LinuxQuestions.org

Linux - Security: Stateful Firewall/IDS/Filter/DDoS Mitigation - What Would You Advise? (http://www.linuxquestions.org/questions/linux-security-4/stateful-firewall-ids-filter-ddos-mitigation-what-would-you-advise-449786/)

Xolo 05-30-2006 01:26 AM

Stateful Firewall/IDS/Filter/DDoS Mitigation - What Would You Advise?
 
I've got a question for whoever is interested:

Consider a firewall with (at least) the following features:
  • Stateful packet filtering (Deep packet inspection)
  • Denial of Service Mitigation (Think serious attacks here, not your overseas friend joking around)
  • Source Network Address Translation (SNAT)
  • Destination Network Address Translation (DNAT)
  • Port forwarding
  • IDS Intrusion Detection and Prevention System
  • Mail/Web Filter (Bad/Junk mail, Viruses, Ads, P2P/IM traffic, etc.)
  • DNS, and possibly Mail (Storage, Retrieval, Forwarding) and Web Server
  • Support for typical protocols such as IPSEC, PPTP, L2TP, MPPE (VPN/VPN Passthrough)
  • WAN Load Balancing/Automatic Failover

Last but not least, what should the hardware be?
  • Processor (How fast, what type?)
  • Disk (RAID or not, total amount of space, etc.?)
  • Memory (How much?)
  • Network Interfaces (10/100/1000Mbit Ethernet/Optical/Wireless?)
  • Backup measures (Or not?)

With that in mind, what packages would you recommend to run, on which distribution?
I'm not really looking for HOWTOs or complete router/firewall distributions, but rather for the loose components you may have had good experiences with that could make up a secure automatic firewall with the features described above.
Mainly because I learn more from putting it together than I do from installing a complete distribution.


Thank you for your input.

linuxmanju 05-31-2006 08:15 AM

Look out for IPCop
www.ipcop.org

Regards
Manjunath

unSpawn 06-01-2006 07:55 AM

Just a few remarks:
- Denial of Service Mitigation
DoS-type attacks are combatted most effectively by your ISP's routers.


- Intrusion Detection and Prevention System
IDS OK, but I haven't seen any IPS for GNU/Linux?


- (listing various services here)
"In the olden days" it was considered a basic rule that for each function or service there should be one device, and for some functions I think the rule still stands. IMHO a router is a router and a firewall is a firewall. They're *not* baskets you should put all your eggs in. Reasoning against all eggs in one basket also is shown on the functional level as services have different requirements (Squid vs Apache) to perform well and so it goes for setups like load-balancing services where you would ultimately split services to different boxes: backend database/storage, servers in front of that, proxies in front of that and the arbitrator/loadbalancer/packet scrubber/router in front of that. OK, there's some shortcuts you can take with say virtualisation, and practically it all depends on what's in the wallet, but if you need to provide ninety-nine percent uptime then keeping all eggs in one basket ain't gonna cut it.


Processor (How fast, what type?)
Disk (RAID or not, total amount of space, etc.?)
Memory (How much?)
Network Interfaces (10/100/1000Mbit Ethernet/Optical/Wireless?)
Backup measures (Or not?)

If you would combine router/firewall/packet scrubber functionality on your average xDSL line then I'd say a PIII with 512MB RAM would be OK, 1GB RAM would be generous. Gigabit LAN will only make sense if you have and use it. For the "outside" it won't matter on your average xDSL line. As I've learnt it the hard way I'm adamant a backup functionality should be available always and from the start.

Xolo 06-06-2006 03:30 AM

Quote:

Originally Posted by linuxmanju
Look out for IPCop
www.ipcop.org

Regards
Manjunath

Thanks, I've seen IPCop and have had it running for a while as an always-on VPN server.
Not completely what I'm currently looking for however, but it's on my list. :)

Xolo 06-06-2006 03:59 AM

Quote:

Originally Posted by unSpawn
Just a few remarks:
- Denial of Service Mitigation
DoS-type attacks are combatted most effectively by your ISP's routers.

This is true, but arguably only if your ISP cares.
A good example from my side is that I have the same cable company providing the cable to both my home and workplace, and only my workplace gets better (though still bad) service under the same exact terms and pricing, and exact same equipment provided for home and company use.
Bad as in low-end, badly maintained modem equipment (a single LAND packet can take the modem down), zero support for routing devices, and a seriously flawed firewalling solution for the business part (none for the home users). My servers at work are wide open to attack because there is no 'middle way' between the available firewalling policies offered by the ISP, it's either completely open or completely shut, and each single change costs us 50 and up to 3 months waiting time before it actually happens (correctly).
Fortunately I do have my own software based firewall in place, but I'm not confident Microsoft ISA Server 2004 will provide enough protection in the future without serious investments in other solutions.

Quote:

Originally Posted by unSpawn
- Intrusion Detection and Prevention System
IDS OK, but I haven't seen any IPS for GNU/Linux?

One more reason to ask, I'd say :)

Quote:

Originally Posted by unSpawn
- (listing various services here)
"In the olden days" it was considered a basic rule that for each function or service there should be one device, and for some functions I think the rule still stands. IMHO a router is a router and a firewall is a firewall. They're *not* baskets you should put all your eggs in. Reasoning against all eggs in one basket also is shown on the functional level as services have different requirements (Squid vs Apache) to perform well and so it goes for setups like load-balancing services where you would ultimately split services to different boxes: backend database/storage, servers in front of that, proxies in front of that and the arbitrator/loadbalancer/packet scrubber/router in front of that. OK, there's some shortcuts you can take with say virtualisation, and practically it all depends on what's in the wallet, but if you need to provide ninety-nine percent uptime then keeping all eggs in one basket ain't gonna cut it.

Agreed - one device for each separate service, for the reasons you mention.
I also agree that putting all the eggs in one basket isn't going to cut it for 99.9% uptime, but the wallet is indeed tight, if not nonexistent. I can spare some coins at home occasionally for decent equipment (though I can't afford a separate server room. yet ;) ), but I'm leaning more towards the (my) workplace. And sadly, the budget there is eternally flat broke and has a seriously long waiting and approval list I have to cut through if I want to get good equipment, if at all.
If you can imagine how terribly easy it is to get management off your back with a low-cost solution in the education sector, you'll understand that it's both terribly flawed and unfortunately necessary in some cases. Don't think about it too long though, unless you like your hair turning grey and falling out ;)

I was looking at HotBrick's machines, but these look rather expensive compared to the level of functionality they offer - some of which is only a 60-day trial unless you get a subscription. Certainly not something I could/would buy, and it would produce a heavy frown on the face of management because of the high initial cost and possible subscriptions.
I was pretty sure that most, if not all functionality of one of those HotBrick machines can be equalled for a drastically lower cost, hence my quest for proposed packages. :)
I don't really need a single machine to handle both Firewalling and Mail, at work for example, since I already have a firewalled proxy and separate mail server. But if a HotBrick can, can I? In the interest of self-education and possible development of a custom 'drop-in' solution in case something goes sour on my side. Ideally a single machine just becomes a hardened router with IDS/IPS functionality.


Quote:

Originally Posted by unSpawn
Processor (How fast, what type?)
Disk (RAID or not, total amount of space, etc.?)
Memory (How much?)
Network Interfaces (10/100/1000Mbit Ethernet/Optical/Wireless?)
Backup measures (Or not?)

If you would combine router/firewall/packet scrubber functionality on your average xDSL line then I'd say a PIII with 512MB RAM would be OK, 1GB RAM would be generous. Gigabit LAN will only make sense if you have and use it. For the "outside" it won't matter on your average xDSL line. As I've learnt it the hard way I'm adamant a backup functionality should be available always and from the start.

Our IT manager at work is struggling at his hardest with the powers that be to get all of our school's locations hooked up with at least 10Mbit (possibly 1:1 even instead of 1:4 like it is now) fiber optic connection to the Internet with a different ISP, with a future plan towards higher speeds when they become more affordable. The intention is to also have a Gigabit LAN backbone throughout the entire building, and in future to also have this be extended internally between each location for Roaming/VPN/Intranet/Server synchronisation purposes (three to four school locations will be (re)built in very close proximity of each other). All that is going to happen less than 1 year and 4 months from now when our new school has been built and finished, so my ultimate aim will be around one year from now to have a protection solution outlined and detailed by then.
Agreed, backup functionality should always be available :) It has saved my fileserver once from a full RAID5 crash, something I hope will never happen again, but you never know.

Thanks for posting.

unSpawn 06-06-2006 06:26 AM

Quote:

Originally Posted by Xolo
This is true, but arguably only if your ISP cares.

Hmm, no, what I mean to say is that you can't combat it effectively at an endpoint. Yes, you can harden away, but you can't make it stop there.


Quote:

Originally Posted by unSpawn
IDS OK, but I haven't seen any IPS for GNU/Linux?

Combing over FM & SF, leaving out projects that aren't IPS in the network sense or haven't released files, this list turns up:
0. HLBR or Hogwash Light BR,
1. LAk-IPS,
2. FirstLight IPS (notice the license).
0 and 1 use Snort(-inline) and 2 uses Snort-compatible rules. AFAIK rule-based detection is just a part of what a network-oriented IPS should be because it relies on static rules. More important would be to find out what decision-making and dynamic rule-making (analysing and learning) capabilities are involved.


Quote:

Originally Posted by Xolo
If you can imagine how terribly easy it is to get management off your back with a low-cost solution

Yes, I can. The trick is making those responsible aware of the long-term catches/risks before they sign off on it. If there's probs later on they can't escape Purgatory by feigning innocence.


Quote:

Originally Posted by Xolo
I was pretty sure that most, if not all functionality of one of those HotBrick machines can be equalled for a drastically lower cost, hence my quest for proposed packages.

I'd like to think that's just making a list of requirements and configurations on paper. Once you've got the inventory, use a spare box or Qemu to build yourself a workbench to test on. While we'd be happy to help you "get things right" this is the Linux - Security forum, so questions about network design, configuration etc, etc should best be posted in one of the adjacent fora like Linux - Software, Linux - Networking, etc, etc.


Quote:

Originally Posted by Xolo
But if a HotBrick can, can I?

I'm confident you can. Also, secondhand HW is not something to be frowned upon: an old PIII still can make for a good server. I've seen enough (unracked) footprints covered with old HW chugging away w/o probs, and there's enough small shops shipping refurbished ones for low prices.


Quote:

Originally Posted by Xolo
my ultimate aim will be around one year from now to have a protection solution outlined and detailed by then.

That's a nice project and I'm sure we'd be happy to assist you along the way. While a year might seem long now, time flies (regardless of having fun or not), best be methodical about it and draw a plan first, but I'm sure you don't need that advice... Good luck.

prozac 06-06-2006 06:52 AM

This is a thread to watch out for. I would suggest Xolo keep posting and not let this thread die out (only if you care).

Xolo 06-09-2006 03:08 AM

Quote:

Originally Posted by unSpawn
Hmm, no, what I mean to say is that you can't combat it effectively at an endpoint. Yes, you can harden away, but you can't make it stop there.

Ah, yes, I understand what you mean now. Though that still doesn't take care of an uncaring ISP ;) I'm seriously considering ditching this one, however.

Quote:

Originally Posted by unSpawn
Combing over FM & SF, leaving out projects that aren't IPS in the network sense or haven't released files, this list turns up:
0. HLBR or Hogwash Light BR,
1. LAk-IPS,
2. FirstLight IPS (notice the license).
0 and 1 use Snort(-inline) and 2 uses Snort-compatible rules. AFAIK rule-based detection is just a part of what a network oriented IPS should be because it relies on static rules. More important would be to find out what decision making and dynamic rule (analysing and learning) making capabilities are involved.

Snort... I remember trying that once. Thanks for pointing these out to me. An analysing and learning equipped IPS would be ideal, so I'll be sure to focus on that. It doesn't look like these actually do any learning, but perhaps I misread, so I'll reread it all later when I have more time.

Quote:

Originally Posted by unSpawn
Yes I can. The trick is making those responsable aware of the longterm catches/risks before they sign off on it. If there's probs later on they can't escape Purgatory by feigning innocence.

We have masters of denial working here :p We'll see though how things go after their budget cuts into IT equipment for the coming two years (two because supposedly all money has been spent twice over already somehow?), because they are at the receiving end of their own deal with the new building coming and all that. They were cheap enough to limit the amount of wallports that are going to be installed in what rooms, so it's going to look like yet another case of misplaced skinflint-syndrome like we got in the building we're currently in. Some rooms have no cabling going there whatsoever, and it's irritating the teachers because they have to go between two floors to get to a computer.
Take into account the fact that by 2007 and going into 2008 we are obligated to provide a 100% usable base in classrooms for electronic exams (there will be little to no paper based exams then) complete with a '15% reserve' and you have a sure recipe for impending doom.

Quote:

Originally Posted by unSpawn
I'd like to think that's just making a list of requirements and configurations on paper. Once you got the inventory use a spare box or Qemu to build you a workbench to test on. While we'd be happy to help you "get things right" this is the Linux - Security forum, so questions about network design, configuration etc, etc should best be posted in one of the adjacent fora like Linux - Software, Linux - Networking, etc, etc.

Yes, list first; the hardware I already have from a bunch of scrapped machines here at work. I can make at least two decently equipped identical machines for testing purposes. It's just a matter of time. I'll try to keep to the relevant forums when possible :) I might also have to look into keeping a log somewhere central and accessible.

Quote:

Originally Posted by unSpawn
I'm confident you can. Also, secondhand HW is not something to be frowned at: an old PIII still can make for a good server. I've seen enough (unracked) footprints covered with old HW chugging away w/o probs, and there's enough small shops shipping refurbished ones for low prices.

True: One of my little projects here at work involves a Linux webserver based on a P4-T 1.4GHz mainboard and 2GB of RAMBUS memory I had left over after a fileserver upgrade, and /var set on a new(!) 160GB IDE disk I managed to shuffle into my inventory. This machine hides under several subdomains of my workplace's website, running phpWebsite, PHPNuke, KnowledgeTree, eventually Moodle, and will eventually also serve as a general purpose FTP archive for other stuff like Linux sources and some protected areas for my colleagues. Once we get the higher bandwidth it'll be far more useful, since it's a bit cramped now on 2M down/256k up Business ADSL though.

Quote:

Originally Posted by unSpawn
That's a nice project and I'm sure we'd be happy to assist you along the way. While a year might seem long now, time flies (regardless of having fun or not), best be methodical about it and draw a plan first, but I'm sure you don't need that advice... Good luck.

Thanks :) Yes, I hope it'll be a nice project. Keeps me busy and learning either way! And good advice is never misplaced; I do need to be methodical about it to make it reproducible.

Xolo 06-09-2006 03:11 AM

Quote:

Originally Posted by prozac
This is a thread to watch out for. I would suggest Xolo keep posting and not let this thread die out (only if you care).

I do care, else I would not be here. :)
I try to help when and where I can and pick up knowledge as I go along. So I'll be around for more of the same.

javaroast 06-10-2006 11:44 AM

Quote:

Originally Posted by unSpawn
Just a few remarks:

- (listing various services here)
"In the olden days" it was considered a basic rule that for each function or service there should be one device, and for some functions I think the rule still stands. IMHO a router is a router and a firewall is a firewall. They're *not* baskets you should put all your eggs in.

I understand your point here and agree for the most part, but without routing functionality isn't a firewall pretty much useless? All kidding aside, a firewall has to function as a router to do its job.

javaroast 06-10-2006 11:57 AM

* Stateful packet filtering (Deep packet inspection)
* Denial of Service Mitigation (Think serious attacks here, not your overseas friend joking around)
* Source Network Address Translation (SNAT)
* Destination Network Address Translation (DNAT)
* Port forwarding

iptables can handle all of these. Port forwarding is really just a function of NAT.



* IDS Intrusion Detection and Prevention System

Snort fits the bill here for IDS. Earlier posts mentioned some possibilities for IPS.

* Mail/Web Filter (Bad/Junk mail, Viruses, Ads, P2P/IM traffic, etc.)

Mail filtering would be a function of the mail server, and there are many mail and mail-related filters. Web filtering = DansGuardian.


* DNS, and possibly Mail (Storage, Retrieval, Forwarding) and Web Server

Yeah, all of the above: BIND, various mail servers, Apache.

* Support for typical protocols such as IPSEC, PPTP, L2TP, MPPE (VPN/VPN Passthrough)

Support, yes, but your mileage will vary. IPSEC = no problem. PPTP passthrough is a pain in the a** thanks to some braindead decisions made by Microsoft. It's not a first choice I'd make for VPN, but that's my opinion.

* WAN Load Balancing/Automatic Failover

Linux can handle this, but it does up the hardware requirements. There are a few different ways to handle it, and the answer really deserves a separate thread.
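An added example, written for this page and not code from the thread or from any project named in it: a POSIX shell function that emits an iptables-restore ruleset for the two-interface case javaroast's list describes, so that the stateful filtering, SNAT, DNAT and port-forwarding items can be seen together. The interface names eth0/eth1, the public address 203.0.113.5 (TEST-NET-3), the 192.168.1.0/24 LAN and the forwarded services are assumptions. It also shows what "port forwarding is a function of NAT" leaves implicit: a DNAT rule only rewrites the destination, and with a default-DROP FORWARD policy the rewritten packet still needs a matching FORWARD ACCEPT, which is the rule most often forgotten. The per-source hashlimit on new connections to the forwarded ports is the endpoint-side "harden away" unSpawn refers to earlier: it protects the host behind the firewall from connection floods and does nothing for a saturated uplink.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for a
# two-NIC stateful NAT firewall. Everything concrete (interfaces, addresses,
# forwarded services) is an assumption for illustration.
#
# Forward specs are "proto:wan_port:internal_ip:internal_port".

# parse_fwd SPEC: split a forward spec into $proto $wport $dst_ip $dst_port.
# Returns 1 on malformed input so that no half-written ruleset is emitted.
parse_fwd() {
    case $1 in *:*:*:*) ;; *) return 1 ;; esac
    proto=${1%%:*};     rest=${1#*:}
    wport=${rest%%:*};  rest=${rest#*:}
    dst_ip=${rest%%:*}; dst_port=${rest#*:}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $dst_port in *:*|'') return 1 ;; esac
}

# emit_ruleset WAN_IF LAN_IF WAN_IP LAN_NET [FWD_SPEC...]
emit_ruleset() {
    wan=$1; lan=$2; wan_ip=$3; lan_net=$4
    shift 4
    # Validate every forward spec before printing anything.
    for fwd in "$@"; do
        parse_fwd "$fwd" || { echo "bad forward spec: $fwd" >&2; return 1; }
    done

    # Filter table: default DROP inbound and forwarded, state rules first so
    # reply traffic never has to be enumerated, INVALID dropped explicitly.
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP' \
        "-A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW -j ACCEPT"
    for fwd in "$@"; do
        parse_fwd "$fwd"
        # Per-source rate limit on new connections to the forwarded service
        # (modern --hashlimit-above syntax), then the ACCEPT that a DNAT
        # needs to actually pass traffic through a default-DROP FORWARD chain.
        printf '%s\n' \
            "-A FORWARD -i $wan -o $lan -d $dst_ip -p $proto --dport $dst_port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name new_$wport --hashlimit-mode srcip --hashlimit-above 20/second --hashlimit-burst 40 -j DROP" \
            "-A FORWARD -i $wan -o $lan -d $dst_ip -p $proto --dport $dst_port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # NAT table: DNAT on the WAN side for each forward, SNAT for LAN egress.
    printf '%s\n' 'COMMIT' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for fwd in "$@"; do
        parse_fwd "$fwd"
        printf '%s\n' "-A PREROUTING -i $wan -p $proto --dport $wport -j DNAT --to-destination $dst_ip:$dst_port"
    done
    printf '%s\n' \
        "-A POSTROUTING -o $wan -s $lan_net -j SNAT --to-source $wan_ip" \
        'COMMIT'
}

# Sample invocation with the assumed values; review the output, then feed
# it to iptables-restore on the firewall.
emit_ruleset eth0 eth1 203.0.113.5 192.168.1.0/24 \
    tcp:8080:192.168.1.10:80 tcp:2222:192.168.1.20:22
```

Load the result with `iptables-restore` after enabling `net.ipv4.ip_forward`, then read back `iptables-save` to confirm the two FORWARD rules for every DNAT are present. The rate limit uses the `--hashlimit-above` form; older iptables releases of the thread's era only had the inverse `--hashlimit` (match up to a rate), so on those the ACCEPT/DROP pair is written the other way round.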

prozac 06-11-2006 02:26 AM

Quote:

Originally Posted by Xolo
I do care, else I would not be here. :)
I try to help when and where I can and pick up knowledge as I go along. So i'll be around for more of the same.

I knew you care. ;)

I would like to point out queuing techniques and the use of filters in combating DoS, DDoS and the like. CBQ and other more advanced ones, along with specific filters, I think can play an important role in combating DoS attacks. I have not heard much about queues here, but at the time when I was graduating I developed a profound interest in the field of traffic control and QoS under Linux.
I believe it's a better way to handle traffic than iptables. We can construct very specific rules using 'tc' to block specific traffic when under attack. But I agree that for the most part the ISPs should do their part in combating the attacks. They are simply better equipped than us and have a lot more bandwidth than us. Even if we successfully drop all unwanted packets, the sheer volume of the unwanted traffic may be enough to paralyze our internet link if not our server resources. I hope to talk much about it.
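An added example, written for this page rather than taken from the thread: a shell function that emits the tc(8) commands for the queuing approach prozac describes. It assumes a 256 kbit/s uplink on eth0, the same order of magnitude as the ADSL line Xolo mentions, and 198.51.100.0/24 (TEST-NET-2) as an attacking source network to police. Egress is an HTB tree that guarantees a quarter of the uplink to an interactive class (SSH and DNS as the assumed examples) so bulk traffic cannot starve it; ingress is a u32 filter with a policer that drops everything from the named source above 64 kbit/s. The caveat prozac gives applies unchanged: the ingress policer discards packets only after they have crossed the link, so it protects the servers and the firewall's CPU, not the pipe.

```shell
#!/bin/sh
# Added example, not from the thread. Emits tc(8) commands for a small
# uplink: HTB egress shaping with a protected interactive class, plus an
# ingress policer for one offending source. Interface, rate and the
# attacking prefix are assumptions passed in as arguments.

# emit_tc_shaping DEV UPLINK_KBIT POLICE_SRC
emit_tc_shaping() {
    dev=$1; rate=$2; src=$3
    case $rate in
        ''|*[!0-9]*|0) echo "uplink rate must be a positive integer (kbit)" >&2; return 1 ;;
    esac
    inter=$((rate / 4))      # guaranteed share for interactive traffic
    bulk=$((rate - inter))   # everything else; both may borrow up to ceil

    printf '%s\n' \
        "tc qdisc del dev $dev root 2>/dev/null" \
        "tc qdisc del dev $dev ingress 2>/dev/null" \
        "tc qdisc add dev $dev root handle 1: htb default 30" \
        "tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit ceil ${rate}kbit" \
        "tc class add dev $dev parent 1:1 classid 1:10 htb rate ${inter}kbit ceil ${rate}kbit prio 0" \
        "tc class add dev $dev parent 1:1 classid 1:30 htb rate ${bulk}kbit ceil ${rate}kbit prio 1" \
        "tc qdisc add dev $dev parent 1:10 handle 10: sfq perturb 10" \
        "tc qdisc add dev $dev parent 1:30 handle 30: sfq perturb 10"
    # Classify: SSH in either direction and DNS replies go to the
    # interactive class (u32 port matches assume IP headers without options).
    printf '%s\n' \
        "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip sport 22 0xffff flowid 1:10" \
        "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:10" \
        "tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip sport 53 0xffff flowid 1:10"
    # Ingress: police the offending source hard. This drops what has already
    # arrived on the link; it cannot free the bandwidth the flood consumes.
    printf '%s\n' \
        "tc qdisc add dev $dev handle ffff: ingress" \
        "tc filter add dev $dev parent ffff: protocol ip prio 1 u32 match ip src $src police rate 64kbit burst 10k drop flowid :1"
}

# Sample invocation with the assumed values.
emit_tc_shaping eth0 256 198.51.100.0/24
```

Run the printed commands as root on the firewall, then use `tc -s class show dev eth0` and `tc -s filter show dev eth0 parent ffff:` to see whether the interactive class is actually carrying traffic and how much the policer is dropping. Shaping is done on egress because that is the only direction the box controls; the shaped rate should sit slightly below the real uplink so queuing happens here rather than in the modem.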

Xolo 06-25-2006 03:47 PM

I've made a blog on LinuxQuestions.org to keep a central record of this thread's technological progress.
Haven't filled it in yet, I'll get back on that later. I'll have a bit more time soon :)

Xolo 07-10-2006 02:15 PM

Anyone got any ideas for (more) "must-haves" concerning the main subject?
Vacation should start in two more weeks, then I can do more practical things besides write.

unSpawn 07-24-2006 04:07 AM

So... since we didn't overload you with new stuff to look at, how's things progressing?...

