I've got a Cisco dial-in ISDN router to connect a LAN to the Internet. Mr. Boss wants a firewall to be placed behind the Cisco. Now I thought I could set up an old 486/40 box with two NICs and SuSE 7.0 to do the trick. It's no problem to install the box with its own dial-in device (modem). It does firewalling and masquerades the LAN nicely. If I switch off masquerading and set the world device to eth1 (towards the Cisco), it stops incoming packets from the LAN. I can watch them come in on eth0 with tcpdump, but they don't show up on eth1 of the "firewall" PC. They come through when I enable masquerading again, but then I get double MASQ and my LAN boxes get confused.

How can I solve this with YaST?

I'd rather not set up my own rule sets before I get deeper into the topic. I'd like at least the protection that the SuSE dudes could produce with their sophisticated script.

Btw. I assume real clever hackers get in almost everywhere, but they are rare. On the other hand there are thousands of script kiddies scanning the Net when they are home from school, or the whole day if they have a flat rate. Their scanners are pounding our Cisco, which presumably doesn't offer services to the outside itself but does masquerade our LAN. Is there a potential danger that a SubSeven probably lurking in a LAN box could answer the call of such a scan and offer its services to the attacker? In other words, doesn't masquerading itself offer a good deal of security since it hides our PCs?

Later, Andreas
I'm not quite sure of your exact setup here, as you don't specify everything. I really need to know what services your internal clients require. You do say something about double masquerading, so I assume that you in fact have a private range (i.e. 192.168.x.x/24 etc.) on your LAN. If you are running PAT (which works very similarly to masquerading on Linux) on your Cisco as opposed to NAT. (I am going to assume that you ARE running PAT, as that would be the setup you would use if you only have 1 IP given to you by your ISP.) If not, the setup I recommend would be different. Anyways, going on these assumptions...

If you only need web and FTP access I would forget the SuSEfirewall script, and just run a stripped copy of SuSE running squid. I would block all IPs outbound on the Cisco, and take away the default route from your workstations. Only give the SuSE box a default gw. You can check that your SuSE box is sufficiently secure by running the command "netstat -nat": the ONLY thing you should have "LISTENING" in this scenario is port 3128 (which is squid's default port). Anything else you have running is a potential security hole (vulnerable from your internal network only, to be sure, but still a possible hole).

If you DO need masquerading/PAT from the internal network, i.e. to check external POP accounts, I would probably still not use the SuSEfirewall script. Please don't get me wrong, I think the SuSEfirewall script is awesome, but Linux packet filtering is really not any more advanced than a properly configured Cisco. (i.e. SuSEfirewall is a GREAT frontend config tool for IPChains, but IPChains is the limiting factor here.)

If we were talking about NetFilter on a Linux 2.4.x kernel, then I would say go with Linux and not the Cisco (although you would still be limited by the fact that you do not have enough IPs to actually route an IP to your SuSE box). If you are not confident of your ability to configure Cisco ACLs (or if your Cisco is running an old version of IOS without good filtering and you don't have enough RAM on it to upgrade to a decent one), you could use two private subnets, one on each i/f of the Linux box, route all of your workstations via the Linux box, attach the Cisco to the other interface, and do the filtering on the SuSE box and the PAT on the Cisco. This will give you double protection. I would do it like this:

[LAN (192.168.0.x/24)] --(eth0 192.168.0.1) [SuSE] (eth1 192.168.1.1) ---- (et0 192.168.1.2) [cisco] (live ip here) -- [Internet]

To answer your question re security and PAT (you are almost certainly running PAT and not NAT): yes, PAT for the most part only allows outgoing connections, with the exception of DNS and some other UDP connections. (UDP is connectionless and as such is tricky to NAT/PAT/masquerade/firewall.)

Bah, I think I have typed enough based on assumptions about your setup. If you have further questions, just ask, and I'll clarify..

Cheers
Nix

At 02:53 AM 9/10/2000, you wrote:
I've got a Cisco dial-in ISDN router to connect a LAN to the Internet. Mr. Boss wants a firewall to be placed behind the Cisco. Now I thought I could set up an old 486/40 box with two NICs and SuSE 7.0 to do the trick. It's no problem to install the box with its own dial-in device (modem). It does firewalling and masquerades the LAN nicely. If I switch off masquerading and set the world device to eth1 (towards the Cisco), it stops incoming packets from the LAN. I can watch them come in on eth0 with tcpdump, but they don't show up on eth1 of the "firewall" PC. They come through when I enable masquerading again, but then I get double MASQ and my LAN boxes get confused.
How can I solve this with YaST?
I'd rather not set up my own rule sets before I get deeper into the topic. I'd like at least the protection that the SuSE dudes could produce with their sophisticated script.
Btw. I assume real clever hackers get in almost everywhere, but they are rare. On the other hand there are thousands of script kiddies scanning the Net when they are home from school, or the whole day if they have a flat rate. Their scanners are pounding our Cisco, which presumably doesn't offer services to the outside itself but does masquerade our LAN. Is there a potential danger that a SubSeven probably lurking in a LAN box could answer the call of such a scan and offer its services to the attacker? In other words, doesn't masquerading itself offer a good deal of security since it hides our PCs?
Later, Andreas
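An added example, not part of Nix's message: a small Python script that automates the "netstat -nat" check he describes, flagging every TCP listener other than squid's port 3128. The netstat output embedded below is constructed for illustration, not captured from the poster's box; run on a real machine the script reads the live netstat output instead and falls back to the sample only if netstat is unavailable.

```python
import subprocess

# Constructed sample of `netstat -nat` output (not from the poster's box):
# squid on 3128 plus two extra listeners that would violate the
# "only 3128" rule from the message above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:3128        192.168.0.7:1034        ESTABLISHED
"""


def listening_sockets(netstat_output):
    """Return (address, port) tuples for every TCP socket in LISTEN state.

    Works on the 6-column `netstat -nat` layout (Proto Recv-Q Send-Q
    Local Foreign State); tcp6 lines such as ':::22' are handled too.
    """
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def unexpected_listeners(netstat_output, allowed_ports):
    """Listeners whose port is not in allowed_ports; each is a potential hole,
    even if only reachable from the internal network."""
    return [(addr, port)
            for addr, port in listening_sockets(netstat_output)
            if port not in allowed_ports]


if __name__ == "__main__":
    try:
        out = subprocess.run(["netstat", "-nat"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("netstat not available, auditing the constructed sample instead")
        out = SAMPLE_NETSTAT
    for addr, port in unexpected_listeners(out, {3128}):
        print(f"unexpected listener: {addr}:{port}")
```

On the sample above the script reports 0.0.0.0:21 and 127.0.0.1:25; the ESTABLISHED squid connection is ignored because only LISTEN sockets are audited.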
On Tue, 10 Oct 2000 20:47:54 +0800, you wrote:
To answer your question re security and PAT (you are almost certainly running PAT and not NAT): yes, PAT for the most part only allows outgoing connections, with the exception of DNS and some other UDP connections. (UDP is connectionless and as such is tricky to NAT/PAT/masquerade/firewall.)
Two Qs: 1) What's the difference between PAT and NAT? 2) I'd like some more information about how secure a (private-IP) intranet is behind a router performing NAT/PAT or similar (which obviously has got a real IP address). My personal thoughts are that if the NAT device isn't implementing any port forwarding to any internal machine, the said machine is safe. Correct? So, the intranet would be safe from external attacks (supposing router access is not granted and its configuration is safe from hackers) without needing a fw or router filters, isn't it? Am I missing some interesting points? Regards.
* systemx@madmail.com wrote on Mon, Oct 16, 2000 at 10:15 +0200:
On Tue, 10 Oct 2000 20:47:54 +0800, you wrote: 1) What's the difference between PAT and NAT?
PAT is port address translation and similar to masquerading. Every connection from inside is translated to a port of (usually?) ONE external (real) IP address. NAT (network address translation) translates IPs to IPs. If you have, e.g., ten real IPs, you could allow ten connections. Every internal IP is translated to one external IP. You may translate networks to other networks, e.g. 192.168.0.0/24 to 1.2.3.0/24 or so, which is not very common since you would need a lot of external addresses. But with this method it's possible to connect to such a machine from outside on a different port, which is impossible with simple PAT (but there are ways, like the ip_masq_ftp module).
2) I'd like some more information about how secure is a (private-IP) intranet behind a router performing NAT/PAT or similar (which obviusly has got a real IP address). My personal thoughts are that if the NAT device isn't implementing any port forwarding to any internal machine, the said machine is safe. Correct?
Well, it's safe like behind a good firewall, yes. But there are still a lot of attack methods. The simplest form is an email worm. Viruses can still intrude with FTP/HTTP transfers, of course. A trojan can connect to some attacker (since it's an outgoing connection). If you use unsecured protocols (e.g. telnet) it's possible to do session hijacking; this may be dangerous. Other attacks like DNS spoofing work, and last but not least the entire network is never more secure than the firewall itself; if the firewall gets hacked (by a buggy FTP or similar) you're lost ;) So do not run any services on the firewall, maybe ssh, but not more.
So, the intranet would be safe for external attacks (supposing router access is not granted and its configuration is safe from hackers) without needing a fw or router-filters, isn't it?
Well, doing masquerading is an (implicit) firewall filter rule saying: do not allow connections initiated from outside to inside, only from inside to outside is allowed (inside means the secured network). But that's not the maximum security, of course. If you have one trojaned machine inside your network, your security is lost, since the machine is allowed to do anything (connect to an outside attacker, steal data from inside and send it out, and so on).

oki, Steffen

-- This message was generated by machine and therefore bears neither signature nor seal.
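An added example illustrating Steffen's two answers above (the PAT/NAT distinction, and why masquerading blocks unsolicited inbound connections but not a trojan's outbound callback); it is not part of the original messages. It is a toy model of the two translation schemes in Python, not the Linux ip_masq code. The addresses, the scenario functions, and the `loose_udp` switch (which models the looser treatment of UDP that Nix mentions, not the kernel's exact logic) are all constructed for illustration; 27374 is SubSeven's well-known default port.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    """Port address translation, i.e. Linux masquerading: every private host
    shares ONE public address and each outbound flow gets its own public
    source port. Inbound packets are only forwarded when they match a flow
    that was opened from the inside; everything else is dropped."""

    def __init__(self, public_ip: str, first_port: int = 61000, loose_udp: bool = True):
        self.public_ip = public_ip
        self._next_port = first_port
        self.loose_udp = loose_udp       # assumption: accept UDP from any peer on an open port
        self.flows = {}                  # (proto, src, sport, dst, dport) -> public port
        self.by_port = {}                # (proto, public port) -> flow key

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.flows.get(key)
        if port is None:                 # first packet of this flow: allocate a port
            port, self._next_port = self._next_port, self._next_port + 1
            self.flows[key] = port
            self.by_port[(pkt.proto, port)] = key
        return Packet(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """De-translate a packet from the Internet; None means dropped."""
        key = self.by_port.get((pkt.proto, pkt.dport))
        if key is None or pkt.dst != self.public_ip:
            return None                  # no inside host ever opened this port
        _, src, sport, dst, dport = key
        peer_ok = (pkt.src, pkt.sport) == (dst, dport)
        if not peer_ok and not (pkt.proto == "udp" and self.loose_udp):
            return None                  # TCP packet from a stranger on an open port
        return Packet(pkt.proto, pkt.src, pkt.sport, src, sport)


class Nat:
    """One-to-one NAT: each private address owns a public address, so ANY
    port on the public address reaches the same port on the private host."""

    def __init__(self, mapping: dict):
        self.out = dict(mapping)                                  # private -> public
        self.back = {pub: priv for priv, pub in mapping.items()}  # public -> private

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.proto, self.out[pkt.src], pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.back.get(pkt.dst)
        if priv is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, priv, pkt.dport)


# Constructed addresses: a LAN box, the router's live IP, a scanner, a web server.
LAN_BOX, PUBLIC_IP, SCANNER, WEB = "192.168.0.7", "203.0.113.5", "198.51.100.9", "1.2.3.4"


def scenario_pat() -> dict:
    pat = Pat(PUBLIC_IP)
    out = pat.outbound(Packet("tcp", LAN_BOX, 1034, WEB, 80))          # browsing: allowed
    reply = pat.inbound(Packet("tcp", WEB, 80, PUBLIC_IP, out.sport))  # its reply: forwarded
    scan = pat.inbound(Packet("tcp", SCANNER, 40000, PUBLIC_IP, 27374))  # SubSeven scan: dropped
    stranger = pat.inbound(Packet("tcp", SCANNER, 40000, PUBLIC_IP, out.sport))  # wrong peer: dropped
    callback = pat.outbound(Packet("tcp", LAN_BOX, 1035, SCANNER, 6667))  # trojan phones home: allowed
    callback_reply = pat.inbound(Packet("tcp", SCANNER, 6667, PUBLIC_IP, callback.sport))
    return {"web_reply": reply, "scan": scan, "stranger_on_open_port": stranger,
            "trojan_callback_reply": callback_reply}


def scenario_nat() -> dict:
    nat = Nat({LAN_BOX: "203.0.113.7"})
    # With 1:1 NAT the scan reaches port 27374 on the LAN box directly.
    return {"scan": nat.inbound(Packet("tcp", SCANNER, 40000, "203.0.113.7", 27374))}
```

The PAT scenario shows both halves of Steffen's point: the scanner's probe for port 27374 has no flow entry and is dropped, and even a packet aimed at an open masqueraded port is dropped when it does not come from the peer the LAN box talked to, yet the trojan's own outbound connection and its replies pass untouched. The NAT scenario shows why a one-to-one mapping is different: the probe is simply rewritten and delivered.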
participants (4): Andreas Fiesser, Nix, Steffen Dettmer, systemx@madmail.com