Security Basics mailing list archives
Security, Distributed firewalling application...long ;-)
From: Sanjay Arora <sanjay.k.arora () gmail com>
Date: Tue, 29 Nov 2005 18:01:06 +0530
List: We are a small company with a (very short) shoe-string budget running CentOS 4.2. I am a newbie sys-admin and am planning securing the Network as follows, please comment on design and if known suggest a GUI & policy based ruleset generator that can additionally (preferably rsync the ruleset over ssh) to the target machine & reset the ruleset. WAN: A DSL link firewalled by an IPtables firewall, currently running IPcop on this...may shift to monowall or pfsense..or maybe add additional rulesets to the IPcop box itself. ssh, http, pop3, imap, smtp redirected to internal IP space (192.168.) DMZ server running web-apps and is the vulnerable target. DMZ: Want to close all ports (in/out) on the DMZ server except for the above services, with logging of all attempts from inside the lan or outside. LAN: 4 Servers running various services according to their jobs. Want to explicitly close all ports (in/out) except the required ones with logging of all attempts. Other things to be done: 1. Running an IDS on the local network (Snort). 2. Block all outgoing mail except from the official mailserver & running anti-spam & antivirus on all in/out mails, with a copy of all logged for archival/forensics purposes. 3. Block all outgoing ports except as required and log all attempts to connect to blocked ports from inside or outside. 3. Install an application to get all iptables logs from all servers including the perimeter firewall, into a database. 5. Get data from the perimeter IDS & LAN IDS into the database. 6. Extrapolate the database on regular basis for re-evaluation. Comments are invited on the above. Also suggestions of open source & free projects that can help my deploy the policy based firewalling and all the above. Why I need a GUI & policy based framework for implementing my firewalls, when my requirements are static? Well, I may need to add additional role to a server on the LAN, if any other server fails. In fact, I intend to keep the services prepared on alternate servers, only not deploy them redundantly. Secondly, never know when needs change and something that is easily configured and deployed would adapt better. Also, I have a question that needs answer. How do I allow IMs like yahoo, msn, icq and transparently proxying & logging all business chats...staff will be aware from IT policy that all email/IM are recorded. We plan to run a Jabber server for Enterprise IM but how to control the IMs? Please critique..bang my head on floor & caution on the drawbacks of the approach...advise...provide links/learning resources...share experiences...and help me get it right. With best regards. Sanjay.
Current thread:
- Security, Distributed firewalling application...long ;-) Sanjay Arora (Nov 29)
- <Possible follow-ups>
- RE: Security, Distributed firewalling application...long ;-) Simpson, Brett (Nov 30)
- Re: Security, Distributed firewalling application...long ;-) neurobashing (Nov 30)