|
Security considerations for possible server/firewall/router combination
With this new CentOS 7 box I have a lot of ideas popping into my head faster than I can research them. This is the most work I have put into home server box and I am seeing very favorable results which makes me want to try more. However, one of my goals this time around is security. Building an awesome server that runs everything won't do me much good if it is easily compromised.
I have had a lot of issues remotely connecting to my home network. I thought it was incorrect settings on my various machines and programs. However, after careful diagnostics of the router (ex, removing it and pluging in the the pc directly to the modem) I discovered that my router would not follow the set port-forwarding rules without some major coaxing (it's 7 years old). It's obviously time for a new router. The one I want is pricey but still within budget, however I look at my newly installed server rig and wonder. I know you can set up a linux box as both a firewall and a router for a small / medium network. But is it safe to also use the same box as a websever and a local file server? What are some of the security implications? |
It all depends on your needs and resources. You can always raise the security level, no matter what you have. (Read "Oxbow Incident"? Old, blind man to a gunman: "it doesn't matter how fast you are, there is always someone faster." ;) )
Since this is for home network, I'll keep my suggestions according to that. Normallly I'd say don't use firewall for any other services, although there are distros with pretty good reputation doing exactly that. ClearOS is one, have used it myself actually earlier in a special situation. But if you can, keep them separate. And since you have a CentOS box already all you need is a decent firewall. There are so many firewalls out there, lots of them free - you definitely don't need to buy a very expensive one! My absolute favourite these days is pfSense This is just the software, you install it on any computer you might have. You could also buy an appliance - see the links to "Recommended Hardware Vendors" or "The pfSense Store". Personally, I bought an appliance complete with wifi which suits my small company perfectly. For a client, a larger company with pretty high security needs, we use Dell servers and put pfSense on them. pfSense is based on BSD, but don't worry about that! It has a very nice web-GUI, you very seldom (if at all) need to go to the cli - and if you do, you'll find it's very close to Linux. So my suggestion is: get a firewall of your choice, should not cost more than $500 in total. If you're at a lower budget, use an outdated PC you might have lying around in the closet and put an fw software like pfSense on it. It will work fine, and doesn't cost you anything. Secondly, secure your server too. You need to use it as web- & fileserver if I got you right. Make sure no other unnecessary services are running, configure server and firewall so that these services can be reached only from necessary locations. For example, your file server should probably be reachable only by you & family, it's not a public service - am I right? Then setup OpenVPN or similar on the firewall, only allow access to fileserver via vpn. Do not allow root login to ssh on server, best is actually to use PAM and allow ssh-logon only to specified accounts. There is of course a lot more to be said about security, just a few things to start the discussion. |
And away we go :p
So if I am understanding you right, you do not recommend having the server/router/firewall software all on the same box even if it is for a home environment. That was what I was thinking but wanted to make sure I wasn't being over paranoid. That, and I am trying to squeeze all the productivity I can out of that box I was looking over the pfSense link. It looks great. But if I bring just one more box into the house the GF is going to throw it to the curb and me to the couch :( I am on pc acquisition probation until we move. I noticed you mentioned firewall software but not router software. Can those two be on the same box or are they one in the same? |
for a home network, the router can be a simple linksys box, the 'firewall' can be a garage sale special with an added nic running a firewall distribution such as smoothwall express or ipcop, then you would set up the system like this
Code:
|modem|-|router|(switch)--[firewall]--workstationnote if you are going to use the server via the internet then it is best to leave the server outside the firewall and let the router and iptables rules protect it, then the 'firewall' pevents any traffic from further entering your private network, this is known as a 'dmz' setup otherwise if the server is not to be exposed to the internet then it can be inside the firewall as well. and in answer to your query it is best to have them as separate units, for several reasons, though the main reasons are that the various parts (router/server/firewall) take up resources, so it's best to have a machine dedicated to each as to not overcrowd the resources of the machine secondly is that putting them all on the machine is putting all your eggs in one basket, leaving more of a surface area to attack. |
Quote:
And maybe a specialized distribution would suit your needs, like the ClearOS I used before. To continue the discussion about security: frieza wrote about the main considerations putting everything on one box, I'd just like to provide some more details. The problems securitywise are: 1. If an attack against one service succeeds, attacker might get control of everything on that server. So attacking the web server could give attacker control of your firewall and access to every file in the fileserver. 2. Running only one main service per server makes it easier to really tighten the rules thus locking down your network as much as possible. This is not very practical in your situation, but for a really secure network I'd use different servers for web, filesharing and database. The db-server should also be on a separate network not reachable from outside. But for home needs I'd say normally the best is one firewall, one server. And it's OK to keep GF happy and put everything on one box - just pay attention to access rules, don't expose any service to public internet if it's not absolutely necessary! Use vpn for own connections. Quote:
And as for frieza's suggested setup, for a home/SOHO net you can simplify it like this: Code:
|modem|-[firewall]--workstation |
Nevertheless, I wouldn't put everything into the same box.
|
Firstly, thank you all for your input. I am learning a lot about security from this.
What you guys are suggesting is actually close to what I wanted to do before my GF revoked my pc procurement permissions. (We only have 8 pc's in a 900sqft apt. What is her problem? :p). So reading your posts, it looks like the firewall is primarily to protect the internal network. I understand the reasoning behind this. Also, putting everything on separate boxes so if one is compromised the others are isolated. I understand that too. This is my GF-COMPROMISE setup I am using currently: Code:
[MODEM]--[dd-wrt ROUTER w/SW FW]--[SERVER + REST OF NETWORK]Currently this server is internal/external. There are some forward facing sites/services but they are for my benefit and those of my friends/family. Not meant to be public. Then there are then internal services. I have scripts that make backup's of specific folders on different PC's on the network, I have shared files and folders and also a media server to feed the geebox. Based on what you guys told me in this thread my setup SHOULD look something like this? Code:
[MODEM]--[ROUTER]--[FIREWALL]--[SERVER-DATA]--[OVERSIZED-HOME-NETWORK]Seriously though, thanks a lot for taking the time to go though what must be security 101 with me. |
No, that's not it.
Here's the real challenge: Keep your GF happy and design a good network for your needs. This is the kind of challenge you face when working as a network technician or sysadmin. It's not easy, but it has to be done - and it can be done! It just takes a whole lot more of thinking, arguing, redesigning and whatever. For a starter, go through your closets, check what you already have. Old computers can be very useful put in the right place. Then design your network from there, making it as good & secure as possible using only the equipment you already have without upsetting girlfriend. There's a good challenge for you! :) |
Friend, what you are describing is what me and my geeky counterparts call a Kobayashi Maru. I have been down this road many times with my GF. It always comes down to the same thing: SPACE. And I do understand her thinking. My little 1-bed/1-bath apartment isn't exactly spacious. Heck, both her and my gaming rigs are set up at the same desk to save space as there would be no place to put a second desk!
I DO have two mobo/cpu/ram combos and one box in the closet. Would need a PSU and HDD, but I could build a system right quick that I could use for a firewall. But I would have to put it somewhere. Unless I mount the board/psu/hdd to the ceiling of the closet (yes, I was seriously thinking about this for a build at one point) I do not think I can avoid my gf noticing. :D We will be moving at the end of the year. Just got a new job with a big bump in pay so we are moving out of this crappy apartment once the lease is up. And I have been promised that after we move and I have my own office/mancave/room that the restrictions are off as long as I don't start putting pc's in random parts of the house. At that time I can build for my needs: Firewalls, Routers, UPS's, Servers.... I got's lotsa ideas :) |
note that some of the machines (such as a file server) could be low power small sized units such as a raspberry pi which could be built into a box not much bigger than a portable hard drive.
|
Quote:
How about this for a solution: Make your CentOS server a virtualization host, on it you install a software firewall and all the servers you want. The servers you put in internal networks, internet will go only to firewall guest. It's not quite as good as having separate hardware, but I believe it's good enough for you at the moment. (Although I must say, only 8 pc's in a 900sqft apt - the real problem here is there are too few of them! But then, women doesn't always understand that... ) |
Quote:
I may virtualize like you said but JUST got this new job and with it a bigger paycheck to play with. I know that I have to get a new router no mater what and the GF knows that too. This one is causing major issues for both of us. And when I do that I MIGHT be able to plead the case for a HW firewall as well... I do want one anyway and they have such a small footprint so.... I think this will all work it out with time. Once I move I can start looking into rack-mounts! :D |
Make your own router/firewall and learn from doing it. If that's to vague here's a starting point: http://docs.slackware.com/howtos:mis..._slackware_box
I've hacked into most of the low end SOHO appliances I've had and appart from some proprietary drivers for the hardware and proprietary web management interface the rest was all open source software ... noting that you could not do on any ordinary Linux system. |
That is definitely an idea that I have been thinking about: create a Firewall/Router box (again, another box, same problem :p) which is why I was investigating possible security issues of putting them all together with my server. It seems like the general consensuses is that it would be a bad idea. And I am going to have to agree especially since I can't even lock down my ftp server right now (another thread).
But yeah, I got lots of choices once I get the space: http://www.dslreports.com/shownews/E...Distros-118897 I look forward to that project |
"Exploring DIY Linux Router Distros" ... but where's the do it yourself if you use a ready-made router oriented distro ?
If you like the DIY you should be using the most neutral linux distribution you can find ... or you will be learning just about that specific distribution ... well that's how I feel about it anyway. |
| All times are GMT -5. The time now is 03:54 PM. |