On "5-30-2003" "Petty, Robert" wrote: ...

ciao:

: has a glaring hole I don't know about

that is your first priority; ongoing security vigilance. get on the maillist at 'securityfocus.com'.

: Which kernel would be best? 2.0.x, 2.2.x, or 2.4.x?

i would suggest the 2.2.25 kernel. it's stable, runs like a champ, and at this point in time, pretty secure. the 2.4.x kernel has just seen a security problem up-to-and-including 2.4.20. the suggested fix for that is the latest 'release-candidate'. on a production machine, i don't think so.

: Should snort be running on the firewall machine

i like to put all the 'security' stuff on the box that's most exposed. then, eliminate any services that are not ABSOLUTELY required, and make sure the ones that are, are kept secure.

: Should SSH go to the firewall

ssh is a known, and current attack vector. if you have to run ssh, make sure there are no problems with it. a search at securityfocus.com is worth every bit of time it takes.

: NAT and Firewall rules ... a malicious attacker cannot hide rule changes

if an attacker has gotten that far, you're hosed. that suggests either the rules are less than effective, or other security problems exist. ro media is a good idea though; saves a lot of time if you ever do get compromised.

: be used as a basis? I would prefer one that starts off more strict

let me suggest "http://www.bastille-linux.org". this is a hardening script that (a) does a great job setting user defined firewall rules, and perhaps more importantly, (b) offers a very informative tutorial in the process. however: bastille has gotten a lot more 'sophisticated' in that it's trying to be "all things to all people". i much prefer the earlier versions, 1.1 and 1.2. the latest and greatest 'demand' a gui for installation, and that's a limitation i prefer not to embrace. either way though, it is the way to go.

with regard to 'linux'. if your firewall has no need for a 'desktop', be "warned" that the default install of RH-8.0 has UTF-8 encoding. this fucks up the command line interface, and causes all sorts of ugly problems with ncurses. i am 'told' this problem does not exist in RH-9.0. they both, however, have the 2.4.x kernel series. some decisions on your part seem probable ...

-- 
... i'm a man, but i can change, if i have to, i guess ...
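Two of the points above (keep only the services that are absolutely required, and keep a read-only copy of the rules so that rule changes cannot be hidden) can be turned into a small audit script. The script below is an added example written for this page, not code from the poster or from Bastille. It assumes the baseline ruleset lives on read-only media in `iptables-save` format and that the listening-port list comes from `netstat -tln`; the rulesets, the port list and the allowed-port list embedded here are constructed sample data, so the script runs offline, and the `mktemp` temporary files are an implementation choice.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewall host against
# a baseline kept on read-only media. All data below is constructed.

# Constructed baseline, as if copied from a read-only floppy/CD-ROM.
BASELINE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
COMMIT'

# Constructed "current" dump in the shape of `iptables-save` output: the
# comment line and packet counters are noise; the INPUT policy flip and the
# extra port-8080 rule are the changes an admin wants to hear about.
CURRENT_RULES='# Generated by iptables-save on Fri May 30 2003
*filter
:INPUT ACCEPT [4412:310211]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1200:98000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT'

# Only sshd is supposed to listen on this host (constructed allow-list).
ALLOWED_PORTS='22'

# Constructed sample in the shape of `netstat -tln` output.
LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN'

# Drop comment lines (iptables-save stamps a date) and the [packets:bytes]
# counters so that only real rule and policy changes are compared.
normalise() { grep -v '^#' | sed 's/ *\[[0-9]*:[0-9]*\]//' | sort; }

# rules_drift BASELINE CURRENT
# Prints each differing line to stderr ("- " missing, "+ " added) and the
# number of differing lines to stdout.
rules_drift() {
    b=$(mktemp) && c=$(mktemp) || return 2
    printf '%s\n' "$1" | normalise > "$b"
    printf '%s\n' "$2" | normalise > "$c"
    # comm -3 keeps lines unique to one side; the current side is tab-prefixed.
    drift=$(comm -3 "$b" "$c" | awk -F'\t' '{ if ($1 == "") print "+ " $2; else print "- " $1 }')
    rm -f "$b" "$c"
    if [ -n "$drift" ]; then printf '%s\n' "$drift" >&2; fi
    printf '%s\n' "$drift" | awk 'NF { n++ } END { print n + 0 }'
}

# unexpected_listeners "PORT PORT ..." NETSTAT_OUTPUT
# Reports every TCP port in LISTEN state that is not on the allow-list
# (to stderr) and prints the count to stdout.
unexpected_listeners() {
    n=0
    for port in $(printf '%s\n' "$2" | awk '$NF == "LISTEN" { sub(/.*:/, "", $4); print $4 }' | sort -un); do
        case " $1 " in
            *" $port "*) ;;
            *) echo "unexpected listener on tcp/$port" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Stand-alone run over the constructed data.
drift_count=$(rules_drift "$BASELINE_RULES" "$CURRENT_RULES")
bad_count=$(unexpected_listeners "$ALLOWED_PORTS" "$LISTENERS")
echo "rule drift lines: $drift_count, unexpected listeners: $bad_count"
```

On a real host the two string variables would be replaced by `iptables-save` run from the box and `cat` of the baseline file on the read-only medium, and the script itself belongs on that same medium, since a copy on the writable root is just one more thing an intruder who "has gotten that far" can edit.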