How do you Configure a Secure DSL Network?

MorganGoeller asks: "I have an old Pentium 200 w/128 MB of RAM that just got a new 6.4 GB disk, but doesn't have anything on it. I would like to set the new machine with RH 6.1 for either: a standalone file/network backup/pop/nntp/web server (mostly for internal use); a firewall/proxy server; or both. However, I am an intermediate Linux user and am not sure where to begin." Anyone with somehelpful hints or starting tips? Click below for the details.

"I have a home network consisting of 1 linux box (RH 5.2, too chicken to upgrade as I can't have it go down for an extended period); 1 win 98 box (for my wife to use AOL and MS-Office, don't ask) connected to the internet through a persistent 640K DSL connection through US West. I am concerned that my network may be at risk and would be willing (but not excited) to spend some time securing the system if necessary.

My questions:

1. With DSL and DHCP going through USWest's gateway is my system reasonably secure?
2. What is the difference between a firewall and a proxy server? What is the best one to use considering all network data MUST come through my DSL modem before any processing can be done?
3. Is it a bad idea to put other features (file server, etc.) on a system that is a firewall and/or proxy server?
4. How dificult is it to set up a firewall and/or proxy server? I rather like having the mail/news server on my linux box and don't want to give it up (particularly) but I don't often log in from outside the network ...
5. What kind of configuration would you use for this situation? Keep in mind that my wife needs her Win98 machine for work and I need at least one linux box for me (for email, shell scripting, running Matlab, Maple, g++, PERL, Web Programming, etc.)

Thanks,

Morgan"

Try to answer them in order

[drix]

1. Well.. you don't really have a choice. You have to get your DHCP from USWest, no two ways about it. As far as security, the only thing anyone could gain by messing with DHCP transmissions to and from your computer is a useless denial-of-service attack. Nothing to worry about there. DSL in general is as secure as any other internet connection - it's less secure than a dialup line just because you're not connected all the time, but it's not much different than T1 or any other full-time connections in that regard.
   
2. A firewall inspects every packet that it is instructed to and does any one of a number of things to it - drop the packet, permit it, etc. From this basic functionality you can set up security on your box such that certain ports / IPs are allowed to talk to it and others aren't. That's a gross oversimplification. You should check the Firewall-HOWTO that's available all over.
   
   A proxy server simply listens for requests from services (usually web) and goes out and does all the work. For example, Squid, a web proxy server, listens for web requests and then accesses the pages and sends them back to the computer that asked for them. The benefits of this are speed - Squid will remember what pages it's asked to retrieve most frequently, and save local copies of those so it can send them right off the hard drive instead of downloading them when it's asked.
   
   You should note that firewalls and proxies aren't mutually exclusive. Lots of people, myself included, run a firewall to keep the baddies out, and a proxy server to speed things up a bit.
   
3. Lots of people here will say yes. Just think of it this way: it's a bad idea to run any service that you don't need. Redhat 5.2, for example, ships with the mail, web, ftp, samba, nfs, rpc, finger, telnet, etc. servers all enabled. This is pointless; you probably don't need every single one of them (although some people do). Aside from taking up memory and CPU time, all these things you now have running have possible security holes in them. It's nt a linear scale, but disabling half your services would probably cut your chance of being hacked in half, so to speak. One word of advice to you would be to use encrypted sessions for whatever services you do decide to use. Telnet, for example, is just a glorified TCP/IP session, and is plainly readable to anyone that has the means to. Thus, if you're telnetting to your house across the internet, anyone can read your name, password, address, phone number - whatever you're typing in. Definitely I would use SSH and also stunnel for IMAP/POP across the internet. Your box is as secure as you make it - spend a lot of time upgrading to squash bugs, disabling unneeded processes, and using common sense, and you'll make your foes' jobs a lot harder.
   
4. Firewalls are not incredibly hard. It took me about two days of playing with IPCHAINS (the firewall program) and reading the HOWTOS to become proficient. Squid (proxy server), on Redhat, works pretty much out of the box. Only three or four lines to the Squid configuration file to get it up and running. Remeber that you can run other service on your firewall/proxy - mail, news, whatever. I run tons on mine.
   
5. Well, I'm using your configuration. RH 5.2 (too lazy to upgrade, as well) masquerading/firewalling/proxying six Windows 98 boxes, an iMac, and a powerbook. It's worked like a charm for months. I've never, once, had Linux crash. I'm far more worried about my 6 year old hard drive giving out at the moment than I am about the server going down. Good luck!
   
   
   

--
"Some people say that I proved if you get a C average, you can end up being successful in life."

Depends on how specific you want to be.

[DrZaius]

In the 'Real World,' you would never run more than one service on a box. In a home lan situation, you can cheat.

I'm not saying don't keep security in mind, but there shouldn't be anything wrong with using a fileserver for a firewall on a home lan. Just remember that your files are on the internet, so don't do stupid things like public shares.

Ipchains can do some really nice things for you. For instance, you can say, "I don't want any traffic from eth0 going to the rpc ports."

So, if you have two nics in your gateway, and eth0 is plugged into your modem and eth1 is plugged into a hub on your lan, your local boxes could talk rpc to the gateway, but any box on the internet couldn't.

This does take a lot of research. I suggest getting nmap and port scanning. For the most part, you are safe if you can scan from a box on the internet (borrow a shell) and see only a ssh port open, or whatever other services that need to talk to the internet.

As for setting up a file server, just pick a daemon and make sure all of your workstations have clients. You probably want to use samba since it is more secure (relativily) than nfs (aka No F*cking Security). Then again, meet your needs.

Another post on this thread mentioned getting a 486 and setting it up as a gateway. If you do this, and still want to offer nntp and smtp to the outside world, you will have to port forward. There is nothing wrong with that, but it can get messy if you get lazy.

have fun.