1 / 123

Building a RedHat Linux Firewall – A User Experience

Building a RedHat Linux Firewall – A User Experience. USERblue San Francisco Session 6306. Abstract.

lane
Download Presentation

Building a RedHat Linux Firewall – A User Experience

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Building a RedHat Linux Firewall – A User Experience USERblue San Francisco Session 6306

  2. Abstract • Linux makes an excellent firewall! It's in there! I kept hearing that, so when I needed a firewall to protect my home lan from all the badness on the Internet I started my quest for the ideal linux firewall. I'm now on version three, and not finished yet. Come hear my story, and perhaps take home a few ideas you can use when you connect your home or office to the Internet.

  3. The Speaker Harold Pritchett Patricia Egen Consulting (706) 546-0692 harold@uga.edu

  4. Disclaimer Everybody has lawyers: The ideas and concepts set forth in this presentation are solely those of the respective authors, and not of the companies and or vendors referenced within and these organizations do not endorse, guarantee, or otherwise certify any such ideas or concepts in application or usage. This material should be verified for applicability and correctness in each user environment. No warranty of any kind available.

  5. Building your own firewall • It’s easy with linux • But my recommendation is • Don’t bother • Unless you want to do it as a learning experience or you’re REAL broke!

  6. Buy a firewall • There are many vendors who make inexpensive SOHO firewall/routers. • For example, the LinkSys firewall/hub is currently available from amazon.com for $59.99 after a $10 mail in rebate. (and they throw in a free ethernet cable)

  7. There are a LOT of options!

  8. Buy a firewall http://www.linksys.com http://www.netgear.com http://www.actiontec.com http://www.usr.com http://catalog.belkin.com http://www.cayman.com http://www.microliss.de http://www.2wire.com

  9. Buy a firewall • www.cnet.com • www.buy.com • www.pricewatch.com • Go to any of these sites and search for “firewall”

  10. My firewalls • First try – Redhat 5.2 with ipfwadm • Getting better – RedHat 6.2 with ipchains • Today – RedHat 7.3 with iptables/netfilter

  11. Building your firewall • Hardware • Software

  12. Hardware • Doesn’t have to be current or state of the art hardware • While you can use a 486 system, I would recommend a Pentium, any old Pentium. • You should be able to find a 100 to 400 Mhz Pentium motherboard almost anywhere in the used equipment market

  13. Hardware • You need: • Motherboard and processor • Case/Power Supply to match • Memory • Video card/monitor • Keyboard/mouse • Floppy/CDROM drives • Hard drive(s) (total space at least 1.5 Gb) • 2 network cards

  14. Hardware • Memory • 32 MB minimum • 64 MB good • 128 MB better • None of the hardware needs to be “State of the Art”

  15. Software • Several Options are available • LRP (Linux Router Project) • LEAF (Linux Imbedded Appliance Firewall) • CD-Linux • DIY • Many others, not mentioned here • Use google.com

  16. Linux Router Project • www.linuxrouter.org • Boots from a single floppy disk • Minimum hardware required • Based upon the 2.2 Linux Kernel • Seems to be falling into disuse

  17. Linux Imbedded Appliance Firewall (LEAF) • Follow-up to the Linux Router Project • Single floppy boot image • Also seems to based upon the 2.2 kernel • For more information: http://leaf.sourceforge.net/ http://lrp.steinkuehler.net/

  18. CD-Linux • Yet another Linux distribution • One where the majority of the files can be located on a read-only medium, such as CDROM. • More secure since there is no way to change the system without creating a new CD • Hard to keep current for the same reason • www.cd-linux.org

  19. Do it Yourself Things you will need • Basic Hardware • RedHat Linux version 7.3 • If you’re going to build it, you MUST • Protect it • Keep it current

  20. Do it Yourself Things you will need • To protect your system you need: • TCP wrappers • A log scanner • A firewall configuration file • Network Time Protocol • Tripwire • To keep your system current you need: • An rpm update manager

  21. TCP Wrappers • Started from inetd • Controls access to other daemons started from inetd • Uses configuration files to determine access • /etc/hosts.deny • /etc/hosts.allow

  22. Secure Shell • An implementation of the Secure Socket Layer (SSL) • Free for Educational and non-commercial use • Commercial version available • Developed at The Helsinki University of Technology • Available on the Internet • Included with RedHat Linux 7.0+

  23. Secure Shell • Automatic authentication of users • Multiple strong authentication methods • Authentication of both ends of connection • Automatic authentication using agents • Encryption and compression of data • Tunneling and encryption of arbitrary connections

  24. Secure Shell • Cryptographic algorithms available • Triple DES (Default) • Blowfish • Twofish • Arcfour • Idea • Cast • RSA

  25. LogCheck • Linux logs a tremendous amount of info • People just don’t read logs • Most of what is in the logs is normal • The normal stuff hides the important stuff • Let the computer read the logs and separate the important stuff from the junk

  26. LogCheck • Written by Craig Rowland • Scans logs for interesting entries • Free • Now called LogSentry • Available for download at • http://www.psionic.com/abacus/logcheck/ • Runs hourly

  27. LogCheck • LogCheck uses four configuration files • logcheck.hacking • logcheck.violations • logcheck.violations.ignore • logcheck.ignore • Files are applied in the order shown • Every line is a “regular expression”

  28. LogWatch • Another Log Analyzer • Distributed standard with RedHat 7.2+ • Written by Kirk Bauer <kirk@kaybee.org> • http://www.kaybee.org/~kirk • Configuration files in /etc/log.d • Runs once a day • Does not appear to be as easily configured as logcheck

  29. Logrotate • Comes with RedHat Linux • Debian does something Different • Slackware doesn’t do this at all • YMMV • Freely available from Redhat.com • Should build on any version of Linux

  30. Logrotate • Check and update /etc/logrotate.conf • Allows for keeping old logs • Keeps logs from filling up disk • Different logs can have different parameters • Can also use files in the directory /etc/logrotate.d

  31. RPM Update Managers • Updateme • Up2date • Apt-rpm • Autorpm

  32. updateme • Locally written UGA utility • Checks for new versions of software • Can be configured to use any RedHat distribution site • Configuration file • Command line argument • Support status uncertain

  33. /usr/local/etc/updateme.cf site=acs-mirror.ucsd.edu updatedir=/linux/redhat/updates/7.3/en/os/i386 site=sunsite.unc.edu updatedir=/pub/linux/distributions/redhat/updates/7.3/en/os/i386

  34. up2date • From RedHat • Requires registration with RHN (RedHat Network) • Free for the first computer • Subscription required for multiple computers • Requires X-11 on the computers to be managed

  35. APT-RPM • A port of the Debian APT (Advanced Package Tool) program used to manage updates. • Requires that the site providing the updates have a special “apt” index which must be created each time it’s content changes. • Not enough sites do this yet • http://freshrpms.net/apt/ or Google

  36. AutoRPM • By Kirk Bauer • Can download updates for later installation • Can download and install updates • Can do automatic updates or queue for later • Requires a bit of configuration work • I like this one

  37. Firewall configuration files • http://www.linux-firewall-tools.com/linux/ • http://www.linuxguruz.org/iptables/ • The script I have been using is available on this second web site as “IPTABLES Masquerading Firewall” or rc.firewall_023.txt

  38. Firewall configuration files • I like this file for several reasons: • It uses the “state” condition of connections to determine if they are allowed or denied • It is more thorough in it’s handling of icmp traffic • It has provisions for port forwarding for services operated on machines located on the local network. • Download it

  39. Tripwire • Monitors system for modified files • Many versions, most commercial • Tripwire for linux is open source under GPL • http://sourceforge.net/projects/tripwire • Distributed with RedHat 7.2+ • tripwire-2.3.1-10.i386.rpm

  40. Tripwire • Uses passwords and cryptographic signatures to protect configuration files • Default configuration may take some fixing • Comes with many non-existent files defined • Run it once and use the output to edit the twpol.txt file. You probably also want to remove /root and /var/log from checking. • Run from cron once a day to audit system

  41. Tripwire • When something changes • Tripwire will find it. • If it’s OK, then run: • tripwire --update –r /full/path/to/latest/report.twr • If it’s NOT OK, then you may have been compromised • Tripwire and AutoRPM may not play well together, giving some false positives

  42. NTP (Network Time Protocol) • Developed by Dave Mills at The University of Deleware (mills@udel.edu) • Sets computer clock automagically • Previous version is xntp-3.5.93 and is on the RedHat 6.1 CDROM • Current version is ntp-4.1.1 and is on the RedHat 7.3 CDROM

  43. NTP • Can set the clock from various sources • Reference Time Standards • Broadcast Standards (WWVB) • GPS receivers • Network • Configuration File • /etc/ntp.conf

  44. NTP • Network Time Standards • Public vs Private • Primary vs Secondary • Server List • http://www.eecis.udel.edu/~mills/ntp/servers.htm • Pick a server near you • Use a “Public” server • Do NOT use a “Primary” Server

  45. Backups • I’m usually a big fan of frequent backups, but in the case of the firewall, it really isn’t necessary. • Back up a few of the more critical files which would be a pain to re-create. The rest can be easily rebuilt. The main file I keep copies of is my firewall config file.

  46. Sign up for a bug fix list Go here and sign up for the redhat.com watch list. They will send you e-mail every time there is a bug fixed in RedHat linux. You NEED to know this… https://listman.redhat.com/mailman/listinfo/redhat-watch-list/

  47. References • LINUX HOWTO documents • Should be on your Install CD, or from http://metalab.unc.edu/LDP/

  48. References • SSH • http://www.ssh.com/ (commercial version) • http://www.ssh.org/ (educational version) • LogCheck • http://www.psionic.com/abacus/logcheck/ • NTP • RFC 1796 • http://www.eecis.udel.edu/~ntp/

  49. References • General Security References • //www.alw.nih.gov/Security/security.html • //www.usg.edu/oiit/support/security/ • //csrc.ncsl.nist.gov/ • //www.cert.org/

  50. Firewall references http://www.linux-firewall-tools.com/linux/ http://www.fwtk.org/ http://www.fwtk.org/mason/ http://rcf.mvlan.net/ http://tickle.unco.edu/cs442/weitzel/research.html http://tickle.unco.edu/cs442/weitzel/execute.html http://www.linuxsecurity.com/feature_stories/kernel-netfilter.html

More Related