Old 12-19-2001, 12:13 PM   #1
jbm
Designing network security


Currently I am working for a company that is growing very quickly, and with the problems with hackers and virus problems, we are implementing a firewall and I think that a unix/linux firewall would be best. I am wondering if there is a certain operating system of the unix/linux systems to implement as a great security box. I believe that all internet traffic will have to filter through this system, but I do not want to slow the connect speed down. I realize that it will slightly, but we have too many people depending on FTP and internet downloads to allow it to slow.
Currently we are running windows OS throughout the network, the server is running the new 2000 server software, but we want to increase the security of this system, many times over.

So is there a Unix/Linux system that would do this, for not much of a price? I already have the computer together and ready for the OS, could someone lend some knowledge for this issue? Thanks all!
JBM

 
Old 12-20-2001, 02:01 AM   #2
trickykid
Well, as far as security goes in Unix type environments, I could suggest FreeBSD or NetBSD.. very secure.. Also many flavors of Linux will do the job right.. but all in all, security on a machine and network is dependent on how well you, the administrator, make it. I do believe Linux and Unix are better secured than Windows, you have more control, and flexibility along with it.
 
Old 12-20-2001, 07:47 AM   #3
raz
JBM,

Basically it all boils down to money and performance.
If you have an endless supply of cash, then you go for a PIX or Nokia FW1 setup with redundancy and VPN acl boards.

If you need very very fast network connectivity, then you go for Netscreen firewalls.

If you don't have a lot of cash and are not too bothered about performance then you go for Linux.

"oh yeah when I say performance, I mean if you have a Lease ATM or Frame relay line that's over 32/mbit/s then you don't use a Linux box, but if you had that line then you would have the cash for some PIX's and FW1's"

Basically if you fall into this criteria, "i.e. save money, but still be as secure or more secure than a PIX or Fw1 box", I would recommend the following based on my experience.

A PC "Pentium cpu if you plan to do VPN connections"
600Mhz or more. "if you do NAT I recommend a dual CPU"
256MB Ram
no less than 4Gb's Harddisk
3 x 10/100 Network cards "PCI"
VGA graphics, sound optional

OS:
Linux Redhat 7.2

Firewall:
Netfilter "iptables"

IDS's:
Snort

Then you just need to patch the OS fully.
Rebuild the Kernel if you're going to have VPN's.
Build a very secure stateful firewall rule base.
Add an IDS to the system to notify you; don't do active IDS's, only passive detection.
Use second card for DMZ area for DNS and Mail servers.
Use Third card for internal Network.
Have at least 8 real Assigned internet addresses for the firewall and DMZ area.

trickykid's right, it's down to how well you secure the system, a default box is always wide open to attacks, but it's also up to the technology of the OS to do the best network integrity job it can by conforming to RFC's correctly.

All these are Network issues with different OS.
examples:

ICMP Error message echoing integrity :
AIX and BSDI respond back with an IP 'total length' field that is 20 bytes too high. Some BSD
machines (AIX, FreeBSD, etc.) send back an inconsistent or 0 checksum.

ICMP Message Quoting :
For a port unreachable message, almost all implementations send only the required IP header + 8 bytes back.
However, Solaris sends back a bit more and Linux sends back more than that.

TCP Initial Window :
AIX is the only OS which uses 0x3F25.
The new TCP stack for NT5, uses 0x402E. (that is exactly the number used by OpenBSD and FreeBSD)

TCP ISN:
Old UNIX boxes use 64k increments.
Newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and use random ISN's
Linux 2.*.*, OpenVMS and AIX use completely random ISN's
Windows boxes use a time dependent ISN "not good" (NT5 has improved on this)

All of these types of issues can be addressed with the OS's kernel but it just shows you, if you want a secure box you have to work on it.
Windows boxes on the other hand, have such a bad TCP stack that they often don't conform to any of the RFC's for TCP/IP fully, putting them at risk.

/Raz
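
Added example, not part of raz's post: a minimal stateful Netfilter rule base for the three-card layout described above (Internet, DMZ with DNS and mail, internal network), written as a shell function that prints `iptables-restore` input. The interface names, addresses, the SSH management rule and the masquerading of the internal network are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a three-card firewall.
# Assumptions (not from the thread): eth0=Internet, eth1=DMZ, eth2=internal;
# all addresses are constructed placeholders.
EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
INT_NET=10.0.0.0/24
DMZ_DNS=192.0.2.2    # hypothetical DMZ DNS server
DMZ_MAIL=192.0.2.3   # hypothetical DMZ mail server

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall host itself: loopback, replies, SSH from the internal side only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Stateful core: drop invalid packets, pass replies to permitted connections
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: DNS and SMTP only
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
# DMZ -> Internet: DNS lookups and outbound mail
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Internal -> Internet and internal -> DMZ
-A FORWARD -i $INT_IF -s $INT_NET -o $EXT_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $INT_IF -s $INT_NET -o $DMZ_IF -m state --state NEW -j ACCEPT
# Nothing may open a connection into the internal card: policy DROP covers it
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Internal hosts share the firewall's external address
-A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

gen_rules
```

Run as root, piping the output into `iptables-restore --test` parses the rules without committing them.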
 
  

