best distro for security - Security


Page 2 of 3 (results 21 to 40 of 58)

Thread: best distro for security

  1. Re: best distro for security

    Hi,

    I still have some doubts on distros such as IPCop, Smoothwall, Bastille,
    Endian and the like. I mean, they seem to be really small, maybe 40MB,
    while major distros are one or a few CDs. As long as I'd like to change
    the OS of the WinXP machine physically connected to the internet cable
    and that shares this connection with other PCs in a LAN, but without
    installing an OS that has only firewall capabilities, I'd like to get
    the Linux/BSD secure features, while being able to work with other
    programs on that PC too. Could it be a better solution to get a
    "general distro" (which already has more secure features than Windows
    by itself...) and then add a more powerful firewall software (not
    another distro, just a program) if needed?
    I'd like to make some comparison before deciding what to keep, so on
    the BSD side I'm now downloading FreeBSD, while on the Linux side I've
    not yet decided (maybe Debian, Ubuntu, Gentoo...). Suggestions?

    Thanks for helping,
    Marco




    Jesper H. wrote:
    > On 2006-08-08, Ertugrul Soeylemez wrote:
    > > Now you just need to enable IP forwarding. Many distributions provide
    > > simple facilities to do this, but at the low level, you would issue
    > > the following command:
    > >
    > > # echo 1 > /proc/sys/net/ipv4/ip_forward
    > >
    > > However, if your distribution provides such facilities, you should use
    > > them, as otherwise you had to issue that command after each reboot.

    >
    > Wouldn't it be better/cleaner to configure it in /etc/sysctl.conf?
    >
    > --
    > |\_/| ,(Meow) Jesper H.
    > (^.^)
    > `^' Sanity is an illusion



  2. Re: best distro for security

    I was thinking I could try with some live distro; booting from a CD I
    don't even need to format my PC for testing whether I'm able to have Linux
    as an internet filter.
    Comments and suggestions are, as always, welcome.

    Marco



    Marco wrote:
    > Hi,
    >
    > I still have some doubts on distros such as IPCop, Smoothwall, Bastille,
    > Endian and the like. I mean, they seem to be really small, maybe 40MB,
    > while major distros are one or a few CDs. As long as I'd like to change
    > the OS of the WinXP machine physically connected to the internet cable
    > and that shares this connection with other PCs in a LAN, but without
    > installing an OS that has only firewall capabilities, I'd like to get
    > the Linux/BSD secure features, while being able to work with other
    > programs on that PC too. Could it be a better solution to get a
    > "general distro" (which already has more secure features than Windows
    > by itself...) and then add a more powerful firewall software (not
    > another distro, just a program) if needed?
    > I'd like to make some comparison before deciding what to keep, so on
    > the BSD side I'm now downloading FreeBSD, while on the Linux side I've
    > not yet decided (maybe Debian, Ubuntu, Gentoo...). Suggestions?
    >
    > Thanks for helping,
    > Marco
    >
    >
    >
    >
    > Jesper H. wrote:
    > > On 2006-08-08, Ertugrul Soeylemez wrote:
    > > > Now you just need to enable IP forwarding. Many distributions provide
    > > > simple facilities to do this, but at the low level, you would issue
    > > > the following command:
    > > >
    > > > # echo 1 > /proc/sys/net/ipv4/ip_forward
    > > >
    > > > However, if your distribution provides such facilities, you should use
    > > > them, as otherwise you had to issue that command after each reboot.

    > >
    > > Wouldn't it be better/cleaner to configure it in /etc/sysctl.conf?
    > >
    > > --
    > > |\_/| ,(Meow) Jesper H.
    > > (^.^)
    > > `^' Sanity is an illusion



  3. Re: best distro for security

    Marco wrote:

    > I was thinking I could try with some live distro; booting from a CD I
    > don't even need to format my PC for testing whether I'm able to have Linux as
    > an internet filter.


    This could be the best way for you to get experience, and could probably
    be reasonably secure as well. When you get your configurations set as
    needed, save them to floppy or HD so they will be loaded next time you
    boot the CD.

    Several things to consider:

    A true "firewall only" should probably best be just that, with only
    firewall and whatever other minimum software access needed to maintain it.
    On the hopefully slim possibility that unauthorized access is gained to
    that machine, any other software available presents potential
    vulnerabilities.

    The infamous "arbitrary code" of an attacker needs to live somewhere
    accessible to that machine, including memory, but also on writable media
    like floppies left in the drive or on the HD. For a "permanent" firewall
    machine it would be best to write your own CD with just the software and
    configurations needed, remove any floppies (memory sticks, etc.) and
    physically disconnect any HD or other writable drives. Also, there is
    (always?) a writable file system (at least in Knoppix) in ramdisk.
    (Knoppix is based on Debian.)

    For short-term testing purposes, your plan probably does not have any
    major security exposures. Make sure to keep updated software. Keep
    updated on security advisories for whatever software is running.

  4. Re: best distro for security


    responder wrote:
    > Marco wrote:
    >
    > > I was thinking I could try with some live distro; booting from a CD I
    > > don't even need to format my PC for testing whether I'm able to have Linux as
    > > an internet filter.

    >
    > This could be the best way for you to get experience, and could probably
    > be reasonably secure as well. When you get your configurations set as
    > needed, save them to floppy or HD so they will be loaded next time you
    > boot the CD.
    >
    > Several things to consider:
    >
    > A true "firewall only" should probably best be just that, with only
    > firewall and whatever other minimum software access needed to maintain it.
    > On the hopefully slim possibility that unauthorized access is gained to
    > that machine, any other software available presents potential
    > vulnerabilities.
    >
    > The infamous "arbitrary code" of an attacker needs to live somewhere
    > accessible to that machine, including memory, but also on writable media
    > like floppies left in the drive or on the HD. For a "permanent" firewall
    > machine it would be best to write your own CD with just the software and
    > configurations needed, remove any floppies (memory sticks, etc.) and
    > physically disconnect any HD or other writable drives. Also, there is
    > (always?) a writable file system (at least in Knoppix) in ramdisk.
    > (Knoppix is based on Debian.)
    >


    This theory provides no data retention at all. If you were to receive a
    DOS scenario or were to be affected by an unintentional problem such as
    power supply failure etc.... you would not retain any data whatsoever.
    Non-volatile resources are constructed as such for particular purposes
    and may be used as such.

    You would simply know that your firewall went down. Great in theory but
    application of this theory is rather troublesome. Volatility can be a
    real problem on a keystone device such as a firewall.

    > For short-term testing purposes, your plan probably does not have any
    > major security exposures. Make sure to keep updated software. Keep
    > updated on security advisories for whatever software is running.



  5. Re: best distro for security

    Secure Buddha wrote:

    responder wrote:


    >> Several things to consider:
    >>

    [...]
    >> The infamous "arbitrary code" of an attacker needs to live somewhere
    >> accessible to that machine, including memory, but also on writable
    >> media like floppies left in the drive or on the HD. For a "permanent"
    >> firewall machine it would be best to write your own CD with just the
    >> software and configurations needed, remove any floppies (memory sticks,
    >> etc.) and physically disconnect any HD or other writable drives. Also,
    >> there is (always?) a writable file system (at least in Knoppix) in
    >> ramdisk. (Knoppix is based on Debian.)
    >>
    >>

    > This theory provides no data retention at all. If you were to receive a
    > DOS scenario or were to be affected by an unintentional problem such as
    > power supply failure etc.... you would not retain any data whatsoever.
    > Non-volatile resources are constructed as such for particular purposes
    > and may be used as such.
    >
    > You would simply know that your firewall went down. Great in theory but
    > application of this theory is rather troublesome. Volatility can be a
    > real problem on a keystone device such as a firewall.


    Leaving a HD (etc) connected is not uncommon. ... Good point. Didn't
    intend to sound didactic. It was just one of several considerations for
    OP. I was really thinking more in terms of network logging.

    There is no reason log data and any other that should be preserved cannot
    be sent to other machine(s) with non-volatile retention. As a firewall,
    it is connected to an outside network and an inside network and all
    options are available. If the connection to either goes down, the other
    might still be up and receiving log data. If the local machine loses
    local power, local logs won't tell you any more than network logs. Seems
    robust enough to me. It's just part of a viewpoint that the less unneeded
    local capability available on an exposed machine, the better. One size
    does not necessarily fit all.

    Your (implied?) approach, local writable on-line non-volatile (HD?)
    storage might be more robust. And it is a simpler solution.

  6. Re: best distro for security

    Unruh (06-08-08 22:54:12):

    > > You would use something like rp-pppoe (in case of PPPoE) or lone
    > > pppd

    >
    > No. That depends entirely on the modem you have and your ISP. For
    > example here in canada the modems operate in bridged mode. No pppoe,
    > no pppoa. And some modems already have pppoe negotiation built into
    > the modem.
    >
    > These are all issues you need to take up with your ISP.


    "(in case of PPPoE)".


    > > ..., but at the low level, you would issue the following command:
    > >
    > > # echo 1 > /proc/sys/net/ipv4/ip_forward
    > >
    > > However, if your distribution provides such facilities, you should
    > > use them, as otherwise you had to issue that command after each
    > > reboot.

    >
    > Well no, you can always put it into a script which is what the distros do.


    That's what I mean by using the dist's facilities.


    Regards,
    E.S.

  7. Re: best distro for security

    Matthias Kirchhart (06-08-08 22:23:57):

    > > When it comes to NAT or NPT, then things get a bit more complicated.
    > > The easiest way is to use a user interface for that, which most
    > > distributions provide. Then it's as simple as entering the port
    > > ranges and destination addresses. If you don't have them, then you
    > > again have to do it at the low level. See the iptables man-page to
    > > learn more, or visit the Netfilter homepage [1].

    >
    > Well I have done that once with a box. You first have to enable the
    > forwarding thing. The command to enable NAT is quite simple:
    >
    > iptables -t nat -A POSTROUTING
    > -o ppp0
    > -j MASQUERADE
    >
    > Where ppp0 is the interface which is connected to the internet. This
    > command masquerades everything that is routed through the ppp0
    > interface. I would also block all incoming connection requests that
    > come from ppp0:
    >
    > iptables -A INPUT -m state --state NEW
    > -i ppp0
    > -j DROP
    >
    > I know that this is nothing really secure, but for small people like
    > me it is enough


    Well, yes. That's for the simplest cases, but it already fails, when
    you've got two hosts behind the firewall.


    Regards,
    E.S.

  8. Re: best distro for security

    "Jesper H." (06-08-08 22:12:29):

    > > # echo 1 > /proc/sys/net/ipv4/ip_forward
    > >
    > > However, if your distribution provides such facilities, you should
    > > use them, as otherwise you had to issue that command after each
    > > reboot.

    >
    > Wouldn't it be better/cleaner to configure it in /etc/sysctl.conf?


    Well, that _is_ actually a facility provided by your distribution.


    Regards,
    E.S.
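
Jesper's /etc/sysctl.conf suggestion, worked out as an added example (this is
not code from the thread): the echo into /proc sets the value only until the
next reboot, while the same key in the distribution's sysctl file is what its
boot scripts re-apply with "sysctl -p". The script edits such a file without
accumulating duplicate lines and reads back the live value; the file paths are
the usual Linux ones and are assumptions for any particular distro.

```shell
#!/bin/sh
# Added example, not code from the thread: make IPv4 forwarding persistent through
# the distribution's sysctl facility instead of re-running the echo after every boot.
# Assumed paths (standard on Linux, but check your distro): /etc/sysctl.conf is
# applied at boot by "sysctl -p"; the live value lives in /proc/sys/net/ipv4/ip_forward.
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
PROC_FORWARD="${PROC_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
KEY='net.ipv4.ip_forward'
KEY_RE='net\.ipv4\.ip_forward'   # same key with the dots escaped for grep -E

# Current runtime value ("0" or "1") read from the given /proc file.
ip_forward_state() {
    tr -d '[:space:]' < "$1"
}

# Rewrite the given sysctl file so it sets the key to 1 exactly once.
# Any earlier line for the key, commented out or set to 0, is dropped first,
# so running this twice does not accumulate duplicates.
set_forward_in_conf() {
    conf="$1"
    tmp="$conf.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    grep -v -E "^[[:space:]]*#?[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf" > "$tmp" || true
    echo "${KEY} = 1" >> "$tmp"
    mv "$tmp" "$conf"
}

# How many active lines in the file set the key to 1; exactly 1 is the correct state.
forward_lines_in_conf() {
    grep -c -E "^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || true
}

# Apply the file now (needs root). Same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward"
# or "sysctl -w net.ipv4.ip_forward=1", but it also survives reboots because the
# distribution's boot scripts run "sysctl -p" against the same file.
apply_now() {
    sysctl -p "$SYSCTL_CONF" > /dev/null
    echo "ip_forward is now $(ip_forward_state "$PROC_FORWARD")"
}

if [ "${1:-}" = "apply" ]; then
    set_forward_in_conf "$SYSCTL_CONF"
    apply_now
fi
```

Run as "sh forward.sh apply" as root. Afterwards the value in
/proc/sys/net/ipv4/ip_forward reads 1 and, because the setting is in the file
the boot scripts already process, nothing has to be echoed again after a reboot.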

  9. Re: best distro for security

    John Thompson (06-08-09 03:05:41):

    > The advantage *BSD has, especially for special-purpose applications,
    > is that the operating system and its applications are developed as a
    > unit, while in linux the kernel is developed separately from the
    > applications. When you update a *BSD system, you don't just update
    > the kernel, you update all the programs that come with it as well. The
    > downside is that updates are fewer and further between than with
    > linux, but the upside is that they are all developed and tested
    > together before they are released.


    That's true, as far as the user perspective goes. But from an internal
    perspective, each package has an own, independent development tree, just
    as the Unix philosophy: Each program has one simple task, which it
    has to perform as perfectly as possible. In Linux, the development of
    the operating system (excluding the kernel) is a totally independent
    process, while in BSD they share mailing lists and bug trackers.


    Regards,
    E.S.

  10. Re: best distro for security

    "Marco" (06-08-10 04:48:55):

    > I was thinking I could try with some live distro; booting from a CD I
    > don't even need to format my PC for testing whether I'm able to have Linux
    > as an internet filter.
    > Comments and suggestions are, as always, welcome.
    >
    > > I still have some doubts on distros such as IPCop, Smoothwall, Bastille,
    > > Endian and the like. I mean, they seem to be really small, maybe
    > > 40MB, while major distros are one or a few CDs. As long as I'd like to
    > > change the OS of the WinXP machine physically connected to the
    > > internet cable and that shares this connection with other PCs in a
    > > LAN, but without installing an OS that has only firewall
    > > capabilities, I'd like to get the Linux/BSD secure features, while
    > > being able to work with other programs on that PC too. Could it be a
    > > better solution to get a "general distro" (which already has
    > > more secure features than Windows by itself...) and then add a more
    > > powerful firewall software (not another distro, just a program) if
    > > needed?
    > > I'd like to make some comparison before deciding what to keep, so on
    > > the BSD side I'm now downloading FreeBSD, while on the Linux side
    > > I've not yet decided (maybe Debian, Ubuntu, Gentoo...). Suggestions?


    A general purpose distribution is not necessarily less secure than
    special purpose distributions, and it may even be more secure (as
    mostly, a lot more people work on it, updates are provided faster,
    etc.).

    The sole installation of a package does not decrease security yet for
    not-already-compromised systems, as far as single-user machines are
    concerned (multi-user systems, of course, tell another story). You have
    to actually _use_ them, too.


    Regards,
    E.S.

  11. Re: best distro for security

    Ertugrul Soeylemez wrote:
    [...]
    > Well, yes. That's for the simplest cases, but it already fails, when
    > you've got two hosts behind the firewall.
    >
    >
    > Regards,
    > E.S.


    Really? That really surprises me. Why is that? I haven't had any problems
    with it yet even though there were more clients. Well I haven't tried to
    access the internet from two different hosts at the same time, but every
    host could separately access the internet. Thanks for the note...

  12. Re: best distro for security

    Matthias Kirchhart (06-08-14 22:43:46):

    > > Well, yes. That's for the simplest cases, but it already fails,
    > > when you've got two hosts behind the firewall.

    >
    > Really? That really surprises me. Why is that? I haven't had any
    > problems with it yet even though there were more clients. Well I
    > haven't tried to access the internet from two different hosts at the
    > same time, but every host could separately access the internet. Thanks
    > for the note...


    I think I was inaccurate, but I'm sure you understood what I mean.
    I'm actually talking about multiple hosts getting accessed from the
    internet simultaneously. You would have to decide which host gets
    privilege over the other. I'd rather forward different port-ranges to
    either client, or better yet, do this dynamically (e.g. via connection
    tracking). That's not only easier -- it's more secure.


    Regards,
    E.S.
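
The two iptables rules Matthias quoted, plus the connection tracking and the
per-host port ranges E.S. recommends, written out as an added example in
iptables-restore format (this is not Matthias's or E.S.'s code). ppp0 as the
Internet interface comes from the thread; eth1, 192.168.1.0/24 and the
host/port-range arguments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful NAT firewall in
# iptables-restore format. It keeps the MASQUERADE rule and the "no NEW
# connections from ppp0" idea from above, adds connection tracking so replies
# are allowed, and forwards a distinct TCP port range to each internal host.
# Assumptions: ppp0 faces the Internet (as in the thread); eth1 and
# 192.168.1.0/24 are a made-up LAN; host/port-range arguments are examples.
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the full ruleset on stdout. Each argument is HOST:FIRST-LAST, one per
# internal host that must be reachable from outside on its own TCP port range.
make_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for spec in "$@"; do
        host="${spec%%:*}"; range="${spec#*:}"
        # iptables writes a port range as FIRST:LAST; DNAT keeps the destination port
        echo "-A PREROUTING -i $WAN -p tcp --dport ${range%-*}:${range#*-} -j DNAT --to-destination $host"
    done
    echo "-A POSTROUTING -o $WAN -j MASQUERADE"
    echo "COMMIT"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections the box or the LAN opened are matched by state, so no
    # explicit rule for NEW packets from $WAN is needed: the DROP policy handles them.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $LAN -s $LAN_NET -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    for spec in "$@"; do
        host="${spec%%:*}"; range="${spec#*:}"
        # Only the forwarded range may open NEW connections inbound, and only to its host.
        echo "-A FORWARD -i $WAN -o $LAN -d $host -p tcp --dport ${range%-*}:${range#*-} -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Parse the ruleset without loading it (iptables-restore --test), or load it.
check_ruleset() { make_ruleset "$@" | iptables-restore --test; }
apply_ruleset() { make_ruleset "$@" | iptables-restore; }

cmd="${1:-print}"
[ $# -gt 0 ] && shift
case "$cmd" in
    apply) apply_ruleset "$@" ;;
    check) check_ruleset "$@" ;;
    print) make_ruleset "$@" ;;
esac
```

Example use, as root: "sh fw.sh check 192.168.1.10:5000-5099 192.168.1.11:5100-5199"
parses the ruleset only; "sh fw.sh apply ..." loads it atomically. Without
arguments no port is forwarded, which is the plain masquerading case from the
thread, and the default DROP policies on INPUT and FORWARD are what keep
unsolicited connections from ppp0 out.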

  13. Re: best distro for security

    Ertugrul Soeylemez wrote:
    ....
    > I think I was inaccurate, but I'm sure you understood what I mean.
    > I'm actually talking about multiple hosts getting accessed from the
    > internet simultaneously. You would have to decide which host gets
    > privilege over the other. I'd rather forward different port-ranges to
    > either client, or better yet, do this dynamically (e.g. via connection
    > tracking). That's not only easier -- it's more secure.
    >
    >
    > Regards,
    > E.S.


    Ah, now I see what you mean. Haven't thought of that yet.

    Thanks!

  14. Re: best distro for security

    Thank you all for these interesting suggestions.

    Marco





    softwarecommie@gmail.com wrote:

    > mikrotik.com has some really awesome looking embedded linux-based
    > RouterOS appliances. I have never used them, but What I have heard
    > sounds awesome. Can't wait to get my hands on one.
    >
    > If you want to make your own, I highly recommend OpenBSD. A while ago I
    > made a stateless firewall with an ancient PC using OpenBSD that worked
    > beautifully.
    >
    > Marco wrote:
    > > Hi,
    > >
    > > I'd like to place a Linux-based pc to handle my internet connection,
    > > getting it from the ADSL line and sourcing it to the PCs on a
    > > Windows-based net. It has to be placed as a "filter" in between the
    > > internet and the Win computers. Which distro would you suggest me? Any
    > > comments, tips, tricks on the way I should do that?
    > >
    > > Thanks so much for your help,
    > > Marco



  15. Re: best distro for security

    In comp.os.linux.security Ertugrul Soeylemez :
    > "Marco" (06-08-07 23:42:43):


    >> 1) I'm not that familiar with linux, I mean, I have made some C
    >> programming under it (2.4 kernel in an embedded system) and I played
    >> around with Mandrake, but not that much, so I can be considered a
    >> newbie. Starting from this point, is OpenBSD more difficult to work
    >> with? I'm not worried to learn, but I'd like to ask before.


    > From the user perspective, BSDs are very similar to Linux. I haven't
    > used any, though, so I can't tell you much about them. As I said


    So how would you know? Of course it is similar to Linux as it is
    just another unix.

    Wouldn't suggest *BSD for the OP, it is more likely to find a
    good howto for a small firewall using Linux or one could just use
    one of the dozens of small special "distro" which might target
    the OPs needs.

    However, if people inside the LAN insist on using Outlook + IE,
    a *nix firewall won't add that much security.

    [..]

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 349: Stray Alpha Particles from memory packaging
    caused Hard Memory Error on Server.

  16. Re: best distro for security

    Michael Heiming wrote:

    > In comp.os.linux.security Ertugrul Soeylemez :


    >> From the user perspective, BSDs are very similar to Linux. I haven't
    >> used any, though, so I can't tell you much about them. As I said

    >
    > So how would you know? Of course it is similar to Linux as it is
    > just another unix.
    >
    > Wouldn't suggest *BSD for the OP, it is more likely to find a
    > good howto for a small firewall using Linux or one could just use
    > one of the dozens of small special "distro" which might target
    > the OPs needs.
    >
    > However, if people inside the LAN insist on using Outlook + IE,
    > a *nix firewall won't add that much security.
    >
    > [..]
    >


    E.S. is able to speak for himself. I observe though, that I have heard
    the statement that BSD's are better (security wise) more than once. Of
    course OpenBSD has a well deserved reputation for security based on
    intensive code auditing - they are proactive in looking for (and
    fixing) problem code.

    Paul Sheer, who wrote the excellent Rute User Guide said in that
    document that "using FreeBSD improves your security immediately"
    (paraphrase).

    I am also aware that some people make the point that FreeBSD releases
    are "considered in total", i.e. all the improvements to userspace programs
    as well as the kernel are done all at once. Linux has more of a moving
    target approach, so you can jump on at any point in the continuous
    improvement (?) process. Maybe this is taken to mean that at least
    security is a focus at one particular point in time for the BSD's, but
    not so Linux? Dunno.

    After having gone through several linux distributions and tried both
    FreeBSD and OpenBSD I have settled on Arch Linux as my permanent home.
    It has a good package manager, frequent updates, clean design and runs
    very quickly. I like. As far as security goes, I just try to keep the
    network "listeners" to a minimum which in my case means zero. That
    leaves me with worrying about the programs I use to access the
    internet, and especially, not being stupid about clicking on links
    provided in emails etc.

    If I had to run a web server I am sure I would start with OpenBSD and
    work from there - those guys are really engaged in producing a good
    product. I think their record on security issues speaks for itself.
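
An added check for John's point about keeping network "listeners" to a minimum
(example code, not John's): a filter that reads the output of "ss -tuln" or
"netstat -tuln" and prints only the sockets bound to a non-loopback address,
i.e. the ones other hosts can reach. Both sample outputs embedded in it are
constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread: list the network listeners that are
# actually reachable from the network, the number John wants to keep at zero.
# Usage on a live system (tools assumed present): ss -tuln | sh listeners.sh stdin
#                                             or: netstat -tuln | sh listeners.sh stdin

# Read ss/netstat output on stdin; print "proto local-address" for every
# listening socket that is not bound to a loopback address.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
        # ss:      Netid State Recv-Q Send-Q Local:Port Peer:Port  -> state $2, address $5
        # netstat: Proto Recv-Q Send-Q Local Foreign [State]       -> address $4, state $6
        if ($2 ~ /^[A-Z]/) { state = $2; addr = $5 } else { state = $6; addr = $4 }
        # TCP counts only while listening; an unconnected UDP socket is always a listener
        if ($1 ~ /^tcp/ && state != "LISTEN") next
        # loopback bindings (127.x, ::1, localhost) are unreachable from other hosts
        if (addr ~ /^(127\.|\[?::1]?:|localhost:)/) next
        print $1, addr
    }'
}

# Number of exposed listeners; 0 is the goal described in the thread.
exposed_count() { exposed_listeners | wc -l | tr -d ' '; }

# Constructed sample output (not from a real machine) in both formats.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   ESTAB  0      0      192.168.1.5:41234   192.168.1.1:22
tcp   LISTEN 0      128    [::]:22             [::]:*'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.5:41234       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# "stdin" filters real tool output; anything else demonstrates on the sample.
if [ "${1:-}" = "stdin" ]; then
    exposed_listeners
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the constructed ss sample this prints the SSH listener on 0.0.0.0 and [::]
and the DHCP client socket on UDP 68, and omits the CUPS and chrony sockets
bound to 127.0.0.1; each line it prints is a service worth either removing,
binding to loopback, or covering by a firewall rule.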

  17. Re: best distro for security

    On 2006-08-23, Michael Heiming wrote:

    > Wouldn't suggest *BSD for the OP, it is more likely to find a
    > good howto for a small firewall using Linux or one could just use
    > one of the dozens of small special "distro" which might target
    > the OPs needs.


    Really? Took me about 2 seconds to find this on google:

    http://www.alti.at/knowhow/obsdlivecd/fw.php

    :-)

    --

    John (john@os2.dhs.org)

  18. Re: best distro for security

    On 2006-08-23, John wrote:

    > If I had to run a web server I am sure I would start with OpenBSD and
    > work from there - those guys are really engaged in producing a good
    > product. I think their record on security issues speaks for itself.


    I agree. I use Slack for my desktop, but if I ran a net server, I'd
    run OpenBSD. I have an OpenBSD box for learning unix. It's a good
    distro. It's also the OS of choice and recommended by a security
    professional I know.

    nb

  19. Re: best distro for security

    In comp.os.linux.security notbob :
    > On 2006-08-23, John wrote:


    >> If I had to run a web server I am sure I would start with OpenBSD and
    >> work from there - those guys are really engaged in producing a good
    >> product. I think their record on security issues speaks for itself.


    > I agree. I use Slack for my desktop, but if I ran a net server, I'd
    > run OpenBSD. I have an OpenBSD box for learning unix. It's a good
    > distro. It's also the OS of choice and recommended by a security
    > professional I know.


    I fail to see the difference security wise if I run a web server,
    the usual LAMP setup on Linux or on *BSD, it is exactly the same
    software you are running.

    On the other hand soft- and hardware support is available 24/7
    for Linux from all major vendors, not that I'd be aware of it
    for *BSD?

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 451: astropneumatic oscillations in the
    water-cooling

  20. Re: best distro for security

    On 2006-08-24, Michael Heiming wrote:

    > I fail to see the difference security wise if I run a web server,
    > the usual LAMP setup on Linux or on *BSD.....


    Me too. But, I'm not a highly paid security professional. That's why
    I take the advice of a person who is.

    nb
