OT-- Low power, quiet least expensive firewall option - Firewalls



Thread: OT-- Low power, quiet least expensive firewall option

  1. OT-- Low power, quiet least expensive firewall option



    Moe Trin wrote:

    > Very little logging is needed. That laptop I'm using is a 386SX-16
    > and is more than adequate for a cable connection while drawing just
    > 40 Watts (including the hard drive). There are plenty of 'firewall
    > optimized' distributions, some small enough to _run_ from a single
    > floppy. google is your friend. Remember that the _ONLY_ thing that
    > should be running on the firewall is the firewall itself. No user
    > crap - and specifically, no X. It's amazing how little resources are
    > needed when you get rid of the eye-candy. Think about it - if it's
    > not installed (never mind not running), it can't be exploited.
    >
    > Old guy


    Moe, This is a marginally related question. My only experience with
    firewalls has been the use of a router (basic functions) and a software
    firewall to augment. Please give me your opinion on using this simple
    combination to protect and administer a Freenet (or similar) server.
    Do you think this would be adequate or would I be better off learning
    how to build a proper firewall? ~Thx

    note: will likely run Solaris

  2. Re: OT-- Low power, quiet least expensive firewall option

    In article <459226AB.95C78040@news.cox.net>, OSbandito@news.cox.net
    says...
    >
    >
    > Moe Trin wrote:
    >
    > > Very little logging is needed. That laptop I'm using is a 386SX-16
    > > and is more than adequate for a cable connection while drawing just
    > > 40 Watts (including the hard drive). There are plenty of 'firewall
    > > optimized' distributions, some small enough to _run_ from a single
    > > floppy. google is your friend. Remember that the _ONLY_ thing that
    > > should be running on the firewall is the firewall itself. No user
    > > crap - and specifically, no X. It's amazing how little resources are
    > > needed when you get rid of the eye-candy. Think about it - if it's
    > > not installed (never mind not running), it can't be exploited.
    > >
    > > Old guy

    >
    > Moe, This is a marginally related question. My only experience with
    > firewalls has been the use of a router (basic functions) and a software
    > firewall to augment. Please give me your opinion on using this simple
    > combination to protect and administer a Freenet (or similar) server.
    > Do you think this would be adequate or would I be better off learning
    > how to build a proper firewall? ~Thx
    >
    > note: will likely run Solaris


    If all you expose inbound is port 80, and you're running a locked down
    OS, and you're locking down the application you expose, then a NAT
    Router with port 80 forwarded inbound (and only port 80), would limit
    your exposure/exploit paths.

    The NAT routers only "route" traffic, they don't really inspect to
    ensure that the HTTP traffic is really HTTP traffic.

    If you can, on your NAT Router, block all outbound ports except DNS and
    HTTP (since many AV solutions get updates over HTTP).

    --

    spam999free@rrohio.com
    remove 999 in order to email me

  3. Re: OT-- Low power, quiet least expensive firewall option

    On 2006-12-27, OSbandito wrote:
    >
    >
    > Moe Trin wrote:
    >
    >> Very little logging is needed. That laptop I'm using is a 386SX-16
    >> and is more than adequate for a cable connection while drawing just
    >> 40 Watts (including the hard drive). There are plenty of 'firewall
    >> optimized' distributions, some small enough to _run_ from a single
    >> floppy. google is your friend. Remember that the _ONLY_ thing that
    >> should be running on the firewall is the firewall itself. No user
    >> crap - and specifically, no X. It's amazing how little resources are
    >> needed when you get rid of the eye-candy. Think about it - if it's
    >> not installed (never mind not running), it can't be exploited.
    >>
    >> Old guy

    >
    > Moe, This is a marginally related question. My only experience with
    > firewalls has been the use of a router (basic functions) and a software
    > firewall to augment. Please give me your opinion on using this simple
    > combination to protect and administer a Freenet (or similar) server.
    > Do you think this would be adequate or would I be better off learning
    > how to build a proper firewall? ~Thx
    >
    > note: will likely run Solaris


    A minimised/hardened Solaris running ipfilter *is* a "proper" firewall.

    --
    http://www.strike-the-root.com/
    [email me at huge [at] huge [dot] org [dot] uk]

  4. Re: OT-- Low power, quiet least expensive firewall option

    On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    <459226AB.95C78040@news.cox.net>, OSbandito wrote:

    >Moe, This is a marginally related question. My only experience with
    >firewalls has been the use of a router (basic functions) and a software
    >firewall to augment. Please give me your opinion on using this simple
    >combination to protect and administer a Freenet (or similar) server.


    My personal preference would be for a simple box connected to the
    Internet side of things that only permits those connections INBOUND
    that the administrator wants to allow. If you are providing a web
    server, then someone connecting to your Internet address should ONLY
    be able to connect to port 80 and/or 443 or wherever you are running
    that server. There's no need for them to connect to your gopher server,
    or finger, or telnet, or SSH or any other port, period. You can do
    this connecting the server directly, (and allowing _your_ administrative
    connection via a different interface), depending on your skill level.

    >Do you think this would be adequate or would I be better off learning
    >how to build a proper firewall? ~Thx


    Two things - know how to build a proper _server_ (which means one that
    has the needed applications and no more than that), _and_ know how to
    build the firewall. The first point is important - if it's not
    installed, it can't be exploited. Our "public" servers all run from
    'read-only' media as an added precaution, and any volatile data is mounted
    'noexec'. It's much harder to exploit that way. Anything uploaded from
    "outside" gets dropped into a directory with d-w-rwx--- permissions - the
    'w' to allow the data to be written by a user with NO other permissions
    anywhere else on the file system, and the 'rwx' to allow the data to be
    removed by a cron job by a group with only one user and transferred to
    a quarantine area where outsiders have no access. The 'un-trusted' user
    (often 'guest' but I've also seen them named 'intruder' or 'hostile')
    only belongs to a separate group that is otherwise unused. This avoids
    access through the 'others' permissions (-------rwx) that is granted if
    you are not the owner or a member of the group.

    >note: will likely run Solaris


    For the server, this would be fine. Use the O/S you are comfortable with,
    the one that you can secure. As a combined server and firewall, I'd be
    a little less enthused, but that's mainly because I don't "know" the
    firewall capabilities as well as I'd want to. For a firewall alone, I'd
    usually recommend an O/S designed for this function rather than a general
    purpose design. I mentioned using Linux on my home firewall, and it's a
    stripped version using a local compile. I'm using that simply because I
    have experience with that O/S and feel comfortable with it. I would
    never consider using an 'out-of-box' 'popular' distribution simply
    because that 'out-of-box' install has much unneeded stuff/features/etc.

    Old guy
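    Added example, not from any poster in this thread: a packet-filter ruleset of
    the shape posts 2 through 4 describe, written for ipfilter since post 3 notes
    that is what a minimised Solaris box would run. Only 80/443 are reachable on
    the Internet-facing interface, administrative SSH is accepted only on a
    separate interface from an internal network, and the server originates no
    connections except DNS. The interface names (hme0/hme1), addresses, resolver
    and the helper name write_ipf_rules are assumptions; the file it writes is an
    ordinary ipf.conf that you review and then load with `ipf -Fa -f`.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): ipfilter ruleset for a web server that
    # exposes ONLY 80/443 on the Internet side, takes admin SSH only on a separate
    # interface, and makes no outbound connections except DNS lookups.
    # Interface names, addresses and the resolver are assumptions for the demo.
    #
    # Usage: write_ipf_rules /etc/ipf/ipf.conf hme0 192.0.2.10 hme1 10.0.0.0/24 10.0.0.53
    #        ipf -Fa -f /etc/ipf/ipf.conf    # flush and reload after reviewing the file
    write_ipf_rules() {
        out=$1; ext_if=$2; ext_ip=$3; adm_if=$4; adm_net=$5; resolver=$6
        cat > "$out" <<EOF
    # ipfilter is last-match unless a rule says "quick": the default blocks come
    # first and every pass rule below short-circuits with quick.
    block in log all
    block out log all
    block in log quick all with ipopts      # packets carrying IP options
    block in log quick all with short       # fragments too short to inspect

    # Loopback is unrestricted.
    pass in quick on lo0 all
    pass out quick on lo0 all

    # Internet side ($ext_if): only the web service is reachable. "keep state"
    # lets the replies out without any outbound pass rule for them.
    pass in quick on $ext_if proto tcp from any to $ext_ip port = 80 flags S keep state
    pass in quick on $ext_if proto tcp from any to $ext_ip port = 443 flags S keep state

    # Administrative side ($adm_if): SSH only, and only from the admin network.
    pass in quick on $adm_if proto tcp from $adm_net to any port = 22 flags S keep state

    # The server is not a client: the only connections it may originate are DNS.
    pass out quick on $ext_if proto udp from $ext_ip to $resolver port = 53 keep state
    pass out quick on $ext_if proto tcp from $ext_ip to $resolver port = 53 flags S keep state
    EOF
    }

    if [ "$#" -eq 6 ]; then
        write_ipf_rules "$@"
    else
        # No arguments: show the ruleset for the assumed (constructed) addresses.
        write_ipf_rules /dev/stdout hme0 192.0.2.10 hme1 10.0.0.0/24 10.0.0.53
    fi
    ```

    Because everything not explicitly passed is blocked and logged, the log
    itself becomes the check: any entry for the Internet-facing interface other
    than a stray probe means something on the server tried to talk out, which on
    a box that is only supposed to serve pages is worth a look.
    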


  5. Re: OT-- Low power, quiet least expensive firewall option

    On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
    , Leythos wrote:

    >If all you expose inbound is port 80, and you're running a locked down
    >OS, and you're locking down the application you expose, then a NAT
    >Router with port 80 forwarded inbound (and only port 80), would limit
    >your exposure/exploit paths.


    Agreed in principle.

    >The NAT routers only "route" traffic, they don't really inspect to
    >ensure that the HTTP traffic is really HTTP traffic.


    True - this is a function of the server itself. It can (and must) be
    bolted down to not permit _ANYTHING_ except the allowed service. For a
    web server, this means for example, not allowing relaying or uploading.

    If you must allow uploading by your authenticated users, then any such
    uploads should be to a special uploads directory where users do NOT have
    'read' permissions, and anything put into this directory should be whisked
    away to a quarantine area for inspection before such material is available
    to anyone else (and that specifically includes uploaded mail, to avoid
    becoming a spam source).

    >If you can, on your NAT Router, block all outbound ports except DNS and
    >HTTP (since many AV solutions get updates over HTTP).


    Here, I disagree - the server should not be running a client (other than
    DNS) over the same hose. (This also helps blocking relaying.) If you are
    not accepting user "files" from the world (files really meaning _anything_
    other than usernames and passwords if needed, and the desired URL), then
    your AV work (if needed) should be performed on a separate internal box
    where you create the files that may be downloaded from your server. My
    preference for uploading files to the server is that this be done by a
    separate interface that will only accept connections from a very
    restricted number of your systems.

    Old guy
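    Added example, not from any poster in this thread: the upload drop box and
    quarantine sweep that posts 4 and 5 describe, as a shell script. The
    one-time root step creates the drop box owned by an untrusted upload user
    whose only group is otherwise unused, and the cron job, running as the sole
    member of the quarantine group, moves whatever landed there into a
    quarantine area nobody else can read. One deviation from the d-w-rwx--- mode
    quoted in post 4: on a Unix filesystem creating an entry in a directory needs
    search (x) permission on that directory as well as write, so the owner here
    gets -wx (mode 0370), which still denies listing or reading. The user and
    group names (guest, sweeper, sweep), paths and function names are assumptions.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): upload drop box plus quarantine sweep.
    # User/group names and paths are assumptions. Accounts assumed to exist:
    #   guest    untrusted uploader, primary group "untrusted" (used by nothing else)
    #   sweeper  the only member of group "sweep"; the cron job runs as this user

    # One-time setup, run as root.
    setup_dropbox() {
        drop=$1; quar=$2
        mkdir -p "$drop" "$quar"
        chown guest:sweep "$drop"
        chmod 0370 "$drop"          # d-wxrwx---: guest can create but not list/read
        chown sweeper:sweep "$quar"
        chmod 0700 "$quar"          # outsiders (and guest) have no access at all
    }

    # Cron job, run as sweeper, e.g.:  */5 * * * * /usr/local/sbin/sweep /srv/drop /srv/quar
    # Moves regular files into the quarantine area, strips any execute bits,
    # removes anything else (symlinks, fifos, directories) since it cannot be
    # inspected as data, and prints the number of files moved.
    sweep_uploads() {
        drop=$1; quar=$2
        stamp=$(date +%Y%m%d%H%M%S)
        n=0
        for f in "$drop"/* "$drop"/.[!.]* "$drop"/..?*; do
            [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
            base=${f##*/}
            if [ -L "$f" ] || ! [ -f "$f" ]; then
                echo "removed non-regular upload: $base" >&2
                rm -rf -- "$f"
                continue
            fi
            dest="$quar/$stamp.$n.$base"     # unique name, original kept for reference
            mv -- "$f" "$dest"
            chmod 0600 "$dest"               # readable by the inspector only, never executable
            n=$((n + 1))
        done
        echo "$n"
    }

    # Stand-alone demo on constructed uploads in a temp directory (no root needed;
    # setup_dropbox is the one-time root step and is not run here).
    demo=$(mktemp -d)
    mkdir "$demo/drop" "$demo/quar"
    printf 'quarterly report\n' > "$demo/drop/report.txt"
    printf '#!/bin/sh\necho hi\n' > "$demo/drop/setup.sh"
    chmod 755 "$demo/drop/setup.sh"
    ln -s /etc/passwd "$demo/drop/link"
    moved=$(sweep_uploads "$demo/drop" "$demo/quar")
    echo "moved $moved file(s) to quarantine:"
    ls -l "$demo/quar"
    rm -rf "$demo"
    ```

    The point of the two separate groups is the one post 4 makes: guest is never
    the owner of anything it can read back, and sweeper is the only account that
    can reach both directories, so a compromised upload path gives an attacker a
    write-only mailbox and nothing else.
    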

  6. Re: OT-- Low power, quiet least expensive firewall option

    Unless you work for the FBI you don't need any firewall. Firewalls are for
    sissies.

    OSbandito wrote:

    > Moe Trin wrote:
    >
    > > Very little logging is needed. That laptop I'm using is a 386SX-16
    > > and is more than adequate for a cable connection while drawing just
    > > 40 Watts (including the hard drive). There are plenty of 'firewall
    > > optimized' distributions, some small enough to _run_ from a single
    > > floppy. google is your friend. Remember that the _ONLY_ thing that
    > > should be running on the firewall is the firewall itself. No user
    > > crap - and specifically, no X. It's amazing how little resources are
    > > needed when you get rid of the eye-candy. Think about it - if it's
    > > not installed (never mind not running), it can't be exploited.
    > >
    > > Old guy

    >
    > Moe, This is a marginally related question. My only experience with
    > firewalls has been the use of a router (basic functions) and a software
    > firewall to augment. Please give me your opinion on using this simple
    > combination to protect and administer a Freenet (or similar) server.
    > Do you think this would be adequate or would I be better off learning
    > how to build a proper firewall? ~Thx
    >
    > note: will likely run Solaris


