How to setup a secure network

Thread: How to setup a secure network

  1. #1
    Junior Member
    Join Date
    Jan 2006
    Posts
    24

    How to setup a secure network

    Hi,

    I'm not sure why, but I feel really paranoid about using my home computer network. I feel as if someone has gotten in, and I don't trust anything (wireless router firmware, notebook firmware, etc).

    I am in the process of rebuilding my network. What order should I build everything in? I know it sounds like a silly question, but let me elaborate.

    I am going to setup a gateway with OpenBSD. I am going to install the OS, configure it as best as I can, but at some point I will most likely need additional software. I do not want to go onto the internet w/o having everything locked down. This leads me to a strange situation where I don't want to go onto the internet (due to fears), but I need to, to grab software/documentation.

    The only real solution I can think of is to download anything I need ahead of time and burn it onto a CD. I guess my real question is: what do you need to have in place in order to feel "safe" from being attacked? Is a firewall enough?

    I know that there are such things as IDS, but they are only useful for reporting purposes.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You're paranoid.... No problem with that though...

    Start at the perimeters, (wired and wireless), then work back to the workstations themselves.

    IDS' are great... Snort is the best and it's free... But it's a bit overkill for a home network unless you have extremely sensitive data there.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    You don't list what type of Unix you have running so it's really hard to say. Most of the time IPTables or whatever firewall you use are good but then you need to think about permissions. And of course only using root when needed. Usually sudo can do this for you so you aren't doing things.

    You may want to set a variable so that rm is actually using the -i options.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    You may want to set a variable so that rm is actually using the -i options.
    Gore
    Ok, I know that the rm -i option prompts the user before deleting files (which is a good thing if you want to make sure you don't accidentally wipe out your system), but how does this help with system security? Sorry, if this is really obvious, but I don't know.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  5. #5
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Everyone who's used Unix for more than an hour has wondered what "rm -rf /" does. And as you said it stops you from screwing up. A secure system isn't just firewalled, it's protected from the users themselves.

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    Originally posted here by gore
    Everyone who's used Unix for more than an hour has wondered what "rm -rf /" does. And as you said it stops you from screwing up. A secure system isn't just firewalled, it's protected from the users themselves.
    Ok, thank you.

  7. #7
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Yea I think the best way of thinking about that is this:

    "UNIX was never designed to stop you from doing stupid things. That would also stop you from doing clever ones."

  8. #8
    Junior Member
    Join Date
    Jan 2006
    Posts
    24
    I am going to be making the gateway OpenBSD. The gateway will have no services running on it, and serve only as a router/firewall.

    An internal server will host an SSH/VPN server. There will also be an internal only mail server. All other services will be turned off.

    Here are the things I'm planning on doing to secure the machines:

    - Setup a tight firewall (authpf on the gateway)
    - Setup AIDE/integrit
    - Good permissions
    - chroot jail for all services

    There will also be a DMZ setup for my roommate's wireless network.

    What else should I do to secure this network?

  9. #9
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716
    What services do you need to make available to the internet?
    This is the root of your security issues, if you are concerned
    about someone attacking you out of the blue.

    If you offer no services to the net, your only problem is the connections
    that you solicit; whether you have a browser that permits websites to
    screw with you; if you execute e-mail attachments; if you run illegally
    cracked software. These problems can't be cured by a firewall, because
    you will wind up config'ing it to allow the insecure things you insist on doing.
    If you avoid the promiscuous behavior, the "protection" is redundant,
    like a condom is only needed with an unclean partner.
    I came in to the world with nothing. I still have most of it.
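
The question in post #9 (which services are reachable at all) can be checked rather than guessed. The script below is an added example, not part of any post in this thread; it assumes BSD-style `netstat -an` output, where the local address is written as `addr.port`, and the function name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sockets that accept traffic on a non-loopback address,
# from BSD-style `netstat -an` output (local address is written addr.port).

# Constructed sample of `netstat -an -f inet` output, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.1.10.22        192.168.1.50.51234     ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  192.168.1.10.1194      *.*                    LISTEN
udp          0      0  127.0.0.1.53           *.*
udp          0      0  *.514                  *.*'

# exposed_listeners: read netstat output on stdin and print "proto addr port"
# for every listening socket that is not bound to loopback.
exposed_listeners() {
    awk '
        # TCP listeners carry the LISTEN state. UDP sockets have no state
        # column, so an unconnected one shows a foreign address of *.*
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 == "*.*") {
            laddr = $4
            n = split(laddr, part, ".")
            port = part[n]                      # last dotted field is the port
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            # Loopback-only services are not reachable from the network.
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, addr, port
        }
    '
}

# On a live BSD host: netstat -an -f inet | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Every line it prints is a service the firewall either has to block or deliberately allow; a gateway that offers no services should print nothing.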

  10. #10
    Junior Member
    Join Date
    Jan 2006
    Posts
    24
    That's a very good point. Now that I think about it, your comment makes a lot of sense. If I don't have any services running, the only issues I can run across are those that I bring in.

    For some strange reason, I always think that being compromised is "magic," but it clearly isn't now that I try to think of examples of how someone could get in.
