Re: Advice on a firewall distro - Networking



Thread: Re: Advice on a firewall distro

  1. Re: Advice on a firewall distro

    David Brown wrote:
    > On Sun, 17 Dec 2006 00:11:47 -0500, Robert wrote:
    >
    >> On Sat, 16 Dec 2006 17:54:10 +0000, David Brown wrote:
    >>
    >>> In the new arrangement, I was not thinking of using the ZyWALL as a
    >>> bridge, but as a NAT router with only one machine (the new linux
    >>> firewall/router) on the LAN side. I would set the rules to initially
    >>> block all ports in either direction, and then open for specific services
    >>> in the required direction. Thus incoming packets would be blocked at the
    >>> ZyWALL unless they were intended for one of the servers (in the DMZ of the
    >>> linux firewall). Outgoing packets would be blocked unless they are on
    >>> ports that are allowed (such as http).

    >> And that is what I have been trying to tell you, you don't need the
    >> ZyWall. The linux box will handle this without a problem.
    >>

    >
    > I know a linux box could do the same thing. I am going to have a linux
    > box running my proxies, openvpn, and other such security-related services
    > (but not higher level services, such as web or email - that's a separate
    > box altogether, on the DMZ). I am also going to have to have routing
    > between the various networks on a linux box with multiple network cards.
    > I see this as being the same box - something I know you advise
    > against, and you recommend keeping the firewall/router as simple as
    > possible. But I can't see how to get the minimum functionality I need
    > (monitoring, logging, traffic shaping, and control of the configuration)
    > without having these services running on the firewall/router itself. My
    > thoughts regarding the ZyWALL are simply a question of whether it adds a
    > little extra safety between the internet and the firewall machine, and
    > whether it is worth bothering with - it will do nothing that is not
    > already handled by the firewall's iptables.
    >


    No, the ZyWALL will not add any extra security as long as the Linux
    firewall is configured correctly (if the Linux box is compromised, the
    attacker can just forward traffic through an open port on the ZyWALL to
    a closed (on the ZyWALL) port on the network). However, adding it should
    not cause any problems, just extra maintenance when you want to open
    another port (you have to open it on both the firewall and the ZyWALL).

    >>>> Here is what I would do;
    >>>>
    >>>> Choose what OS you want to use; I use Linux here. Install 3 interfaces in
    >>>> the box and set them up as follows:
    >>>>
    >>>> eth0 - Internet
    >>>> eth1 - DMZ
    >>>> eth2 - LAN
    >>>>
    >>>> Set up the firewall to do stateful packet inspection (Linux setup).
    >>>>
    >>>> eth0: DROP all new connections that are not destined for the DMZ services you have
    >>>> defined. Allow all ESTABLISHED/RELATED connections. This will allow new
    >>>> connections to your DMZ services but drop any to your LAN.
    >>>>
    >>>> eth1: DROP all new connections trying to leave the DMZ. The only packets
    >>>> that leave the DMZ are the ones that are ESTABLISHED/RELATED. That way if
    >>>> one of the boxes gets hacked they cannot infect the rest of the world or
    >>>> your LAN. Updates to that box should be pushed from the LAN. This will
    >>>> allow connections into the DMZ but will drop all new requests leaving the
    >>>> DMZ.
    >>>>
    >>>> eth2: Allow all NEW connections that are allowed by company policy. Allow
    >>>> all ESTABLISHED/RELATED connections. This will allow your users to get out
    >>>> to the Internet and the DMZ.
    >>>>
    >>>> Set your policies on the firewall box to DROP for INPUT, OUTPUT and FORWARD;
    >>>> that way nothing is coming to or going from that box. Since no one has
    >>>> access to this box, the box will not be able to be attacked.
    >>>>
    >>>> Set your FORWARD tables to allow what you want; everything else will be
    >>>> dropped.
    >>>>
    >>>> There is a lot more to this; this is just the high-level view, and this
    >>>> setup has been working fine here for some time now.
    >>>>
    >>> What you describe here is, I believe, pretty much a standard three-way
    >>> firewall. I have not configured such an arrangement myself, and would have
    >>> to check on the details before setting one up, but I understand the
    >>> principles and the way it works. It is possible that this could be part
    >>> of my solution, with the box I originally described (without the DMZ port)
    >>> attached to eth2 above.

    >> You insist on using your ZyWall and a second firewall/router when both
    >> are not needed. Be my guest. After all it is your setup.
    >>

    >
    > Ultimately, yes - it will be my setup, and my responsibility. But I'm not
    > insisting on anything at the moment - I'm just trying to understand the
    > best way to arrange things.
    >


    As far as I can see, the arrangement Robert described should work out
    perfectly for you. If you want to run specific services on the firewall
    box, then just add specific INPUT rules to allow those services in on
    certain interfaces and ports. When you say you want to run specific
    services, are these internal or external? Internal services should not
    create too much of a risk for you, while external will definitely
    increase it (but not so much that I would recommend against it). So, in
    all, the three interface firewall setup should work out fine for you.

    >>> You didn't include any mention of NAT above. Is that because you avoid
    >>> using it (and if so, how and why? I see NAT as an integral part of a
    >>> firewall solution, as well as a practical way to connect lots of machines
    >>> to the internet), or because you consider a NAT router in addition
    >>> (presumably on the eth2 side)?

    >> No, I use NAT here as well for all outgoing packets. NATing would be done
    >> on eth0 for all outgoing packets. I would think that anyone with an
    >> understanding would know this, that is why I said nothing of it.
    >>

    >
    > That's fine. I would expect a NAT setup - but I wanted to be clear. I've
    > come across the odd "NAT is evil, and a poor substitute for proper
    > firewall design" attitudes (particularly among proponents of IPv6), and
    > I'm trying not to make assumptions.
    >
    >> I'm going to stop while I am behind. You have closed your mind and I
    >> really believe you have some understanding but you are not getting the
    >> whole picture of what I am saying.
    >>

    >
    > I'm sorry if I sound closed-minded here (and even more sorry if I *am*
    > closed-minded). I don't have a wide range of experiences - I have set up
    > and run a half-dozen home networks, and I have run the company network
    > since we first plugged in a coax cable twelve years ago. But I don't do
    > this on a daily basis, and I'm bound to ask silly questions about things
    > that you assume are so obvious that they are not worth mentioning, and
    > miss out discussing things you know to be important. I'm very keen on
    > getting as much information and understanding at this stage, so that I put
    > together a secure, reliable and easily maintained setup, but that is
    > flexible enough that I'm not going to have to start again in six months
    > time when I need some other feature. That means I need to ask around for
    > ideas and advice, read up on details, think about my current setup and
    > future requirements, and form my future setup out of it all. I really
    > have learned a lot from this thread, and I greatly appreciate your time
    > and effort.
    >
    > Best regards,
    >
    > David
    >
    >
    >> If you prefer I can do some consulting for you. Just let me know.
    >>
    >>


    I understand where you are coming from; you just want to find all
    available information so you don't make a mistake now that you will
    regret later on. I think a 3 interface setup using Ubuntu server and
    iptables should work out very nicely for you. If you want, you could
    also add Webmin so you have a web interface to the firewall (as well as
    the rest of the server). I would recommend only allowing Webmin over SSH
    or from the LAN at a minimum. I would also recommend setting up SSH to
    only work using public/private key pairs as this greatly reduces the
    risk of someone brute forcing their way into your server. I am currently
    running my firewall and servers all on one Ubuntu box and have yet to
    have any problems with it. Best of luck to you!

    Michael

  2. Re: Advice on a firewall distro

    Michael Ansel wrote:
    > David Brown wrote:
    >> On Sun, 17 Dec 2006 00:11:47 -0500, Robert wrote:
    >>
    >>> On Sat, 16 Dec 2006 17:54:10 +0000, David Brown wrote:
    >>>
    >>>> In the new arrangement, I was not thinking of using the ZyWALL as a
    >>>> bridge, but as a NAT router with only one machine (the new linux
    >>>> firewall/router) on the LAN side. I would set the rules to initially
    >>>> block all ports in either direction, and then open for specific services
    >>>> in the required direction. Thus incoming packets would be blocked at the
    >>>> ZyWALL unless they were intended for one of the servers (in the DMZ of the
    >>>> linux firewall). Outgoing packets would be blocked unless they are on
    >>>> ports that are allowed (such as http).
    >>> And that is what I have been trying to tell you, you don't need the
    >>> ZyWall. The linux box will handle this without a problem.
    >>>

    >> I know a linux box could do the same thing. I am going to have a linux
    >> box running my proxies, openvpn, and other such security-related services
    >> (but not higher level services, such as web or email - that's a separate
    >> box altogether, on the DMZ). I am also going to have to have routing
    >> between the various networks on a linux box with multiple network cards.
    >> I see this as being the same box - something I know you advise
    >> against, and you recommend keeping the firewall/router as simple as
    >> possible. But I can't see how to get the minimum functionality I need
    >> (monitoring, logging, traffic shaping, and control of the configuration)
    >> without having these services running on the firewall/router itself. My
    >> thoughts regarding the ZyWALL are simply a question of whether it adds a
    >> little extra safety between the internet and the firewall machine, and
    >> whether it is worth bothering with - it will do nothing that is not
    >> already handled by the firewall's iptables.
    >>

    >
    > No, the ZyWALL will not add any extra security as long as the Linux
    > firewall is configured correctly (if the Linux box is compromised, the
    > attacker can just forward traffic through an open port on the ZyWALL to
    > a closed (on the ZyWALL) port on the network). However, adding it should
    > not cause any problems, just extra maintenance when you want to open
    > another port (you have to open it on both the firewall and the ZyWALL).
    >


    That's my conclusion too, both from Robert's advice, and from other
    information I've read since this thread. The ZyWALL might make things
    slightly harder for the attacker, since they have to use ports that are
    already open rather than their own choice of port, but it's not going to
    hinder a knowledgeable attacker. If the Linux box is insecure enough
    for the ZyWALL to make a noticeable difference, then I've messed things
    up already, and "patching" with the ZyWALL is not the answer.

    >>>>> Here is what I would do;
    >>>>>
    >>>>> Choose what OS you want to use; I use Linux here. Install 3 interfaces in
    >>>>> the box and set them up as follows:
    >>>>>
    >>>>> eth0 - Internet
    >>>>> eth1 - DMZ
    >>>>> eth2 - LAN
    >>>>>
    >>>>> Set up the firewall to do stateful packet inspection (Linux setup).
    >>>>>
    >>>>> eth0: DROP all new connections that are not destined for the DMZ services you have
    >>>>> defined. Allow all ESTABLISHED/RELATED connections. This will allow new
    >>>>> connections to your DMZ services but drop any to your LAN.
    >>>>>
    >>>>> eth1: DROP all new connections trying to leave the DMZ. The only packets
    >>>>> that leave the DMZ are the ones that are ESTABLISHED/RELATED. That way if
    >>>>> one of the boxes gets hacked they cannot infect the rest of the world or
    >>>>> your LAN. Updates to that box should be pushed from the LAN. This will
    >>>>> allow connections into the DMZ but will drop all new requests leaving the
    >>>>> DMZ.
    >>>>>
    >>>>> eth2: Allow all NEW connections that are allowed by company policy. Allow
    >>>>> all ESTABLISHED/RELATED connections. This will allow your users to get out
    >>>>> to the Internet and the DMZ.
    >>>>>
    >>>>> Set your policies on the firewall box to DROP for INPUT, OUTPUT and FORWARD;
    >>>>> that way nothing is coming to or going from that box. Since no one has
    >>>>> access to this box, the box will not be able to be attacked.
    >>>>>
    >>>>> Set your FORWARD tables to allow what you want; everything else will be
    >>>>> dropped.
    >>>>>
    >>>>> There is a lot more to this; this is just the high-level view, and this
    >>>>> setup has been working fine here for some time now.
    >>>>>
    >>>> What you describe here is, I believe, pretty much a standard three-way
    >>>> firewall. I have not configured such an arrangement myself, and would have
    >>>> to check on the details before setting one up, but I understand the
    >>>> principles and the way it works. It is possible that this could be part
    >>>> of my solution, with the box I originally described (without the DMZ port)
    >>>> attached to eth2 above.
    >>> You insist on using your ZyWall and a second firewall/router when both
    >>> are not needed. Be my guest. After all it is your setup.
    >>>

    >> Ultimately, yes - it will be my setup, and my responsibility. But I'm not
    >> insisting on anything at the moment - I'm just trying to understand the
    >> best way to arrange things.
    >>

    >
    > As far as I can see, the arrangement Robert described should work out
    > perfectly for you. If you want to run specific services on the firewall
    > box, then just add specific INPUT rules to allow those services in on
    > certain interfaces and ports. When you say you want to run specific
    > services, are these internal or external? Internal services should not
    > create too much of a risk for you, while external will definitely
    > increase it (but not so much that I would recommend against it). So, in
    > all, the three interface firewall setup should work out fine for you.
    >


    Yes, the setup described by Robert will be the basis for my firewall
    router. Obviously I'll have a few deviations - there will be the odd
    pinhole for controlled access here and there, but they will be minimal
    and for specific addresses. I'll also have three separate LAN
    Ethernets, but that's just more of the same rather than new concepts.

    The specific internal services I will be wanting to run on the box are
    DHCP for the LANs, and a caching DNS server (which will also track the
    DHCP allocations). The DNS server will not be accessible externally -
    the domain's external addresses will be handled by my ISP. I'm also
    going to want to be in contact with the machine from the (internal)
    network for configuration and maintenance purposes - ssh access, and
    possibly a web interface of some kind.

    The only service I might look at for external access to the firewall
    (rather than passed through to the DMZ) is for VPN access from a couple
    of home offices and laptops. I'm not yet sure whether the VPNs should
    connect directly to the firewall, or should go to a server in the DMZ
    and then be passed on to the firewall. Using the DMZ is perhaps safer,
    but it would also break the rule that DMZ machines cannot initiate
    connections. I also want to heavily limit the VPN access - connected
    laptops should not be virtually connected to the LAN, but should have
    slightly more access than an external internet connection. I'm
    expecting to use OpenVPN, since I have used it before and it is easy to
    route and control.


    >>>> You didn't include any mention of NAT above. Is that because you avoid
    >>>> using it (and if so, how and why? I see NAT as an integral part of a
    >>>> firewall solution, as well as a practical way to connect lots of machines
    >>>> to the internet), or because you consider a NAT router in addition
    >>>> (presumably on the eth2 side)?
    >>> No, I use NAT here as well for all outgoing packets. NATing would be done
    >>> on eth0 for all outgoing packets. I would think that anyone with an
    >>> understanding would know this, that is why I said nothing of it.
    >>>

    >> That's fine. I would expect a NAT setup - but I wanted to be clear. I've
    >> come across the odd "NAT is evil, and a poor substitute for proper
    >> firewall design" attitudes (particularly among proponents of IPv6), and
    >> I'm trying not to make assumptions.
    >>
    >>> I'm going to stop while I am behind. You have closed your mind and I
    >>> really believe you have some understanding but you are not getting the
    >>> whole picture of what I am saying.
    >>>

    >> I'm sorry if I sound closed-minded here (and even more sorry if I *am*
    >> closed-minded). I don't have a wide range of experiences - I have set up
    >> and run a half-dozen home networks, and I have run the company network
    >> since we first plugged in a coax cable twelve years ago. But I don't do
    >> this on a daily basis, and I'm bound to ask silly questions about things
    >> that you assume are so obvious that they are not worth mentioning, and
    >> miss out discussing things you know to be important. I'm very keen on
    >> getting as much information and understanding at this stage, so that I put
    >> together a secure, reliable and easily maintained setup, but that is
    >> flexible enough that I'm not going to have to start again in six months
    >> time when I need some other feature. That means I need to ask around for
    >> ideas and advice, read up on details, think about my current setup and
    >> future requirements, and form my future setup out of it all. I really
    >> have learned a lot from this thread, and I greatly appreciate your time
    >> and effort.
    >>
    >> Best regards,
    >>
    >> David
    >>
    >>
    >>> If you prefer I can do some consulting for you. Just let me know.
    >>>
    >>>

    >
    > I understand where you are coming from; you just want to find all
    > available information so you don't make a mistake now that you will
    > regret later on. I think a 3 interface setup using Ubuntu server and
    > iptables should work out very nicely for you. If you want, you could
    > also add Webmin so you have a web interface to the firewall (as well as
    > the rest of the server). I would recommend only allowing Webmin over SSH
    > or from the LAN at a minimum. I would also recommend setting up SSH to
    > only work using public/private key pairs as this greatly reduces the
    > risk of someone brute forcing their way into your server. I am currently
    > running my firewall and servers all on one Ubuntu box and have yet to
    > have any problems with it. Best of luck to you!
    >
    > Michael


    Many thanks for your advice here. I agree entirely about the ssh and
    webmin access.

    At the moment, my most likely plan is for a dedicated firewall machine
    with services running on a separate machine in the DMZ (Ubuntu server).
    I'm looking closely at pfSense, which is a FreeBSD distribution rather
    than Linux, but the principles are the same. There are some nice rack
    mounted boxes available with multiple Ethernet ports, fanless processors
    and CF Cards, letting me build everything I need for the firewall in a
    compact and reliable box (even in the server version, Ubuntu has a lot
    more than the firewall needs). The idea of using pfSense (or IPCop, or
    similar) is that these distros have the functions and software needed
    for a firewall, but very little extra.

    mvh.,

    David
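The three-interface iptables layout Robert outlines (eth0 Internet, eth1 DMZ, eth2 LAN, default DROP, only ESTABLISHED/RELATED back in, NAT on eth0), plus the LAN-only SSH/DNS/DHCP on the firewall that Michael and David discuss and a restricted OpenVPN tun0 zone for David's laptops, written out as a script. This is an added example, not anything posted in the thread; the interface names come from Robert's post, while the addresses (DMZ 192.0.2.0/24 with a web server at .10, LAN 10.0.0.0/24, VPN clients 10.8.0.0/24) and the published ports are placeholders to adjust.

```shell
#!/bin/sh
# Three-interface stateful iptables firewall after Robert's outline:
# eth0 = Internet, eth1 = DMZ, eth2 = LAN, tun0 = OpenVPN clients.
# Added example, not from the thread. Addresses are assumed placeholders:
# DMZ 192.0.2.0/24 (web server .10), LAN 10.0.0.0/24, VPN 10.8.0.0/24.
# With no argument the script only prints the rules; "apply" installs them.

WAN=eth0; DMZ=eth1; LAN=eth2; VPN=tun0
DMZ_NET=192.0.2.0/24; LAN_NET=10.0.0.0/24; VPN_NET=10.8.0.0/24
WEB_SRV=192.0.2.10
IPT="${IPT:-echo iptables}"        # dry run unless set to a real iptables

build_rules() {
    # Flush, then default-DROP on INPUT, OUTPUT and FORWARD.
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # Loopback and stateful replies on every chain; junk state is dropped.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A $chain -m state --state INVALID -j DROP
    done

    # INPUT: services on the firewall itself. SSH and DNS from the LAN only
    # (key-only SSH is set in sshd_config, not here); DHCP from the LAN
    # segment; OpenVPN is the one externally reachable service.
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT
    # OUTPUT: the firewall may only answer DHCP, resolve DNS and fetch updates.
    $IPT -A OUTPUT -o $LAN -p udp --sport 67 --dport 68 -j ACCEPT
    $IPT -A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o $WAN -p tcp -m multiport --dports 53,80,443 -j ACCEPT

    # eth1 (DMZ): no NEW connection may leave. Log before dropping so a
    # compromised DMZ host calling out shows up in the logs.
    $IPT -A FORWARD -i $DMZ -m state --state NEW -j LOG --log-prefix "DMZ-OUT-DROP: "
    $IPT -A FORWARD -i $DMZ -m state --state NEW -j DROP

    # eth0 (Internet): NEW connections only to the published DMZ service.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # eth2 (LAN): out to the Internet on policy-allowed ports, and into the
    # DMZ without restriction (updates are pushed from the LAN).
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $WAN -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -s $LAN_NET -o $DMZ -m state --state NEW -j ACCEPT

    # tun0 (VPN): a little more than an Internet client (web plus SSH on the
    # DMZ server), but nothing on the LAN.
    $IPT -A FORWARD -i $VPN -s $VPN_NET -o $DMZ -d $WEB_SRV -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT

    # NAT the LAN behind the firewall's public address on eth0.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    IPT=iptables
    sysctl -w net.ipv4.ip_forward=1
fi
build_rules
```

Run it without arguments first and read the printed rules; the order matters, since the DMZ NEW-drop sits before every ACCEPT so no later rule can let a DMZ host initiate anything.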


