"The only way to completely secure a computer is to never turn it on."
- Anonymous Quote
Any and all trademarks mentioned in this text are property of their respective owners.
The goal of this presentation is to provide you with the info necessary to
determine the hardware and software needed to set up a gateway/firewall that
you can use to safely and effectively connect your LAN to the Internet.
Specifically, I'll answer the following questions:
Keep in mind that this presentation will not specifically tell you how to set up firewall rules or NAT (ip masquerading), nor how to install and configure any Linux distribution or any software, other than to point you to the appropriate information sources. Rather, we will be providing you the info you need in order to make sound decisions regarding the hardware and software needed for your particular gateway/firewall situation. In addition, you may have to contact your ISP (or Linux users whom you know have used Linux to connect to your ISP) for connection information.
It is also important to keep in mind that networking, although possible for mere mortals, can be fraught with frustration and problems. When all goes well, it can be quite easy to set up a small network, and life is grand. Bear in mind that there are many people who do network consulting or administration for a living. This is true precisely because installing, configuring and trouble-shooting a network can sometimes be an extremely difficult task. If you find yourself having significant problems setting up your own network, you may very well want to consider paying someone to do it for you.
What is a gateway/firewall, and why do I need one?:
A Gateway is a computer or dedicated hardware device that connects a LAN (Local
Area Network) to another network, typically the Internet. A router is one
example of a device that acts as a gateway. A Firewall is a computer or
dedicated hardware device that protects a LAN or computer from potentially
hostile network traffic. The functionality of gateways and firewalls is
sometimes combined so that one device provides both, but it doesn't necessarily
have to work that way.
With the proliferation of small office and home networks, it's pretty easy to see why you would want a gateway: Everyone wants to be on the Internet these days, don't they? And the way to connect your LAN to the Internet is via a gateway. It may not be quite so easy to see why anyone would want a firewall though, so let me enlighten you. The Internet is no longer the safe playground it once was. Viruses, worms, root kits, exploits, crackers and script kiddies abound, and the situation is not getting any better! The time it takes from the discovery of a vulnerability until it is exploited is constantly decreasing, and sometimes it takes less than a week before black hats start taking advantage of it. How can you run all sorts of potentially crackable services on your LAN, yet still have the benefits of being connected to the big bad Internet? With a firewall, that's how.
As an example of the difference a gateway/firewall can make, let me recount a couple of anecdotes from my own experience: I've been using Linux to directly connect to the Internet since 1994. Since then, I've had machines cracked twice. The first time was back in 1998. I had a server that acted as my gateway, and it was doing NAT (Network Address Translation, commonly known in Linux circles as IP masquerading) and no firewall rules. After the intrusion, the system was wide open and the miscreant had full root shell access that he had been regularly using for at least a week before I even discovered it. And the only reason I discovered it was because he was trying to ping flood someone over my dial-up connection. One day I was trying to surf the web, and pages were taking forever to come up. I did the usual trouble-shooting to see what was causing the slowdown, but 'ps' and netstat didn't show anything at all. But when I took a look at my modem, the transmit and receive lights were solid red: The line was maxed out. And as soon as I disconnected and reconnected it was maxing out again! But I finally managed to figure out that I was cracked. I had to re-install my whole system, and I never did know how they got in.
More recently (just this last month as a matter of fact), my server was cracked again. Even before I did my post-mortem forensics (Yep, since '98 I'd learned quite a bit about security) I had my suspicions about how they got in. Because I keep abreast of security issues, a few months ago I became aware that my secure web server was exploitable. But because I had recently built a newer machine to turn into a replacement for this server, and was still in the process of setting it up, I decided to take a chance on leaving the exploitable one up until the new one was ready. After all, it would only be a few months, and I'm only a little dial-up corner on the Internet, right? Wrong! It doesn't matter who you are or how insignificant your little network is, sooner or later, someone will try to crack it. For that matter, you may already have been cracked and not even know it! But a firewall can make a difference, and it did this time. Since '98, I had put in a separate machine as a gateway/firewall, and it has the only public IP address on my network. The rest of the machines use private IP addresses behind the firewall's NAT, with the ports that provide public services (HTTP, SMTP, SSH) being forwarded to the machine that acts as my web/mail/file server. Furthermore, it is not the same machine that acts as my file/web/mail server. When I got cracked this time, the cracker's attempt to set up their own private little ssh access server failed, and thus he did not gain root shell access! And the reason is that the firewall is a separate machine from the web server. When he exploited the web server, his rootkit set up a secure shell server on an odd port. However, that was on the web server, and of course, my gateway/firewall wasn't doing port forwarding for that odd port he used. And even if he did try to alter the firewall/port forwarding rules, it would have done no good, because he was on the wrong machine!
So in all, the amount of damage done was much less than during the first incident, and all because of a gateway/firewall on a separate machine.
Now you know why you want one, but just what is a firewall, anyway? What exactly does it do? To explain it in layman's terms, let me use an analogy: Remember when we were kids, how fascinating it was to watch little insects and animals do their thing? And to get a closer look, we'd often go find a jar so we could keep the little critters from going anywhere. But what happens when you put the lid on without first poking tiny holes in it, do you remember? Right, the critters died! So the tiny holes let the air in and out, but not the critters. And that's similar to how a firewall works: it puts a firewall lid on the jar that is the Internet, and through tiny little holes (the firewall rules) it lets only the air (that is, the network traffic that we deem safe) in or out.
By now it should be obvious to you why you not only need a gateway to connect to the Internet, but a firewall as well. Since most often one device performs the work of both (although it doesn't have to be that way if you prefer otherwise), I'm going to talk about them as one device for the rest of this presentation. Henceforth, I'll usually refer to this single device as a gateway or a firewall, depending upon whether the details pertain to one or the other, and occasionally I may refer to it as a gateway/firewall as need be.
What hardware do I need to set one up?:
By far, the easiest way to implement a gateway/firewall is to go out and buy a
dedicated hardware device. If you're one of those who prefer NOT to
do-it-yourself, or you'd rather not spend the significant time and energy that
it takes to set up a Linux box to be your gateway/firewall, then this is the
best way for you. These over-the-counter devices are usually called
DSL/cable-modem routers, and are available at most computer equipment retailers
(CompUSA, BestBuy, etc.). The prices are very affordable, costing from $50 to
$100, so there's no reason why you'd need to set up a Linux box to do this,
unless you really prefer to do the requisite hacking it will take to create one
from scratch. And the only software you'll need will be included with your
purchase. However, there are folks who would rather set up a Linux box, so
here's a list of reasons why you'd want to do so:
With the last reason, you'll want to keep in mind that older hardware, especially pre-Pentium hardware, often presents compatibility issues that have to be resolved. I highly recommend using Pentium class equipment or better to set up a Linux box, unless you're willing to do some very serious hacking. So you say you still want to use a Linux box? OK, here is a list of minimum hardware requirements that you'll need to meet in order to do so:
As far as memory goes, you can never have too much, but I recommend at least 8 Megs above the minimum required by the Linux distribution you choose to install. Keep in mind though, that the more services you want your gateway/firewall to perform (such as a DHCP server, or a caching name server), the more memory you'll need.
The amount of storage needed, and the type of device you use for storage will vary, depending on the Linux distribution and any additional software you choose to install. Some distributions that are specifically aimed at providing gateway/firewall services are meant to work right from a floppy, or you may want to customize a CDROM-based distribution, so you might not even need a hard drive. We'll talk more about that in our next section.
The number and type of ethernet adapters you will need depends on your particular circumstances, but as a general rule, two 10/100 adapters will be ideal. Even if you are using a dial-up connection, having two dual-speed interfaces will be more versatile, in the likely event that your needs change down the road. The basic idea is that you have one interface for the Internet side of the gateway/firewall, and one interface for the LAN side. Otherwise, if you connect your LAN to the same network segment (that is, the same hub or switch) as your Internet connection, it defeats the purpose of having a firewall, and your DSL/cable-modem then becomes the gateway.
What software do I need to set one up?:
Obviously, to set up a Linux gateway/firewall, you'll need Linux. However,
what is not so obvious is which Linux distribution to choose. Although you
could probably use any one of the well-known distros, you'll want to do a
bare-minimum installation in order to make your gateway/firewall more secure,
and this can be rather difficult with some of them. An alternative is to use
one of the specialty distros that are either designed to be used as a
gateway/firewall, or that allow you to "roll your own".
In my personal experience, Slackware and Debian are two of the standard distributions that allow you to install a very bare minimum system. Of the two, I find Slackware to be the easiest to configure, because its BSD-style init scripts are much easier to customize than Debian's SYSV-style init scripts. However, Debian's package management and wide range of available packages make it much less likely that you'll have to compile a software package from source. Regardless of which distro you choose, make sure your kernel is configured to do firewalling, IP filtering, and IP masquerading, or that the appropriate modules are available. Although most distros pre-configure their kernels for firewalling and masquerading, if yours doesn't, you'll need to recompile the kernel with those options enabled.
Once you've installed the bare-minimum Linux, the software you install thereafter will be determined by your needs. Remember, if you want to do any custom programming, or compile packages from source, you'll need to install the programming tools that come with your Linux distribution (such as gcc, ldd, ar, perl, etc.). And although you can create an extremely sophisticated gateway/firewall setup, remember that the more complex the machine, the higher the security risk. So the first thing you'll want to do is turn off all unnecessary services that could potentially allow the gateway to be compromised (and remember to firewall any service you have to leave running). For the highest security, I recommend no daemons/services other than those needed to establish your connection to your ISP, not even secure shell access, and using a monitor and keyboard if you need access to the machine. However, this is not very practical for a "headless" gateway/firewall machine, so you'll probably want to at least run sshd so you have remote access to the machine. Regardless, DO NOT ENABLE TELNET ACCESS, as it transmits passwords in clear text. To enhance the security of the secure shell daemon, run it on some arbitrary high port (but don't forget which one, eh? ;^). Make sure you do not install or run any NFS client/server software, and that you remove "-bd" from sendmail's start-up command line so that it doesn't accept connections on port 25, yet still processes the queue. I recommend turning off inetd/xinetd altogether, as there is nothing there that a gateway/firewall is likely to need. You should also make sure to disable the start-up of the LPD (printer) service, and if you installed a web server, make sure that you disable it too. Although you do want syslogd running, make sure that it doesn't accept connections from remote hosts, and you really should configure it to log to a server running on your network for easier monitoring.
There may be other services running, so the idea is to turn off everything except what is needed to successfully run the gateway. Finally, make sure you only add one non-root user whose username is unique to the gateway/firewall box. Moreover, make sure both the root and non-root passwords are likewise unique to this machine.
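A quick way to check that you really did turn everything off is to compare what is actually listening against the short list of things the gateway is supposed to run. The script below is an added example, not part of this presentation: it reads `netstat -ln` style output, ignores established connections, and reports every TCP listener or bound UDP socket that is not on an allowlist. The allowlist (sshd on the made-up high port 2222, ntpd on UDP 123, dhcpd on UDP 67) and the sample netstat lines are constructed for the example; substitute your own port numbers.

```shell
#!/bin/sh
# Listening-socket audit for a stripped-down gateway/firewall (added example).
# Allowed "proto/port" pairs.  2222 is a made-up high port for sshd; 123 is ntpd; 67 is dhcpd.
ALLOWED_LISTENERS=${ALLOWED_LISTENERS:-"tcp/2222 udp/123 udp/67"}

# Constructed sample in the format of `netstat -ln` (not captured from any real host).
# It deliberately contains three things the text above says to turn off:
# telnet (tcp/23), sendmail accepting mail (tcp/25) and syslogd accepting remote logs (udp/514).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:2222        192.168.1.5:41234       ESTABLISHED
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# audit_listeners: reads netstat output on stdin, prints one line per socket that is
# not on the allowlist, and returns 0 when nothing unexpected was found, 1 otherwise.
audit_listeners() {
  awk -v allowed="$ALLOWED_LISTENERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
      # A TCP socket only counts as a service when it is in LISTEN state;
      # every bound UDP socket counts, since UDP has no listen state.
      if ($1 ~ /^tcp/ && $6 != "LISTEN") next
      proto = $1; sub(/6$/, "", proto)
      port = $4; sub(/.*:/, "", port)
      key = proto "/" port
      if (!(key in ok)) { print key " bound on " $4; bad++ }
    }
    END { exit (bad > 0) }'
}

# Run against the live machine with:  sh audit.sh --live
case "${1:-}" in
  --live) netstat -ln | audit_listeners ;;
  *)      printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners ;;
esac
```

Each reported line maps to one of the steps above: tcp/23 means telnet is still enabled, tcp/25 means sendmail is still running with "-bd", and udp/514 means syslogd is still accepting remote connections. Run it again after each change until it returns nothing.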
Now that you've turned everything off, let's take a look at some of the software you might want to install and actually turn on as a part of your gateway/firewall. Aside from the IP filtering/masquerading tools, which most likely are a part of your Linux distribution, you will need a way to get your gateway/firewall to connect to your ISP. I use a dial-up connection, so for me the software that does the trick is pppd (the Point-to-Point Protocol daemon), which came with Slackware. Because pppd takes care of the IP address assignment, and can be configured to set up the appropriate routing, I don't need software that deals with IP address assignment. Folks who use a DSL/cable-modem may not be so lucky, and may have to install a DHCP (Dynamic Host Configuration Protocol) client to handle IP address assignment, and some of them may be even worse off and have to install PPPoE, which handles Point-to-Point connections over ethernet.
We've covered the software that is absolutely necessary for a gateway/firewall machine, so let's take a quick look at some perks that you might want to add. If you're like me, and want to allow visitors with a laptop to connect to your network, you might want to have your gateway act as a DHCP server and dynamically hand out IP addresses as needed, so a DHCP daemon (dhcpd) is in order. As well, I like all my machines to keep accurate time, so my gateway also acts as an NTP (Network Time Protocol) server running ntpd. If you have a gutsy machine with lots of memory (64 Megs or better), you might even want to run a caching-only nameserver, but that would overwhelm my little 486/66 with its mere 16 Megs. Remember though, the more you run, the greater the security risk, and the whole idea of using a firewall is to enhance security, not decrease it.
If you're setting up a Linux firewall, doing the rules by hand can be painstaking, and although you learn a whole lot more about the underlying protocols, you may want to avail yourself of one of the various firewall configuration tools available. There is even a website that provides one online (http://www.linux-firewall-tools.com/linux/firewall/index.html). Although it might be fun to plunk around with, I don't know how much trust I'd put in it to create my actual firewall rules. ;^) There are GUI tools too, but if you choose to use one, find one that allows you to create a rule set that you can export, because you really shouldn't be running a GUI environment on your firewall, eh?
Where do I go for more information:
So now that you have an idea about what to install, let's take a look at where to get
some of this software and information about using it. First, there are two very
good books that I highly recommend:
For a long time this was the only book regarding Unix and Internet security, but it didn't matter because it was an all-encompassing definitive reference. And even now, with the proliferation of Unix/Linux/Internet security books, it is still the one book to get if you can only buy one.
This book not only gives you the big picture about firewall necessity, design, and use, it also gives very specific examples. A good book to read before you design and set up your own firewall.
Both books are well worth even their list price, but you can most likely get them cheaper. As to the software you may want to install, remember to check that your Linux distribution includes a pre-packaged version first. If not and you need to "roll your own" from source, or if you need more info about the software, here's a list of links:
PPP Daemon for Linux, Solaris 2, *BSD, SunOS 4, Digital Unix, SVR4, NeXTStep, and Ultrix. This allows Unix machines to connect to the internet through dialup lines, using the PPP protocol, as a PPP server or client. Works with 'chat', 'dip', and 'diald', among (many) others. Supports IP, TCP, UDP and (for Linux) IPX (Novell).
rp-pppoe is a PPPoE client and server suite for Linux, NetBSD, Solaris, and Mac OS X Beta. It is fully RFC-compliant and supports cookies, relay-IDs, and multiple simultaneous PPPoE discovery phases. It is cleanly coded and fairly efficient, and supports kernel-mode PPPoE on Linux 2.4.x.
The ISC Dynamic Host Configuration Protocol Distribution provides a freely redistributable reference implementation of all aspects of the DHCP protocol, through a suite of DHCP tools:
NTP is a protocol designed to synchronize the clocks of computers over a network. NTP version 3 is an internet draft standard, formalized in RFC 1305. NTP version 4 is a significant revision of the NTP standard, and is the current development version, but has not been formalized in an RFC. Simple NTP (SNTP) version 4 is described in RFC 2030.
If you want to use Linux to set up a full-fledged router (but be ready for some very serious hacking) you'll want to take a look at Zebra:
The SYRLUG website also has a complete and fairly recent collection of HOWTOS. Here is a list of titles you may want to take a look at:
A small distribution for building routers.
Coyote Linux is designed for use by those wishing to share an Internet connection that is provided via an ethernet connection with other computers that are connected to a local area network (LAN). These types of connections include cable modems, DSL lines and leased lines. The primary focus of the Coyote design is to make it as easy as possible to configure and use.
Using KYZO's unique LinuxROM distribution, a PizzaBox Server boots and runs entirely from a bootable Flash ROM, giving the server system security, reliability and ease of use not available from hard disk based operating systems.
Routerlinux is a uClibc/BusyBox based GNU/Linux distribution that is designed to run from a DiskOnChip (or other solid-state storage device). Its intention is to turn "industry-standard and affordable" embedded x86 hardware into full featured routers using 100% open source software.
Astaro Security Linux is a new firewall solution: It does stateful inspection packet filtering, content filtering, virus scanning, VPN with IPSec and much more. With the web-based management tool and the ability to pull updates over the Internet it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution; most daemons are running in change-roots and are protected by capabilities.
Devil-Linux is a mini distribution especially designed for a firewall and promises easy customization. Devil-Linux Boots from CD so there is no need for a harddisk. It supports Intel 486 and higher processors and uses the latest Linux kernel.
Fli4l is a single floppy Linux-based ISDN, DSL and Ethernet-Router. It is designed to convert old computers (486's) into productive network machines.
floppyfw is a static Linux router with firewall-capabilities. It is based on packages from Debian.
Linux distribution based on the Linux Router Project and Coyote Linux. This distribution offers a preconfigured router/firewall to provide dhcp and time services to any home or small business LAN.
Gibraltar is a Debian GNU/Linux-based router and firewall package that boots directly from CD-ROM. Comes in commercial and free versions.
IPCop is a complete Linux distribution that is designed to protect home or corporate networks from attack. It is based on SmoothWall, another security conscious distribution.
Distribution geared toward those who have unused older equipment that they want to convert into firewalls.
When you boot your computer from the White Glove CD, it instantly becomes a Linux powerhouse. It comes complete with firewall software, drivers for most Ethernet cards and Disks, a wide range of networking and other amazing tools, and even complete and secure web and DNS servers. It includes an on-CD manual and tutorial, menu-based services from the X11 graphical user interface, and a set of tools that meet or exceed those you are used to today. It's easy to use, easily fits in your shirt pocket, fast to boot and run, reliable, secure, and inexpensive.
GENDIST (the Linux Distribution Generator) allows you to create your own special mini-distribution. It creates a makefile-based build system for your distribution, and helps you to automate the following three tasks: maintaining your root filesystem, maintaining your "CD filesystem" (in case you create a bootable CD), and packaging everything on media. GENDIST 1.4.7 (Stable) was released December 29, 2002.
Keeper Linux fits on two floppy disks. It is designed for use in specific application areas, such as dedicated network gateways, firewalls and the administration of remote systems. Release 1.1a came out March 14, 2002. Version KLX-2.01, released April 23, 2002, boots directly from CDROM with its root filing system in ramdisk (no hard disk required).
FREESCO (stands for FREE ciSCO) is a free replacement for commercial routers supporting up to 3 ethernet/arcnet/token_ring/arlan network cards and up to 2 modems. Mirror sites are available in Canada, Europe, Russia, and South Africa.
BBLCD is the acronym for Bernhard's Bootable Linux CD or Build your own Bootable Linux CD. BBLCD is a toolkit for building your own bootable Linux CD from your favorite (and possibly customized) distribution. It uses, more or less, an intelligent cp -a / /dev/cdrom to create a CDROM from an existing system. Version 0.7.7 was released April 9, 2003.
Timo provides an easy way to generate a rescue system on a bootable CD, which can be easily adapted to your own needs. The project has evolved into a "Debian on CD" project, so it's not only possible to use the system as a rescue CD, it is also possible to install a whole Debian system on CD. Works with other distributions as well.
TrX is a project that aims to produce a Debian GNU/Linux-based desktop router and firewall package based on Knoppix. This system will be bootable directly from CD-ROM, so hard disk installation will not be necessary. The initial Freshmeat release of TrX, version 3.2, was made available March 12, 2003.
Some Firewall Tools:
Here are some links to various firewall tools and websites, again in no
Guarddog is a GUI firewall configuration utility for Linux systems. Its goal is to provide an easy way to build firewalls for novice to intermediate users, and users who would rather not deal with shell scripts and ipchains/iptables parameters.
Firestarter is a free firewall tool for Linux machines that provides a user-friendly Gnome2 optimized GUI that works in KDE too. It has a wizard that customizes the firewall to your needs, and it provides advanced firewall and tuning features.
An Object-oriented GUI and set of compilers for various firewall platforms. Currently has implemented compilers for iptables, ipfilter and OpenBSD pf. Was featured in May and June 2003 editions of the Linux Journal.
Ipmenu is a text-based user interface to Netfilter/iptables and Linux policy routing or traffic control, allowing you to edit firewall rules and configure the firewall to "mark" packets for policy routing or for class based queueing (CBQ).
IsinGlass is a script which is meant to make the average user's machine more secure when connected to the Internet, for example, when dialing up via a local ISP. The problem is that the average machine is running daemons (background processes) that the average user doesn't even know are running. Many of these have exploits which can allow another user on the Internet to gain access.
Mason is a tool that interactively builds a firewall using Linux' ipfwadm or ipchains firewalling. You leave mason running on the firewall machine while you are making all the kinds of connections that you want the firewall to support (and want it to block). Mason gives you a list of firewall rules that exactly allow and block those connections.
Mason was specifically designed to make it possible for anyone with the ability to generally find their way around a Linux system to build a reasonably good packet filtering firewall for any and every system under their control. It takes care of all the low level grunt work; all you need to do is follow the instructions and be able to run all the TCP/IP applications that need to be supported.
The SINUS firewall is a free and easy way to protect your network. It provides filtering of all header fields in the IP, TCP, UDP, ICMP, IGMP packets, intelligent RIP and FTP support, an easy to understand, text-based configuration, a graphical management interface for configuration of several firewalls, and several other features.
The ipfwadm dotfile module is intended to make setting up IP Masquerade and basic firewalling on a small network easier for Linux users who aren't professional network administrators. It utilizes Jesper Pedersen's Dotfile Generator to provide a GUI shell around the ipfwadm command. It also automates some of the confusing and obscure details of firewall and IP Masquerade configuration. It is not, however, intended to be a replacement for an experienced network administrator in a critical environment.
fBuilder is a web-based utility for building and configuring your ipchains or iptables based Linux firewall. Written by the author of fwconfig, our fBuilder product line brings you many new and exciting features that will fit your firewall creation needs. InnerTek Software currently offers two versions of fBuilder: fBuilder Lite - a free version of fBuilder that includes a standard set of features and the commercial fBuilder Plus - which includes edit, insert, and delete capabilities for firewall rules, automatic back traffic rule creation, log reporting and export capabilities.
The Bastille Hardening System attempts to "harden" or "tighten" Unix operating systems. It currently supports the Red Hat, Debian, Mandrake, SuSE and TurboLinux Linux distributions along with HP-UX and Mac OS X. We attempt to provide the most secure, yet usable, system possible.
harden_suse is a system security script for SuSE Linux only. It makes several changes to the system configuration to make the operating system very secure and therefore very resistant to local as well as remote attacks.
A tutorial that can help you secure your Linux machines.
By now you should have the information you need to decide whether or not you want
to buy a commercial gateway/firewall device, or use a Linux box and build your own.
If you want to build your own, you should have a rough idea what kind of hardware
and software you will need, and some basic configuration tips. As well, you should
now be aware that there are several informational resources available in print
and on the web. To sum up what we've covered: