SLUG Mailing List Archives

Re: [SLUG] Hostile LANs


Howard Lowndes wrote:

> I have been asked to set up multiple LANs with Internet access in what I
> consider to be a hostile environment - a private uni student dorm
> complex.

> Basically it will be Linux gateways with most probably Winblows or Mac
> boxes on the LANs.

> As far as possible I will be locating the gateway boxes in as physically
> secure an area as I can, but even so I will need to be looking at
> security as regards access to the gateways as well as network security.


For physical security of gateways, routers, firewalls and servers, computer
cabinets can be bought from John Turk Data Comms (JTDC) in various sizes:
Small, Medium, Large and XLarge are available. These cabinets are lock-key
cabinets and can only be physically accessed by holders of keys.
(Disclaimer: I am not in any way associated with JTDC business-wise and do
not gain materially from that business.)

In this hostile LAN environment there are many different ways one could
structure the security of the networks, depending on two main considerations:
one is the level of security you wish to achieve; the other is the budget
you have available.

From what information you have provided here, I'd venture to suggest the following:

1. Connect the modem directly to the Internet.
2. Directly behind the modem, have a bridge firewall on a minimal Linux OS.
   A bridge firewall works at layer 2 and therefore can be configured without
   an IP address, so nobody can connect to it other than from a console. Since
   this box is in a lock-key cabinet it is doubly secure.
3. Your network behind item 2, say ETH0, is your DeMilitarized Zone (DMZ),
   and so this is where you may position your servers such as HTTP, SMTP, FTP,
   POP, IMAP, etc.
4. Another interface behind item 2 on your bridge firewall, say ETH1, is your
   user LAN and is secured by a firewall. This firewall is configured so that
   every service is disallowed to start with. You may open up each specific
   service as it is required. In this way you have full control over what is
   going through this particular network. I'd use www.shorewall.net as my open
   source firewall, as it is easy and simple to set up and, most of all, it is
   flexible and actively maintained by its developer with the support of a
   large community of open source users.
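The bridge firewall and default-deny policy of items 2 to 4, as an added shell example that is not from the original post and is not Shorewall's own code: it prints (or, given the argument `apply`, runs as root) the `ip` and `iptables` commands for an IP-less three-port bridge where every bridged connection is dropped unless a rule opens it. The interface roles (eth0 uplink, eth1 DMZ, eth2 user LAN), the DMZ server address and the list of opened ports are assumptions for illustration; Shorewall would generate equivalent rules from its own zone, policy and rules files.

```sh
#!/bin/sh
# Added example (not from the original post): a three-port Linux bridge
# firewall in the spirit of items 2-4. Interface names, the DMZ host
# address and the allowed services are assumptions for illustration.
#
# Assumed layout:  eth0 = uplink to the Internet modem
#                  eth1 = DMZ (public servers)
#                  eth2 = user LAN
# The bridge br0 itself carries no IP address, so the box is reachable only
# from the console. Filtering bridged frames with iptables needs the
# br_netfilter module and net.bridge.bridge-nf-call-iptables=1.

UPLINK=eth0
DMZ=eth1
USERS=eth2
DMZ_SERVER=203.0.113.10        # constructed example address (TEST-NET-3)

# Print the commands that build the IP-less bridge.
bridge_setup() {
    cat <<EOF
ip link add name br0 type bridge
ip link set dev $UPLINK master br0
ip link set dev $DMZ master br0
ip link set dev $USERS master br0
ip link set dev br0 up
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# Print a default-deny rule set: every frame crossing the bridge is dropped
# unless a rule below opens it. Services are opened one at a time, which is
# the "disallowed to start with" policy the reply recommends.
firewall_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Public services on the DMZ server, reachable from anywhere (users included).
    for port in 80 443 25; do
        echo "iptables -A FORWARD -m physdev --physdev-out $DMZ -p tcp -d $DMZ_SERVER --dport $port -j ACCEPT"
    done
    # The user LAN may go out to the Internet only for the listed services.
    for port in 80 443 25 110 143; do
        echo "iptables -A FORWARD -m physdev --physdev-in $USERS --physdev-out $UPLINK -p tcp --dport $port -j ACCEPT"
    done
    # Nothing from the DMZ may initiate connections into the user LAN,
    # and whatever is left is logged before the DROP policy takes it.
    echo "iptables -A FORWARD -m physdev --physdev-in $DMZ --physdev-out $USERS -j DROP"
    echo "iptables -A FORWARD -j LOG --log-prefix 'bridge-drop: '"
}

# Number of explicit ACCEPT rules the set opens (useful as a self-check
# when a new service is added: the count should rise by exactly one).
accept_rule_count() {
    firewall_rules | grep -c -- '-j ACCEPT'
}

case "${1:-show}" in
    show)  bridge_setup; firewall_rules ;;                   # dry run: print only
    apply) bridge_setup | sh -e; firewall_rules | sh -e ;;   # must run as root
esac
```

Run it without arguments to review the generated commands; `sh bridge-fw.sh apply` executes them, which needs root, the br_netfilter module and a console session, since the bridge has no address to ssh to. The `--physdev-in`/`--physdev-out` matches are what let a single FORWARD chain distinguish the three bridge ports.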

But most important, write down or document what you want to achieve
with your security so you will know if you have achieved success. This
includes a set of security policies that you want to implement.

> My thoughts so far are:
>
> 1. BIOS password has very limited effect.
> 2. GRUB password to prevent editing the GRUB boot strings.

The above methods are redundant when your servers are physically locked up.

> 3. Locked cases with no CD or floppy - how can I prevent USB drives
> being attached without disabling the USB bus in the BIOS.  My thinking
> here is that I will use the USB bus to connect to the Internet modem and
> the Ethernet connection to connect to the LAN.  Perhaps I might be
> better off to totally disable the USB bus in the BIOS and use a second
> Ethernet connection to connect to the Internet modem.

Locking (or removing) CDs and floppies, as well as disabling USB, is also
redundant. As far as I know, this was standard practice when installing
large networks up to and until the early 1990s. It was done to prevent
users from entering data other than through the keyboard. The theory was
that when users were allowed to introduce data through floppies (there was
no Internet connection at that time) it was possible to infect data and
documents on the network.

This was also done so that users would be unable to steal valued documents,
like confidential info, trade secrets, etc., by downloading them onto
floppies. The practice was effective at that time because networks were not
connected to the Internet.

Nowadays, external data or documents may be downloaded from the
Internet, or internal data or documents may be uploaded to an external
computer through the Internet. Fortunately, we now have ways to protect
against pollution of data from external sources, as well as against theft
of confidential and trade-secret documents.

> 4. SNORT on all interfaces.

I'd use this too.

> 5. Traffic volume monitoring and reporting with traffic shaping for over
> quota - what are the privacy considerations here?  RRDTOOLS - anything
> else here?

I'd recommend this:

http://www.steveshipway.org/software/
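Per-host volume accounting with an over-quota list, of the kind item 5 asks about, as an added shell example that is not from the original post and not from the software linked above. It keeps only what a quota needs, the source address and byte counts, and never the destinations visited, which is the privacy consideration the question raises. The accounting lines are constructed, not real logs; the format (date, time, host, bytes in, bytes out, exported hourly from the gateway's per-host counters) and the 1 GB quota are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): a per-host traffic quota
# check built on byte counts only, never on URLs or destinations.
# Assumed input, one line per host per hour, exported from the gateway:
#   YYYY-MM-DD HH:MM host in_bytes out_bytes

# Constructed sample: three dorm hosts over two hours (not real data).
SAMPLE_ACCOUNTING='2003-05-01 10:00 192.168.1.10 120000000 4000000
2003-05-01 10:00 192.168.1.11 30000000 1000000
2003-05-01 10:00 192.168.1.12 900000000 50000000
2003-05-01 11:00 192.168.1.10 80000000 2000000
2003-05-01 11:00 192.168.1.11 25000000 800000
2003-05-01 11:00 192.168.1.12 700000000 40000000'

# Sum in+out bytes per host from accounting lines on stdin.
# Output: "host total_bytes", one line per host, sorted by host.
host_totals() {
    awk '{ total[$3] += $4 + $5 }
         END { for (h in total) print h, total[h] }' | sort
}

# From accounting lines on stdin, list hosts whose total exceeds the quota
# (in bytes) given as $1, with the percentage of quota used.
over_quota() {
    quota=$1
    host_totals | awk -v q="$quota" \
        '$2 > q { printf "%s %d %.0f%%\n", $1, $2, 100 * $2 / q }'
}

# Just the addresses, ready to hand to the traffic-shaping rules
# (e.g. a "shaped" class in tc) without exposing what they fetched.
shape_list() {
    over_quota "$1" | awk '{ print $1 }'
}

# Wrappers that feed the constructed sample so the checks run offline.
sample_totals() { printf '%s\n' "$SAMPLE_ACCOUNTING" | host_totals; }
sample_over()   { printf '%s\n' "$SAMPLE_ACCOUNTING" | over_quota "$1"; }
sample_shape()  { printf '%s\n' "$SAMPLE_ACCOUNTING" | shape_list "$1"; }

# Stand-alone run: report hosts over a 1 GB quota.
sample_over 1000000000
```

In production the sample variable would be replaced by the file the gateway's counters are dumped into (the same byte totals are what an RRD graph would plot), and `shape_list` would be run from cron to refresh the set of shaped hosts. Because the pipeline never records destination addresses, the data retained is no more than a billing record.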

> 6. Tight access control into the gateway boxes themselves - no user
> accounts.

Lock-key computer cabinets and Layer-2 configuration for gateways ensure this.

> 7. Normal filtering of Internet nasties.
>
> 8. How do I look for (possibly infringing) P2P traffic?
> 9. I will need to allow for HTTP, HTTPS, SMTP, POP3, but what ports
> should I allow for the various IMs, a/v streaming, IRC (6667), what
> else?  I might also need to cater for IPSec tunnelling - I know what is
> needed there.
> 10. As this is a private dorm complex, what about AUPs between the
> students and the landlord.
>
> OK, that's just immediate random thoughts.  Would anyone care to add to
> my worry list, esp anyone who has sysadmin experience in a
> hostile^H^H^H^Hstudent environment.  :)