network testing

Thread: network testing

  1. #1

    Question network testing

    I need some advice on network lockdown. I am purchasing a Sun box and installing Solaris 9; anybody got some advice or links for locking down Solaris? I am getting Cox cable, high speed internet connection. And I wanna use the Sun box as a firewall/gateway, so it goes like this: internet -> cox -> cable modem -> sun box -> linksys router bsfr41 -> internal network. I am using Win XP, 2000, and Red Hat 8 on the internal network. Also some help w/ pen testing would be useful too, and any services that need to be shut down to make it more secure. What kinda tests, how to perform them, tools, etc. Would like to run my own small webserver, ssh, ftp, and spam filtering. Would I need to enable port forwarding on the router and Sun box? And would it be better to enable DHCP on the router or the Sun box? Is DNS for big networks? Thinking about trying to set that up. Doing all this for learning more about network security. Any help would be VERY grateful. Thanx
    -incideagent

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Well, I can't really help you with configuring Solaris as I have never used it, but if you have FTP, telnet, and ssh running on the Sun box then you don't need to port forward since it's not behind the router. As far as enabling DHCP, it depends if you're sharing files. If you're sharing files behind the router then I would use static IPs, otherwise you'll have to remap network drives every time you restart the computers.

    For network security tools may I suggest Nmap http://www.insecure.org and Languard http://www.gfi.com

  3. #3

    next

    yeah forgot about doin static ips, might share drives from time to time to copy updates and all.

  4. #4
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    Why not put the sun box behind the router? I think you can set up the sun box to do your NAT and firewalling. Although I think your Linksys router has a very limited firewall capability.

    Personally I would run DHCP on the router. If you have your Sun box in front of the router handing out addresses, you would have to push DHCP through the router, which I don't think you can do with the Linksys (I'm not positive about that one).

    You would need to enable port forwarding if you want anyone on the outside to access your servers on your internal network. Usually DNS is used in large networks. You can run DNS if you want; it isn't necessary, but it's good if you want to play around with it.

    In terms of services to shut down to be more secure: basically shut down services that aren't needed (i.e. sendmail, telnet, ftp, etc.). If you need services like telnet for example, use SSH or SFTP instead of the insecure FTP.

    sorry if this seems scattered...just got into work and doing too many things at once.

    hmmm...do I have my priorities straight?

    anyways...hope i could help.
    t.e.k.n.o.

  5. #5

    what?

    I thought u are supposed to put a firewall in front of a network. I'm prob gonna run the services behind the router on a server, don't know what OS, but kinda leaning towards W2K3 Server, the free one they send out, just got it. Gonna test it out, prob run it on one of my older 500 Compaqs. I'm prob gonna enter static IPs for better puter management.

  6. #6
    Senior Member
    Join Date
    Jul 2002
    Posts
    117

    Re: what?

    Originally posted here by incideagent
    I thought u are supposed to put a firewall in front of a network.
    I could swear I've heard that you can get a Linksys router that doubles as a firewall. If that's the case, you could kill two birds with one stone and use the Solaris for something else. I wouldn't hold me to it though...looking through bestbuy.com with no luck.

    On a side note, cable modems usually aren't really optimized for upstream traffic (traffic traveling out from your machine) like that. They're more intended for downstream traffic.

    alpha

    Linksys Firewall Router Link

    http://www.bestbuy.com/site/olspage....oryId=cat01029

  7. #7
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Solaris:

    Pretty decent admin scripts/help/FAQ's: www.sun.com/bigadmin
    Good place for precompiled packages (and sources): www.sunfreeware.com
    Decent documentation: docs.sun.com

    There is a program called 'yassp' that you should run that automatically locks
    down the box. WARNING! IT DOES A VERY VERY VERY GOOD JOB OF TIGHTENING DOWN,
    and you may have to adjust things afterwards to make them work.

    Big things:

    Install the latest patch cluster. Make sure you check file permissions and daemons afterwards, patch clusters tend to turn things back on that were off.

    Turn off everything in /etc/inetd.conf (ESPECIALLY SADMIND, major vulnerability right now). You don't need any of it to run Solaris or XWindows properly. If you think you need telnet, think again, download and install OpenSSH. If you aren't running services, it is much more difficult to attack.

    Use tcpwrappers to limit access to services you absolutely must do with out.

    Turn off as much as you can under /etc/rc2.d and /etc/rc3.d. Minimally:

    S00set-tmp-permissions -> ../init.d/set-tmp-permissions
    S01MOUNTFSYS
    S05RMTMPFILES
    set-tmp-permissions -> ../init.d/set-tmp-permissions
    S20sysetup
    S22acct -> ../init.d/acct
    S69inet
    S72inetsvc
    S74syslog
    S75cron
    S75savecore
    S88utmpd

    You don't need anything under rc3.d. In case you do, rather than deleting these files, move them to a directory under where you are like no.

    Tweak your TCP/IP stack for much improved performance. Look for 'tweaking the tcp/ip stack for fun and profit'.

    Check all your files and turn off the setuid and setgid files where possible (there are lists floating around the internet to tell you what you need).

    Use sudo to control access with a well written policy (ALL : ALL is not a good one).




    Solaris is more than capable of running all those services, I recommend against running too many in the same place. After all, if someone hacks your web server, do you really want them having access to DHCP assignments, DNS, etc?

    If you need more info, let me know.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
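
The inetd.conf and rc-directory steps from the post above, as an added example that is not part of the original post. It works on copies in a scratch directory; the inetd.conf entries, the keep list and the script name S99example are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; sample data is constructed. Run against copies, not live files.

# List "service server-path" for every enabled (uncommented) inetd entry.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1, $6 }' "$1"
}

# Write a copy of the file with every enabled entry commented out.
disable_all_inetd() {
    awk '!/^[ \t]*#/ && NF >= 6 { print "#" $0; next } { print }' "$1" > "$2"
}

# Move S* start scripts that are not named in the keep file into "$rcdir/no"
# rather than deleting them; prints the name of each script moved.
park_rc_scripts() {
    rcdir=$1; keep=$2
    mkdir -p "$rcdir/no"
    for f in "$rcdir"/S*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        grep -qxF -- "$name" "$keep" && continue
        mv "$f" "$rcdir/no/" && echo "$name"
    done
}

# Constructed sample: a tiny inetd.conf and rc2.d in a scratch directory.
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
# constructed sample entries
telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#ftp    stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd
100232/10  tli  rpc/udp  wait  root  /usr/sbin/sadmind    sadmind
EOF
mkdir "$demo/rc2.d"
touch "$demo/rc2.d/S69inet" "$demo/rc2.d/S74syslog" "$demo/rc2.d/S99example"
printf '%s\n' S69inet S74syslog > "$demo/keep.txt"

echo "Enabled before:"; enabled_inetd_services "$demo/inetd.conf"
disable_all_inetd "$demo/inetd.conf" "$demo/inetd.conf.locked"
echo "Enabled after: $(enabled_inetd_services "$demo/inetd.conf.locked" | wc -l)"
echo "Parked:"; park_rc_scripts "$demo/rc2.d" "$demo/keep.txt"
```

RPC services such as sadmind appear in inetd.conf under a program number rather than a name, which is why the listing prints the server path alongside the first field.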

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    incideagent, I'm not sure about the logic of putting the solaris box in front of the linksys. IMO, the linksys is less likely to be susceptible to you making a mistake in its config thus it is more logical to place the linksys first.... You can port forward any ports you want to the solaris box and have it handle it. That way the least risky box is in front and the more risky is limited to what can be sent to it......

    Just my opinion......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9

    got the sun box

    alright thanx for the help, especially nebulus. I got the box, it's an Ultra Enterprise 1, 2 4gb hd. Didn't come w/ monitor or keyboard. He said I needed a null modem cable. I have some cables but don't know if it's a null modem cable; one side is serial goin to my windows machine, the other goin to port A on the sun box, which is a printer-like connector. Trying to get it using hyperterm, but cannot get the banner to show so I can boot off cd to start installation. Tried com1 and 2 and can't get it to work. Do I need a different null modem cable, like one w/ just two printer-like connections, or can I stick w/ this one? And if so, what am I doin wrong?

  10. #10
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    You probably need a 9-pin to 25-pin null modem serial cable. The system should have shipped with one. Hook it up to your serial port, connect with hyperterminal using 9600, 8,N,1. Hit enter a couple of times and you should get a lom prompt. Type: poweron

    You will probably at that point get a 'ok' prompt. If you want it to auto boot:

    setenv auto-boot? true

    To see a list of other variables: printenv.

    DO NOT MONKEY WITH THIS UNLESS YOU KNOW WHAT YOU ARE DOING. You can seriously hose things up, this is your EPROM. It should at this point, issue a boot command, then take the default argument of disk. Assuming you have everything hooked up right, you should then see the Sun Solaris banner, and the install script will automatically fire off (assuming you have bought this new).

    Hope that helps.

    /nebulus
