On Thu, Feb 13, 2003 at 11:59:11AM +0700, Budi Febrianto wrote:
> Management is urgently pushing me to implement a firewall in our system.
> Yes... we do not have a firewall.

We all urgently push you to implement a firewall...any firewall... (SmileyifIdidsmileyswhichIdon't).

> I'm playing around with RHL 8 to set up a firewall with iptables.
> With Pentium II 300, 64 MB, 4 GB SCSI HD, 2 NICs 100 Mbps. I think it's
> enough.

Nope--more memory required. At least 128.

> I configured the firewall based on Rusty's IPTABLES How-To.
> Well, it works and I think it's secure enough.

Hmm...you may want to use one of the "auto-generators" just to compare their results to your own, not to replace. An easy way to see how others do it.

> But now, there are many vendors coming with pre-built firewalls that I only
> have to configure in 15 minutes (that's what they say), and it works.

True--for a small office, the SoHo is probably fine. Get beyond that, and the bucks start to really add up. (It isn't cheap, exactly, for the SoHo, either.)

> What is the difference if I use RHL 8 as a firewall, rather than using a
> pre-built firewall? They say that the pre-built firewall comes with a
> hardened operating system; I think Linux already did.

Linux has proven to be quite robust; however, you probably want to look at the Bastille "Hardening System" (www.bastille-linux.org).

Probably the greatest problem you can point to with Linux is that it's a multi-purpose OS as delivered. You don't WANT a firewall to do a lot of things--the more programs running, especially network-aware, the greater your exposure to potential incursions, either from bugs in the various programs, or (more often) through inadvertent misconfiguration. Thus, it behooves you to strip it down. Or you can use other people's efforts to do so--for instance, Charles Steinkuehler's LEAF/LRP (leaf.sourceforge.net/devel/cstein).

SOME GENERAL OBSERVATIONS
=========================

Commercial Firewalls
--------------------
Commercial full-bore firewalls are expensive, usually prohibitively so. They're often complex to configure, and it's arguable whether they really provide more protection than a properly configured Linux-based firewall. And they're complex software systems in their own right; you have to trust them to have done rigorous QA testing, and to find and fix bugs in a timely manner.

Firewall Appliances
-------------------
A firewall appliance, such as a SoHo router/firewall, is just that--plug it in and it runs with a default set of rules. They have no disk, no media--everything is in firmware. An upside to a commercial firewall appliance is simplicity--you typically can set it up in 10-15 minutes, and updates are firmware upgrades from the vendor.

Downsides? You don't know how it works, or how well. You have to pay, often per-seat. Also, many of these vendors are offering something they're calling a "DMZ Port". Don't bother; this isn't a real DMZ, it's a marketing ploy to make you think you've got one. It's just a port with no rule sets protecting it; unlike a real DMZ between two firewalls, this still has a single point of failure (the appliance itself).

Linux-based Firewall
--------------------
You already know something about this. It's very inexpensive to get started, and can provide a quite robust firewall system. Downsides are those shared with full commercial firewalls, in that it's more complex to configure, and is a complex software system. You need to strip it down yourself to make it tight and small (or you can use one of the systems already so configured). The underlying OS needs to be maintained--RedHat is obsoleting systems after a period of time, so you'll have to plan upgrades.

GENERAL FIREWALL STRATEGY
=========================
The best approach is an old one--have both a bastion and a curtain firewall, and make them different kinds of firewall so the same attack can't get through both. Set up something like a SoHo as your external firewall, and a Linux-based firewall as the internal firewall. Now you have a REAL DMZ to put 'Net-visible servers such as Web and Mail in, and you can instrument the external firewall to squeal for help to the internal whenever it's under attack (however, if you're really using an appliance for the external, the best you can do is probably just forward the log. Maybe put the Linux box out there for more detailed reporting, if that's important.)

You should also take a run through www.linux-firewall-tools.com/linux/.

Security requires study; have fun!

-- 
Dave Ihnat
[EMAIL PROTECTED]

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
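The two-firewall layout described in the reply above (a SoHo appliance as the outer bastion, a stripped-down Linux iptables box as the inner curtain, with the DMZ segment holding the Web and Mail servers between them), written out as an iptables rule set for the inner Linux box. This is an added example, not code from the original post or thread. It assumes the Linux box has eth0 on the DMZ segment and eth1 on the office LAN, and every address range, host address and interface name below is a constructed placeholder; the one inbound exception it carves out on the outer side is the appliance's forwarded log (syslog over UDP 514), which is the "forward the log" idea from the reply. The script prints the rules for review by default and only executes them when FW_APPLY=1 is set (which requires root and iptables).

```shell
#!/bin/sh
# Added example: inner "curtain" firewall for the bastion/curtain design.
# All names and addresses are assumptions made for this example.
OUTER_IF="${OUTER_IF:-eth0}"                 # toward the DMZ segment and the external appliance
LAN_IF="${LAN_IF:-eth1}"                     # toward the office LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # constructed LAN range
DMZ_NET="${DMZ_NET:-192.168.100.0/24}"       # constructed DMZ range (between the two firewalls)
BASTION_IP="${BASTION_IP:-192.168.100.1}"    # the external appliance, which forwards its log to us
DMZ_WEB="${DMZ_WEB:-192.168.100.10}"         # Web server living in the DMZ
DMZ_MAIL="${DMZ_MAIL:-192.168.100.11}"       # Mail server living in the DMZ

# rule: print one iptables command for review, or run it when FW_APPLY=1.
# The printed form drops shell quoting (e.g. around --log-prefix); it is for reading, not re-running.
rule() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

fw_rules() {
    # Clean slate and default-deny: the box does one job, and anything not
    # explicitly allowed below is dropped.
    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # Loopback, stateful return traffic, and nothing with a broken state.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP
    rule -A FORWARD -m state --state INVALID -j DROP

    # Anti-spoofing: a packet claiming a LAN source can never arrive on the outer side.
    rule -A INPUT -i "$OUTER_IF" -s "$LAN_NET" -j DROP
    rule -A FORWARD -i "$OUTER_IF" -s "$LAN_NET" -j DROP

    # Management of the firewall itself only from the LAN, over ssh.
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # The only thing accepted from the outer side: the appliance's forwarded syslog.
    rule -A INPUT -i "$OUTER_IF" -s "$BASTION_IP" -p udp --dport 514 -j ACCEPT

    # LAN users may reach the DMZ servers on their service ports only...
    rule -A FORWARD -i "$LAN_IF" -o "$OUTER_IF" -s "$LAN_NET" -d "$DMZ_WEB" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$OUTER_IF" -s "$LAN_NET" -d "$DMZ_MAIL" -p tcp -m multiport --dports 25,110,143 -m state --state NEW -j ACCEPT
    # ...and the Internet beyond the bastion, but not the rest of the DMZ segment.
    rule -A FORWARD -i "$LAN_IF" -o "$OUTER_IF" -s "$LAN_NET" -d "$DMZ_NET" -j DROP
    rule -A FORWARD -i "$LAN_IF" -o "$OUTER_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # A compromised DMZ host gets no new connections into the LAN: nothing is
    # added for that direction, so the FORWARD policy drops it.  Log the drops,
    # rate-limited so a flood cannot fill the disk.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "

    # Hide LAN addresses behind the firewall's outer address.
    rule -t nat -A POSTROUTING -o "$OUTER_IF" -s "$LAN_NET" -j MASQUERADE
}

fw_rules
```

Run it once without FW_APPLY to read the full rule list, compare it against what an auto-generator produces for the same topology, and only then run it with FW_APPLY=1 from a console session (not over the ssh connection the rules are about to restrict).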