hardware firewall who best?

verbum-qazKcTl6WRFWk0Htik3J/w at public.gmane.org verbum-qazKcTl6WRFWk0Htik3J/w at public.gmane.org
Wed Mar 24 20:47:24 UTC 2004


(TO: Toronto Linux User Group)
(subsequent cc: one or more individuals)

1. Background to My Questions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I am helping Prof. "XYZ", of the big Toronto 
"University of FooBar",  on a not-for-pay basis.  
I am maintaining Prof. XYZ's Debian stable/Woody workstation, 
"goozarbox.zoogar.ufoobar.ca", at "123.456.789.123", 
on a LAN in the "Department of ZooGar" within the University
of FooBar. (Scare-quoted names in this paragraph are pseudonyms. 
The scare-quoted IP address is likewise fictitious.) 

Security on goozarbox.zoogar.ufoobar.ca is reasonably tight.  
The system gets patched rather often
with apt-get, and moreover is
at the moment kept disconnected from the LAN except when in active use. 
At patching time, a special script not only runs apt-get 
to update all current packages, but also runs chkrootkit. 

We do not presently use any kind of software firewalling
(such as iptables) on goozarbox.zoogar.ufoobar.ca. 

We do not presently do anything interesting with
goozarbox.zoogar.ufoobar.ca. We use the Internet at present
only for surfing and for connecting to remote boxes with an SSH
client or an FTP client.

The University of FooBar has a firewall. However, this will not
protect goozarbox.zoogar.ufoobar.ca against attacks from
hackers within the University of FooBar, and provides
protection of UNKNOWN quality (perhaps not reliable protection)
against attacks from the general Internet.

It therefore seems to me that I should take further steps to
protect goozarbox.zoogar.ufoobar.ca.

I think, on the strength of a short consultation with a
knowledgeable faculty member, that it would be good for me to
put an additional box - not a full-scale PC,
but a small, cheap box, the size of a big cellphone,
the kind of box sold as a "router", with no keyboard or screen
or drive -
between goozarbox.zoogar.ufoobar.ca and the departmental LAN.
I think that I should have the new box perform Network Address
Translation, exposing itself to the LAN at 123.456.789.123,
but accepting dhclient requests from goozarbox.zoogar.ufoobar.ca.
The new box will assign to goozarbox.zoogar.ufoobar.ca some private
IP address, say 192.168.123.456, on the strength
of such a dhclient request, and will readdress incoming
packets from the Internet, addressed to 123.456.789.123, so as
to send them instead to 192.168.123.456.


2. My Questions
^^^^^^^^^^^^^^^

Q1____Am I right in thinking that setting up an additional
      box in the way just described is a rational approach
      to improving the security of goozarbox.zoogar.ufoobar.ca?
      (Since I'm fuzzy on security concepts, it would be good
      if someone could say here "Yes, for the FOLLOWING
      specific reason: ...")
Q2____If I am right, then what should I specifically ask for
      when I visit the computer stores? Do I say "router", or do
      I say something more specific, of the form "ABC router with DEF"?
      And does it make sense to request any one specific
      brand? (Prof. XYZ is interested in reliability, not cheapness.
      If someone has worked in a security situation similar to mine,
      and has already bought a satisfactory box, and has already
      got it working with Debian stable/Woody dhclient,
      then I'd be keen to obtain a brand recommendation.)
Q3____Am I right in thinking that with such a security solution
      in place, there is no obvious way for a cracker to get root on
      goozarbox.zoogar.ufoobar.ca? Or is there still some
      big security loophole?
Q4____Is my envisaged security solution better than, worse than,
      or about equivalent in quality to filtering packets
      on goozarbox.zoogar.ufoobar.ca with iptables,
      WITHOUT putting an extra box between goozarbox.zoogar.ufoobar.ca
      and the departmental LAN? (A detailed argument, if someone
      can supply an argument, would be of great interest.)


Thanks in advance for any light you can shed. Unless you advise
otherwise, I'll assume that it is okay to quote you to my
other correspondents, and that it does not matter whether, in
quoting, I conceal or reveal your e-mail address.


Tom = Tom Karmo
verbum-qazKcTl6WRFWk0Htik3J/w at public.gmane.org
http://www.metascientia.com
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
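Added example, not part of the original post or the TLUG list. It writes out, as iptables commands, the two configurations Q4 asks to compare: a stateful packet filter on the workstation itself, and the equivalent ruleset a small Linux box doing NAT between the workstation and the departmental LAN would need. Two points of the comparison show up directly in the rules. First, with a NAT box the protection comes from the FORWARD chain's default DROP plus connection tracking, not from address rewriting by itself: the last paragraph of the post describes forwarding everything addressed to the public address inward, and a DNAT or "DMZ host" rule that did exactly that would leave the workstation as exposed as it is today, so the NAT ruleset below deliberately has none. Second, the host-only ruleset reaches the same inbound posture (unsolicited packets dropped, replies to outbound connections and FTP data channels allowed), which is what makes the two options roughly equivalent for Q3's question; what the separate box adds is that it keeps working even if the workstation itself is compromised. The interface names eth0/eth1, the 192.168.1.0/24 range and the RUN dry-run variable are assumptions of this example. It prints the commands by default and only executes them when run as root with RUN set to empty.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the two rulesets
# compared in Q4 of the message above. Dry run by default: the commands
# are printed, not executed. To apply for real, run as root with RUN
# set to the empty string, e.g.:  RUN= sh fw.sh host   (or: ... nat)
RUN="${RUN-echo}"

# Assumed names and addresses (not taken from the post):
WAN="${WAN:-eth0}"                   # NAT box: interface on the departmental LAN
LAN="${LAN:-eth1}"                   # NAT box: interface towards the workstation
INSIDE="${INSIDE:-192.168.1.0/24}"   # private range the box hands out via DHCP

# Ruleset A: stateful filter on the workstation itself, no extra box.
# Policy: drop every inbound packet unless it belongs to a connection the
# workstation opened; outbound (web, ssh, ftp clients) stays unrestricted.
host_rules() {
    $RUN iptables -F
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP       # a workstation does not route
    $RUN iptables -P OUTPUT ACCEPT
    $RUN iptables -A INPUT -i lo -j ACCEPT
    # Replies to connections we started; RELATED also covers FTP data channels
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited connection attempts: log a rate-limited sample, then the
    # chain policy (DROP) takes them
    $RUN iptables -A INPUT -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "fw-new: "
}

# Ruleset B: the small NAT/router box between workstation and LAN.
# Protection comes from FORWARD's default DROP plus connection tracking,
# not from the address translation as such. There is deliberately NO
# DNAT / "DMZ host" rule: forwarding everything sent to the public
# address inward would hand the workstation back its exposure.
nat_box_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -F
    $RUN iptables -t nat -F
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT
    # Rewrite the workstation's source address to the box's own public address
    $RUN iptables -t nat -A POSTROUTING -s "$INSIDE" -o "$WAN" -j MASQUERADE
    # Outbound from the inside host, and only the matching replies back in
    $RUN iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$INSIDE" -j ACCEPT
    $RUN iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Traffic to the box itself: loopback, DHCP requests (sent from 0.0.0.0,
    # so they cannot be matched on $INSIDE) and administration from inside only
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    $RUN iptables -A INPUT -i "$LAN" -s "$INSIDE" -j ACCEPT
    $RUN iptables -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh fw.sh host | nat   (default: show the host ruleset)
case "${1:-host}" in
    nat)  nat_box_rules ;;
    *)    host_rules ;;
esac
```

On a Woody-era kernel the `-m state` match is the one available; on current kernels `-m conntrack --ctstate` is the preferred spelling with the same meaning. If the workstation is ever given a server role, the matching `ACCEPT` rule (host case) or `DNAT` rule (NAT case) is the single point where exposure is reintroduced, and should be written per port rather than for the whole address.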