
Re: [cobalt-security] Using a separate machine for firewalling.



Hi Bill,

> Just wondering if you guys have thought about trying a firewall on a
> separate machine.

Sure thing, Bill. I have an old Pentium 200 MMX (totally overpowered for this 
mission) set up as a personal firewall for my dial-up network at home. It has 
an old 2.5 GB hard disk and runs SuSE 7.0.

The only running services are the Squid proxy, OpenSSH, Wvdial.dod and a 
pretty straightforward IPchains setup. I don't even run Inetd, as it's 
unneeded. The box denies all traffic that originates from the internet and 
does NAT for the inside network.

The machine has no compiler on it, rpm is deleted and even the kernel header 
files are gone (which is sick, I know <g>). That will make it next to 
impossible to install anything on it, even if the machine is ever compromised.

As I'm switching to a 256k SDSL line with permanent IPs soon, I'm looking 
for another setup, with security on the border router and an additional 
firewall which protects the DMZ from the internal network.

By the way: A good way to protect a webserver is to put a proxy-firewall 
between the webserver and the internet.

The webserver itself will not answer any port 80 queries, except if they come 
from the proxy. So in order to see pages, people connect to port 80 of the 
proxy, which will then serve the pages from its cache, or will fetch them 
from the hidden webserver. With some regular expressions in the ACLs of your 
proxy you can block unwanted strings in the URLs, or even deny traffic from 
unwanted sources.

Just one Cobalt RaQ with Squid on it (or another rack-mounted server) can 
protect an entire network of IIS machines from CodeRed and other nasty 
surprises. You might want to print that on the next SUN/Cobalt flyers. ;o)

This works great for mail servers, too. For instance: You have an Exchange 
mail server running, which you can't switch over to something nifty like 
Sendmail or Postfix for administrative reasons. So you just put a box with 
Postfix in front of it, which then relays the mail to the hidden Exchange 
box. Likewise: Outgoing mail from Exchange is relayed through the Postfix 
box. That way you can make sure that the Exchange box isn't swarmed with 
mail to nonexistent users, and you can employ the spam filtering functions of 
Postfix with ease.


-- 

With best regards

Michael Stauber

 Stauber Multimedia Design ____ Phone:  +49-6081-946240
 Eppsteiner Weg 9 ___  D-61267 Neu-Anspach ___ Germany
 SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
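The "hidden webserver" setup Michael describes, written out as a squid.conf fragment. This is an added example, not part of the original post or of the Cobalt/Squid shipping configuration; it uses Squid 3.x-style directives rather than the 2.x httpd_accel_* syntax of the time, and the addresses, hostname and URL patterns are constructed for illustration.

```squid
# Added example: Squid as a reverse proxy ("accelerator") in front of a web
# server that only answers port 80 requests coming from this proxy.
# Assumed: origin server 10.0.0.10 on the internal net, public name www.example.com.

# Listen on port 80 as an accelerator for the public hostname.
http_port 80 accel defaultsite=www.example.com

# The only origin Squid may fetch from; clients never reach it directly.
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=hidden_web

# Requests that belong to our site.
acl our_site dstdomain www.example.com

# URL substrings we refuse to forward (patterns constructed for this example;
# default.ida is the request path used by CodeRed-era IIS worm traffic).
acl bad_url url_regex -i default\.ida cmd\.exe \.\./ %2e%2e

# Source networks allowed to fetch at all (constructed range).
acl allowed_src src 0.0.0.0/0

# Squid stops at the first matching http_access line, so deny comes first.
http_access deny bad_url
http_access allow our_site allowed_src
http_access deny all

# Forward only accepted requests for our site to the hidden origin.
cache_peer_access hidden_web allow our_site
cache_peer_access hidden_web deny all
```

Pair this with a packet filter rule on the web server that accepts port 80 only from the proxy's address, so a denied request has no second path to the origin.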