Old 11-07-2012, 05:30 AM   #1
netpumber
Member
 
Registered: Sep 2007
Location: In My Box
Distribution: Arch Linux
Posts: 333


Hi.

I wanna ask your ideas on how to set up the security of a network.

I have 6 Computers, 1 router, 1 switch and two ideas.

1st idea:
One of these computers takes the role of a hardware firewall; I attach the switch to it and then the rest of the computers to the switch.
In this way the firewall PC will do packet filtering, IDS & IPS, while the other PCs will just have their OS and system encryption.

2nd idea:
Here I thought to add iptables rules on all of the PCs plus system encryption, and have the firewall one do only IDS & IPS.


What do you think is the best idea for a network like this?
Maybe I made a mistake somewhere, so any suggestion is welcome.

Hmm.. nobody has an idea or something to suggest?

Last edited by unSpawn; 11-07-2012 at 10:44 AM. Reason: //Don't bump 0-reply threads and remain patient.
 
Old 11-08-2012, 06:08 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Kind of depends. Security not being a goal on its own, you would usually look at the purpose of (a set of) machines, design the 'net layout around that and then decide where on the perimeter you would place your IDS sensor (in essence the question is: "what is it that you must detect?"). There is no rule saying you can't have a sensor anywhere you want to. Wrt firewalls people often say that if you're behind a NAT router all is OK (aka "don't worry"), but that doesn't take into account the NAT router having become a SPOF (power failure / reloading firmware restoring default "allow everything" rules) and the fact that, next to traffic regulation, a host-based firewall can also do traffic accounting:
- If for example you have a 2-machine web server setup (HTTP + IDS, MySQL) and 3 workstations, you could confine the latter 3 to their own network segment and the web server machines to a DMZ. That would leave one machine for the central router / firewall / IDS role (Vyatta, pfSense, IPCop, etc, etc).
- If you already have a dependable OTS router (nothing beats that wrt power consumption) running some Linux distribution (Draytek, WRT54G, MikroTik, etc, etc) already providing customizable firewalling, routing and traffic control, then you could place your Snort sensor between modem and router (or if your router has a SPAN port you could place the sensor there) and divide the rest of the machines into VLANs according to their role. There's no rule saying they can't all run an IDS, nor that one of them can't double as central network analysis workstation.
- If unfettered network analysis is your fetish, then you place one IDS sensor between modem and firewall, one behind the firewall, have both dump traffic captures to storage and alerts to a central syslog machine, and configure one machine as a network analysis workstation. That would leave you one machine for the router / firewall role or as workstation ;-p

In short knowing what you must detect dictates sensor placement.
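As an added illustration of the "iptables on every PC" idea from the question and of the two host-based firewall jobs the reply above names (traffic regulation and traffic accounting), here is a small POSIX shell script that generates an iptables-restore ruleset for one workstation. It is example code written for this page, not something posted in the thread: the LAN segment and the single management host allowed to SSH in are constructed placeholder values, and the script only prints the ruleset so it can be reviewed before being piped into iptables-restore. Because INPUT is default-drop on the host itself, a NAT router that reboots into "allow everything" defaults does not expose the workstation, and the two accounting chains give per-protocol byte and packet counters without making any verdict.

```shell
#!/bin/sh
# Added example (not from the thread): emit a host-based iptables ruleset for a
# workstation in the "iptables rules on all PCs" layout. Prints to stdout;
# review it, then apply with:  sh host-fw.sh 192.168.10.0/24 192.168.10.10 | iptables-restore
# Both defaults below are constructed placeholder values, not real addresses.

LAN_NET="${1:-192.168.10.0/24}"     # segment the workstations share (assumed)
MGMT_HOST="${2:-192.168.10.10}"     # the one host allowed to SSH in (assumed)

# gen_ruleset NET MGMT : print a complete *filter table in iptables-restore syntax.
gen_ruleset() {
    net="$1"; mgmt="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACCT_IN - [0:0]
:ACCT_OUT - [0:0]
# Accounting chains: no verdict, only counters (read with: iptables -vnL ACCT_IN)
-A ACCT_IN -p tcp
-A ACCT_IN -p udp
-A ACCT_IN -p icmp
-A ACCT_OUT -p tcp
-A ACCT_OUT -p udp
-A ACCT_OUT -p icmp
# Count every packet before any accept/drop decision is reached
-A INPUT -j ACCT_IN
-A OUTPUT -j ACCT_OUT
# Loopback and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management: new SSH sessions only from the designated host
-A INPUT -p tcp -s ${mgmt} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Let LAN neighbours ping us (monitoring); echo-requests from elsewhere hit the DROP policy
-A INPUT -p icmp -s ${net} --icmp-type echo-request -j ACCEPT
# Rate-limited log of everything else, then the DROP policy applies;
# these log lines are what you forward to the central syslog machine
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "HOSTFW-DROP: "
COMMIT
EOF
}

# count_rules NET MGMT : number of rule lines (-A ...) in the generated set,
# handy for a sanity check before applying
count_rules() {
    gen_ruleset "$1" "$2" | grep -c '^-A '
}

gen_ruleset "$LAN_NET" "$MGMT_HOST"
```

The accounting chains deliberately carry no `-j` target: a packet traverses them, increments the matching counter and falls back into INPUT or OUTPUT, so accounting never changes what the regulation rules decide. Run `iptables -Z ACCT_IN ACCT_OUT` to reset the counters at the start of a measurement window.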