I am a seasoned admin, working with Solaris, AIX and the fluffy penguin now for 8 years or so....
I have learned quite a lot about the trade, including to be very cautious about proclaiming a system to be secure if I don't absolutely positively kinda believe it is....
Thus my question:
I want to setup a Linux firewall for a small network of 15 machines connected live to the internet via broadband. I don't want to put something in place that has a glaring hole I don't know about that makes the installation more insecure with a false sense of security.
Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?
As a general rule, the newer kernels are better. There are usually a lot of corrections, patches, etc. that are automagically included in the later kernels that you won't find in the earlier ones. The corrections and patches are primarily stability related and security related.
Should snort be running on the firewall machine or another machine? If on another machine, should I put the firewall and IDS box on a hub as the first hop so they both see the same traffic? The customer's router is not manageable (Linksys) and they have no budget for a Cisco Router or PIX.
If you need routing gear, check out an open source project called Freesco. Under normal circumstances for the network you are describing, having snort on the firewall isn't horrible.
The Linux box will serve as a secondary NAT layer, any pitfalls with this?
Make sure that what you need is NAT and not really a proxy.
Should SSH go to the firewall machine or be passed through to an internal Linux box?
FreeSWAN offers some nice VPN functionality if you are trying to set that up. Not really sure what your purpose is with this. If it's to tweak the firewall, it should be only to the firewall. If you need to manage the network, I'd look at other solutions, like some simple two-factor authentication using public and private key pairs.
Should the NAT and Firewall rules be written and maintained on CD-R media so a malicious attacker cannot hide rule changes? Should the firewall be re-initialized on a schedule to ensure the live rules are those from the read-only media?
sysadmin magazine had an article a while back about running a halted firewall. Since the system is halted, no changes can be made to anything in the kernel space - i.e. the firewall rules. I've seen people put the firewall on a write protected floppy in order to keep any changes from being made. Anything fishy, just reboot. Your CD would be a newer version of that.
Last, but not least, what's a good HowTo that can be used as a basis? I would prefer one that starts off a little more strict so I can simplify rather than have to bone up on all of the current vulnerabilities.
Whatever you set up, the default should always be "deny all". Only the traffic you want should be passed in either direction. Again, I would refer you to sysadmin magazine. Their back issues are on their web site and are freely searchable. I have found them to be a good resource. Another place to look would be techrepublic.com. They have a lot of checklists and other such resources that you can download once you create an account (free).
-- Thanks,
Ms. Jimi Thompson, CISSP, Rev.
"Those who are too smart to engage in politics are punished by being governed by those who are dumber." --Plato
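The "deny all" default and the read-only rule media discussed in the reply above, as an added example (not the poster's own script): a default-deny iptables skeleton for a 2.4.x NAT firewall, plus a check that compares the live ruleset with a baseline kept on the CD so a silent rule change can be caught. The interface names, the LAN range and the /mnt/cdrom path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Interface names, LAN
# range and the /mnt/cdrom baseline path are assumptions; adjust per site.

# Emit the ruleset as commands rather than applying it, so it can be
# reviewed and burned to the CD-R as the authoritative copy.
# Usage: gen_rules <lan_if> <wan_if> <lan_net>
gen_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    cat <<EOF
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# admin SSH to the firewall itself, from the LAN side only
iptables -A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
EOF
}

# Normalise an iptables-save dump: drop the timestamp comments and the
# [packets:bytes] counters, which change constantly without any rule change.
# Rule order is kept, so a reordered chain still counts as a change.
normalise_dump() {
    grep -v '^#' "$1" | sed 's/ *\[[0-9]*:[0-9]*\]//'
}

# Return 0 (true) if the live dump differs from the read-only baseline.
# Usage: rules_drifted <baseline_file> <live_dump_file>
rules_drifted() {
    [ "$(normalise_dump "$1")" != "$(normalise_dump "$2")" ]
}

# Cron-friendly check: dump the live tables and compare with the CD copy.
# Non-zero exit means "anything fishy, reboot", as the reply puts it.
check_live() {
    baseline="${1:-/mnt/cdrom/iptables.baseline}"
    live=$(mktemp) || return 2
    iptables-save > "$live" || { rm -f "$live"; return 2; }
    if rules_drifted "$baseline" "$live"; then
        logger -t fwcheck "live ruleset differs from $baseline"; rm -f "$live"; return 1
    fi
    rm -f "$live"; return 0
}
```

Generate the baseline once with `iptables-save > iptables.baseline` after loading the reviewed rules, burn it alongside the rule script, and run `check_live` from cron.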
