TCLUG Archive

RE: [TCLUG:12807] bad day (more details)

> I'd love it if someone could suggest a scheme for the following situation:
>
> 1. low budget, minimize capital expense
> 2. maximize security
> 3. provide essential internal network services (printing, DNS, DHCP, NFS
> for /home, etc.)
> 4. provide external services (ftp, http, email)
> 5. minimize daily maintenance (this is an unfortunate reality given the
> existence of my pesky full-time job).
>

You said you had Novell BorderManager -- I'm not too familiar with that
project, but it sounds as though you're basically using that as your
firewall/router.  So, given that, my suggestion would be to use two
machines, put one inside the firewall, one outside.

The one inside the firewall does, obviously, your internal network services.
It is not accessible from the outside, unless it is through some kind of
good, secure VPN system.  That would probably have to reside on the Novell
box, so I'll leave the details of that aside.

Your external box is your email/ftp/http server.  All other services are
disabled.  hosts.deny is set up very strictly -- connections to ports other
than the aforementioned are not responded to at all, and trigger a script
which alerts you and adds the offending IP address to a more-or-less
permanent ban list.  Some special rules may be set up in hosts.allow so you
can telnet/ssh in, but only from behind the Novell box, or from wherever
you're likely to be administering this thing.  Fine-tune your ipchains setup
as much as you can -- for example, if there's only one subnet that should be
able to access ftp, make sure they're the only ones who can.

You should be able to set up your firewall so that folks inside can talk to
the external server, but nobody can connect from the outside in.

Theoretically you could do this all on one box -- install two network cards
and connect one side to the internet, and allow http/ftp/etc. on that one,
connect the other to your internal network (non-routable) and set up print
and file services to listen to that interface only -- I have a setup like
this at home.  However, since you already have a firewall, this probably
wouldn't be practical.

Also, you may not have to run e-mail on an external box -- in fact, I'd
advise against it if you can avoid it.  You'd need to arrange for the
firewall to act as a mail relay, but I think Novell can handle that OK.  Not
totally sure, though.

Anything above a Pentium, maybe even a high-end 486, should be more than
adequate for either server -- chances are you can get the hardware donated.

As for daily maintenance, there are a few things you should do on a daily
basis.  Find some good script monitoring tools - something that you can have
run by 'cron' every night that will notify you of bad login attempts, root
logins, major file transfers, alterations of key system files, etc.  Some
folks have already made some good suggestions -- one of the keys to making
security manageable is to automate as much of this monitoring stuff as
possible, and have the scripts ferret out the useful data for you.

--
Eric Hillman
UNIX Sysadmin
City & County Credit Union
ehillman@cccu.com
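The nightly cron-driven log review and the hosts.deny ban list that the reply describes, as an added example that is not part of the original post. The syslog-style line format, the field positions and the ban-list location are assumptions; the log lines below are constructed stand-ins for a real auth log.

```shell
#!/bin/sh
# Nightly log review in the spirit of the post: flag failed logins and
# anything touching root, then feed repeat offenders into a hosts.deny
# style ban list. Log format below is an assumed sshd/su syslog layout.

# Constructed sample log (stands in for /var/log/auth.log or messages).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May  3 01:12:04 ext sshd[201]: Failed password for invalid user admin from 10.9.8.7 port 40122 ssh2
May  3 01:12:06 ext sshd[201]: Failed password for invalid user admin from 10.9.8.7 port 40123 ssh2
May  3 01:12:09 ext sshd[201]: Failed password for root from 10.9.8.7 port 40124 ssh2
May  3 02:30:11 ext sshd[310]: Accepted password for ehillman from 192.168.1.5 port 1022 ssh2
May  3 02:31:40 ext su[322]: ehillman to root on /dev/pts/0
May  3 03:05:00 ext sshd[400]: Failed password for bob from 192.168.1.9 port 1030 ssh2
EOF

# Failed logins per source address, "count addr", most frequent first.
failed_by_addr() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Lines a human should look at every morning: root logins and su to root.
root_activity() {
    grep -E 'for root from|to root on' "$1"
}

# Append addresses with at least $3 failures to ban file $2 as hosts.deny
# entries ("ALL: addr"), skipping ones already listed so reruns are idempotent.
update_ban_list() {
    failed_by_addr "$1" | while read -r count addr; do
        [ "$count" -ge "$3" ] || continue
        grep -q "^ALL: $addr\$" "$2" 2>/dev/null || echo "ALL: $addr" >> "$2"
    done
}

# Nightly report to stdout; under cron this output is what gets mailed to you.
nightly_report() {
    echo "== failed logins by address =="; failed_by_addr "$1"
    echo "== root activity =="; root_activity "$1"
}
```

Point a cron entry at a wrapper that calls nightly_report on yesterday's log and update_ban_list with the threshold you are comfortable with; the hosts.deny file should then reference the ban list rather than having addresses edited in by hand.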