Firewall Implementation - Recommendations
Hello, as I mentioned in my hello thread, I am working on a project to implement a Unix Firewall server for our network.
Obviously there are some basics that would need to be ironed out before I can think of doing this right. Now distro of Unix aside for now, this is what I am thinking for first steps. Obviously, deciding I want a firewall. Figure out topography. Know where the server will sit when it comes to the network topography. Decide if I want exclusive or inclusive (I am planning on Inclusive so it is more secure, yes I know it will require a lot of checking up on in the beginning.) Essentially, at this point, what I am looking for is some advice. What do you all recommend? Any questions you may have to assist in a good implementation of said Software Firewall? Any advice at this time would help a great deal. I figure once this is all ready to go, then I will be ready to worry about the scripting and setup of the firewall protocols and so on. Which is going to be a task in and of itself. At least I have used Linux before, so I have SOME idea what I am doing. -Path
SO, me and my LACK of experience have just been schooled.
We are going to have a server, 2 NICs. SO now here comes the BIG picture, which is actually really small. We will have the internet coming through to the modem which will proceed to the Firewall (Hardware) then from there to the UNIX Firewall server, then out to the network. So I will need to figure out how to route, have the signal come in on eth0 and then go back out on eth1. Then setup my rules in between. Now, I was thinking of using FreeBSD, for testing purposes, can not beat the price. And if it works then possibly purchasing a UNIX Distro. I am all for companies who provide good product to get recognition for it. Does anyone have any tips that I should know when embarking on this endeavor? Things I should know about FreeBSD that will make this process easy or harder to accomplish?
OpenBSD Project Homepage | OpenBSD FAQ | OpenBSD pf FAQ
Can you clarify your network config? Is it really: INTERNET -> Modem -> Hardware Firewall -> New Firewall -> LAN ? If you're going to be doing any hosting or public access boxes (e.g. web server) these should be situated between your two firewalls in a DMZ or alternatively hand off a separate interface. HTH Nick
Actually, ya... we, the current IT Team, inherited this mess from another guy. We used to have ONLY a soft firewall, MS Internet security or some such crap like that. Oh ya, this network was a huge mess. At least NOW we have a hardware firewall in place.
But yes, it does go from Internet > Modem > Firewall (Hardware) > *.*.2.* Network. We have 2 outs from the firewall, the other one goes into another 2 network switch. (Replication). You can see why it is we need some better security in this place. What I want is to have an inclusive system. Sort of a redundant soft backup, whatever gets through the exclusive Hardware firewall can be stopped once it hits the Unix Firewall in the way. That is the plan anyway. I am hoping with the tips and tricks people like yourself offer, this company can tighten up security something fierce. We get blasted with viruses like nobody's business, well we are BETTER now that we have some new firewall policies in place. We went from like 10K in a week to 20 even. Security is a nightmare in this place. They have been so used to being open that the idea of closing them off is a threat to them for some reason. So we have to do things slowly, bit by bit we have cleaned things up nicely. Things are running a LOT smoother now than they used to be, that is for DAMN sure. So OpenBSD you say? Hmmm. And I agree, no flame warring, facts only, opinions are important, but statics are more important, that is what my Bosses care about when they sign off on buying this stuff. I look forward to more replies, and I will give those links a look see. Thanks.
From what you described above, it sounds like you're trying to achieve redundancy through a partial mesh... it is worth remembering that the "hardware firewall", modem and link to the ISP are all single points of failure which could make all your other efforts moot. BTW, what is this other hardware firewall? Diagram below shows how you might get OpenBSD/pf/CARP in place... but it also shows your single points of failure!
[diagram image: OpenBSD/pf/CARP layout; not preserved]
Also, what measures are you taking to inspect traffic for malicious types? Are you running some form of mail/web inspection (MAILSweeper/WEBSweeper or maybe squid/postfix with clamav?) Nick
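As an added example (not part of this thread and not Nick's or the OP's configuration), here is a pf.conf in current OpenBSD pf syntax for the layout Nick sketched: hardware firewall on the outside, a pair of OpenBSD boxes kept in step with CARP and pfsync, the LAN on one leg and a DMZ for public-facing hosts on another, with the default-deny ("inclusive") policy the OP wants. Interface names, addresses, the allowed port list and the web server are all assumptions; the 192.168.x.x ranges are placeholders standing in for the thread's *.*.2.* network.

```pf
# /etc/pf.conf -- constructed example for the two-firewall layout in this thread.
# Interface names, addresses and the allowed ports are assumptions, not the poster's real values.
ext_if  = "em0"   # leg toward the hardware firewall (assumed name)
int_if  = "em1"   # leg toward the LAN (assumed name)
dmz_if  = "em2"   # optional DMZ leg for public-facing hosts (assumed name)
sync_if = "em3"   # crossover to the second OpenBSD box, pfsync only (assumed name)

lan_net = "192.168.2.0/24"   # placeholder for the thread's *.*.2.* network
dmz_net = "192.168.3.0/24"   # placeholder
web_srv = "192.168.3.10"     # placeholder for a public web server in the DMZ

# Source addresses that should never arrive from the outside.
# Trim this list if the link to the hardware firewall itself uses private addressing.
table <martians> const { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                         172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 }

set skip on lo0
set block-policy drop          # silently drop instead of answering with RSTs/ICMP errors
set loginterface $ext_if

# Normalise packets before any rule sees them.
match in all scrub (no-df random-id)

# Hide the LAN behind the outer address. Remove if the hardware firewall already NATs.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default deny: this single line is the "inclusive" policy the thread is after.
# Everything below it is an explicit exception; last matching rule wins.
block log all

# Anti-spoofing on the outside leg; quick stops evaluation here.
block in quick on $ext_if from <martians> to any

# Redundancy plumbing for a two-box CARP pair: state sync on the crossover only,
# CARP advertisements on the legs that carry a shared virtual address.
pass on $sync_if proto pfsync
pass on { $ext_if $int_if $dmz_if } proto carp

# LAN -> Internet: only the services the site actually needs (assumed list).
pass in on $int_if proto tcp from $lan_net to any port { 80 443 }
pass in on $int_if proto udp from $lan_net to any port 53
pass in on $int_if inet proto icmp from $lan_net to any icmp-type echoreq

# Internet -> DMZ: only the web server, and only HTTP/HTTPS.
# synproxy completes the TCP handshake on the firewall before the server sees a connection.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } synproxy state

# A compromised DMZ host must not reach the LAN. The default deny already covers this;
# it is stated explicitly so the intent survives later edits to the file.
block in on $dmz_if from $dmz_net to $lan_net

# Let traffic already accepted on one leg continue out on the others.
pass out on { $ext_if $int_if $dmz_if }
```

pf only filters; the "come in on one NIC, go out on the other" step from the earlier post is the kernel forwarding switch, net.inet.ip.forwarding=1 in /etc/sysctl.conf on OpenBSD. The shared address that makes the pair redundant lives outside pf too: /etc/hostname.carpN on each box (same vhid and password on both, lower advskew on the preferred master) and /etc/hostname.pfsync0 pointing at the crossover interface. Check the file with pfctl -nf /etc/pf.conf (parse only) before loading it with pfctl -f /etc/pf.conf, and watch pflog0 with tcpdump while the default-deny line is new; that is where the "lot of checking up on in the beginning" shows up.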
We use MS Exchange and Active Directory *Cries*. We have Norton 9 Pro on the exchange server which does active scans of workstations throughout the network as well as incoming e-mails. We have recently had the Firewall scan all incoming traffic for certain types of files. We made the scan inclusive for certain common file types, example Excel. No Excel files of ANY sort get in unless they fit the rules.
When I said "Statics are more important" I am sorry, I meant Statistics are more important. Anyway, so that image is an idea of how it should all be run then? Now to give you an idea of our rack setup... *cries some more*. To give you an idea of our topology... we have 1 server rack with 20 servers (various sizes) which all plug directly into our Switch stacks. Our switches hehe. We have 8 patch panels with 24 ports each, these plug directly into the switch stack as well. We have 3 fiber boxes which connect the back (warehouse) to the front, and in the back we have more switches and workstations we are running off of. I can create a Visio quick diagram of our server rack and switch/modem stack if that would help with the advice in setup. I will start working on one, it won't take long, and I am sure it would help everyone understand things a bit better. Question... I am assuming that if OpenBSD 1 fails, signal is still coming from OpenBSD 2, which will allow the network to remain online. Obviously if the Hardware firewall fails it all goes down, but nothing we can do about that at present. And when you say switch 1 and 2 that is just generic names, since they are all on the 2 network right? No matter how we look at it, there is redundant signal coming in PAST the first hardware firewall point. (Looks good, nice and clean). BTW I like the cloud :-P
HERE is an idea of what our server room looks like, as far as the server racks and the switch racks go. There is more to the room, and more stuff in it, but this is the stuff we are talking about. The Modem is T-1, that is our only signal coming into the building for Internet.
DAMN, I created the file but I can not insert the image, it is not hosted anywhere. I am going to send it to your Forum box, assuming I can, so you can see what I am working with. When you get it, you will see our rack. What I would LIKE to do is in the rack put 1 or 2 for redundancy, OpenBSD servers in there, to run the firewalls. Now these will be Xeons with like a gig of RAM so I would almost use them for more than just firewall purposes, but that is just a possibility, I am sure we can get a low end server for this purpose. ALL of our Servers are DELL or worse... (Supermicro). I am encouraging my company to switch to IBM servers or something else. Either way, I will try to send you the file so you can see what we have NOW, and that will help define possible advice for this project. Sending now.
Here we go. Hosted the picture on Yahoo.
[rack image hosted on Yahoo; not preserved]
The image itself kind of sucks, I was trying to save space and not take too long as well. Either way it kind of illustrates our problem :-P As I said, most of the Racks are Dell 1850 - 1U, Dell 2850 - 2U, Dell 6500 6U. Total of 6 Nortel Baystack switches (48 port), 2 Nortel Baystack switches (24 ports). All at the top on the switch rack is just our patch panels. They plug directly into the 2 network switches starting from top to bottom. If you think this is bad, you should have seen it before my bosses started to clean it all up.
I can't view the image you posted. I use ImageShack to host images for stuff like this forum, check it out. Post a Visio diagram of your network layout (**NO real external IPs/Addresses or other company identifying information!!**) if you can ... * I won't go into UPS, power & cooling considerations for now.
I would never post that sort of info ;-) As for cooling, no worries, we had a special AC unit installed for the room, it is currently sitting at 71F right now :-) And as for backup power, we have a HUGE mother of a battery. The whole room is on it, it has enough charge to last for over an hour. Bout an hour and a half I think it is.
Rack Image
I can not get the image to embed into the post but the link to it is now above.