
Thread: Unix Firewall Ramble

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    131

    Question Unix Firewall Ramble

    I have been discussing a dilemma with a few other co-admins and we are quite intrigued by something. I will throw it out here and see what the community has to say.

    The background:
    We are basically an MS and Netware shop. There are 3 admins/support guys. We also belong to a much larger IT structure - we have to deal with them on all backbone/demarc issues, but we operate stand-alone for anything pertaining to internal building users/apps/file servers.

    The central Info Sec div. has deployed a firewall product. It is Unix/FreeBSD. They set it up and deploy it to us with instructions on how to tweak it.

    The dilemma:
    None of us are Unix guys. As stated above, we work on Netware and MS products. We were working from their readme trying to allow a subnet to enter through the firewall - and we saw all this weird stuff.

    And that got us to thinking: if this firewall ever gets "hacked", how would you know that it is hacked?
    More cowbell! We need more cowbell!
    http://www.geocities.com/secure_lockdown/
    - - -
    "Is the firewall there to protect you from the outside world or is it there to protect the outside world from *YOU*?"

  2. #2
    Junior Member
    Join Date
    Oct 2004
    Posts
    3
    I believe it is difficult to detect an intrusion.
    After it has occurred (root level) the OS can be modified to hide processes or other things
    (using loadable kernel modules, etc).

    There has been an enormous amount of research in Intrusion Detection, but only rule-based models with signatures have been widely used in industry. Therefore you will never be able to detect a new intrusion, only the ones already in the database.

    Overall, it's still under development. There are anomaly-based intrusion detection systems which try to model "normal" behavior of the system so that new intrusions can be detected without a ruleset. The problem with this system is there can be false positives, so you will never truly know if you are being hacked.

    I think most people would prefer not to use intrusion detection today because it requires CPU usage and the Intrusion Detection system itself can be avoided by overloading it with traffic and processing.

    If you are considering an Intrusion Detection System, look at http://www.snort.org/.

    I hope this has been helpful.

  3. #3
    Junior Member
    Join Date
    Nov 2003
    Posts
    13
    I would at least start to consider putting up an IDS box. A very low cost system would be enough to handle the application and if you should choose to go with something like SNORT, or SNORT itself, then the software is free. I would talk with my *nix guys that are deploying this firewall and ask what kind of traffic is normal for you to see. Then you would have an idea of what is normal for your network.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Like any box, if it is compromised there is theoretically no definite way to detect such a compromise. Rule-based IDS only detect things they have rules for.

    Obviously you can be on the lookout for "suspicious" activity - look at the system log.

    Really your best bet is to ensure that it is not compromised. It is unlikely that a box with no publicly addressable IP and running no services will be compromised - that is the easiest way of ensuring it is not.

    Such a box could only be compromised through a vulnerability in its routing software / filtering / logging stack. And even then an attack would probably be difficult to mount, and would probably require a fair bit of "insider info".

    I myself have never heard of a box being compromised that was not being used as a client or server.

    One of the problems with these devices is that the most likely compromise vector is if the management system is itself compromised (for example, an administrator inadvertently downloads a trojan'd win32 binary which creates some kind of tunnel for an attacker). This can be mitigated by requiring management to be done from the physical console of the device and having a strict policy which forbids the machine's use as an internet client.

    Slarty

  5. #5
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    This is a short post for what could be an article of a response. I recently went to a telecom meeting and one of the keynote speakers was talking about anomaly detection. This place, and many others popping up, do intensive scans of your network and then monitor it for changes in bandwidth shaping and overall traffic flow. They target small business, not enterprise level, so it may or may not work for you. They spoke about how rule-based intrusion detection will eventually split off and do more anomaly-based scanning rather than "known" attacks. Sweet idea.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    If you are unfamiliar with a *nix type firewall (I'm assuming iptables?) then might I suggest some type of GUI to tweak your rules? I've found fwbuilder to be a great app to build fw rules. You'll find it similar to fw1's policy editor. I love it!

    http://www.fwbuilder.org/
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Firestarter is another good one.

    firestarter.sourceforge.net

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    secure_lockdown, could you post here more info about those "instructions" that you have received from your H.Q.?

    I'm not sure what is "included" in those instructions. Packet filter? NIDS? Proxy?
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    For those of you that suggested GUIs, the box is running FreeBSD.
    AFAIK the only firewalls on FreeBSD are the default ipfw, Darren Reed's IPFilter and OpenBSD's PF (only on 5.x systems). So firestarter doesn't work as it only supports the Linux firewalls (NetFilter). Fwbuilder does seem to support ipfw and IPFilter.

    secure_lockdown: If they set it up and deployed it it's their job to keep it up2date and "unbreakable" IMO.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
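    Slarty's advice (watch the system log, make sure the box is not quietly modified) and SirDice's note that the box runs ipfw, IPFilter or PF can be turned into a small routine check. The script below is an added example, not anything from the thread or from the HQ readme: it keeps a SHA-256 baseline of the ruleset and binaries you choose, reports any file that changed or vanished, and flags SSH logins from hosts outside an allowed admin list. The file paths and the pfctl/ipfw log pattern are hypothetical placeholders; adjust them to whatever the readme says the firewall actually uses.

```shell
#!/bin/sh
# Added example: integrity baseline + log check for a FreeBSD packet-filter host.
# Paths and the rule-change pattern are hypothetical; adapt to the real ruleset files
# (e.g. /etc/pf.conf or /etc/ipfw.rules) and keep the baseline file OFF the firewall.

hash_file() {            # print "<sha256> <path>", portable across FreeBSD and Linux
  if command -v sha256 >/dev/null 2>&1; then
    printf '%s %s\n' "$(sha256 -q "$1")" "$1"
  else
    printf '%s %s\n' "$(sha256sum "$1" | awk '{print $1}')" "$1"
  fi
}

baseline_create() {      # $1 = baseline file, remaining args = files to watch
  out=$1; shift
  : > "$out"
  for f in "$@"; do hash_file "$f" >> "$out"; done
}

baseline_verify() {      # $1 = baseline file; prints CHANGED/MISSING lines, exit 1 if any
  rc=0
  while read -r sum path; do
    if [ ! -f "$path" ]; then
      echo "MISSING $path"; rc=1
    elif [ "$(hash_file "$path" | awk '{print $1}')" != "$sum" ]; then
      echo "CHANGED $path"; rc=1
    fi
  done < "$1"
  return $rc
}

log_alerts() {           # $1 = syslog/auth log, $2 = space-separated allowed admin IPs
  awk -v allowed=" $2 " '
    /sshd.*Accepted/ {                       # take the IP that follows the word "from"
      ip = ""; for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip != "" && index(allowed, " " ip " ") == 0) print "LOGIN " ip
    }
    /pfctl|ipfw/ { print "RULETOOL " $0 }    # hypothetical pattern: rule tool invoked
  ' "$1"
}

# Typical use (constructed paths): run from cron and mail the output to the admins.
#   baseline_create /mnt/usb/fw.baseline /etc/pf.conf /sbin/pfctl /usr/sbin/sshd
#   baseline_verify /mnt/usb/fw.baseline
#   log_alerts /var/log/auth.log "10.1.1.5 10.1.1.6"
```

    The baseline only helps if an attacker cannot rewrite it, so store it on removable or read-only media and regenerate it only after a change you made yourself.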

  10. #10
    Senior Member
    Join Date
    Jul 2004
    Posts
    131
    Exactly what SirDice said. It's FreeBSD - and no GUI. I can't really post the internal tutorial for obvious reasons, but you don't have to manually edit iptables. They made it user friendly - but you still need to know what you are doing.

    Personally, I was against this idea of setting up a machine with an OS as a firewall. I wanted a dedicated firewall device (Symantec, WatchGuard, Cisco) but I got outvoted by the other IT guys. It mainly came down to money. Their case was that for the price of 1 FW device, they can get 3 BSD FWs and cover 3 of our sites.
