|
-
February 25th, 2006, 09:25 PM
#1
Junior Member
How to setup a secure network
Hi,
I'm not sure why, but I feel really paranoid about using my home computer network. I feel as if someone has gotten in, and I don't trust anything (wireless router firmware, notebook firmware, etc).
I am in the process of rebuilding my network. What order do should I build everything in? I know it sounds like a silly question, but let me elaborate.
I am going to setup a gateway with openbsd. I am going to install the OS, configure it as best as I can, but at some point I will most likely need additional software. I do not want to go onto the internet w/o having everything locked down. This leads me to a strange situation where I don't want to go onto the internet (due to fears), but I need to to grab software/documentation.
The only real solution I can think of is to download anything I need ahead of time and burn it onto a CD. I guess my real question is: what do you need to have in place in order to feel "safe" from being attacked? Is a firewall enough?
I know that there are such things as IDS, but they are only useful for reporting purposes.
-
February 25th, 2006, 09:43 PM
#2
You're paranoid.... No problem with that though... 
Start at the perimeters, (wired and wireless), then work back to the workstations themselves.
IDS' are great... Snort is the best and it's free... But it's a bit overkill for a home network unless you have extremely sensitive data there.
Don\'t SYN us.... We\'ll SYN you..... 
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
February 25th, 2006, 10:45 PM
#3
You don't list what type of Unix you have running so it's really hard to say. Most of the times IPTables or whatever firewall you use are good but then you need to think about permissions. And of course only using root when needed. Usually sudo can do this for you so you aren't doing things.
You may want to set a variable so that rm is actually using the -i options.
-
February 25th, 2006, 10:59 PM
#4
You may want to set a variable so that rm is actually using the -i options.
Gore
Ok, I know that the rm -i option prompts the user before deleting files (which is a good thing if you want to make sure you don't accidentally wipe out your system), but how does this help with system security? Sorry, if this is really obvious, but I don't know.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
February 25th, 2006, 11:14 PM
#5
Everyone who's used Unix for more than an hour has wondered what "rm -rf /" does. And as you said it stops you from screwing up. A secure system isn't just firewalled, it's protected from the users themselves.
-
February 25th, 2006, 11:16 PM
#6
Originally posted here by gore
Everyone who's used Unix for more than an hour has wondered what "rm -rf /" does. And as you said it stops you from screwing up. A secure system isn't just firewalled, it's protected from the users themselves.
Ok, thank you.
For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
(Romans 6:23, WEB)
-
February 26th, 2006, 12:20 AM
#7
Yea I think the best way of thinking about that is this:
"UNIX was never designed to stop you from doing stupid things. That would also stop you from doing clever ones.
-
February 26th, 2006, 02:26 AM
#8
Junior Member
I am going to be making the gateway OpenBSD. The gateway will have no services running on it, and serve only as a router/firewall.
An internal server will host an SSH/VPN server. There will also be an internal only mail server. All other services will be turned off.
Here are the things I'm planning on doing to secure the machines:
- Setup a tight firewall (authpf on the gateway)
- Setup AIDE/integrit
- Good permissions
- chroot jail for all services
There will also be a DMZ setup for my roommate's wireless network.
What else should I do to secure this network?
-
February 26th, 2006, 03:13 AM
#9
What services do you need to make available to the internet?
This is the root of your security issues, if you are concerned
about someone attacking you out of the blue.
If you offer no services to the net, your only problem is the connections
that you solicit; whether you have a browser that permits websites to
screw with you; if you execute e-mail attatchments; if you run illegally
cracked software. These problems can't be cured by a firewall, because
you will wind up config'ing it to allow the insecure things you insist on doing.
If you avoid the promiscuous behavior, the "protection" is redundant,
like a condom is only needed with an unclean partner.
I came in to the world with nothing. I still have most of it.
-
February 26th, 2006, 03:59 AM
#10
Junior Member
That's a very good point. Now that I think that it, your comment makes a lot of sense. If I don't have any services running, the only issues I can run across are those that I bring in.
For some strange reason, I always think that being compromised is "magic," but it clearly isn't now that I try to think of examples of how someone could get in.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
