Not that I deal with that stuff, but here at work they sell Astaro (www.astaro.com.au); it is a commercial package.

It's a firewall/gateway/email gateway/proxy/virus filter/analysis tool/integrated snort and much more. It's essentially a Linux system (software) with a nice and easy-to-use web interface and automatic updates. If that's not your cup of tea, it may at least give you ideas about what is needed or nice to have in such a setup.

Marek Wawrzyczny

On Tue, 1 Feb 2005 04:55, Howard Lowndes wrote:
> I have been asked to set up multiple LANs with Internet access in what I
> consider to be a hostile environment - a private uni student dorm
> complex.
>
> Basically it will be Linux gateways with most probably Winblows or Mac
> boxes on the LANs.
>
> As far as possible I will be locating the gateway boxes in as physically
> secure an area as I can, but even so I will need to be looking at
> security as regards access to the gateways as well as network security.
>
> My thoughts so far are:
>
> 1. BIOS password has very limited effect.
> 2. GRUB password to prevent editing the GRUB boot strings.
> 3. Locked cases with no CD or floppy - how can I prevent USB drives
> being attached without disabling the USB bus in the BIOS? My thinking
> here is that I will use the USB bus to connect to the Internet modem and
> the Ethernet connection to connect to the LAN. Perhaps I might be
> better off to totally disable the USB bus in the BIOS and use a second
> Ethernet connection to connect to the Internet modem.
> 4. SNORT on all interfaces.
> 5. Traffic volume monitoring and reporting with traffic shaping for over
> quota - what are the privacy considerations here? RRDTOOLS - anything
> else here?
> 6. Tight access control into the gateway boxes themselves - no user
> accounts.
> 7. Normal filtering of Internet nasties.
> 8. How do I look for (possibly infringing) P2P traffic?
> 9. I will need to allow for HTTP, HTTPS, SMTP, POP3, but what ports
> should I allow for the various IMs, a/v streaming, IRC (6667), what
> else? I might also need to cater for IPSec tunnelling - I know what is
> needed there.
> 10. As this is a private dorm complex, what about AUPs between the
> students and the landlord?
>
> OK, that's just immediate random thoughts. Would anyone care to add to
> my worry list, esp anyone who has sysadmin experience in a
> hostile^H^H^H^Hstudent environment. :)
>
>
> --
> Howard.
> LANNet Computing Associates;
> Your Linux people <http://www.lannetlinux.com>
> ------------------------------------------
> "When you just want a system that works, you choose Linux;
> when you want a system that just works, you choose Microsoft."
> ------------------------------------------
> "Flatter government, not fatter government;
> Get rid of the Australian states."

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
