Old 11-07-2012, 05:30 AM   #1
I want to ask your ideas on how to set up the security of a network.

I have 6 computers, 1 router, 1 switch and two ideas.

1st idea:
One of these computers takes the role of a hardware firewall, and I attach the switch to it and then the rest of the computers to the switch.
In this way the firewall PC will do packet filtering, IDS & IPS, while the other PCs will just have their OS and system encryption.

2nd idea:
Here I thought to add iptables rules at all of the PCs plus system encryption, and have the firewall one do only IDS & IPS.

What do you think is the best idea for a network like this?
Maybe I made a mistake somewhere, so any suggestion is welcome.

Hmm... nobody has an idea or something to suggest?

Last edited by unSpawn; 11-07-2012 at 10:44 AM. Reason: //Don't bump 0-reply threads and remain patient.
Old 11-08-2012, 06:08 AM   #2
Kind of depends. Security not being a goal on its own, you would usually look at the purpose of (a set of) machines, design the net layout around that and then decide where on the perimeter you would place your IDS sensor (in essence the question is: "what is it that you must detect?"). There is no rule saying you can't have a sensor anywhere you want to. With regard to firewalls, people often say that if you're behind a NAT router all is OK (aka "don't worry"), but that doesn't take into account the NAT router having become a SPOF (power failure / reloading firmware restoring default "allow everything" rules) and the fact that next to traffic regulation a host-based firewall can also do traffic accounting:
- If for example you have a 2-machine web server setup (HTTP + IDS, MySQL) and 3 workstations, you could confine the latter 3 to their own network segment and the web server machines to a DMZ. That would leave one machine for the central router / firewall / IDS role (Vyatta, pfSense, IPCop, etc, etc).
- If you already have a dependable OTS router (nothing beats that wrt power consumption) running some Linux distribution (Draytek, WRT54G, MikroTik, etc, etc) already providing customizable firewalling, routing and traffic control, then you could place your Snort sensor between modem and router (or if your router has a SPAN port you could place the sensor there) and divide the rest of the machines into VLANs according to their role. There's no rule saying they can't all run an IDS, nor that one of them can't double as a central network analysis workstation.
- If unfettered network analysis is your fetish, then you place one IDS sensor between modem and firewall, one behind the firewall, have both dump traffic captures to storage and alerts to a central syslog machine, and configure one machine as a network analysis workstation. That would leave you one machine for the router / firewall role or as a workstation ;-p

In short, knowing what you must detect dictates sensor placement.
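As an added example (not from either poster), here is what the first layout from the reply above, workstations on their own segment and the web server plus MySQL in a DMZ, could look like as an iptables-restore ruleset on the PC in the central router/firewall role. Interface names, subnets and host addresses are assumptions; the web-to-MySQL traffic never crosses this box because both sit on the DMZ switch, so that flow is where the host-based iptables rules from the first post still earn their keep.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for the central firewall PC.
# Everything below the comment line is assumed, not taken from the thread.
WAN=eth0                            # uplink to the modem / ISP
LAN=eth1; LAN_NET=192.168.10.0/24   # the 3 workstations
DMZ=eth2; DMZ_NET=192.168.20.0/24   # web server (HTTP + IDS) and MySQL
WEB=192.168.20.10
DB=192.168.20.20                    # only reachable from WEB; enforce on the host

# Print the ruleset; apply as root with:  ruleset | iptables-restore
ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish the web server; nothing else in the DMZ is reachable from outside
-A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the firewall itself: loopback, replies, and SSH only from the workstation segment
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# routed traffic: replies first, then the few flows allowed between segments
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
# a compromised DMZ host must never initiate toward the workstations
# (the default policy drops it too; the explicit rule documents the intent)
-A FORWARD -i $DMZ -s $DMZ_NET -o $LAN -j DROP
# log what the default policy is about to drop, for syslog / IDS correlation
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}
```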