[H-GEN] Good practice and home networking

Robert Brockway robert at timetraveller.org
Sat Sep 22 00:45:33 EDT 2007


On Sun, 9 Sep 2007, bjf at bjf.id.au wrote:

> When I went through uni, the advice there was that services should never 
> be run on the internet-facing router.  Does this still hold?

Hi Ben. I agree totally with Mark and Greg that there is no one right 
answer.  Security is a cost-benefit analysis.  Good security can be costly 
in $ & human time.  But then the loss of important personal or business 
data can be very serious.

For a company running servers on-site it may indeed be desirable to run a 
firewall with a minimum of services but that is only part of the story 
(more on this later).

Note that I refer here to a firewall running a minimum of services.  To 
run no services would mean giving up ssh to the box (although you could 
bind sshd only to the internal interface).  I call a box running a minimum 
of services on it a "dedicated firewall".  Some organisations may 
terminate a VPN on the firewall rather than in the DMZ.

One common scenario I've found is for people to run a dedicated firewall 
at home (or in a small business).  They then use Destination NAT (DNAT) to 
poke a bunch of holes in the firewall to make several ports on servers 
inside their LAN directly accessible to the Internet[1].  This is no 
better (and in some cases actually worse) than running those services on 
the firewall itself.

[1] At this point the firewall may have become Swiss cheese: all soft and 
gooey with holes in it.

It may make sense in the home environment to run services on your 
"firewall" while keeping your important personal data away from the 
Internet on a separate box that runs no services at all.  If your firewall 
gets 0wned at least they don't have the really important data yet.  This 
could be seen as an application of "defence in depth" for the home.

> * A three-legged firewall is one option: one side connects straight to 
> the internet, the other side connects to my internal network, and the 
> third side connects to machines on a DMZ subnet.  Do any HUMBUGgers 
> bother running this kind of setup at home?

Running a DMZ is great from a security POV but requires more investment in
hardware and more time to set up & manage.  If you are familiar with
networking and 3-legged firewalls it probably doesn't take too long to get
this going.  Alternatively you may just find it a fun project which will
teach you something about firewalling and which may be useful in your work
one day.

When I've built networks for small companies I have encouraged the use of
a dedicated firewall and a DMZ.  Any DNAT ports opened up are pushed into
the DMZ.  No direct access to the internal LAN from outside is allowed.
VPNs and ssh access from outside can terminate in the DMZ.

Access from the DMZ to the LAN is heavily restricted. As a result if
anyone compromises a server running in the DMZ their ability to impact the
organisation and steal info is minimised.  Someone taking control of the
servers in the DMZ should still have a hard time getting into the LAN
where all the really juicy info is kept.

One possibility today is to run a bunch of virtual servers in the DMZ
reducing the total number of real servers running in the DMZ.

> * Does anybody have any opinions whether I'd be better off using a Linux 
> or OpenBSD OS on a PC-based router?  Specifically, is the network packet 
> filtering support in OpenBSD powerful enough to warrant a second look?

I like PC firewalls due to the ability to customise the setup.  For 
example, at home right now I have a DSL & cable connection.  I'm using 
iproute2 to provide external access to some boxes over the DSL & some out 
of the cable (for various reasons).  If the DSL drops all boxes start 
using the cable.

> * Going even further (and possibly, completely over the top), I've heard 
> of people using two routers, with the middle segment being designated 
> their 'DMZ' network segment where they put machines exposing external 
> services. Does _anybody_ bother with this in an enthusiast/home setup?

I'm not aware of anyone doing this in the business world - the 3-legged 
firewall is typical.

> * What sort of machine/network monitoring and IDS tools do people use on 
> their home networks these days?  Tripwire?  Anything else?  Granted that 
> I'm not running a bank or have anything of real value on my network, but 
> it would still be a pain in the butt to reinstall a cracked machine.

Quite a lot of tools are available.  You can even tie an IDS in to
iptables and have it dynamically bring up rules based on current attacks. 
It all depends on the results of your cost-benefit analysis (which doesn't 
need to be terribly formal).

Cheers,

Rob

-- 
"With sufficient thrust, pigs fly just fine..."
 	-- RFC 1925 "The Twelve Networking Truths"
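The dedicated firewall with a DMZ that Rob describes above (DNATed ports pushed into the DMZ, nothing from outside reaching the LAN directly, DMZ-to-LAN access heavily restricted, sshd reachable only from the inside) written out as an nftables ruleset. This is an added example, not code from the thread or from any HUMBUG member; the interface names, addresses, the two DNATed services and the single DNS exception from the DMZ to an internal resolver are assumptions for illustration. A small audit helper at the end checks for the "Swiss cheese" pattern, DNAT rules that point at LAN addresses:

```shell
# Three-legged firewall policy as an nftables ruleset, emitted by a shell
# function so it can be reviewed (or diffed) before loading with `nft -f`.
# Interface names and addresses below are assumptions for the example.
WAN_IF="eth0"                 # Internet-facing
LAN_IF="eth1"                 # internal LAN, 192.168.1.0/24
DMZ_IF="eth2"                 # DMZ, 10.0.0.0/24
WEB_DMZ="10.0.0.10"           # public web server lives in the DMZ
SSH_DMZ="10.0.0.20"           # ssh jump host / VPN endpoint in the DMZ
LAN_DNS="192.168.1.53"        # assumed internal resolver the DMZ may query

# The firewall itself accepts only ssh from the LAN side (the same effect as
# binding sshd to the internal interface) and ICMP. Every DNATed port lands
# in the DMZ, never on the LAN, and the DMZ can reach the LAN only for DNS.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        ip protocol icmp accept
        iif $LAN_IF tcp dport 22 accept         # admin ssh from the LAN only
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iif $LAN_IF oif $WAN_IF accept          # LAN -> Internet
        iif $DMZ_IF oif $WAN_IF accept          # DMZ -> Internet
        iif $WAN_IF oif $DMZ_IF ct status dnat accept   # only DNATed ports reach the DMZ
        iif $DMZ_IF oif $LAN_IF ip daddr $LAN_DNS udp dport 53 accept   # DMZ -> LAN: DNS only
        iif $DMZ_IF oif $LAN_IF log prefix "dmz-to-lan-blocked " drop
        iif $WAN_IF oif $LAN_IF drop            # nothing from outside reaches the LAN
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        iif $WAN_IF tcp dport { 80, 443 } dnat ip to $WEB_DMZ
        iif $WAN_IF tcp dport 2222 dnat ip to $SSH_DMZ:22
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN_IF masquerade
    }
}
EOF
}

# Audit helper: count DNAT rules whose target is a LAN address (the "Swiss
# cheese" pattern). Prints 0 when every DNATed port lands in the DMZ.
dnat_targets_in_lan() {
    gen_ruleset | grep 'dnat' | grep -c 'to 192\.168\.1\.' || true
}
```

Review the output of `gen_ruleset` and run `dnat_targets_in_lan` before loading it with `gen_ruleset | nft -f -`; the forward chain's default drop policy is what makes the "no direct access to the internal LAN" rule hold even if a DNAT line is added later by mistake.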

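The dual-uplink policy routing Rob mentions (some boxes out via DSL, some via cable, everything on cable when the DSL drops), as an added example using iproute2. It is not Rob's configuration; the interfaces, gateway addresses, table numbers and the hosts pinned to DSL are assumptions. A dry-run mode prints the `ip` commands instead of running them so the plan can be checked without root:

```shell
# Dual-uplink policy routing with iproute2: chosen LAN hosts leave via DSL,
# everyone else via cable, and DSL users fall back to cable when DSL is down.
# Interfaces, gateways, table numbers and host lists are assumptions.
DSL_IF="ppp0";   DSL_GW="203.0.113.1";    DSL_TABLE=100
CABLE_IF="eth0"; CABLE_GW="198.51.100.1"; CABLE_TABLE=200
DSL_HOSTS="192.168.1.10 192.168.1.11"     # LAN hosts that should prefer DSL
LOCAL_NETS="192.168.1.0/24 10.0.0.0/24"   # LAN and DMZ: never policy-routed

# DRY_RUN=1 prints the ip(8) commands instead of running them, so the plan
# can be reviewed (or tested) without root or the real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "ip $*"; else ip "$@"; fi
}

setup_routing() {
    # Local networks must be looked up in the main table before any
    # per-uplink rule, or LAN-to-DMZ traffic from a DSL host would be sent
    # out the DSL link.
    for n in $LOCAL_NETS; do
        run rule add to "$n" lookup main priority 50
    done
    # One routing table per uplink, each holding only its default route.
    run route replace default via "$DSL_GW"   dev "$DSL_IF"   table "$DSL_TABLE"
    run route replace default via "$CABLE_GW" dev "$CABLE_IF" table "$CABLE_TABLE"
    # Source-based selection: pinned hosts use DSL, everything else cable.
    for h in $DSL_HOSTS; do
        run rule add from "$h" lookup "$DSL_TABLE" priority 100
    done
    run rule add lookup "$CABLE_TABLE" priority 200
    # The firewall's own default route stays on cable.
    run route replace default via "$CABLE_GW" dev "$CABLE_IF"
}

# Is the DSL gateway reachable out of the DSL interface?
dsl_up() { ping -c 1 -W 2 -I "$DSL_IF" "$DSL_GW" >/dev/null 2>&1; }

# Failover: when DSL is down, point the DSL table at cable so pinned hosts
# keep working; restore the real default when it comes back. Takes the link
# state as an argument so it can be driven from a cron job or a test.
apply_failover() {   # usage: apply_failover up|down
    case "$1" in
        down) run route replace default via "$CABLE_GW" dev "$CABLE_IF" table "$DSL_TABLE" ;;
        up)   run route replace default via "$DSL_GW"   dev "$DSL_IF"   table "$DSL_TABLE" ;;
        *)    echo "usage: apply_failover up|down" >&2; return 1 ;;
    esac
}

# Poll loop for the router itself (not run in dry mode):
# while true; do if dsl_up; then apply_failover up; else apply_failover down; fi; sleep 30; done
```

Run `DRY_RUN=1 setup_routing` first to see the plan. `ip rule add` is not idempotent, so a second real run would duplicate the rules; delete the old ones (or check `ip rule show`) before re-applying. `route replace` in `apply_failover` is idempotent, which is why the failover step can be repeated from a poll loop.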

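Rob's last point, an IDS that dynamically brings up firewall rules based on current attacks, as an added example in its simplest form: sshd password failures in the auth log are counted per source address and repeat offenders are added to a timed nftables set that the input chain drops from. This is not code from the thread; it uses nftables sets rather than iptables, the log lines are constructed for the example, and the set name, threshold, ban time and the LAN prefix that is never banned are assumptions:

```shell
# Turn an auth log into firewall blocks: count sshd password failures per
# source IP and emit nft commands that add repeat offenders to a set with a
# timeout, so the bans expire on their own. The set definition and the log
# format (OpenSSH syslog lines) are assumptions for the example.
THRESHOLD=3
ALLOW_NET_PREFIX="192.168.1."     # never ban the internal LAN (or yourself)

# Firewall side: a timed set referenced from the input chain (load once).
banned_set_rules() {
    cat <<'EOF'
add set inet fw banned { type ipv4_addr; flags timeout; }
add rule inet fw input ip saddr @banned drop
EOF
}

# Read sshd log lines on stdin, print offending IPs (sorted), one per line.
# Only "Failed password ... from <ip> port ..." lines count; an optional
# argument overrides the failure threshold.
offenders() {
    awk -v t="${1:-$THRESHOLD}" -v allow="$ALLOW_NET_PREFIX" '
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= t && index(ip, allow) != 1) print ip
        }' | sort
}

# Emit one "add element" per offender; pipe the output into `nft -f -`.
ban_commands() {
    offenders "$@" | while read -r ip; do
        echo "add element inet fw banned { $ip timeout 1h }"
    done
}

# Constructed sample log (not real data) for a dry run: one external host
# with three failures, one with a single failure, and a LAN host with three
# failures that must not be banned.
sample_log() {
    cat <<'EOF'
Sep 22 00:40:01 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 22 00:40:03 gw sshd[1234]: Failed password for root from 203.0.113.7 port 51023 ssh2
Sep 22 00:40:05 gw sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Sep 22 00:41:10 gw sshd[1240]: Failed password for rob from 198.51.100.9 port 40000 ssh2
Sep 22 00:41:30 gw sshd[1241]: Accepted publickey for rob from 192.168.1.5 port 50001 ssh2
Sep 22 00:42:00 gw sshd[1242]: Failed password for rob from 192.168.1.5 port 50002 ssh2
Sep 22 00:42:01 gw sshd[1242]: Failed password for rob from 192.168.1.5 port 50003 ssh2
Sep 22 00:42:02 gw sshd[1242]: Failed password for rob from 192.168.1.5 port 50004 ssh2
EOF
}
```

Try `sample_log | ban_commands` to see the one command it produces; on a real box, run `banned_set_rules | nft -f -` once and then feed `ban_commands` from the live log (for example via `tail -F`) into `nft -f -`. The allow-list prefix and the timeout are the two knobs that keep an attacker from using forged or proxied failures to lock the admin out of the firewall permanently.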