Step 7: Conclusion and where to find help
UPS's
If you experience frequent power surges or power outages (and even if you don't), a UPS (Uninterruptible Power Supply) can save you many headaches. FreeBSD doesn't like being shut down instantaneously; often this leads to corrupted data. While most of the time (in my experience, at least) this can be fixed by running `fsck` in single-user mode with your disks unmounted, a UPS will eliminate the problem altogether. Unless your power goes out for a prolonged period, a UPS will provide reliable power to your firewall to keep it running smoothly. There are two types of UPS's: offline (or standby) and online. Offline UPS's pass power through from the outlet until they sense an outage, at which point they switch over to battery power. Online UPS's have a zero switchover time (the time between loss of mains power and the moment stable power is supplied by the UPS) because they always run through their inverters. Online UPS's are a little more expensive than offline UPS's, but more reliable. Offline UPS's will work fine, though, so long as they have a low switchover time.
Bastion hosts and bastard systems
Keep in mind that the less software that you install, the more inherent security your firewall will enjoy. More software means more places for hackers to find vulnerabilities. By installing JUST a firewall, we would have a bastion host. Because it is more cost-effective to combine the firewall with the IDS, IPS, and auditing software, we are not creating a true bastion host -- more like a bastardized version of one.
Who's knocking down the door?
Don't be surprised to see attacks within minutes of placing the firewall on the internet. This does not mean that someone is intentionally trying to hack into your network. There are literally THOUSANDS of zombie computers out there that mindlessly probe the internet looking for a system to call their own, or worse, destroy. Aren't you glad you have a firewall?
My record for intrusion attempts after placing a firewall online is 3 minutes. In my experience, the most disturbing attempts are SSH brute forces. A zombie computer portscanned you and found that you're running the SSH service (should you decide to allow WAN access). If someone were to gain access through SSH, the effects could be devastating. This is why your most important security measures should be placed here. If you're not using RSA/DSA keys (why aren't you?), then at the very least make sure your login password is extra-long and contains an overzealous combination of letters, numbers, AND symbols. Perhaps the dumbest thing you can do is allow root access over SSH. This would be like spamming the planet with your social security number. If need be, you can log in as a normal user, then `su` your way to root.
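As an added example (not part of the original guide), here is a small POSIX sh audit that checks an sshd_config for the two settings discussed above, direct root login and password authentication, on two constructed sample files; the helper names are my own.

```sh
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config for the
# two settings the text warns about. Assumes OpenSSH semantics: the first
# occurrence of a directive wins, Match blocks are ignored here, and
# PasswordAuthentication defaults to yes when it is not set.

# effective_value FILE DIRECTIVE: print the first uncommented value (lowercased)
effective_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE: print one line per weak setting; exit 0 only if clean
audit_sshd_config() {
    f="$1"; bad=0
    root=$(effective_value "$f" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password) ;;
        "") echo "PermitRootLogin not set: relying on the build default"; bad=1 ;;
        *)  echo "PermitRootLogin $root: root can log in directly over SSH"; bad=1 ;;
    esac
    pw=$(effective_value "$f" PasswordAuthentication)
    case "$pw" in
        no) ;;
        *)  echo "PasswordAuthentication ${pw:-yes}: password guessing possible, use keys"; bad=1 ;;
    esac
    return $bad
}

# Constructed sample configs (no real host)
sample_weak_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#PasswordAuthentication no'
}
sample_strong_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'PubkeyAuthentication yes' 'AllowUsers admin'
}

# Stand-alone demo: audit both samples
for sample in sample_weak_config sample_strong_config; do
    tmp=$(mktemp)
    "$sample" >"$tmp"
    echo "== $sample =="
    audit_sshd_config "$tmp" && echo "clean"
    rm -f "$tmp"
done
```

Run it against `/etc/ssh/sshd_config` on the firewall; a non-zero exit status means one of the two settings still needs attention.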
Do I have a false sense of security?
If you don't trust your firewall, you can perform a quick and easy portscan on yourself by pointing a browser protected by your firewall to www.grc.com. There you should find ShieldsUp!, a popular (and basic) security assessment tool. If you listen to the Security Now podcast with Leo Laporte, you may have heard ShieldsUp! mentioned.
The best form of security auditing is to use a tool like Nessus. Nessus can perform a MASSIVE assortment of security probes. You'll find Nessus in your ports collection and at www.nessus.org.
RTFM
The FreeBSD Handbook is the single most important resource when working with FreeBSD. Just point your browser to www.freebsd.org/docs.html and click on "Handbook". Google is another valuable resource. The best (and most enjoyable, IMO) way to learn how to use FreeBSD, or any flavor of Linux or Unix, is by doing the research yourself and diving right in. You'll screw your system up, curse everyone and their mother, and possibly become an alcoholic because of it, but you'll be that much more elite once you figure it out. As a last resort, try some of the IRC channels on DALnet or Freenode. When resorting to chatrooms, expect insulting comments and a few "RTFM"s.
Other uses
I also built a NAS (Network Attached Storage) device using a more modern AMD K8, 512MB of PC3200 DDR RAM, and a few gigabit ethernet NICs. This system is more than enough to provide reliable streaming media, file serving, and SVN repositories to anyone with wired, wireless, or VPN access to our LAN. We've even set up dynamic DNS to provide internet access to our media through a custom web interface. Eventually, we will release the MyNAS project to provide a user-friendly interface to the NAS and an out-of-the-box file-sharing community.