- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Hostile LANs
- From: O Plameras <oscarp@xxxxxxxxxxx>
- Date: Thu, 03 Feb 2005 10:45:30 +1100
- User-agent: Mozilla Thunderbird 0.9 (X11/20041127)
Howard Lowndes wrote:
> I have been asked to set up multiple LANs with Internet access in what I
> consider to be a hostile environment - a private uni student dorm
> Basically it will be Linux gateways with most probably Winblows or Mac
> boxes on the LANs.
> As far as possible I will be locating the gateway boxes in as physically
> secure an area as I can, but even so I will need to be looking at
> security as regards access to the gateways as well as network security.
For physical security of Gateways, Routers, Firewalls, and Servers, computer
cabinets could be bought from John Turk Data Comms (JTDC) in various
Medium, Large, and Xlarge are available. These cabinets are lock-key
can only be physically accessed by holders of keys. (Disclaimer: I am not
associated with JTDC businesswise and do not gain materially from that
In this hostile LAN environment, there are many different ways one could
security of networks depending on two main considerations: one is the
level of security one wishes to achieve; secondly, the budget that you have available.
From what information you have provided here, I'd venture to suggest
1. Connect modem directly to the Internet.
2. Directly behind the modem have a bridge-firewall on a minimal Linux OS.
Bridge-firewall is layer-2 and therefore it can be configured without
so nobody can connect to it other than from a console. Since this box is
lock-key cabinet it is doubly secure.
3. Your network behind item 2., say ETH0, is your DeMilitarized Zone (DMZ)
and so this is where you may position your servers like HTTP, SMTP, FTP,
4. Another interface behind item 2. on your Bridge-Firewall, say ETH1, is
UserLan and is secured by Firewall. This Firewall is configured so that
every Service is disallowed to start with. You may open up each
as they are required. In this way you have full control as to what is
particular network. I'd use www.shorewall.net as my open source firewall
as it is easy and simple to set up and most of all it is flexible and
by its developer with the support of a large community of open source users.
But most important, write down or document what you want to achieve
with your security so you will know if you have achieved success. This
includes a set of Security Policies that you want to implement.
> My thoughts so far are:
> 1. BIOS password has very limited effect.
> 2. GRUB password to prevent editing the GRUB boot strings.
The above methods are redundant when your servers are physically locked up.
> 3. Locked cases with no CD or floppy - how can I prevent USB drives
> being attached without disabling the USB bus in the BIOS. My thinking
> here is that I will use the USB bus to connect to the Internet modem and
> the Ethernet connection to connect to the LAN. Perhaps I might be
> better off to totally disable the USB bus in the BIOS and use a second
> Ethernet connection to connect to the Internet modem.
Locking (or removing) CDs and floppies as well as disabling USBs are also
redundant. As far as I know, this practice was standard practice when
installing large networks up until the early 1990s. This was done
users from entering data other than through the keyboards. The theory was
that when users are allowed to introduce data through the floppies (no
connection at that time) it is possible to infect data and documents in
Also this was done so that users will be unable to steal valued documents,
like confidential info, trade secrets, etc., by downloading them into
This practice was effective at that time because networks are not
Nowadays, external data or documents may be downloaded from the
Internet or internal data or documents may be uploaded to an external
computer through the Internet. Fortunately, we have ways to protect against
pollution of data from external sources as well as to protect against theft of
confidential and trade secret documents nowadays.
> 4. SNORT on all interfaces.
I'd use this too.
> 5. Traffic volume monitoring and reporting with traffic shaping for over
> quota - what are the privacy considerations here? RRDTOOLS - anything
I'd recommend this:
> 6. Tight access control into the gateway boxes themselves - no user
Lock-key computer cabinets and Layer-2 configuration for gateways ensure
> 7. Normal filtering of Internet nasties.
> 8. How do I look for (possibly infringing) P2P traffic?
> 9. I will need to allow for HTTP, HTTPS, SMTP, POP3, but what ports
> should I allow for the various IMs, a/v streaming, IRC (6667), what
> else? I might also need to cater for IPSec tunnelling - I know what is
> 10. As this is a private dorm complex, what about AUPs between the
> students and the landlord.
> OK, that's just immediate random thoughts. Would anyone care to add to
> my worry list, esp anyone who has sysadmin experience in a
> hostile^H^H^H^Hstudent environment. :)
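Howard's item 5 (traffic volume monitoring and reporting, with shaping for hosts over quota, and the privacy question that goes with it) is the part of the worry list that can be sketched in code. What follows is an added example and not code from either poster or from any tool named in the thread: a small Python accounting script that reads constructed sample records in an assumed "timestamp src_ip dst_ip bytes" layout, counts Internet-bound and Internet-origin bytes per host on an assumed user LAN of 10.1.1.0/24, and lists hosts exceeding an assumed daily quota of 200,000,000 bytes. It keeps only per-host byte totals; remote addresses are used to decide direction and then discarded, which is the simplest answer to the privacy point.

```python
"""Per-host traffic quota accounting for a user LAN (added example).

Assumptions, not from the thread: accounting records are lines in a
"timestamp src_ip dst_ip bytes" layout, the user LAN is 10.1.1.0/24, and the
daily per-host quota is 200,000,000 bytes. Only per-host byte totals are
kept; the remote addresses are used to decide direction and then discarded.
"""
import ipaddress
from collections import defaultdict

USER_LAN = ipaddress.ip_network("10.1.1.0/24")  # assumed user LAN
DAILY_QUOTA_BYTES = 200_000_000                  # assumed per-host daily quota

# Constructed sample records. The LAN-internal record and the two malformed
# records exercise the cases the accounting has to ignore.
SAMPLE_LINES = [
    "2005-02-03T09:00:01 10.1.1.10 203.0.113.5 120000000",
    "2005-02-03T09:05:12 203.0.113.5 10.1.1.10 95000000",
    "2005-02-03T09:07:40 10.1.1.11 198.51.100.7 1500000",
    "2005-02-03T09:08:02 198.51.100.7 10.1.1.11 42000000",
    "2005-02-03T09:09:15 10.1.1.10 10.1.1.11 300000000",
    "malformed record",
    "2005-02-03T09:10:00 192.0.2.9 10.1.1.12 notanumber",
    "2005-02-03T09:11:00 10.1.1.12 192.0.2.9 50000",
]


def parse_record(line):
    """Return (timestamp, src, dst, nbytes) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, src, dst, nbytes = parts
    try:
        return (timestamp, ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(nbytes))
    except ValueError:  # bad address or byte count
        return None


def account(lines, lan=USER_LAN):
    """Sum Internet-bound ("up") and Internet-origin ("down") bytes per LAN host.

    Traffic with both ends inside the LAN, or neither end inside it, is not
    Internet usage and is ignored. Returns (totals, skipped_record_count).
    """
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    skipped = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        _, src, dst, nbytes = rec
        src_inside, dst_inside = src in lan, dst in lan
        if src_inside and not dst_inside:
            totals[str(src)]["up"] += nbytes
        elif dst_inside and not src_inside:
            totals[str(dst)]["down"] += nbytes
    return dict(totals), skipped


def over_quota(totals, quota=DAILY_QUOTA_BYTES):
    """Hosts whose combined up+down bytes exceed the quota, largest first."""
    used = [(host, t["up"] + t["down"]) for host, t in totals.items()]
    return sorted(((h, b) for h, b in used if b > quota), key=lambda x: -x[1])


def report(lines, lan=USER_LAN, quota=DAILY_QUOTA_BYTES):
    """Text summary suitable for a daily mail to the admin."""
    totals, skipped = account(lines, lan)
    out = [f"{len(totals)} hosts accounted, {skipped} malformed records skipped"]
    for host, used in over_quota(totals, quota):
        out.append(f"OVER QUOTA {host}: {used} bytes (quota {quota})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

The list returned by over_quota is the hand-off point to whatever shaping mechanism the gateway uses; in real use the records would come from the firewall's own byte counters or a flow exporter rather than the constructed list above, and the report carries nothing about where a host's traffic went.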