Great Circle Associates Firewalls
(January 1998)

Subject: My solution to the fraudulent SA problem
From: daemond @ ibm . net
Date: Thu, 15 Jan 1998 16:31:59 -0500 (EST)
To: firewalls @ greatcircle . com

After thinking over the many proposals of what to do I came up with a simple
solution: conjure up a way that I would do it (not really, I have better
ideas than this one, but I'd need to convince them to buy a firewall and I'm
not sure that would fly) and give it to their boss asking him to pass it on
to them for review.  I'd tell them that I was just playing around with
ideas, composed this one, and since they're CNEs that know about this stuff
if they'd please give it a look over and tell me what they think (heh heh).
It'll probably be implemented behind my back.  I wouldn't truly care about
getting credit since I'm aiming to improve security around here more than
gain recognition, but with their boss seeing my proposal who knows?  I'll
also pass this on to some other people around here (so I'll at least get
some recognition around here of having a brain).  However, first I need to
ask a favor of you all: I was wondering if you guys could review my proposal
and tell me what you think about it.  So here it is (hot off the press):

Secure Network Initiative for Small Networks
Revision 1.0
January 15, 1998
by Geoffrey J. Gowey

PURPOSE:
This is a proposed setup for securing a network for administrators on a
low budget (those that don't want to buy a firewall and other security
devices) and that want one up fast.  The strength of this setup relies on
two filters and the rules used for filtering (it's not perfect, but it's
better than nothing).  The other advantage is that it puts some of the old
junkboxes that many institutions have to use.

IMPORTANT: This setup is aimed at small setups (100-150 nodes) using a
single T-1.

OVERALL DESIGN:

		       Internet Connection
				|
				|
			 External Filter
				| DMZ
			---------------------------------
			| Web Server			|
			| SMTP/POP server		|
			| Primary external DNS server	|
			| Secondary external DNS server |
			| Anonymous FTP server (optional)|
			---------------------------------
				|
			Internal Filter
				|
			  Log host (optional)
				|
			Internal Network
				|
		    Primary internal DNS server
				|
			  everything else

SYSTEM SPECIFICATIONS:
	External Filter:
		Either a filter router (CISCO, HP, etc.) or a system with
		the following specs:
		P-75 (overkill?) 64MB RAM 
		Any filtering setup (NetBSD w/ ipf rules, FreeBSD,
			Karlbridge/Karlbrouter, etc.)
		Two ethernet cards that work with the filtering software.
		A printer to log rejected packets (preferably dot matrix or 
			daisy wheel) and A LOT of paper.
	Internal Filter:
		same setup.
	Web server:
		Get a package and meet the requirements.
		My preference is NetBSD w/ Apache.
		With NetBSD a 486 with 8 or 16 MB RAM should be adequate.
	SMTP/POP server:
		Get a 486 that meets NetBSD's or FreeBSD's installation
		requirements, and a POP server.
	The DNS servers:
		Nearly same config as the SMTP/POP server, but a 386 can be 
		used instead of a 486, and a POP server is not needed.
	FTP server:
		Same config as the SMTP/POP server, but no POP needed.
	Log host:
		Old 386 running NetBSD, FreeBSD, etc. (just about anything
		that can catch syslog UDP packets).  Although a 486 might be 
		better since a large HDD will be needed.  

FILTER RULES:
	External Filter:
		From Practical UNIX & Internet Security [Garfinkel & Spafford]:
		Block packets for services that you do not wish to cross
		your firewall.
		Block packets that have IP source routing or that have
		other "unusual" options set.
		(my idea on this) Just about all TCP services except WWW
		and FTP.  Just about all UDP services except DNS.
		(modified) Block inbound packets with a source address of
		any systems in the DMZ, internal network, or routers
		(anti-spoofing).
		(my idea) Block inbound packets with a destination of the
		internal DNS server.

	Internal Filter:
		From Practical UNIX & Internet Security [Garfinkel & Spafford]:
		Block packets for services that you do not wish to cross
		your firewall.
		(my idea) Almost the same rules as above, except allow UDP
		for syslog (port 514) destined for the loghost (and only for
		the loghost) in.
		Block packets that have IP source routing or that have
		other "unusual" options set.
		(modified) Block packets addressed to your filters.
		(my idea) Block outbound DNS packets destined for the
		external DNS primary/secondary servers from everything except
		the internal primary DNS server.
		(my idea) Block inbound packets lower than port 1023
		without the ACK bit set (this will cause the remaining packets
		to be ignored).  Thanks to Chapman and Zwicky for this idea.
		Reason: doesn't allow people on the outside to access FTP,
		HTTP, and anything else using TCP on the inside using ports
		below 1023.  Only problem: X Windows servers, and any server
		sitting higher than port 1023 (but we do not use such animals
		here).

REASON FOR EXTERNAL/INTERNAL DNS SERVERS:
	My reason for such separation is that it only allows people to have
immediate access to systems in the DMZ (hackers would have to sniff packets
to figure out the remainder of the setup).  The external/internal setup also
allows some added flexibility and security.

DRAWBACKS OF THIS SETUP:
	If a proxy server were used the filtering would be even easier, and
more secure.

-----------------------------------------------------------------------------
Geoff Gowey		| NetBSD: the best multi-platform OS 
daemond(at)ibm.net	| www.netbsd.org
*****************************************************************************
Spammers beware: I do not buy from companies that spam and I keep track!
Above policy STRICTLY ENFORCED!
*****************************************************************************
"All I ask is for the chance to prove that money can't buy me happiness"
or more simply put "SHOW ME THE MONEY!!!"
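The internal-filter rules from the proposal above (syslog only to the loghost, anti-spoofing, DNS to the external servers only from the internal primary, and the "no ACK bit to a port below 1024" rule credited to Chapman and Zwicky) as an added Python evaluator; this is not code from the original post, and every address in it is a constructed placeholder rather than the author's network. It shows why the ACK-bit rule stops only new inbound connections: reply traffic to high ports still passes.

```python
from dataclasses import dataclass
import ipaddress

# Constructed addresses for the example (RFC 1918 / RFC 5737 ranges).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")
LOGHOST = ipaddress.ip_address("10.0.0.5")
INTERNAL_DNS = ipaddress.ip_address("10.0.0.53")        # internal primary
EXTERNAL_DNS = {ipaddress.ip_address("192.0.2.53"),     # DMZ primary/secondary
                ipaddress.ip_address("192.0.2.54")}
FILTER_ADDRS = {ipaddress.ip_address("192.0.2.1"),      # filter's DMZ side
                ipaddress.ip_address("10.0.0.1")}       # filter's inside side

@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False      # TCP ACK flag
    inbound: bool = True   # True = DMZ side -> internal side
    source_routed: bool = False

def internal_filter(p: Packet) -> str:
    """Return 'pass' or 'drop: <rule>' for one packet crossing the internal filter."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if p.source_routed:
        return "drop: source routing option"
    if dst in FILTER_ADDRS:
        return "drop: addressed to filter"
    if p.inbound:
        if src in INTERNAL_NET:
            return "drop: spoofed internal source"
        if p.proto == "udp":
            if p.dport == 514:
                return "pass" if dst == LOGHOST else "drop: syslog not to loghost"
            if p.sport == 53 and src in EXTERNAL_DNS and dst == INTERNAL_DNS:
                return "pass"   # reply to a query from the internal primary
            return "drop: udp not permitted inbound"
        if p.proto == "tcp" and p.dport <= 1023 and not p.ack:
            return "drop: new connection to privileged port"
        return "pass"       # e.g. ACK/data segments back to a high client port
    # outbound: only the internal primary may talk to the external DNS servers
    if p.proto == "udp" and p.dport == 53 and dst in EXTERNAL_DNS and src != INTERNAL_DNS:
        return "drop: dns only from internal primary"
    return "pass"
```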


