LINUX SECURITY --- July 25, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Firewalling: It's more important than you think
*********************************************************************

Firewalling Linux with IPCHAINS
by Rick Johnson

The basis of securing any network is a decent firewall, and the first choice should always be a dedicated firewall appliance at the front line that allows reasonable control of traffic entering from the outside. However, firewalling is a task typically avoided by Linux administrators. I continually hear the same reason: "It is too complicated," or my favorite, "It is not that important, I stay up to date on bug fixes and patches." Well, it is that important and does not need to be so complicated. Even with a firewall protecting the server from the outside world, it is always wise to firewall the local box itself.

Thankfully, the world of Linux has made it possible with ipchains. Paul "Rusty" Russell deserves tremendous praise for such a well-designed product. If you have tried to firewall any of the current Linux distributions, then ipchains is not foreign to you. I will admit, it can be intimidating for those who are new to firewalls; but for a free, built-in packet filter, it is an indispensable tool for securing your box. The best part is, most distros are configured and ready to use ipchains straight out of the box.

To truly do justice to this tool, we would easily need more space than this newsletter provides. Therefore, I will not even pretend to cover it all here. For an in-depth description, you really should read the ipchains HOWTO (http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html). However, if taking the time to learn firewall construction inside and out just does not fit in your schedule, there is still hope.
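Before turning to the generators, here is what a hand-written ipchains host firewall of the kind recommended above looks like. This is an added example, not the newsletter's or PMFirewall's code; it assumes a single outside interface eth0 with only SSH and HTTP offered to the outside, and it prints the rules so they can be reviewed before being loaded.

```shell
#!/bin/sh
# Minimal ipchains host firewall (2.2-era kernels) for a single-NIC box.
# Added example, not the newsletter's or PMFirewall's code. Assumptions
# (constructed): the outside interface is eth0 and the box publishes SSH
# and HTTP; every other inbound connection is logged and denied.
EXT_IF="eth0"        # outside interface, edit to taste
SERVICES="22 80"     # TCP ports reachable from outside

# Print the rule set instead of running it, so it can be reviewed or
# tested before it is loaded into a live kernel.
build_rules() {
    # Start clean, default-deny inbound, let the box itself talk out.
    echo "ipchains -F input"
    echo "ipchains -P input DENY"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -P forward DENY"
    # Loopback must stay open or local daemons break.
    echo "ipchains -A input -i lo -j ACCEPT"
    # Source addresses that cannot legitimately arrive from outside: log and drop.
    for net in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "ipchains -A input -i $EXT_IF -s $net -l -j DENY"
    done
    # New TCP connections only to the published services.
    for port in $SERVICES; do
        echo "ipchains -A input -i $EXT_IF -p tcp --dport $port -j ACCEPT"
    done
    # ipchains is stateless: admit TCP packets that are not bare SYNs
    # (replies to the box's own sessions) and DNS replies from port 53.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp --sport 53 -j ACCEPT"
    # ICMP needed for working networking; echo-reply so outbound pings work.
    for t in destination-unreachable time-exceeded source-quench echo-reply; do
        echo "ipchains -A input -i $EXT_IF -p icmp --icmp-type $t -j ACCEPT"
    done
    # Log whatever falls through; the DENY policy then drops it.
    echo "ipchains -A input -i $EXT_IF -l -j DENY"
}

# Number of commands in the generated set (handy for a sanity check).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# "sh firewall.sh apply" loads the rules; needs root and an ipchains kernel.
if [ "$1" = "apply" ]; then
    build_rules | sh
fi
```

Run it without arguments to review the rules; the stateless `! -y` rule is the main caveat, since it admits any non-SYN TCP packet and is exactly what later stateful filters improve on.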
The Linux community has once again provided a number of automatic configuration tools to get you started. A search of Freshmeat.net easily turns up over 25 different tools to accomplish this task. I would like to point out that, while an out-of-the-box tool is great for beginners, it should only be used as a starting point -- there is no substitute for a carefully written and diligently maintained firewall script.

The tool I prefer for generating a starting ipchains firewall is PMFirewall (http://www.pmfirewall.com). This firewall should work for most Workstations, Servers and Dual NIC routers using a dialup, DSL, Cable or LAN setup. It is restrictive to outside attacks while still being transparent to those inside. Why do I choose PMFirewall over some of the other fine tools available? The answer has nothing to do with one being better than another -- it is far simpler, I wrote it. For those who need it, a step-by-step installation tutorial is available on the Mandrake Linux Web site (http://www.linux-mandrake.com/en/demos/Networking/IPmasq/pages/ipmasq3.php3).

Neither this nor any automatic firewall configuration program is as secure as one carefully written by hand, but they are great for developing the initial framework. What you choose to do after that is up to you.

Resources

Internal system security enhancements
http://www.linuxworld.com/linuxworld/lw-1999-07/lw-07-ramparts-3.html

Securing Linux, Part 2: Advanced Linux security
http://www.linuxworld.com/linuxworld/lw-1999-06/lw-06-ramparts.html

The back door to FrontPage: Meet two open source offerings -- without back doors
http://www.linuxworld.com/linuxworld/lw-2000-04/lw-04-penguin_3.html

************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for an emerging Managed Service Provider. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************