RE: Security, Distributed firewalling application...long ;-)

["Simpson, Brett" <Brett.Simpson () hsn net>]

One application that works well with Iptables is Fwbuilder. It's very
handy for GUI based administration of rules from a central point. Plus
it's free. 

> -----Original Message-----
> From: Sanjay Arora [mailto:sanjay.k.arora () gmail com] 
> Sent: Tuesday, November 29, 2005 7:31 AM
> To: SF-security-basics Mailing List
> Subject: Security, Distributed firewalling application...long ;-)
>
> List:
>
> We are a small company with a (very short) shoe-string budget 
> running CentOS 4.2. I am a newbie sys-admin and am planning 
> securing the Network as follows, please comment on design and 
> if known suggest a GUI & policy based ruleset generator that 
> can additionally (preferably rsync the ruleset over ssh) to 
> the target machine & reset the ruleset.
>
> WAN: A DSL link firewalled by an IPtables firewall, currently 
> running IPcop on this...may shift to monowall or pfsense..or 
> maybe add additional rulesets to the IPcop box itself. ssh, 
> http, pop3, imap, smtp redirected to internal IP space 
> (192.168.) DMZ server running web-apps and is the vulnerable target.
>
> DMZ: Want to close all ports (in/out) on the DMZ server 
> except for the above services, with logging of all attempts 
> from inside the lan or outside.
>
> LAN: 4 Servers running various services according to their 
> jobs. Want to explicitly close all ports (in/out) except the 
> required ones with logging of all attempts.
>
> Other things to be done: 
>
> 1. Running an IDS on the local network (Snort).
> 2. Block all outgoing mail except from the official 
> mailserver & running anti-spam & antivirus on all in/out 
> mails, with a copy of all logged for archival/forensics purposes.
> 3. Block all outgoing ports except as required and log all 
> attempts to connect to blocked ports from inside or outside.
> 3. Install an application to get all iptables logs from all 
> servers including the perimeter firewall, into a database.
> 5. Get data from the perimeter IDS & LAN IDS into the database.
> 6. Extrapolate the database on regular basis for re-evaluation.
>
> Comments are invited on the above. Also suggestions of open 
> source & free projects that can help my deploy the policy 
> based firewalling and all the above.
>
> Why I need a GUI & policy based framework for implementing my 
> firewalls, when my requirements are static? Well, I may need 
> to add additional role to a server on the LAN, if any other 
> server fails. In fact, I intend to keep the services prepared 
> on alternate servers, only not deploy them redundantly. 
> Secondly, never know when needs change and something that is 
> easily configured and deployed would adapt better.
>
> Also, I have a question that needs answer. How do I allow IMs 
> like yahoo, msn, icq and transparently proxying & logging all 
> business chats...staff will be aware from IT policy that all 
> email/IM are recorded. We plan to run a Jabber server for 
> Enterprise IM but how to control the IMs?
>
> Please critique..bang my head on floor & caution on the 
> drawbacks of the approach...advise...provide links/learning 
> resources...share experiences...and help me get it right.
>
> With best regards.
> Sanjay.