as required and log all
attempts to connect to blocked ports from inside or outside.
3. Install an application to get all iptables logs from all
servers including the perimeter firewall, into a database.
5. Get data from the perimeter IDS & LAN IDS into the database.
6. Extrapolate the database on regular basis for re-evaluation.
Comments are invited on the above. Also suggestions of open
source & free projects that can help my deploy the policy
based firewalling and all the above.
Why I need a GUI & policy based framework for implementing my
firewalls, when my requirements are static? Well, I may need
to add additional role to a server on the LAN, if any other
server fails. In fact, I intend to keep the services prepared
on alternate servers, only not deploy them redundantly.
Secondly, never know when needs change and something that is
easily configured and deployed would adapt better.
Also, I have a question that needs answer. How do I allow IMs
like yahoo, msn, icq and transparently proxying & logging all
business chats...staff will be aware from IT policy that all
email/IM are recorded. We plan to run a Jabber server for
Enterprise IM but how to control the IMs?
Please critique..bang my head on floor & caution on the
drawbacks of the approach...advise...provide links/learning
resources...share experiences...and help me get it right.
With best regards.
Sanjay.
