On Fri, 26 May 2000, csmith wrote:
> If you wanted to firewall a mixed OS environment with a Linux box of
> about 30 to 60 computers that had access to the outside world (internet)
> via a T1 line and router and switch, what would be your recommendation
> for the firewall program (IPChains or something else) and the hardware
> (use one NIC or two)?

  Dedicate a Linux box (a low-end Pentium (say, 200 MHz with 32 MB of RAM)
with two PCI NICs would be ideal) to the firewall.  Connect one NIC to the
router, the other to the local hub.  Install Linux.  Shut down unneeded
services and remove unneeded packages.  Enable IP forwarding, IP masquerading,
and IP firewalling in the kernel.  Use /sbin/ipchains in a deny-by-default
configuration, and then open the services you want connected to the outside
world.  Make a full backup of the finished system.  Install and use an
intrusion detection system (like LIDS or AIDE) so when the system is
compromised, you know it.

> I am looking for ease of setup and minimal management necessary once set
> up.

  Maintaining a secure system is not a management-free task.  It is more like
a constant, uphill battle.  You won't have to spend a lot of time on it (until
you get compromised), but you will have to spend some.  Be prepared to do so.

  "Building Internet Firewalls", from O'Reilly & Associates, and "Building
Linux and OpenBSD Firewalls", from Wiley Computer Publishing, are recommended
reading for the Linux admin interested in firewall security.

  Hmmm, I just checked www.ora.com, and "Building Internet Firewalls" is
scheduled to have a second, updated edition released next month.  That might
be worth waiting for.  It will certainly be a welcome title by me.  The blurb
claims it will now cover Linux and MS-WinNT.

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
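The deny-by-default ipchains policy Ben describes above, written out as an added example (not code from the original mail). It assumes eth0 is the NIC on the router, eth1 the NIC on the hub, a 192.168.1.0/24 LAN, an outside address of 10.0.0.2, an upstream resolver at 10.0.0.1, and SMTP and HTTP as the published services; all of those are placeholders, as is the masquerade port range, which is the 2.2-kernel default.

```shell
#!/bin/sh
# Assumed layout (not from the mail): eth0 faces the router, eth1 the local
# hub, the LAN is 192.168.1.0/24 and the firewall's outside address is 10.0.0.2.
EXT_IF=eth0; EXT_IP=10.0.0.2
INT_IF=eth1; LAN=192.168.1.0/24
DNS=10.0.0.1            # upstream resolver the firewall itself queries
OPEN_TCP="25 80"        # services published to the outside world

# Emit the ipchains commands instead of running them, so the policy can be
# reviewed (or diffed against the backed-up copy) before it is applied.
build_ruleset() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "ipchains -F"
    # Deny by default on all three built-in chains; everything below is an exception.
    for c in input output forward; do echo "ipchains -P $c DENY"; done
    echo "ipchains -A input  -i lo -j ACCEPT"
    echo "ipchains -A output -i lo -j ACCEPT"
    # Anti-spoofing: LAN source addresses never arrive on the outside interface.
    echo "ipchains -A input -i $EXT_IF -s $LAN -l -j DENY"
    # The LAN may talk to the firewall and be answered.
    echo "ipchains -A input  -i $INT_IF -s $LAN -j ACCEPT"
    echo "ipchains -A output -i $INT_IF -d $LAN -j ACCEPT"
    # Masquerade LAN traffic leaving through the router; let the box send outward.
    echo "ipchains -A forward -i $EXT_IF -s $LAN -j MASQ"
    echo "ipchains -A output  -i $EXT_IF -j ACCEPT"
    # ipchains is stateless: replies to masqueraded connections come back to the
    # kernel's masquerade port range (61000:65095 on 2.2 kernels) and must be let in.
    for proto in tcp udp; do
        echo "ipchains -A input -i $EXT_IF -p $proto -d $EXT_IP 61000:65095 -j ACCEPT"
    done
    # Replies to the firewall's own TCP connections (no SYN flag) and DNS answers.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp -s $DNS 53 -j ACCEPT"
    # Published services: the only ports that accept new connections from outside.
    for p in $OPEN_TCP; do
        echo "ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP $p -j ACCEPT"
    done
    # Log whatever else reaches the outside interface before the policy drops it.
    echo "ipchains -A input -i $EXT_IF -l -j DENY"
}

# How many TCP ports are open to the outside: the number an audit should check.
count_open_ports() {
    build_ruleset | grep -c -- "-p tcp -d $EXT_IP [0-9][0-9]* -j ACCEPT"
}

if [ "${1-}" = "apply" ]; then build_ruleset | sh; else build_ruleset; fi
```

Run it without arguments to print the rules for review, and as root with `apply` to load them; the logged (`-l`) denials are what the intrusion detection tooling mentioned above should be watching.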
