Resend following the list crash - apologies for any duplicates

---------- Forwarded message ----------
From: ElephantChild 
To: Hamid 
Cc: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 10:27:37 +0200 (CEST)
Subject: Re: ************    Maximum Security    ************* [7:7159]
Organization: (noun) 1. the act or process of organizing. 2. the state
              of being organized. 3. a body of persons acting together
              for some purpose.

On Mon, 4 Jun 2001, Hamid wrote:

> I want to provide maximum security for my network which is connected with a
> Cisco 3600 router to the Internet.
> 
> The network consists of a web-server, mail server, a cache server (Squid) ,
> a security server (TACACS+ Server) and an accounting/billing  server. All
> these servers are LINUX servers.
> 
> Security considerations are already made on Linux servers, and I am going to
> configure the Cisco routers.
> 
> A Cisco 3600 router will be acting as an Access Server for dial-up clients
> and another C3600 router will be connected to the Internet backbone. Both
> routers must be configured to provide maximum security. (Security
> considerations should be made for the dial-up clients as well as the
> Internet)
> 
> Any suggestions on the following topics would be welcome to make this as
> secure as possible :
> 
> -Router configuration ( Both routers)
> -Assigning valid/invalid IP addresses to the Servers.
> -Network Plan / Design / Topology
> -Special configuration on the Linux servers.

Short answer: What problem are you trying to solve?

Long answer: 

If you really want maximum security, you should power off your routers
and your servers, unplug them, encase them into several ft. of concrete,
and dump them into the Marianas Trench. As that wouldn't let you offer
any Internet or dial-up access, you will have to trade off security vs.
functionality. How much of each, and at what cost, should be in a
requirements document called a security policy, much as for any other
network design process.

If you don't have that document, *ask for it now*. If it doesn't exist,
write it *and have your customer/boss/whatever sign it*, or better, have
the aforementioned critter write and sign it. Then use it to design and
implement your firewall. Here are some references, off-hand: 

- Firewalls and Internet Security (Cheswick and Bellovin - AW)
- Building Internet Firewalls (Chapman and Zwicky - ORA)
- Practical Unix and Internet Security (Spafford and Garfinkel - ORA)
- The firewalls mailing list (used to be [EMAIL PROTECTED])
- http://www.securityfocus.org/
- Any web page by Marcus J. Ranum
- The "Site Security Handbook" RFC (don't remember the number, but you
  should be able to search for it on any site that carries RFCs).

Howard mentioned the following resources on a thread long past. Some may
no longer exist or be relevant, so YMMV.

  Some other random references, some more theoretical than others.
  Network security in general, not just firewalls.

  IETF Security Area Advisory Group  http://web.mit.edu/network/ietf/sa/
  IETF Working Groups http://www.ietf.org/html.charters/wg-dir.html
       -- navigate to Security Area for subgroups

  RFC 1579 Firewall-Friendly FTP. S. Bellovin.

  RFC 2647 Benchmarking Terminology for Firewall Performance. D. Newman.

  NSA Rainbow Library.  Contains some HEAVY theory, but also lots of
  good information.
  http://www.radium.ncsc.mil/tpep/library/rainbow/index.html

  International Computer Security Association http://www.icsa.net/
       contains ratings of specific firewall products

  Computer Emergency Response Team http://www.cert.org

(End quote of Howard's words. You may now look up again. :-) )

-- 
"Someone approached me and asked me to teach a javascript course. I was
about to decline, saying that my complete ignorance of the subject made
me unsuitable, then I thought again, that maybe it doesn't, as driving
people away from it is a desirable outcome." --Me

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7254&t=7159
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html