LinuxQuestions.org


drokmed 06-23-2006 02:13 PM

Need secure OS for squid+dansguardian firewall
 
Hi all,

I'm planning on building my first secure firewall, and can't seem to make up my mind on the OS. I like RedHat and SuSE, but I tried OpenBSD a few years ago and really liked it too.

The firewall will be on an older PC:
P3 550MHz, 256MB RAM, 6GB HD, 2 NICs, no X

I'm going to install:
- firewall (ssh2 open using auth keys)
- NAT
- DHCP server
- squid
- DansGuardian - w/ anti-virus support
- SARG - squid reporting tool (accessible only from green LAN)

I need a secure OS, but ease of upgradability is huge too. Automation is desirable, but only if safe.

A recent book for hardening Linux for the above usage would be a godsend!

I'm going to manually learn each of these packages, giving myself a couple months to do it (can dedicate a lot of time at work too). Any and all suggestions greatly appreciated!

Thanks!

Daryl

win32sux 06-23-2006 02:51 PM


well, if you already tried openbsd and you liked it, then why not go with that??

as for the gnu/linux OS, pretty much any distribution can do all the things you listed... the security mostly depends on you, the system administrator... i would recommend slackware, but it's completely subjective and others will suggest other distros... you can use whatever distro you want, really... just pick whichever you like the most...

jschiwal 06-23-2006 03:14 PM

I don't think that SuSE would be the best in this case. Even installing just the base system is over 1GB.
Also, while YaST simplifies administration, and can be run in a shell, the configuration scripts can be a bit hard to follow if you want to configure things manually.

There is a book called "Hardening Linux" and another called "Linux Server Security".
Also, on the www.tldp.org website is an 800-page book on Securing and Optimizing Linux. This document is very comprehensive. It is biased towards Fedora Core. If you decide that this publication is ideal for your purpose, you may decide to go with Fedora to make things easier.

I would go with one of the more mainstream distros that has a good security update record. It will be easier than having to track announcements and download and apply patches yourself.

There is a book titled "Automating Unix and Linux Administration" that you may find helpful. Although it may be more useful if you are managing several hosts. The author is biased towards using cfengine. He covers using tripwire.

I responded to a similar post recently. Since you are installing a bastion host, most software and services will not be installed. Even the gcc compiler is commonly removed after the host is set up. Since so much isn't being installed, there isn't much left to distinguish one distro from the other. In this case, I would recommend going with what you are most comfortable with.


Make sure that you secure ssh.

Good Luck

win32sux 06-23-2006 03:22 PM

oh, and make sure you check out the resources linked in this thread:

http://www.linuxquestions.org/questi...ad.php?t=45261

(that thread is actually stickied at the top of the security forum...)

drokmed 06-23-2006 03:29 PM

Quote:

Originally Posted by jschiwal
I don't think that SuSE would be the best in this case. Even installing just the base system is over 1GB.
Also, while YaST simplifies administration, and can be run in a shell, the configuration scripts can be a bit hard to follow.

I agree with you on this. I actually prefer SuSE as my desktop (and laptop), but agree it's probably not my best choice for a slimmed down server OS.

Quote:

Originally Posted by jschiwal
There is a book called "Hardening Linux" and another called "Linux Server Security".
Also, on the www.tldp.org website is an 800-page book on Securing and Optimizing Linux. This document is very comprehensive. It is biased towards Fedora Core. If you decide that this publication is ideal for your purpose, you may decide to go with Fedora to make things easier.

Only 800 pages? A nice weekend project :)

Quote:

Originally Posted by jschiwal
I would go with one of the more mainstream distros that has a good security update record. It will be easier than having to track announcements and download and apply patches yourself.

This is the point I'm at now, and need the most help with. I'm not that familiar with the latest of each major distribution. I dabbled with Debian and Ubuntu a while back, as well as others, but haven't tried them lately.

Quote:

Originally Posted by jschiwal
There is a book titled "Automating Unix and Linux Administration" that you may find helpful. Although it may be more useful if you are managing several hosts. The author is biased towards using cfengine. He covers using tripwire.

Time for yet another trip to the bookstore!

Quote:

Originally Posted by jschiwal
Make sure that you secure ssh.

Definitely... thanks!

win32sux 06-23-2006 03:38 PM

you can get a sneak-peek of chapter 6 here:

http://www.apress.com/ApressCorporat...92123-1366.pdf

drokmed 06-23-2006 03:43 PM

Quote:

Originally Posted by win32sux
you can get a sneak-peek of chapter 6 here:

http://www.apress.com/ApressCorporat...92123-1366.pdf

Checking 'em out now... thanks

