LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-26-2008, 01:07 PM   #1
alwayslearning
Member
 
Registered: Feb 2003
Location: mountains of Western North Carolina and Daytona Beach
Distribution: Redhat 8.0/mozilla
Posts: 60

Rep: Reputation: 15
Hacked! - My boss is PO'd!


I manage a small windows network behind a Centos firewall.

After a recent intrusion, I was asked by my boss to mask our wan ip.

Any help would be very appreciated.

Michelle in Daytona...

 
Old 06-26-2008, 01:42 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by alwayslearning
I manage a small windows network behind a Centos firewall.

After a recent intrusion, I was asked by my boss to mask our wan ip.

Any help would be very appreciated.
But what exactly do you need help with? You haven't provided any information regarding either the security breach or what it is you want to do now.
 
Old 06-26-2008, 02:00 PM   #3
Lantzvillian
Member
 
Registered: Oct 2007
Location: BC, Canada
Distribution: Fedora, Debian
Posts: 210

Rep: Reputation: 41
Bahhaha I love it. Do you know what ports you allow through, what IPs or ranges any remote users use (if any), are there any boxes on a DMZ... etc.
 
Old 06-26-2008, 02:03 PM   #4
alwayslearning
Member
 
Registered: Feb 2003
Location: mountains of Western North Carolina and Daytona Beach
Distribution: Redhat 8.0/mozilla
Posts: 60

Original Poster
Rep: Reputation: 15
Clarification

I was asked by my boss to mask our wan ip.
 
Old 06-26-2008, 02:56 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by alwayslearning
I was asked by my boss to mask our wan ip.
I assume that means you want to set up a NAT/masquerading firewall? If not, please clarify what you mean by "mask our WAN IP". The reason I'm asking this is because you've stated you are running a CentOS-based firewall, which sort of implies that you might already be doing NAT/masquerading. Also, if possible, please provide at least a basic overview of the intrusion you experienced, why "masking your WAN IP" would prevent it from happening again, and what your current network setup looks like.
 
Old 06-26-2008, 03:29 PM   #6
calraith
Member
 
Registered: Apr 2008
Location: Gray, TN, USA
Distribution: UbuntuStudio, Linux Mint
Posts: 36

Rep: Reputation: 15
Quote:
Originally Posted by alwayslearning
I was asked by my boss to mask our wan ip.
Allow an East Tennessee hillbilly to attempt to translate into Western North Carolina hillbilly.

There are several reasons we are asking about the nature of the attack, network layout, and so forth. Your goal of "masking the WAN IP" is terribly ambiguous, and sounds more like an excuse to use buzz words rather than an actual request. Your boss might as well ask you to reboot the Internet. Besides, when asking for help, it's usually better to describe the symptoms than to speculate wildly about a solution. The solution you seek may not be appropriate for the vulnerability that was exploited.

For instance, if the attack was a website defacement, then no amount of tweaking your firewall will plug the hole that allowed the SQL injection. If, on the other hand, the Windows machines behind your firewall got infected by a zombie botnet, that's a different solution as well (although blocking outbound IRC and P2P using a traffic shaper of some sort couldn't hurt).

If I were to interpret your boss's request literally (and it hurts my head to do so), I would say he's asking you to put a firewall in front of your firewall.
 
Old 06-26-2008, 03:41 PM   #7
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
In the companies that I've worked with, the term WAN usually applies to a network that connects multiple sites or locations. The vast majority of these would be connected via routers using separate subnets.

If you are discussing Internet security on a firewall, that is another matter. The other posters are asking for more specifics so that they can help you with your issue. They aren't just giving you a hard time. To help, we would need, at the very least, what current firewall you are using, what the nature of the breach was, and a basic overview of your network.
 
Old 06-26-2008, 04:45 PM   #8
alan_ri
Senior Member
 
Registered: Dec 2007
Location: Croatia
Distribution: Debian GNU/Linux
Posts: 1,733
Blog Entries: 5

Rep: Reputation: 127
Just to make something clear; Internet is WAN.
 
Old 06-26-2008, 05:24 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by alan_ri
Just to make something clear; Internet is WAN.
True, the Internet is by definition a WAN - but you don't need the Internet to have a WAN, as pointed out by javaroast. And as mentioned by calraith (and myself), the OP's description of the problem and the plan of action is quite vague. This is evidenced by this WAN discussion itself (we don't know what kind of WAN the OP means). Let's wait for the OP to get back to us with more information so that we may be able to better understand the situation and provide any necessary assistance.
 
Old 06-26-2008, 05:51 PM   #10
alan_ri
Senior Member
 
Registered: Dec 2007
Location: Croatia
Distribution: Debian GNU/Linux
Posts: 1,733
Blog Entries: 5

Rep: Reputation: 127
Quote:
Originally Posted by win32sux
True, the Internet is by definition a WAN - but you don't need the Internet to have a WAN
True, but we need WANs to have the Internet... and that is true, but I'm just kidding.
I had to say that Internet is WAN because people often have misconceptions about that.
You're right, OP should post more information.

Last edited by alan_ri; 06-26-2008 at 06:30 PM. Reason: grammar
 
Old 06-26-2008, 06:04 PM   #11
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by alwayslearning
I was asked by my boss to mask our wan ip.
.... *ring* *ring*
"Hey boss, Michelle here. What the hell did you mean by that, exactly?"
 
Old 06-26-2008, 10:01 PM   #12
alwayslearning
Member
 
Registered: Feb 2003
Location: mountains of Western North Carolina and Daytona Beach
Distribution: Redhat 8.0/mozilla
Posts: 60

Original Poster
Rep: Reputation: 15
Thank you everyone for your posts.

Here is some background:

1. the IT guy I replaced hacked into our network the weekend after he was fired and changed the time clock so his last paycheck would be increased (boss thinks he set up a backdoor)
2. I changed all passwords and searched logfiles, which he deleted after he got into our network
3. my firewall experience prior to this job was a Watchguard 700, so I need help with Linux
4. a friend of my boss told him his IT person changed his ip (masquerade?) among other measures and secured his network
5. my boss has very limited knowledge of computers!

I am new at this job and they are hard to find right now, so any help would be very appreciated.

michelle
 
Old 06-26-2008, 10:08 PM   #13
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Rep: Reputation: 31
Hi Michelle,

Replace that firewall IMMEDIATELY. Yank the WAN link now. There are MANY backdoors he could have put on it. The list is almost endless.

Since you are new to linux, I suggest installing one of the free simple linux-based firewalls, such as Untangle. Just download the cd and boot it to install. They are very easy to install, configure and manage.

www.untangle.com

You will have a new firewall in less than an hour.
 
Old 06-26-2008, 10:15 PM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,699
Blog Entries: 4

Rep: Reputation: 3947
Quote:
Originally Posted by alwayslearning
Thank you everyone for your posts:
here is some background:
1. the IT guy I replaced hacked into our network the weekend after he was fired and changed the time clock so his last paycheck would be increased (boss thinks he set up a backdoor)
Since this person thereby committed fraud, call the police. He also seems to have violated state and/or federal computer-crime statutes: call the police.

Quote:
2. I changed all passwords and searched logfiles, which he deleted after he got into our network
3. my firewall experience prior to this job was a Watchguard 700, so I need help with Linux
4. a friend of my boss told him his IT person changed his ip (masquerade?) among other measures and secured his network
5. my boss has very limited knowledge of computers!

I am new at this job and they are hard to find right now, so any help would be very appreciated
A firewall won't help you with someone who knew a password. If you changed all the passwords (login, database, everything) he probably can't get in anymore.

"A friend of my boss" probably does not have accurate information in this case; in fact, I think he-or-she doesn't. You are dealing with a "jilted-lover attack," the hardest kind.

Be sure to keep careful track of time since all of this might serve as actual-damages proof that might be helpful in adding a couple more years to the time this person could spend behind bars. No, I'm not kidding.
 
Old 06-26-2008, 10:21 PM   #15
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Rep: Reputation: 31
Quote:
Originally Posted by sundialsvcs
If you changed all the passwords (login, database, everything) he probably can't get in anymore.
Sure he can. For example, he can have the CentOS box have a cron job to initiate a tunnel to his home box. There are lots of ways.

I would replace the firewall completely. Set it aside. Hell, go to the store and buy a cheap Linksys router/firewall, and use it for now. They are cheap ~$50.
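
Added example, not part of the thread: one way to triage the persistence route raised in the last post (a cron job on the CentOS box that opens an outbound connection). It parses system and per-user crontab text and lists every entry that runs a network-capable program; the tool list, function names, file paths and sample crontab contents are assumptions constructed for illustration.

```python
import re

# Programs that can open an outbound connection (assumed triage list, not exhaustive).
NET_TOOLS = {"ssh", "autossh", "nc", "ncat", "netcat", "socat", "telnet",
             "curl", "wget", "ftp", "scp", "rsync", "stunnel", "openvpn"}
SHORTCUT = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)$")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_cron_line(line, system=True):
    """Return (schedule, user, command), or None for blank/comment/env lines."""
    # system=True: /etc/crontab and /etc/cron.d layout, which has a user column;
    # system=False: per-user crontab under /var/spool/cron, which has none.
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    n_time = 1 if SHORTCUT.match(line.split()[0]) else 5
    parts = line.split(None, n_time + (1 if system else 0))
    if len(parts) < n_time + (2 if system else 1):
        return None  # too few fields to be a job entry
    user = parts[n_time] if system else None
    return " ".join(parts[:n_time]), user, parts[-1]

def network_tools_in(command):
    """Names from NET_TOOLS appearing as a word in the command, whatever the path."""
    return sorted(set(re.findall(r"[A-Za-z0-9_.+-]+", command)) & NET_TOOLS)

def audit(text, source, system=True):
    """Return [(source, user, schedule, command, tools)] for entries to review."""
    findings = []
    for line in text.splitlines():
        entry = parse_cron_line(line, system)
        if entry and network_tools_in(entry[2]):
            schedule, user, command = entry
            findings.append((source, user, schedule, command, network_tools_in(command)))
    return findings

# Constructed sample crontabs (not from the thread); hosts and users are placeholders.
SAMPLE_SYSTEM = """SHELL=/bin/bash
MAILTO=root
01 * * * * root run-parts /etc/cron.hourly
*/10 * * * * root /usr/bin/ssh -f -N keepalive@home.example.invalid
"""
SAMPLE_USER = """@reboot /usr/local/bin/timeclock-sync.sh
15 2 * * * /usr/bin/curl -s http://status.example.invalid/ping
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE_SYSTEM, "/etc/crontab") + audit(SAMPLE_USER, "/var/spool/cron/olduser", system=False):
        print(hit)
```

An entry that calls a wrapper script (the `@reboot` line in the sample) is not flagged, so the scripts cron runs have to be read as well. A hit is a prompt for manual review, not a verdict, and on a box a former admin controlled the crontab files are best examined from a copy of the disk rather than on the live system.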
 
  


All times are GMT -5.