On 5/16/06, Terry <[EMAIL PROTECTED]> wrote:
Page 2 gives the policies/functionality I would like to have. I want the system to be secure but I would also like to be able to admin the system from the outside.
You want your cake AND you want to eat it? Ambitious! Mostly, there is the threat of SSH brute forcers, which is annoying but trivial to defend against (don't let people pick dumb passwords on any exposed box). Occasionally, there is the chance of an SSH pre-auth remote root vuln, but I sort of doubt it, I hear OpenSSH's privsep is hard to beat.
http://tyson.homeunix.org/net.pdf
Nice diagram. It appears you like OpenBSD. :-) I assume you are using all OpenBSD because you want a really secure network. Let me ask you to rethink it. My $.02 is that a homogeneous network will be very secure, unless the one platform you use has a fatal flaw. It also won't be as functional, since you can only run software ported to that OS. You should read the "monoculture" paper; although some people found the metaphor and analogy misleading, I found it to be somewhat common sense. If I were you, I'd at least consider having one internal system that can run Xen and/or VMware (I honestly don't know if OpenBSD can) and then you can at least boot other OSes to play with them. There are a lot of good ideas and neat things out there, and OpenBSD is not the supreme font of them all. Or do OpenBSD until you master it, or reach diminishing returns, or get bored, then consider reinstalling one of them with something else.
I can't decide if it would be best for the firewall to be transparent or not.
If you're talking about bridging, then that's in direct conflict with your desire to admin it from the outside. The only way to admin a bridging firewall is on the keyboard and monitor directly attached to it. It is also impossible to download any packages/ports, or do just about anything other than filter/pass packets. I find it somewhat irritating, like cutting off my hands so that someone else can't use them to stab me in the eye. If you're talking about transparent proxying, be sure that your proxy supports all the kinds of transactions. For example, squid supports all the HTTP transaction types that I know of, but some message-oriented HTTP proxies (privoxy) don't support CONNECT, so some things like streaming media won't work, and it's really irritating to have to console into the firewall and disable that stuff, re-enable it when you're done, etc.
Also, the admin computer listed isn't absolutely necessary but I thought it might be a good way to help me admin the system from the outside.
In what way? If you're outside, you're not on the admin box. Chaining to the admin box and back to the firewall box... it's not clear what problem that solves that connecting directly to the firewall doesn't.
Also, I'm still looking into learning how to use the Linksys WRT54G in "bridge mode." As I understand it, I will need to do this.
I don't see why. It can operate as a router just fine. However, the stock firmware really isn't designed to do what you're trying to do. Consider installing OpenWRT or dd-WRT:

http://openwrt.org/
http://www.dd-wrt.com/dd-wrtv2/index.php

Note that by default in the stock firmware, the LAN ports are bridged together already. I am not sure if the WAN port is bridged or not. I wanted my LAN to be able to connect to the administrative web interface, and to be the network uplink, but had trouble doing both. I ended up putting in routes for 1/1 and 128/1 to get all the traffic routed where I wanted, but a simpler solution is to turn the web interface on for the WAN port. If you ever need to reset the WRT to factory defaults you'll need to be on the LAN port again, because the WAN port doesn't have the web interface enabled by default.

And oh yeah, don't use 192.168.0/24 for your internal network. Pick something rare, like one of the RFC 1918 "class B" blocks, because the WRT uses 192.168.0/24 and some cable ISPs use 10/8 internally. Save yourself a lot of trouble and pick something relatively unique.

-- 
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
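The "routes for 1/1 and 128/1" trick above works because of longest-prefix matching: two /1 routes together cover every IPv4 address and each is more specific than 0.0.0.0/0, so the default route is never selected, while a directly connected /24 still beats both halves. The following is an added example illustrating that, not code from the mail or from any of the firmware mentioned; the routing tables are constructed (192.168.0.0/24 as the LAN, 192.168.0.1 as the WRT's LAN-side address, 10.0.0.2 as a hypothetical second uplink), and the lookup is a plain longest-prefix match, not the WRT's actual forwarding code.

```python
"""Why two /1 routes override a default route: longest-prefix-match lookup.

Added example, not part of the original mail. All addresses are constructed:
192.168.0.0/24 is the LAN, 192.168.0.1 is the WRT's LAN-side address (assumed),
and 10.0.0.2 is a hypothetical second uplink that should carry Internet traffic.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop); a next hop of None means "directly connected"
Route = Tuple[ipaddress.IPv4Network, Optional[str]]


def parse_route(prefix: str, nexthop: Optional[str]) -> Route:
    """Build a route. strict=False normalises '1.0.0.0/1' to 0.0.0.0/1, as a
    route command does; the mail's '1/1' shorthand means exactly that."""
    return ipaddress.ip_network(prefix, strict=False), nexthop


def lookup(dst: str, routes: List[Route]) -> Route:
    """Return the matching route with the longest prefix (most specific wins)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, nexthop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def next_hop(dst: str, routes: List[Route]) -> Optional[str]:
    """Just the next hop for dst (None means deliver directly on the LAN)."""
    return lookup(dst, routes)[1]


def non_default_coverage_is_total(routes: List[Route]) -> bool:
    """True if the routes other than 0.0.0.0/0 already cover all of IPv4,
    i.e. the default route can never be selected by lookup()."""
    nets = [net for net, _ in routes if net.prefixlen > 0]
    merged = list(ipaddress.collapse_addresses(nets))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


# Constructed table 1: LAN, link to the second uplink, default via the WRT.
DEFAULT_ONLY: List[Route] = [
    parse_route("192.168.0.0/24", None),       # directly connected LAN
    parse_route("10.0.0.0/30", None),          # hypothetical link to uplink
    parse_route("0.0.0.0/0", "192.168.0.1"),   # default via the WRT (assumed)
]

# Constructed table 2: the same, plus the 1/1 and 128/1 halves via the uplink.
WITH_HALVES: List[Route] = DEFAULT_ONLY + [
    parse_route("1.0.0.0/1", "10.0.0.2"),      # 0.0.0.0 - 127.255.255.255
    parse_route("128.0.0.0/1", "10.0.0.2"),    # 128.0.0.0 - 255.255.255.255
]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.0.1"):
        print(f"{dst:>14}: default-only -> {next_hop(dst, DEFAULT_ONLY)}, "
              f"with halves -> {next_hop(dst, WITH_HALVES)}")
    print("default route can still be chosen in table 2:",
          not non_default_coverage_is_total(WITH_HALVES))
```

With the two halves installed, Internet-bound traffic goes to 10.0.0.2 while 192.168.0.1 (the WRT's web interface) is still reached via the connected /24, which is the property the mail wanted. The same lookup also shows why the trick is fragile: any later route with a prefix longer than /1 (a VPN's /8, say) silently wins over the halves, which is part of why enabling the interface on the WAN side is the simpler fix.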