 | Chapter 21 Firewalls |  |
| Chapter 21 Firewalls | |
To make the firewall setup effective, the gate should be a pain to use: really, all you want this computer to do is forward specific kinds of information across the choke. The gate should be as impervious as possible to security threats, applying the techniques we've described elsewhere in this book, plus more extreme measures that you would not apply to a general machine. The list below summarizes techniques you may want to implement on the gate machine:
Enable auditing if your operating system supports it.
Do not allow regular user accounts, but only accounts for people requiring incoming connections, system accounts for needed services, and the root account.
Do not allow incoming connections to your X11 servers (ports 6000 through 6000+n, where n is the number of X11 displays on any given computer).
Do not mount directories using NFS (or any other network filesystem). Export only directories that contain data files (ftp/pub, news, etc), never programs. Export read-only.
Remove the binaries of all commands not necessary for gate operation, including tools like cc, awk, sed, ld, emacs, Perl, etc. Remove all libraries (except the shared portion of shared libraries) from /usr/lib and /lib. Program development for the gate should be done on another machine and copied to the gate machine; with program development tools and unnecessary commands removed, a cracker can't easily install Trojan horses or other nasty code. Remove /bin/csh, /bin/ksh, and all other shells except /bin/sh (which your system needs for startup). Change the permission on /bin/sh to be 500, so that it can only be run by the superuser.
If you really don't want to remove these programs, chmod them from 755 to 500. The root user will still be able to use these programs, but no one else will. This approach is not as secure as removing the programs, but it is more effective than leaving the tools in place.
chmod all system directories (e.g., /, /bin, /usr, /usr/bin, /etc, /usr/spool) to mode 711. Users of the system other than the superuser do not need to list directory contents to see what is and is not present. This change will really slow down someone who manages to establish a non-root shell on the machine through some other mechanism. Don't run NIS on the gate machine. Do not import or export NIS files, especially the alias and passwd files.
Turn on full logging on the gate machine. Read the logs regularly. Set the syslog.conf file so that the gate logs to an internal machine as well as a hardcopy device, if possible.
Mount as many disks as possible read-only. This prevents a cracker from modifying the files on those disks. Some directories, notably /usr/spool/uucp, /usr/adm, and ~ftp/pub, will need to be writable. You can place all of these directories on a single partition and use symbolic links so that they appear in the appropriate place.
Turn on process and file quotas, if available.
Use some form of smart card or key-based access for the root user. If you don't use such devices, don't allow anyone to log in as root on the machine.
Make the gate computer "equivalent" to no other machine. Remove the files /etc/hosts.equiv and /etc/hosts.lpd.
Enable process accounting on the gate machine.
Disable all unneeded network services.
Finally, look back at the guidelines listed under Chapter 17 they are also useful when setting up a gate. When you configure your gate machine, remember that every service and program that can be run presents a threat to the security of your entire protected network. Even if the programs appear safe today, bugs or security flaws may be found in them in the future. The purpose of the gate is to restrict access to your network, not to serve as a computing platform. Therefore, remove everything that's not essential to the network services.
Be sure to monitor your gate on a regular basis: if you simply set the gate up and forget about it, you may let weeks or more go by before discovering a break-in. If your network is connected to the Internet 24 hours a day, 7 days a week, it should be monitored at least daily.
Even if you follow all of these rules and closely monitor your gate, a group of very persistent and clever crackers might still break through to your machines. If they do, the cause will not likely be accidental. They will have to work hard at it, and you will most likely find evidence of the break-in soon after it occurs. The steps we've outlined will probably discourage the random or curious cracker, as well as many more serious intruders, and this is really your goal.
|  | |
| 21.4 Setting Up the Gate |  | 21.6 Final Comments |