-
network testing
I need some advice on network lockdown. I am purchasing a Sun box and installing Solaris 9, anybody got some advice or links for locking down Solaris? I am getting Cox cable, high speed internet connection. And I wanna use the Sun box as a firewall/gateway, so it goes like this: internet -> Cox -> cable modem -> Sun box -> Linksys router BEFSR41 -> internal network. I am using on the internal network Win XP, 2000, and Red Hat 8. Also some help w/ pen testing would be useful too, and any services that need to be shut down to make it more secure. What kinda tests, how to perform them, tools, etc. Would like to run my own small webserver, ssh, ftp, and spam filtering. Would I need to enable port forwarding on the router and Sun box? And would it be better to enable the DHCP on the router or Sun box? Is DNS for big networks? Thinking about trying to set that up. Doing all this for learning more about network security. Any help would be VERY grateful. Thanx
-incideagent
-
Well, I can't really help you with configuring Solaris as I have never used it, but if you have FTP, telnet, and ssh running on the Sun box then you don't need to port forward since it's not behind the router. As far as enabling DHCP, it depends if you're sharing files. If you're sharing files behind the router then I would use static IPs, otherwise you'll have to remap network drives every time you restart the computers.
For network security tools may I suggest Nmap http://www.insecure.org and Languard http://www.gfi.com
-
next
yeah, forgot about doin static IPs, might share drives from time to time to copy updates and all.
-
Why not put the Sun box behind the router? I think you can set up the Sun box to do your NAT and firewalling. Although I think your Linksys router has a very limited firewall capability.
Personally I would run DHCP on the router. If you have your Sun box in front of the router handing out addresses, you would have to push DHCP through the router, which I don't think you can do with the Linksys (I'm not positive about that one).
You would need to enable port forwarding if you want anyone on the outside to access your servers on your internal network. Usually DNS is used in large networks. You can run DNS if you want; it isn't necessary, but it's good if you want to play around with it.
In terms of services to shut down to be more secure: basically shut down services that aren't needed (i.e. sendmail, telnet, ftp, etc.). If you need services like telnet for example, use SSH or SFTP instead of the insecure FTP.
sorry if this seems scattered...just got into work and doing too many things at once.
hmmm...do I have my priorities straight? :p
anyways...hope i could help.
-
what?
I thought u are supposed to put a firewall in front of a network. I'm prob gonna run the services behind the router on a server, don't know what OS, but kinda leaning towards W2K3 Server, the free one they send out, just got it. Gonna test it out, prob run it on one of my older 500 Compaqs. I'm prob gonna enter static IPs for better puter management.
-
Re: what?
Quote:
Originally posted here by incideagent
I thought u are supposed to put a firewall in front of a network.
I could swear I've heard that you can get a Linksys router that doubles as a firewall. If that's the case, you could kill two birds with one stone and use the Solaris for something else. I wouldn't hold me to it though...looking through bestbuy.com with no luck.
On a side note, cable modems usually aren't really optimized for upstream traffic (traffic traveling out from your machine) like that. They're more intended for downstream traffic.
alpha
Linksys Firewall Router Link
http://www.bestbuy.com/site/olspage....oryId=cat01029
-
Solaris:
Pretty decent admin scripts/help/FAQ's: www.sun.com/bigadmin
Good place for precompiled packages (and sources): www.sunfreeware.com
Decent documentation: docs.sun.com
There is a program called 'yassp' that you should run that automatically locks
down the box. WARNING! IT DOES A VERY VERY VERY GOOD JOB OF TIGHTENING DOWN,
and you may have to adjust things afterwards to make them work.
Big things:
Install the latest patch cluster. Make sure you check file permissions and daemons afterwards, patch clusters tend to turn things back on that were off.
Turn off everything in /etc/inetd.conf (ESPECIALLY SADMIND, major vulnerability right now). You don't need any of it to run Solaris or XWindows properly. If you think you need telnet, think again, download and install OpenSSH. If you aren't running services, it is much more difficult to attack.
Use tcpwrappers to limit access to services you absolutely must do with out.
Turn off as much as you can under /etc/rc2.d and /etc/rc3.d. Minimally:
S00set-tmp-permissions -> ../init.d/set-tmp-permissions
S01MOUNTFSYS
S05RMTMPFILES
set-tmp-permissions -> ../init.d/set-tmp-permissions
S20sysetup
S22acct -> ../init.d/acct
S69inet
S72inetsvc
S74syslog
S75cron
S75savecore
S88utmpd
You don't need anything under rc3.d. In case you do, rather than deleting these files, move them to a directory under where you are, like no.
Tweak your TCP/IP stack for much improved performance. Look for 'tweaking the tcp/ip stack for fun and profit'.
Check all your files and turn off the setuid and setgid files where possible (there are lists floating around the internet to tell you what you need).
Use sudo to control access with a well written policy (ALL : ALL is not a good one).
Solaris is more than capable of running all those services, I recommend against running too many in the same place. After all, if someone hacks your web server, do you really want them having access to DHCP assignments, DNS, etc?
If you need more info, let me know.
/nebulus
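
The inetd.conf and rc2.d steps from the post above, as an added example that is not part of the original post: it lists and comments out active inetd entries and parks start scripts that are not on the post's keep list in a `no` subdirectory. The function names are hypothetical, the sample files are constructed, and it assumes a POSIX shell such as bash.

```shell
#!/bin/sh
# Added example (hypothetical helper names); try it on copies before real files.
# Start scripts the post lists as the minimum to keep in /etc/rc2.d.
KEEP="S00set-tmp-permissions S01MOUNTFSYS S05RMTMPFILES S20sysetup S22acct \
S69inet S72inetsvc S74syslog S75cron S75savecore S88utmpd"

# Print service name and server program of every active inetd.conf entry.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF { print $1, $6 }' "$1"
}

# Comment out every active entry, keeping a .orig copy for rollback.
inetd_disable_all() {
    cp "$1" "$1.orig" &&
    awk '/^[ \t]*#/ || !NF { print; next } { print "#" $0 }' "$1.orig" > "$1"
}

# List S* start scripts in a directory that are not on the keep list.
rc_extra() {
    for f in "$1"/S*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case " $KEEP " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# Move the extras into DIR/no instead of deleting them, as the post advises.
rc_park() {
    mkdir -p "$1/no" || return 1
    for name in $(rc_extra "$1"); do
        mv "$1/$name" "$1/no/$name"
    done
}

# Constructed sample tree (not real system files) so the script runs offline.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/rc2.d"
printf '%s\n' '# constructed sample inetd.conf' \
  'telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd' \
  'ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd' \
  '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' \
  '#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd' > "$DEMO/inetd.conf"
for s in S69inet S72inetsvc S74syslog S75cron S71rpc S88sendmail; do : > "$DEMO/rc2.d/$s"; done

echo "active inetd services:"; inetd_enabled "$DEMO/inetd.conf"
echo "rc2.d scripts not on the keep list:"; rc_extra "$DEMO/rc2.d"
```

inetd only rereads its configuration when it is sent a HUP signal or restarted, so commenting out entries takes effect after that.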
-
incideagent, I'm not sure about the logic of putting the Solaris box in front of the Linksys. IMO, the Linksys is less likely to be susceptible to you making a mistake in its config, thus it is more logical to place the Linksys first.... You can port forward any ports you want to the Solaris box and have it handle it. That way the least risky box is in front and the more risky is limited to what can be sent to it......
Just my opinion......
-
got the sun box
alright, thanx for the help, especially nebulus. I got the box, it's an Ultra Enterprise 1, 2 4gb hd. Didn't come w/ monitor or keyboard. He said I needed a null modem cable. I have some cables but don't know if it's a null modem cable: one side is serial goin to my Windows machine, the other goin to port A on the Sun box, which is a printer-like connector. Trying to get it using HyperTerm, but cannot get the banner to show so I can boot off CD to start installation. Tried COM1 and 2 and can't get it to work. Do I need a different null modem cable, like one w/ just two printer-like connections, or can I stick w/ this one? And if so, what am I doin wrong?
-
You probably need a 9-pin to 25-pin null modem serial cable. The system should have shipped with one. Hook it up to your serial port, connect with hyperterminal using 9600, 8,N,1. Hit enter a couple of times and you should get a lom prompt. Type: poweron
You will probably at that point get a 'ok' prompt. If you want it to auto boot:
setenv auto-boot? true
To see a list of other variables: printenv.
DO NOT MONKEY WITH THIS UNLESS YOU KNOW WHAT YOU ARE DOING. You can seriously hose things up, this is your EPROM. It should at this point, issue a boot command, then take the default argument of disk. Assuming you have everything hooked up right, you should then see the Sun Solaris banner, and the install script will automatically fire off (assuming you have bought this new).
Hope that helps.
/nebulus