LinuxQuestions.org
Old 06-23-2005, 07:50 PM   #1
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
how secure is my network?


I was just hoping for a little feedback on my network layout. This is my home network so there's really nothing fancy, I just wanted to know if there's anything I should do to make sure my data is secure.

My layout:
Cable Modem -> Router with NAT & Firewall -> Suse Proxy Server with Default Firewall Rules -> Switch -> LAN

I put my proxy server behind the router so there's less of a chance the server itself will be compromised (not to mention the computers on my LAN).

On my proxy server I've disabled all unwanted network services (no apache, ssh, ftp, postfix, nfs). I've configured a transparent proxy that doesn't allow anyone on my network (except for me of course) to download .exe's .zip's .com's .rar's .bat's .gz's .bz's .gz2's .bz2's or .tar's.

Right now I feel pretty safe but is there anything else I should consider in terms of security? Should I add any more rules to the default SuseFirewall2 configuration? Also, do you think this setup would be secure enough for a small office network? What would you all do differently?
 
Old 06-23-2005, 08:48 PM   #2
Moloko
Member
 
Registered: Mar 2004
Location: Netherlands
Distribution: Debian
Posts: 729

Rep: Reputation: 30
Enable SSH for instance, it's quite useful to be able to login remotely. Use the hosts.allow and hosts.deny to regulate access to services.

Your setup is still difficult to check without knowing what you did exactly, but since most internet services are disabled there is little of interest for any outside attempt to compromise the network. It actually seems you are being overprotective and have configured the systems too rigidly.

The whole point of an internet connected network is internet connectivity both ways. To protect that might be a challenge, shutting everything down is not imo.

Last edited by Moloko; 06-23-2005 at 08:49 PM.
 
Old 06-24-2005, 08:39 AM   #3
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Original Poster
Rep: Reputation: 30
Quote:
The whole point of an internet connected network is internet connectivity both ways. To protect that might be a challenge, shutting everything down is not imo.
Thanks for your feedback. I realize that for a home network this setup is sort of overkill but right now I have no reason to leave any of the additional network services on my proxy (like apache or ssh) running. There's no reason why I'd ever need to administer it remotely.

I've set up a "trusted_sites" acl in my squid.conf file which lets the people on my network download the restricted file types (exe's zip's etc) from specified web sites.

In the next few months I'll probably want to host a few web sites. At that point I'll enable ssh and disable the root login in the sshd_config file. Obviously apache will be turned back on but I'm not going to need FTP or an MTA so those two services will remain disabled.
 
Old 06-24-2005, 08:53 AM   #4
ralvez
Member
 
Registered: Oct 2003
Location: Canada
Distribution: ArchLinux && Slackware 10.1
Posts: 298

Rep: Reputation: 30
The best way to approach security is to make your network as secure as a fortress and then loosen up as needed.
IMHO you did the right thing ... better to secure than sorry.

R.
 
Old 06-24-2005, 09:07 PM   #5
gundelgauk
Member
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 168

Rep: Reputation: 30
Greetings!


I'd have to agree with ralvez, especially regarding the ssh issue: sure it would be nice but if you do not need it, leave it off.

It appears to me that you have a reasonable security setup. There are only a few things I'd wish to contribute.

1) Firewall. You said you use the "default" firewall settings on your SuSE proxy. I personally do not trust any firewall that I do not know exactly how it works. So if I were in your position, my first task would be to configure my own iptables firewall. That way I could make sure that it allows/blocks/logs exactly what I want and nothing more, nothing less.

The same is true for your "Router with NAT & Firewall". If it is a linux/unix box, I'm pretty sure that you could still improve its configuration somehow. If it's a hardware router - just forget about that paragraph.

2) Now for some advanced stuff. If you are really paranoid, you should set up and configure some kind of intrusion detection system. For some time I used to use tripwire which checks all files for (unauthorized) changes. But it is kind of a pain to set up and maintain because it will alert you whenever you do any system updates (which you should do regularly!). But it is possible to configure it in a reasonable way.

3) Finally the obvious stuff: Make absolutely sure that your daemons (squid, named, etc.) listen only on the internal network interfaces. That way they would not answer to any requests from outside even if anyone would manage to bypass your firewall. If possible also use tcp wrappers. I think special kernel hardening patches would really be overkill for your setup but if you wish, read up on them and utilize them anyway.

Linux/Unix security is not very hard to achieve but getting it anywhere near perfection is a long, hard (and very educating) process.


All the best!
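
A check for point 3 of the post above, as an added example that is not part of the original thread: it reads `ss -H -ltn` output and reports every TCP listener bound to something other than loopback or the internal address. The LAN address 192.168.1.1 and the sample socket lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag TCP listeners that are bound to
# anything other than loopback or the proxy's internal (LAN) address.
# Input is `ss -H -ltn` output on stdin; the LAN address is an assumption.

# audit_listeners INTERNAL_IP
# Prints "EXPOSED <addr> <port>" per offending socket; returns 1 if any found.
audit_listeners() {
    awk -v internal="$1" '
    NF >= 4 {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)      # text before the last colon
        gsub(/\[|\]/, "", addr)                  # [::1] -> ::1
        sub(/%.*/, "", addr)                     # 127.0.0.53%lo -> 127.0.0.53
        if (addr ~ /^127\./ || addr == "::1" || addr == internal) next
        # Wildcards (0.0.0.0, *, ::) and any other address land here.
        print "EXPOSED", addr, port
        found = 1
    }
    END { exit found + 0 }'
}

# Constructed sample: squid and sshd on wildcards, named on the LAN address only.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:3128 0.0.0.0:*
LISTEN 0 10 192.168.1.1:53 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
EOF
}

# Demo on the sample; on a live host use: ss -H -ltn | audit_listeners 192.168.1.1
sample_ss_output | audit_listeners 192.168.1.1 || echo "fix the bind addresses above"
```

Squid's `http_port`, BIND's `listen-on` and sshd's `ListenAddress` each accept a specific address, which is how a flagged daemon is moved off the wildcard.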
 
Old 06-24-2005, 09:28 PM   #6
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Original Poster
Rep: Reputation: 30
Great post, I really appreciate the feedback. Unfortunately I still consider myself sort of a Linux noob; while I have been using it regularly for about 2 years, I've always relied on the GUI tools to get things done. I think picking up a book (or browsing a few web sites) on iptables would be a good start for me. Then from there I can figure out how to secure all of my running services.

I started this post because I was wondering if I could get away with a setup like this. While it does seem like overkill for a small home network, the skills I learn configuring my own network could easily be applied at the work place. It sounds like if I really want a secure network I'm going to have to do a lot of "manual" configuration (not just GUI tools).

Can anyone recommend any good sites to help get me started on iptables? I know I can just google the topic but if anyone has any personal favorites in their bookmarks I'd like to check them out. Thanks.
 
Old 06-26-2005, 09:09 PM   #7
saltron
LQ Newbie
 
Registered: Jun 2005
Posts: 6

Rep: Reputation: 0
man iptables
 
Old 06-26-2005, 09:43 PM   #8
comprookie2000
Gentoo Developer
 
Registered: Feb 2004
Location: Fort Lauderdale FL.
Distribution: Gentoo
Posts: 3,291
Blog Entries: 5

Rep: Reputation: 58
Here is a start;
http://linuxgazette.net/103/murray.html

Last edited by comprookie2000; 06-26-2005 at 09:48 PM.
 
Old 06-27-2005, 08:12 PM   #9
Dstruct0
Member
 
Registered: Jun 2005
Distribution: Debian Etch, Lenny, Squeeze
Posts: 37

Rep: Reputation: 0
Also here:

http://www.jollycom.ca/iptables-tuto...-tutorial.html
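
For the hand-written iptables firewall recommended in post #5, a default-deny starting point for the proxy box, as an added example that is not part of the original thread. It assumes the box routes between two interfaces (eth0 towards the router, eth1 towards the LAN switch), a LAN subnet of 192.168.1.0/24, and squid on its default port 3128; all of these are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-deny ruleset in
# iptables-restore format for a two-interface transparent proxy box.
# Interface names, the LAN subnet and squid on port 3128 are assumptions.

# gen_proxy_rules WAN_IF LAN_IF LAN_NET
gen_proxy_rules() {
    wan_if=$1 lan_if=$2 lan_net=$3
    # Refuse values that could smuggle extra options into the ruleset.
    for v in "$wan_if" "$lan_if" "$lan_net"; do
        case $v in
            ''|*[!A-Za-z0-9./_-]*) echo "bad argument: $v" >&2; return 2 ;;
        esac
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Transparent proxy: LAN web traffic is handed to the local squid.
-A PREROUTING -i $lan_if -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the LAN may reach squid; nothing is offered on the WAN side.
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 3128 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Non-web LAN traffic is routed on to the upstream router.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# Review the output, then load it as root with: gen_proxy_rules ... | iptables-restore
gen_proxy_rules eth0 eth1 192.168.1.0/24
```

Every packet that reaches the end of INPUT or FORWARD is logged (rate-limited) and then dropped by the chain policy, so the kernel log shows what the ruleset refuses.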
 
  

