Samba and firewalls on Linux/Windows network - where to start?
Hi
I'm running/administering a couple of networks each of which consists of a Linux SAMBA server ("Mitel SME server") and a bunch of Windows and Linux machines. Both networks now have broadband ADSL routers to provide Internet access, and I'm worried about the security of the networks. I'm a newb when it comes to "real" security so I've started looking around and reading up but I'm feeling a bit swamped by all the stuff available and I'm not sure where to start. So here are a few questions - perhaps someone can help?
1. Both routers use NAT which I understand gives some level of security. Is this adequate protection for a typical home network? The networks aren't hyper-sensitive but I still wouldn't like them compromised.
2. I'm considering running a firewall on each of the clients on the network - is this sensible or even practical, considering I need SMB to work across the network to the server for file sharing? I realise it's probably not the best solution but is it workable?
3. Can someone point me to a good resource for reading up on basic security issues with a Linux bias?
I am aware of things like "smoothwall" which turn a spare PC into a firewall, and I've been thinking about that as a solution for protecting the whole network, but (at least in one case) I don't think it would be practical to introduce another PC owing to space, noise etc. so I'm looking at alternative solutions.
I don't mind spending time reading up on this stuff, and experimenting with various solutions, but the problem is at the moment I'm really not sure where to start so any pointers would be much appreciated.
My opinion: individual software firewalls on the clients will drive you nuts. But just the NAT protection provided by your router is not enough.
Smoothwall is an excellent solution, and they have a free version you can try, but as you say, it takes a PC to run it on. I use Smoothwall here and am happy with it. Maybe you could run it on a laptop or a small-form-factor PC -- be aware that it does not require a monitor, keyboard or mouse on the PC once you have it running; it has a browser interface so you can admin from another machine on the LAN, or even remotely from the WAN side. So all you need is the box. I use a P166 machine that my employer was going to discard.
There are firewall "appliance" devices on the market that are smaller than a PC and probably less noisy. I can't say much about them, have no experience there. At work we use a SonicWall appliance and it has a lot of nice features but it's getting old and there are a lot of issues with things like VPN from a Windows XP client, for example.
A site I like for security reading is ShieldsUp! at <https://grc.com/x/ne.dll?bh0bkyd2>. I have also found a lot of good information at this site: http://www.dslreports.com/ -- there is a 'security' link at the left of the home page. Lots of good reading at this site about all kinds of stuff.
Good luck and I'd be very interested to hear how you make out.
Thanks...
Thanks, eflester, the links you gave look useful.
I realise that a "headless" computer running shorewall or similar is probably the ideal solution, but in some cases it's not practical (or at least not acceptable). I _might_ get away with it in the case of the networks I mentioned in my first post, but I also know several other people who are considering a simple home network with (say) two PCs and a cheap ethernet ADSL router, and they want my advice. I can't exactly suggest to them all that they need an extra computer just to keep them safe! So I guess what I should have really asked in the first place is this:
Imagine you have two (or more) PCs connected to each other via a LAN and using SMB file sharing (say one Windows, one Linux) and have the LAN connected to the Internet via a basic (NAT only, no firewall) ADSL router. Is it possible to run a software firewall on a Linux PC such that it will allow SMB file sharing over the local network, whilst protecting from intrusions via the Internet?
In other words, I want to allow incoming and outgoing connections to the other computers on the LAN, and allow outgoing connections via the router to the Internet, but deny all incoming connections from the Internet. I'm guessing that this is possible, but I haven't found this scenario described in any of the Linux firewall documentation I've read so far (or at least, not in terms I could understand!).
If anyone can point me to something that describes how to set up a firewall in this scenario I'd appreciate it.
"Imagine you have two (or more) PCs connected to each other via a LAN and using SMB file sharing (say one Windows, one Linux) and have the LAN connected to the Internet via a basic (NAT only, no firewall) ADSL router. Is it possible to run a software firewall on a Linux PC such that it will allow SMB file sharing over the local network, whilst protecting from intrusions via the Internet?"
I did almost exactly what you describe. It is a measure of my lack of experience that I found it far too complicated to configure the software firewalls on the PCs to do this. I believe it is possible, but I was unwilling to figure it out at the time. I will explain what I did instead -- but first:
If you had the hypothetical situation that you describe above you would need a software firewall on both the Linux and the Windows PC. For example, I installed Sygate's free firewall on my XP Pro box. On my Red Hat 9 box I used the native RedHat firewall.
So: to make it work you'd have to tell each one of those firewalls exactly what to allow in and out. And I couldn't help wondering if a hacker couldn't get into one machine from the other somehow... As I said, I just wasn't up to that task.
What I did instead: I put an extra NIC in each machine. I ran one NIC to the router from each box. The other NIC was connected to the NIC in the other PC via a crossover cable (you could use a hub -- I just didn't have one lying around when I did this, but I did have cable). This created a dual-homed network with a WAN side and a LAN side. I assigned static IPs to the LAN side NICs and told the firewalls to leave them alone. I let the router assign IPs to the WAN side (you could go static here too, no real reason) and turned those firewalls up to 'MAX.' This network arrangement worked beautifully here for a long time. It is very inexpensive, not hard to configure, and the only disadvantage is that instead of one network cable you need two. NICs are cheap.
Now someone may tell you that this is insane and I can't refute that, but it works fine and passed every test I threw at it including just using it for about a year.
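As an added example (not code from either poster, and not from SME server, Shorewall or Smoothwall), here is an iptables script for the scenario abovett describes: the Linux box sits on the same LAN as the router, accepts SMB/NetBIOS only from LAN neighbours, may open anything outbound, and accepts no new connections from anywhere else. It also fits eflester's dual-homed arrangement, since the accept rules are keyed on the LAN NIC. The subnet 192.168.1.0/24 and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from SME server/Shorewall: an iptables
# ruleset for a Linux box that sits on the same LAN as the ADSL router, must
# accept SMB/NetBIOS from LAN neighbours, may open anything outbound, and
# accepts no new connections from anywhere else.
# LAN_NET and LAN_IF are assumptions; adjust to the site.
#
#   sh smb_fw.sh           print the rules
#   sh smb_fw.sh apply     run them (root; make sure you have console access first)

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN behind the router
LAN_IF="${LAN_IF:-eth0}"               # assumed NIC on that LAN

# Ports Samba/Windows file sharing uses: NetBIOS name/datagram (UDP 137/138),
# NetBIOS session (TCP 139) and direct SMB over TCP (445).
SMB_TCP="139 445"
SMB_UDP="137 138"

# smb_fw_rules NET IFACE  -- write the iptables commands to stdout
smb_fw_rules() {
    net="$1"; iface="$2"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # New SMB sessions only from LAN addresses arriving on the LAN NIC. A port
    # forwarded by the router would still carry the remote Internet source
    # address, so it fails the -s match and hits the final DROP.
    for p in $SMB_TCP; do
        echo "iptables -A INPUT -i $iface -s $net -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $SMB_UDP; do
        echo "iptables -A INPUT -i $iface -s $net -p udp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -i $iface -s $net -p icmp --icmp-type echo-request -j ACCEPT"
    # Log a trickle of what gets dropped, then drop everything else.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
    echo "iptables -A INPUT -j DROP"
}

# rule_count NET IFACE PATTERN -- how many generated lines match PATTERN
rule_count() { smb_fw_rules "$1" "$2" | grep -c -- "$3"; }

if [ "${1:-print}" = "apply" ]; then
    smb_fw_rules "$LAN_NET" "$LAN_IF" | sh -e
else
    smb_fw_rules "$LAN_NET" "$LAN_IF"
fi
```

Run it without arguments first and read the rules before applying them. For eflester's two-NIC layout, set LAN_IF to the crossover NIC and LAN_NET to the static subnet on it; the router-facing NIC then only ever sees reply traffic matched by the ESTABLISHED,RELATED rule. On kernels old enough to lack the conntrack match, `-m state --state` takes the same state names.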
Thanks eflester
Your arrangement sounds interesting but it's not practical in my situations.
However, I had a look at the site you recommended, http://www.dslreports.com/ and from what I can tell there a NAT router should give enough protection for the simple case where no ports are opened or forwarded - which will be the case on some of the networks I'm referring to. One (my home one) is a bit more complex, but that one has a router with a built in firewall.
I've also been doing some investigation into software firewalls for the clients (as an extra line of defence) and I think I can get the kind of configuration I'm looking for working - there's someone on the MandrakeClub forum doing something similar. I've got ZoneAlarm (or ZoneAlarm Pro) on the Windows boxes and I'm playing with Shorewall on the Linux boxes.
I'll keep you posted on my progress - thanks for your advice.
If you are connecting the Mitel SME server to the router and also using it to NAT & firewall, which it is designed to do, you should be ok..
NAT on the router is necessary just for the pcs behind it.
It only offers protection against closed ports for incoming connections. Most routers can be set to only allow advertised ports coming in. If it doesn't have a 'stateful' firewall included, it can't tell the difference between a new connection and a hack attempt on the same port.
The SME server comes with a great range of firewall tools, so using it as a gateway/firewall is smart..
Last edited by peter_robb; 06-21-2004 at 03:14 PM.
It sounds as if the solution you seek is already in your hands.
I obviously need to learn to read more carefully. Somehow I skipped over the whole "SME server" thing in abovett's original post. I just read a quick article about it from Linux Mag. I was thinking of something like an ordinary distro with Samba turned on.
Thanks to peter_robb for making me go back and read what I read before -- now I have something new to try.
Hi
Quote:
Originally posted by peter_robb
If you are connecting the Mitel SME server to the router and also using it to NAT & firewall, which it is designed to do, you should be ok..
That's not quite what I'm doing at the moment. The server and all the clients are connected to the same switch as the router, so the server is not doing the routing at present - though I guess it should be, at least on the network without a separate firewall! I'd have to add an extra NIC to it - hopefully that wouldn't be a problem. It's quite an old PC, though, and I don't like messing around with it too much as it's important that it doesn't go down as it's the main filestore and authentication server for all the users on the LAN. Also, several people have strongly discouraged me from running a firewall and a file server on the same PC, though I guess it's better than no firewall at all!
Quote:
NAT on the router is necessary just for the pcs behind it.
It only offers protection against closed ports for incoming connections. Most routers can be set to only allow advertised ports coming in. If it doesn't have a 'stateful' firewall included, it can't tell the difference between a new connection and a hack attempt on the same port.
Now I'm confused! My understanding of NAPT on a router was that it was effectively stateful as it uses the outgoing connection to work out the reverse mapping - see http://www.dslreports.com/faq/4627 and http://www.dslreports.com/faq/4629 which seem to be quite explicit on this! On the network in question there are no forwarded ports - the broadband connection is only used for web browsing, e-mail and downloading the odd file, so there should never need to be.
Would you say that the writer of the above articles has missed something?
Quote:
The SME server comes with a great range of firewall tools, so using it as a gateway/firewall is smart..
I guess I ought to look into it - should have thought of it before! (So much to do, so little time...)
Thanks for everyone's help so far. I've only just started using this forum, and it's proving to be really helpful!
Also, several people have strongly discouraged me from running a firewall and a file server on the same PC, though I guess it's better than no firewall at all!
So many different opinions.. eh!!
I have my own firewall business and always prefer to put a firewall between servers and the net, but as soon as there is an open port to the server, it's as good as connected directly. The weakest link will break first... So security is important on everything that can see or be seen by the internet..
So long as you are sure the kernel and software is kept up to date, you can't do much better.
I do agree tho, that if a breakin occurs, it's better to have the server in a dmz..
But you can't put domain controllers/M$ shares in a dmz..
so keep the software well patched..!
Now I'm confused! My understanding or NAPT on a router was that it was effectively stateful as it uses the outgoing connection to work out the reverse mapping - see http://www.dslreports.com/faq/4627 and http://www.dslreports.com/faq/4629 which seem to be quite explicit on this!
Ahh, SO many different opinions...
Don't confuse NAT with 'conntrack'
NAT isn't stateful, conntrack is. I doubt your router uses a stateful system. If it did, it would be called a 'firewall'.
Basic NAT just remembers source ip & ports
conntrack watches the whole protocol
On the network in question there are no forwarded ports - the broadband connection is only used for web browsing, e-mail and downloading the odd file, so there should never need to be.
If there aren't any ports to be seen from the internet, you have a good first line of defence.
Someone must be invited in to cause trouble...
Your email server is outside too? It has antivirus software in it?
So you have the makings of a secure system. How up to date is the SME server?
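The distinction peter_robb draws above (a NAT table remembering address/port pairs versus conntrack following the protocol) can be seen directly on a Linux gateway. The following is an added example, not code from the thread: it reads entries in the /proc/net/nf_conntrack format and summarises what the tracker knows about each flow. The three entries in SAMPLE_CT are constructed; on a real firewall pipe the live file into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread: read Linux conntrack entries and show what
# the stateful tracker records per flow (direction, TCP state, whether the peer
# ever replied). The entries in SAMPLE_CT are constructed in the
# /proc/net/nf_conntrack format; on a real gateway feed the live file in instead.

SAMPLE_CT='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40231 dport=80 src=203.0.113.5 dst=192.168.1.10 sport=80 dport=40231 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.10 dst=203.0.113.9 sport=40232 dport=443 [UNREPLIED] src=203.0.113.9 dst=192.168.1.10 sport=443 dport=40232 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53412 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53412 mark=0 zone=0 use=2'

# ct_flows: stdin = conntrack lines; stdout = one summary line per flow:
#   proto state orig_src:sport -> orig_dst:dport unreplied=yes|no assured=yes|no
# The first src/dst/sport/dport group is the original direction; the second
# group (ignored here) is the reply tuple, which is the part NAT rewrites.
ct_flows() {
    awk '
    {
        proto = $3; state = "-"; unreplied = "no"; assured = "no"; n = 0
        osrc = ""; odst = ""; osp = ""; odp = ""
        for (i = 4; i <= NF; i++) {
            if (proto == "tcp" && state == "-" && $i ~ /^[A-Z_]+$/) state = $i
            else if ($i == "[UNREPLIED]") unreplied = "yes"
            else if ($i == "[ASSURED]") assured = "yes"
            else if (n == 0 && $i ~ /^src=/)   { split($i, a, "="); osrc = a[2]; n++ }
            else if (n == 1 && $i ~ /^dst=/)   { split($i, a, "="); odst = a[2]; n++ }
            else if (n == 2 && $i ~ /^sport=/) { split($i, a, "="); osp = a[2]; n++ }
            else if (n == 3 && $i ~ /^dport=/) { split($i, a, "="); odp = a[2]; n++ }
        }
        printf "%s %s %s:%s -> %s:%s unreplied=%s assured=%s\n", proto, state, osrc, osp, odst, odp, unreplied, assured
    }'
}

# ct_count_state STATE: number of flows whose tracked TCP state equals STATE
ct_count_state() {
    ct_flows | awk -v s="$1" '$2 == s { c++ } END { print c + 0 }'
}

# ct_half_open: TCP flows where a SYN went out but no reply was ever seen.
# A plain NAT table has no such notion; it only holds the address/port mapping.
ct_half_open() {
    ct_flows | awk '$1 == "tcp" && $2 == "SYN_SENT" && $6 == "unreplied=yes"'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_CT" | ct_flows
    printf 'half-open:\n'
    printf '%s\n' "$SAMPLE_CT" | ct_half_open
fi
```

Run `sh ct_flows.sh demo` for the sample, or `cat /proc/net/nf_conntrack | sh -c '. ./ct_flows.sh; ct_flows'` as root on a box with the nf_conntrack module loaded. The tracked TCP state, the [UNREPLIED]/[ASSURED] flags and the per-flow timeout are exactly the information a stateful filter uses to tell a reply on an open mapping from a fresh packet arriving at the same port.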
Hello
Thanks for all the advice, Peter.
I think you're going a bit beyond me in some of this, but I'll try to keep track!
I've been talking about several LANs (present and possible) up to now, so I'd better narrow the discussion down to one of them.
It's a small LAN (four Win98 PCs and an SME server at present) at my church, and run on a very tight budget (half the PCs are old cast-offs). Until recently the only Internet connection was a dial-up from one of the Win98 PCs, but we've just added ADSL and a broadband router. At present the router is connected directly to the LAN, and I'm trying to figure how much of a risk this is, as long as there are no forwarded ports. I know that in principle there are lots of things I could do to improve security, but I need to balance the amount of work involved and the complexity of the resulting system (what happens if I'm hit by a bus etc.!) against the risks. How likely is our little LAN to be attacked by crackers and how much would it _really_ matter if it was - heresy I know, but this is the real world and I can't afford a lot of time to maintain the system!
Quote:
Ahh, SO many different opinions...
Don't confuse NAT with 'conntrack'
NAT isn't stateful, conntrack is. I doubt your router uses a stateful system. If it did, it would be called a 'firewall'.
Basic NAT just remembers source ip & ports
conntrack watches the whole protocol
I've never even heard of conntrack! Guess I'd better go and read up. I agree that NAT (or more precisely NAPT I guess) is not a full "stateful" firewall, but since it is recording the outgoing IP address and port to determine where to route returning packets, that is a "state" of sorts - that's what I meant by "stateful". I guess I ought to use the term more carefully.
Quote:
If there aren't any ports to be seen from the internet, you have a good first line of defence.
Someone must be invited in to cause trouble...
That's what I'm assuming - I don't see any reason to open or forward any ports on that network, as all that's needed is web browsing and basic e-mail...
Quote:
Your email server is outside too? It has antivirus software in it?
What e-mail server? I think you are over-estimating the complexity of the LAN here! I am looking into ways of improving the e-mail access but at present it's simply Outlook Express on one of the clients accessing an ISP's POP3 server.
Quote:
So you have the makings of a secure system. How up to date is the SME server?
At present - it's not. I think I need to do something about that - but again, time is a factor. Until now, with no direct connection to the Internet, I figured it wasn't a problem. Now I guess I need to learn how to do it. Not sure when though - there are simply too many things to do (this LAN is one of many PCs and networks I'm looking after) and I am struggling to keep up as it is, so sometimes I have to compromise. I'm trying to get my head round the relative risks so I can decide which problems to address and which to let slide.
I think I will:
(a) look into how much work it is to keep the SME server patched up to date. As long as it's manageable I'll do it.
(b) Stick with the router directly on the LAN for the moment - but if I have to open any ports in the future, I'll look at routing it via the firewall in the SME server if that's not too complex to set up.