October 17th, 2003, 06:41 PM
Ultimate Lead boxen
I want to place a security box outside of my router to the outside (internet)......On this box, I should have an IDS/Firewall/TrafficGrapher/TarPit....Of course it will be running linux...........But my problem is selecting software to use for this purpose. It will be under moderate loads (30-50k) @ all times........Any ideas for what to use and/or what I should put on the box?
256 mb ram
9 raid 5 scsi
October 17th, 2003, 10:20 PM
Dumb question but why outside of your lan??
And what exactly is this box's purpose?? Based on the items you've chosen, it sounds like a honeypot or IDS/Firewall (generally, it's preferable to separate services so single box for IDS, single box for firewall, etc.)
My preferences (if it were me):
TrafficGrapher: tcpdump with an interface created in php or something like that
October 17th, 2003, 10:30 PM
I don't get the idea, you already have a router... what for the box you put outside? As I know, if we don't have a router, we can use a computer as a router.
Maybe someone could make a more comprehensive explanation about it?
October 18th, 2003, 12:00 AM
clarification of layout of network
Well this is how information will route into the network.........the connection to the Internet is coming off the provider's transmission medium.......then it will hit the ultimate boxen (security).........then it will hit another box for traffic shaping (Pentium 4), then it will hit a simple cheap router (Cisco 2500).........then the computers will attach to the router for DHCP, etc.......The design will be mainly of M&M security (hard outside, chewy inside).......
October 18th, 2003, 12:44 AM
Forgetting to strongly protect your inside will probably lead you to problems, but it is not directly related to your question. I agree totally with what MsMittens said, you should use one box for your firewall/traffic grapher and another one for your IDS. This second box could be deeper in your network since you can already watch a lot of information with your first box, and since you should be more frightened about what enters than about what is blocked (even if monitoring what is blocked gives a lot of useful information also). This solution would also curb the possibilities of TTL-based tricks in TCP packets.
Life is boring. Play NetHack... --more--
October 18th, 2003, 01:01 AM
As you desire to use Linux, I suggest SE-Linux. While it is true that other more secure Linux solutions exist, this is the best free one.
October 18th, 2003, 06:51 AM
I'd move the IDS to the Pentium 4 box ("traffic shaping"), otherwise it will pick up ALL traffic external to you and what doesn't necessarily go to you. The IDS is the "burglar alarm" when someone breaks into your network, after they've gone past the firewall.
Otherwise, sounds like an interesting setup.
October 20th, 2003, 07:40 PM
I agree with what MsMittens suggests in terms of software, but IMHO I would use MRTG for a traffic grapher rather than tcpdump. Although I've never used tcpdump before, I know MRTG is built specifically for graphing trends such as bandwidth. I'm not sure if tcpdump can do this.
It's available for *nix and Windoze.
just my $.02
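As an added illustration of what a traffic grapher like MRTG actually does with interface counters (this is example code written for this page, not from any poster and not MRTG's own code): MRTG polls cumulative SNMP octet counters at a fixed interval and plots the difference between polls as a rate. The two details a grapher has to get right are 32-bit counter wrap and counter resets after a reboot, and the poll values and link capacity below are constructed to exercise both.

```python
"""Added example (not from any poster in this thread): the core of what an
MRTG-style traffic grapher does with an interface's byte counters.

MRTG polls cumulative octet counters (SNMP ifInOctets/ifOutOctets) at a fixed
interval, five minutes by default, and plots the difference between polls as
a rate. Two details matter for correct graphs:
  * 32-bit counters wrap at 2**32; on a busy link that can happen between two
    polls, so a reading smaller than the previous one must be unwrapped.
  * a counter that restarted (device reboot) also reads smaller than before,
    and unwrapping it yields an absurd rate; MRTG's MaxBytes setting discards
    readings above the link's capacity, which is what max_bytes_per_sec does
    here.
All counter values below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER_32 = 2 ** 32
COUNTER_64 = 2 ** 64  # width of the high-capacity ifHCInOctets/ifHCOutOctets counters


@dataclass(frozen=True)
class Poll:
    t: float         # poll time, seconds
    in_octets: int   # cumulative bytes received on the interface
    out_octets: int  # cumulative bytes sent


def counter_delta(prev: int, cur: int, width: int = COUNTER_32) -> int:
    """Bytes transferred between two cumulative readings, unwrapping one counter wrap."""
    if cur >= prev:
        return cur - prev
    return (width - prev) + cur


def compute_rates(polls: List[Poll], max_bytes_per_sec: float,
                  width: int = COUNTER_32) -> List[Tuple[float, float, float]]:
    """Return (time, in_bits_per_sec, out_bits_per_sec) for each poll interval.

    Intervals whose byte rate exceeds max_bytes_per_sec in either direction are
    dropped, as MRTG does for readings above MaxBytes; that is what separates a
    genuine wrap from a counter reset.
    """
    rows = []
    for prev, cur in zip(polls, polls[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            continue  # duplicate poll or clock stepped backwards: nothing to plot
        in_bytes_ps = counter_delta(prev.in_octets, cur.in_octets, width) / dt
        out_bytes_ps = counter_delta(prev.out_octets, cur.out_octets, width) / dt
        if in_bytes_ps > max_bytes_per_sec or out_bytes_ps > max_bytes_per_sec:
            continue  # implausible for this link: treat as a reset, not a wrap
        rows.append((cur.t, in_bytes_ps * 8, out_bytes_ps * 8))
    return rows


def summary(rows: List[Tuple[float, float, float]]) -> Optional[dict]:
    """Peak and average rates in bits per second, the figures MRTG prints under each graph."""
    if not rows:
        return None
    ins = [r[1] for r in rows]
    outs = [r[2] for r in rows]
    return {"in_max": max(ins), "in_avg": sum(ins) / len(ins),
            "out_max": max(outs), "out_avg": sum(outs) / len(outs)}


# Constructed polls, 300 s apart, against a 10 Mbit/s link (1,250,000 bytes/s).
# Poll 1 shows a real 32-bit wrap on the inbound counter; poll 3 shows a reset.
SAMPLE_POLLS = [
    Poll(0,    COUNTER_32 - 30_000, 1_000_000),
    Poll(300,  270_000,             4_000_000),   # in wrapped: 30,000 + 270,000 bytes moved
    Poll(600,  1_770_000,           4_300_000),
    Poll(900,  5_000,               2_000),       # both counters restarted from zero
    Poll(1200, 605_000,             152_000),
]
LINK_BYTES_PER_SEC = 10_000_000 / 8  # assumed link capacity for the sample

if __name__ == "__main__":
    rates = compute_rates(SAMPLE_POLLS, LINK_BYTES_PER_SEC)
    for t, i, o in rates:
        print(f"t={t:6.0f}s  in={i:10.1f} bit/s  out={o:10.1f} bit/s")
    print(summary(rates))
```

The interval after the reset (poll 3) is dropped rather than plotted as a multi-gigabit spike, while the wrapped interval (poll 1) is recovered correctly; on interfaces that expose the 64-bit ifHC counters, pass `width=COUNTER_64` and wraps stop being a practical concern.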