Firewall Wizards mailing list archives
firewall configurator Was: Firewall administration.
From: "Magossa'nyi A'rpa'd" <mag () bunuel tii matav hu>
Date: Fri, 10 Oct 1997 20:48:52 +0100
On Wed, 8 Oct 1997, Bennett Todd wrote:
> Hmm. I really like this goal. Combine these thoughts with other threads that have been dangling --- including Brent Chapman's packet filtering paper which I hit chasing a link from the Sinus Firewall docs, and mjr's remarks in this forum about canned security stances --- and we have the makings of a nice tidy small project. Linux+ipfw+fwtk has all the bits you need to assemble a nice firewall. So what someone needs to do is roll up a handful of nice boilerplate configs --- ``security stances'' --- and then whip up a nice user-friendly front-end that offers a choice among the stances, with high-level descriptions to help the user pick the nearest match to their needs, then uses the chosen stance as an initial state for a gui front-end, which offers enable/disable choices on services, with explanations of risks that pop up whenever you try to enable something to tell you why you might not want to.
I don't like the idea of a GUI when we are talking about security. A security administrator should not feel that he/she understands the thing if it isn't the case. I've half-made a tool which generates the necessary config file from a global security policy definition and a local one. It is intended to run with the TIS software, and will hopefully know much more than that. So far it generates the network starting and stopping scripts, and a hosts file. The code knows more than that, though. It is written in tcl, so if you like nifty interfaces, just go on.

In some respects it will (hopefully) know more than Gauntlet:

- notion of state. It is useful if you want to implement a policy which depends on time, or responds to an ongoing attack by tightening the rules. You can also use it for automatic hotswap of firewalls (it is against the close-on-fail philosophy. I warned you.)
- centralized management. You can define a default security policy, and define the details on a per-firewall basis. I assumed that you run it on the central firewall manager host, and just download the files to each firewall (after inspecting them).
- it maintains a consistent notion of routes, which is necessary in an environment full of VPNs.

In some respects it is less than Gauntlet, due to limitations of the fwtk:

- fewer types of gateways
- fewer types of authentication
- it isn't a full system, even with fwtk and the vpn package

-----
It is at http://hal2000.hal.vein.hu/~mag/fwconf.tgz
Tell me what you think about that.
-----

To have a full-featured firewall, you almost definitely need this when it is finished, fwtk with the transproxy patch, tripwire, and a way to deal with logs. In some setups the vpn package, udprelay, and/or the linux posix1.e stuff would be needed. I also thought about content filtering in the way mimesweeper does. Given the current set of conversion tools, I think that a Linux equipped with them and a dosemu to run foreign virus scanners is a very good platform to implement it.
I guess that making a minimal version which does email scanning recursively, knows two or three mime and file types, and uses two or three scanners for the sake of demonstration would take one or two weeks in perl or tcl. The problem here again is the safe quarantine for this stuff. Having a Bx system would be nice for that (though I don't know any which runs a DOS emulator), but the posix 1e stuff and chrooting can be usable. The other problem is that I don't have even half a day for a creativity like this. About the content filtering: I wouldn't do it on the firewall, of course, and it has its limitations, of course. But I feel that it would make the scenario more consistent.
> Base it on a minimal Red Hat install, and it'll be easy to add and remove chunks of software with RPM, and to support updating to track new versions.
I would use Debian, as I feel it is superior in security. It is a subjective opinion, and I'm not willing to join in a distribution flamewar. And I would only _base_ the firewall distribution on a mainstream one, as it still should have a lot of changes to that (no doc and development tools on the system, tighter permissions [on my test firewall there is only one setuid root program, and there would be none if I had the time to change to the 1e stuff], and a more controlled environment). I would include even the kernel source trimmed down [modules and some other stuff cut] and patched for a nonexec stack.

---
GNU GPL: only from pure source
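As an added illustration of the scheme described in the post above (a global default policy, a per-firewall local override, and a state that tightens the ruleset), here is a small generator in Python rather than the tool's Tcl. This is not code from fwconf or from anyone on the thread; the service names, the "normal"/"attack" states, and the ipfwadm flag syntax in the emitted script are assumptions.

```python
"""Policy-to-ruleset generator (constructed example, not fwconf's own code)."""

# Hypothetical global policy: each service lists the states in which inbound
# access is allowed. "normal" is everyday operation; "attack" is the tightened
# stance the post describes for responding to an ongoing attack.
GLOBAL_POLICY = {
    "smtp":   {"port": 25, "allow_in": {"normal", "attack"}},
    "http":   {"port": 80, "allow_in": {"normal"}},
    "telnet": {"port": 23, "allow_in": set()},   # never allowed by default
}


def merge_policy(global_policy, local_override):
    """Apply one firewall's local override on top of the central default.
    A site may tighten or loosen a service; the global dict is left untouched."""
    merged = {name: dict(spec) for name, spec in global_policy.items()}
    for name, spec in local_override.items():
        merged.setdefault(name, {}).update(spec)
    return merged


def generate_rules(policy, state):
    """Return ordered (action, proto, port, name) tuples for the given state.
    Default-deny: anything not explicitly allowed in this state is denied,
    and a catch-all deny closes the list."""
    rules = []
    for name in sorted(policy):
        spec = policy[name]
        action = "accept" if state in spec["allow_in"] else "deny"
        rules.append((action, "tcp", spec["port"], name))
    rules.append(("deny", "all", 0, "default"))
    return rules


def render_start_script(rules, iface="eth0"):
    """Emit a network start script for inspection before download to a firewall.
    ipfwadm flags (-I input chain, -f flush, -a append, -W interface, -P proto,
    -S/-D source/dest) are written from memory; verify against the man page."""
    lines = ["#!/bin/sh", "ipfwadm -I -f"]   # flush the input chain first
    for action, proto, port, name in rules:
        if proto == "all":
            lines.append(f"ipfwadm -I -a deny -W {iface} -S 0/0 -D 0/0  # {name}")
        else:
            lines.append(f"ipfwadm -I -a {action} -W {iface} -P {proto} "
                         f"-S 0/0 -D 0/0 {port}  # {name}")
    return "\n".join(lines) + "\n"
```

Switching the state argument from "normal" to "attack" regenerates the script with only the services the policy marks as attack-safe left open, which is the tightening-under-attack behaviour the post describes.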