I have been thinking about a setup for my basic ADSL network at home that would be somewhat more secure than the usual setup I have seen around for other users who simply think NAT/firewalls are the answer. I have yet to implement it, but I wonder if someone could critique the abstract idea before I go through the motions of setting up the network.

The reason why I go into so much detail is that I am testing my own knowledge against yours to become a better security-minded user. I don't want my box trying to break into your box. ;)

I have a Cisco 678 router (on which I have disabled telnet as well as the web interface and set the ports to different ports than the default). Since it is only interfaceable through the management cable, I don't fear a breach of the router software itself. I do know that if someone were to find the telnet port, a DoS is possible. And it is using NAT.

I am running a web server (Apache) on port 80. The NAT addresses this machine for all port 80 requests. Every machine on the network is running a form of firewall software: on Windows, ZoneAlarm; on Linux, either ipchains or iptables.

I am thinking of putting in a dual-homed host to make the basic network look like this:

      +----------+
      | Cisco 678|
      +----------+
            |
     +--------------+
     |Dual-Home Host|
     +==============+
            |
     +---------------+
     |USR Totalswitch|
     +===============+
            |
     Other boxes including web server.

I know the USR Totalswitch is completely insecure. On my firmware, I cannot turn off the telnet management port and I cannot protect against the debug attack found in the SecurityFocus archives. Is there a firmware version that allows for more security? I have yet to find it.

Anyway... I was thinking of running iptables on the dual-homed host, and Snort. I am researching Snort heavily at the moment to make sure I understand its capabilities. I am more of an ipchains kinda guy, and have just delved into iptables.

What I want to do is make it so only legit GET requests get to my web server machine, i.e. GET / HTTP/1.x etc. etc., and to drop all other kinds of requests. My feeling on the subject is that if I can filter out all other malformed or unrealistic requests, Apache will be "saved" from the majority of attacks. Should I use Snort or iptables to accomplish this? Is it possible with either? I know I should RTFM... and believe me, I am.

But I was wondering what kind of input I could get from the list as a whole as to how to proceed. I have also been toying with the idea of using LIDS on the server machine to throw even more modification into the mix... I guess this is just a call for comments. Thank you for considering this issue... as it will determine some of my future turns in study for security as a whole.

"Buffer Overflow in /dev/stomach due to vodka.o!"
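The "only legitimate GET requests reach Apache" policy from the post, written out as application-layer allow-list logic. This is an added example, not code from the original post or from any Snort or iptables rule set; the method allow-list, the length limit and the drop-reason strings are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Allow-list policy (assumed): a well-formed request line, GET or HEAD only,
# HTTP/1.0 or HTTP/1.1, an absolute path with printable non-space bytes,
# terminated by CRLF. Anything else is dropped with a reason for logging.
REQUEST_LINE = re.compile(
    rb"(?P<method>[A-Z]+) (?P<target>/[\x21-\x7e]*) HTTP/1\.[01]\r\n"
)
ALLOWED_METHODS = {b"GET", b"HEAD"}
MAX_LINE = 1024  # assumed cap; Apache's own limit is configured separately


def classify_request_line(line: bytes) -> str:
    """Return 'allow' or a 'drop: <reason>' string for one raw request line."""
    if len(line) > MAX_LINE:
        return "drop: request line too long"
    if not line.endswith(b"\r\n"):
        return "drop: no CRLF terminator"
    m = REQUEST_LINE.fullmatch(line)
    if m is None:
        return "drop: malformed request line"
    if m.group("method") not in ALLOWED_METHODS:
        return "drop: method not allowed"
    # Decode %XX escapes before inspecting the path, so "%2e%2e" is caught
    # the same way as a literal "..". Query string is not part of the path.
    path = unquote_to_bytes(m.group("target")).split(b"?", 1)[0]
    if b"\x00" in path or b".." in path:
        return "drop: traversal or NUL in path"
    return "allow"


# Constructed sample request lines, as a proxy or IDS preprocessor would see them.
SAMPLES = [
    b"GET / HTTP/1.1\r\n",
    b"HEAD /index.html HTTP/1.0\r\n",
    b"POST /cgi-bin/x HTTP/1.1\r\n",
    b"GET /%2e%2e/etc/passwd HTTP/1.1\r\n",
    b"GET / HTTP/1.1\n",
    b"GET /foo bar HTTP/1.1\r\n",
    b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\n",
]


def run_samples() -> dict:
    """Classify every sample; keys are truncated so the report stays readable."""
    return {s[:40]: classify_request_line(s) for s in SAMPLES}


if __name__ == "__main__":
    for line, verdict in run_samples().items():
        print(f"{verdict:34s} {line!r}")
```

A packet filter such as iptables can confirm only that traffic is TCP to port 80; a check like this has to sit where the HTTP request line is reassembled, for example a reverse proxy or an IDS in front of Apache. Even then it rejects malformed and unexpected request lines, not every attack carried in a well-formed one.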