Re: [cobalt-security] Using a separate machine for firewalling.
- Subject: Re: [cobalt-security] Using a separate machine for firewalling.
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Mon, 23 Jul 2001 17:34:18 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Bill,
> Just wondering if you guys have thought about trying a firewall on a
> separate machine.
Sure thing, Bill. I have an old Pentium 200 MMX (totally overpowered for this
mission) set up as a personal firewall for my dial-up network at home. It has
an old 2.5 GIG hard disk and runs SuSE 7.0.
The only running services are the Squid proxy, OpenSSH, Wvdial.dod and a
pretty straightforward IPchains setup. I don't even run Inetd, as it's
unneeded. The box denies all traffic which originates from the internet and
does NAT for the inside network.
The machine has no compiler on it, rpm is deleted and even the kernel header
files are gone (which is sick, I know <g>). That will make it next to
impossible to install anything on it, even if the machine is ever compromised.
As I'm switching to a 256k SDSL line with permanent IPs soon, I'm looking
for another setup, with security on the border router and an additional
firewall which protects the DMZ from the internal network.
By the way: A good way to protect a webserver is to put a proxy-firewall
between the webserver and the internet.
The webserver itself will not answer any port 80 queries, except if they come
from the proxy. So in order to see pages, people connect to port 80 of the
proxy, which will then serve the pages from its cache, or will fetch them
from the hidden webserver. With some regular expressions in the ACLs of your
proxy you can block unwanted strings in the URLs, or even deny traffic from
unwanted sources.
Just one Cobalt RaQ with Squid on it (or another raqmounted server) can
protect an entire network of IIS machines from CodeRed and other nasty
surprises. You might want to print that on the next SUN/Cobalt flyers. ;o)
This works great for mail servers, too. For instance: You have an Exchange
mail server running, which you can't switch over to something nifty like
Sendmail or Postfix for administrative reasons. So you just put a box with
Postfix in front of it, which then relays the mails to the hidden Exchange
box. Likewise: Outgoing mails from Exchange are relayed through the Postfix
box. That way you can make sure that the Exchange box isn't swarmed with
mails to nonexistent users, and you can employ the spam filtering functions of
Postfix with ease.
--
Mit freundlichen Grüßen / With best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6081-946240
Eppsteiner Weg 9 ___ D-61267 Neu-Anspach ___ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
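The proxy-firewall idea in the post (regular expressions in the proxy's ACLs blocking unwanted URL strings, plus denying unwanted sources) is easy to reason about with a small model of how Squid-style `acl` / `http_access` lines are evaluated. The following is an added example, not code from the post, from Squid, or from Cobalt: a toy evaluator for a constructed squid.conf-style fragment, run over a few constructed request records. The regex `\.ida\?` matches the well-known CodeRed request form mentioned in the post; the source network, addresses and URLs are made up for illustration, and the "deny when nothing matches" fallback is a simplification of Squid's real default.

```python
"""Toy evaluator for Squid-style url_regex / src ACLs (added example).

Semantics modelled: an `acl` line adds patterns to a named ACL; an
`http_access` line is a rule whose ACLs must ALL match (Squid's AND
semantics); the first matching http_access line decides.  Assumption:
if no rule matches we deny, which is a simplification of Squid.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed config fragment (not a real squid.conf from the post).
RULES = r"""
acl all src 0.0.0.0/0
acl codered url_regex -i \.ida\?
acl badnet src 192.0.2.0/24
http_access deny codered
http_access deny badnet
http_access allow all
"""

# Constructed request records: (client IP, requested URL).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "http://www.example.com/index.html"),
    ("203.0.113.5", "http://www.example.com/default.ida?NNNN"),  # CodeRed shape
    ("192.0.2.77", "http://www.example.com/index.html"),         # denied source
    ("203.0.113.5", "http://www.example.com/docs/ida-notes.html"),
]


@dataclass
class Acl:
    name: str
    kind: str                     # "url_regex" or "src"
    patterns: list = field(default_factory=list)


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    acl_names: list


def parse_config(text):
    """Parse acl / http_access lines into ACL objects and ordered rules."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, args = parts[1], parts[2], parts[3:]
            flags = 0
            if args and args[0] == "-i":      # case-insensitive match
                flags, args = re.IGNORECASE, args[1:]
            if kind == "url_regex":
                pats = [re.compile(a, flags) for a in args]
            elif kind == "src":
                pats = [ipaddress.ip_network(a, strict=False) for a in args]
            else:
                raise ValueError(f"unsupported acl type: {kind}")
            acls.setdefault(name, Acl(name, kind)).patterns.extend(pats)
        elif parts[0] == "http_access":
            rules.append(Rule(parts[1], parts[2:]))
        else:
            raise ValueError(f"unsupported directive: {parts[0]}")
    return acls, rules


def acl_matches(acl, src_ip, url):
    """True if the request matches any pattern of the ACL."""
    if acl.kind == "url_regex":
        return any(p.search(url) for p in acl.patterns)
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in acl.patterns)


def decide(acls, rules, src_ip, url):
    """First http_access line whose ACLs all match wins; else deny."""
    for rule in rules:
        if all(acl_matches(acls[n], src_ip, url) for n in rule.acl_names):
            return rule.action
    return "deny"


def filter_requests(config_text, requests):
    """Return [(ip, url, decision), ...] for every request record."""
    acls, rules = parse_config(config_text)
    return [(ip, url, decide(acls, rules, ip, url)) for ip, url in requests]


if __name__ == "__main__":
    for ip, url, verdict in filter_requests(RULES, SAMPLE_REQUESTS):
        print(f"{verdict:5s} {ip:12s} {url}")
```

Only the fourth request shows why the pattern is anchored on `.ida?` rather than on the bare string `ida`: a legitimate page whose name merely contains "ida" is still served, while the CodeRed form is refused at the proxy before the hidden webserver ever sees it.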