hardware firewall who best?

Ilya Palagin ilyapalagin-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Wed Mar 24 21:39:09 UTC 2004


verbum-qazKcTl6WRFWk0Htik3J/w at public.gmane.org wrote:
> (TO: Toronto Linux User Group)
> (subsequent cc: one or more individuals)
> 
> 1. Background to My Questions
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> I am helping Prof. "XYZ", of the big Toronto 
> "University of FooBar",  on a not-for-pay basis.  
> I am maintaining Prof. XYZ's Debian stable/Woody workstation, 
> "goozarbox.zoogar.ufoobar.ca", at "123.456.789.123", 
> on a LAN in the "Department of ZooGar" within the University
> of FooBar. (Scare-quoted names in this paragraph are pseudonyms. 
> The scare-quoted IP address is likewise fictitious.) 
> 
> Security on goozarbox.zoogar.ufoobar.ca is reasonably tight.  
> The system gets patched rather often
> with apt-get, and moreover is
> at the moment kept disconnected from the LAN except when in active use. 
Why do you disconnect it?

> At patching time, a special script not only runs apt-get 
> to update all current packages, but also runs chkrootkit. 
Running chkrootkit makes sense only if you boot from a "clean" disk. If
a system is already exploited, chkrootkit results will be faked too.
Don't waste CPU time :-)

> 
> We do not presently use any kind of software firewalling
> (such as iptables) on goozarbox.zoogar.ufoobar.ca. 
> 
> We do not presently do anything interesting with
> goozarbox.zoogar.ufoobar.ca. We use the Internet at present
> only for surfing and for connecting to remote boxes with an SSH
> client or an FTP client.
> 
> The University of Foobar has a firewall. However, this will not
> protect goozarbox.zoogar.ufoobar.ca against attacks from
> hackers within the University of Foobar, and provides
> protection of UNKNOWN quality (perhaps not reliable protection)
> against attacks from the general Internet.
> 
> It therefore seems to me that I should take further steps to
> protect goozarbox.zoogar.ufoobar.ca.
The only steps you should take are:
-- disable services you don't use on the Linux box, like inetd or lpd
-- configure securely the services you need
-- only the administrator should have console access;
disable other user accounts (if there are any)
-- update the system on a regular basis (you're already doing this)

> 
> I think, on the strength of a short consultation with a
> knowledgeable faculty member, that it would be good for me to
> put an additional box - not a fullscale PC,
> but a small, cheap box, the size of a big cellphone,
> the kind of box sold as a "router", with no keyboard or screen
> or drive  -
> between goozarbox.zoogar.ufoobar.ca and the departmental LAN.
> I think that I should have the new box perform Network Address
> Translation, exposing itself to the LAN at 123.456.789.123,
> but accepting dhclient requests from goozarbox.zoogar.ufoobar.ca.
> The new box will assign to goozarbox.zoogar.ufoobar.ca some private
> IP address, say 192.168.123.456, on the strength
> of such a dhclient request, and will readdress incoming
> packets from the Internet, addressed to 123.456.789.123, so as
> to send them instead to 192.168.123.456.
You don't need a router.  The thing you're talking about is called a
"firewall", but it would make sense if you were going to protect your
internal network. You don't need it to protect the Linux box from the
dept. LAN. The reasons are:
-- there are no known remote exploits for the Linux kernel
-- if any exploits appear, be sure that the Debian team will fix it
immediately.  You're already running apt-get :-)
-- a firewall won't help against security flaws in software like mail or
proxy servers (again, apt-get is your friend)

> 
> 2. My Questions
> ^^^^^^^^^^^^^^^
> 
> Q1____Am I right in thinking that setting up an additional
>       box in the way just described is a rational approach
>       to improving the security of goozarbox.zoogar.ufoobar.ca?
>       (Since I'm fuzzy on security concepts, it would be good
>       if someone could say here "Yes, for the FOLLOWING
>       specific reason: ...")
No, it'll just be a waste of money.

> Q2____If I am right, then what should I specifically ask for
>       when I visit the computer stores? Do I say "router", or do
>       I say something more
>          specific, of the form "ABC router with DEF"?
>       And does it make sense to request any one specific
>       brand? (Prof. XYZ is interested in reliability, not cheapness.
>       If someone has worked in a security situation similar to mine,
>       and has already bought a satisfactory box, and has already
>       got it working with Debian stable/Woody dhclient,
>       then I'd be keen to obtain a brand recommendation.)
You don't need to visit stores :-)

> Q3____Am I right in thinking that with such a security solution
>       in place, there is no obvious way for a cracker to get root on
>       goozarbox.zoogar.ufoobar.ca? Or is there still some
>       big security loophole?
No, it won't improve security.  Your possible security breaches are in the
software you're running and the users who log in (if there are any).

> Q4____Is my envisaged security solution better than, worse than,
>       or about equivalent in quality to filtering packets
>       on goozarbox.zoogar.ufoobar.ca with iptables,
>       WITHOUT putting an extra box between goozarbox.zoogar.ufoobar.ca
>       and the departmental LAN? (A detailed argument, if someone
>       can supply an argument, would be of great interest.)
With iptables you can, for instance, allow ssh access from a particular
address only, but you won't get a significant security improvement.  Anyone
can set this address on his machine :-) , even if you keep it secret.
Security by obscurity isn't a reliable thing.

> 
> Thanks in advance for any light you can shed. Unless you advise
> otherwise, I'll assume that it is okay to quote you to my
> other correspondents,  and that it does not matter whether, in
> quoting, I conceal or reveal your e-mail address.
What do you mean?
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
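The two concrete steps in the reply above (find and disable listeners you don't use, such as lpd or inetd-spawned identd, and restrict ssh to one address with iptables) as an added shell example that is not part of the original thread. The netstat-style listener table and the admin address 192.0.2.10 are constructed values; the script only audits and prints the rules, it does not load them.

```shell
#!/bin/sh
# Added example, not from the original message. SAMPLE_LISTENERS is a
# constructed `netstat -ltn` table standing in for the real box's output.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN'

# Print, one per line, the TCP ports bound to all interfaces (0.0.0.0), i.e.
# reachable from the departmental LAN. Loopback-only listeners are ignored.
lan_exposed_ports() {
    printf '%s\n' "$1" | awk '$1=="tcp" && $4 ~ /^0\.0\.0\.0:/ { split($4, a, ":"); print a[2] }'
}

# Map a port to an action. Only ssh is needed on the described workstation;
# lpd (515) and identd (113, started from inetd) are the "disable" candidates.
classify_port() {
    case "$1" in
        22)  echo "keep ssh" ;;
        515) echo "disable lpd" ;;
        113) echo "disable identd (inetd)" ;;
        *)   echo "review port $1" ;;
    esac
}

# Emit an iptables ruleset: default-deny inbound, allow loopback and reply
# traffic, allow ssh only from the admin address. As the reply notes, a source
# address can be forged, so this restricts exposure but is not a substitute
# for patching sshd itself.
build_rules() {
    admin_ip="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $admin_ip -j ACCEPT
EOF
}

# Run the audit on the constructed sample and show the resulting ruleset.
for p in $(lan_exposed_ports "$SAMPLE_LISTENERS"); do
    printf '%s: %s\n' "$p" "$(classify_port "$p")"
done
build_rules 192.0.2.10
```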