Benefits of dual-homed firewall for home network?

Post by Mike Do » Tue, 04 Jun 2002 09:34:01



I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I
can take advantage of the improved packet filtering.  The existing
server uses a fairly standard setup: Dialup ISP, IPCHAINS firewall
from Robert Ziegler's book, Internet sharing among Windows boxes, file
sharing with Samba, Setiathome, not much else.

My security books (Ziegler, Toxen) tell me that the firewall shouldn't
be on the same box as Samba and other important stuff.  Okay, I have
an old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on,
and I could use that as a separate firewall box.

Is my understanding of the physical interface correct?
* Modem on serial port to the Internet.
* Ethernet card with "null hub" (reverse) cable to eth1 on the main
server.
* eth0 on the main server to the home network switch.
* Different networks for the firewall box and the main server (e.g.,
192.168.1.1 for the server and 192.168.2.1 for the firewall).

If this is correct, what does it buy me?  I assume the separate
networks improve security, but I'm lost beyond that.  All the diagrams
I've seen for a DMZ show Web servers and stuff off to the side between
the firewall and the rest of the LAN, but this doesn't really apply to
my setup.

Is there any benefit to installing a second machine as a standalone
firewall, or should I just continue with my current setup where the
firewall is on the main server?

TIA for any advice.

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)


Post by spam.spam.ba.. » Tue, 04 Jun 2002 09:42:41



>Is there any benefit to installing a second machine as a standalone
>firewall, or should I just continue with my current setup where the
>firewall is on the main server?

>TIA for any advice.

Just make sure your rules on the external interface block all the services you run to the internal network. Also, if you have that other box anyway you could make it the firewall. Check out www.openbsd.org. Best firewall there is.

 
 
 


Post by James Knot » Tue, 04 Jun 2002 10:48:26



> Is there any benefit to installing a second machine as a standalone
> firewall, or should I just continue with my current setup where the
> firewall is on the main server?

The reason for a separate firewall is that everything else that's run on
the firewall increases the potential for a security hole.

--

All the facts above are true, except for the ones I made up.


james.knott.

 
 
 


Post by B. Joshua Rose » Tue, 04 Jun 2002 10:58:27



> I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I can
> take advantage of the improved packet filtering.  The existing server
> uses a fairly standard setup: Dialup ISP, IPCHAINS firewall from Robert
> Ziegler's book, Internet sharing among Windows boxes, file sharing with
> Samba, Setiathome, not much else.

> My security books (Ziegler, Toxen) tell me that the firewall shouldn't
> be on the same box as Samba and other important stuff.  Okay, I have an
> old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on, and I
> could use that as a separate firewall box.

> Is my understanding of the physical interface correct?
> * Modem on serial port to the Internet.
> * Ethernet card with "null hub" (reverse) cable to eth1 on the main
> server.
> * eth0 on the main server to the home network switch.
> * Different networks for the firewall box and the main server (e.g.,
> 192.168.1.1 for the server and 192.168.2.1 for the firewall).

> If this is correct, what does it buy me?  I assume the separate networks
> improve security, but I'm lost beyond that.  All the diagrams I've seen
> for a DMZ show Web servers and stuff off to the side between the
> firewall and the rest of the LAN, but this doesn't really apply to my
> setup.

> Is there any benefit to installing a second machine as a standalone
> firewall, or should I just continue with my current setup where the
> firewall is on the main server?

Hardware routers are dirt cheap and easier to administer than a Linux
firewall. I was using a Redhat 7.1 box as my firewall/router but I
switched to a Linksys router. The Linksys router combines a wireless
access point, an ethernet switch and a Cable/DSL port with a very easy to
administer router, all for $150.
 
 
 


Post by William Par » Wed, 05 Jun 2002 03:28:57



> I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I
> can take advantage of the improved packet filtering.  The existing
> server uses a fairly standard setup: Dialup ISP, IPCHAINS firewall
> from Robert Ziegler's book, Internet sharing among Windows boxes, file
> sharing with Samba, Setiathome, not much else.

> My security books (Ziegler, Toxen) tell me that the firewall shouldn't
> be on the same box as Samba and other important stuff.  Okay, I have
> an old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on,
> and I could use that as a separate firewall box.

> Is my understanding of the physical interface correct?
> * Modem on serial port to the Internet.
> * Ethernet card with "null hub" (reverse) cable to eth1 on the main
> server.
> * eth0 on the main server to the home network switch.
> * Different networks for the firewall box and the main server (e.g.,
> 192.168.1.1 for the server and 192.168.2.1 for the firewall).

> If this is correct, what does it buy me?  I assume the separate
> networks improve security, but I'm lost beyond that.  All the diagrams
> I've seen for a DMZ show Web servers and stuff off to the side between
> the firewall and the rest of the LAN, but this doesn't really apply to
> my setup.

> Is there any benefit to installing a second machine as a standalone
> firewall, or should I just continue with my current setup where the
> firewall is on the main server?

Since you're a beginner,
    - put everything on the main server -- it's cheaper, less space, less
      maintenance, and, most of all, easier to learn.
    - or, get a dedicated firewall/router (i.e. Linksys) -- just plug in and
      turn it on.

Separate boxes make sense if there is more than one person at the site,
one person deals with admin, another deals with Web, etc.  But, this has
nothing to do with security.  For you, time is better spent in learning to
configure your machine correctly.  :-)

--

8-CPU Cluster, Hosting, NAS, Linux, LaTeX, python, vim, mutt, tin

 
 
 


Post by Mike Do » Wed, 05 Jun 2002 07:09:04




>> I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I
>> can take advantage of the improved packet filtering.  The existing
>> server uses a fairly standard setup: Dialup ISP, IPCHAINS firewall
>> from Robert Ziegler's book, Internet sharing among Windows boxes, file
>> sharing with Samba, Setiathome, not much else.
>> [...]
>> Is there any benefit to installing a second machine as a standalone
>> firewall, or should I just continue with my current setup where the
>> firewall is on the main server?

>Since you're a beginner,
>- put everything on the main server -- it's cheaper, less space, less
>  maintenance, and, most of all, easier to learn.

Well, I didn't really say I was a beginner.  In fact, my existing
server is fairly well configured (unnecessary services turned off,
working firewall in place, Samba/NFS configured, etc., etc.).

The reason I asked about the benefits of a dual-homed firewall is that
I have the opportunity to learn more about _security_  and am
wondering if there's any real benefit to a home network such as I
described.

>Separate boxes make sense if there is more than one person at the site,
>one person deals with admin, another deals with Web, etc.  But, this has
>nothing to do with security.  For you, time is better spent in learning to
>configure your machine correctly.  :-)

This seems to contradict what I've read and heard about a dual-homed
firewall.  My understanding is that it has _everything_ to do with
security.  If a cracker gets past the firewall on a single machine,
she has access to everything else on that machine.  Not so on a
dual-homed setup.

But what sort of attacks will a dual-home setup prevent?  Where's the
balance between additional security to my home network and the extra
work of maintaining the second box?  That's the kind of information
I'm looking for.

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)


Post by josep » Wed, 05 Jun 2002 11:19:53



> I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I can
> take advantage of the improved packet filtering.  The existing server
> uses a fairly standard setup: Dialup ISP, IPCHAINS firewall from Robert
> Ziegler's book, Internet sharing among Windows boxes, file sharing with
> Samba, Setiathome, not much else.

Improved packet filtering in SuSE 8.0? What feature are you missing in
your 6.1?

> My security books (Ziegler, Toxen) tell me that the firewall shouldn't
> be on the same box as Samba and other important stuff.  Okay, I have an
> old Pentium 133 box with 64MB RAM that I've installed SuSE 8.0 on, and I
> could use that as a separate firewall box.

While that may be true for an enterprise level setup, for a
residential one, separate computers are... er... overkill. Run it all on one
damn machine, and configure it so that people who have no business
accessing a service cannot. You can stop them with the firewall, tcp
wrappers, then the authentication etc. Just keep tabs on the developments
on your chosen daemons.

> Is my understanding of the physical interface correct?
> * Modem on serial port to the Internet.
> * Ethernet card with "null hub" (reverse) cable to eth1 on the main
> server.
> * eth0 on the main server to the home network switch.
> * Different networks for the firewall box and the main server (e.g.,
> 192.168.1.1 for the server and 192.168.2.1 for the firewall).

Yes, if you want a dedicated "firewall" box.

No otherwise. Modem to serial port. Ethernet card thru straight cable to
hub port.
Other computers connected to hub. Or switch.

> If this is correct, what does it buy me?  I assume the separate networks
> improve security, but I'm lost beyond that.  All the diagrams I've seen
> for a DMZ show Web servers and stuff off to the side between the
> firewall and the rest of the LAN, but this doesn't really apply to my
> setup.

One more barrier the attacker has to get past, and possibly time. The
first machine would trigger alarms and let you know, I guess, before the
attack penetrates to your firewall.

> Is there any benefit to installing a second machine as a standalone
> firewall, or should I just continue with my current setup where the
> firewall is on the main server?
> TIA for any advice.

> Mike

> -----
> Mike Dodd  (remove 'xspam.' when emailing)


Post by Robert Pearc » Thu, 06 Jun 2002 07:07:51





>> I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I can
>> take advantage of the improved packet filtering.
<snip>

>Improved packet filtering in SuSE 8.0? What feature are you missing in
>your 6.1?

RedHat 6.1 is a 2.2 series kernel. It has ipchains. I assume SuSE 8.0
has a 2.4 series kernel with iptables?
--
Rob Pearce

The "from" must be wrong, nothing that helpful ever comes from the TAN team!

 
 
 


Post by andre » Thu, 06 Jun 2002 16:09:50



> I'm upgrading my home server from Redhat 6.1 to SuSE 8.0 mainly so I can
> take advantage of the improved packet filtering.  The existing server
> uses a fairly standard setup: Dialup ISP, IPCHAINS firewall from Robert
> Ziegler's book, Internet sharing among Windows boxes, file sharing with
> Samba, Setiathome, not much else.

(snip)

I've just set up a similar network, after having my main machine doing
the internet serving.  I felt unhappy about having the firewall on one
machine doing the only security.

I set up an old machine with mndk 8.2, the same distro as all the other
machines and one I am more familiar with.  This machine will accept
connections from the rest of the network but does not know (I think!) the
IP numbers of the other machines on the network.

I used InteractiveBastille to configure iptables, tests at gmc and
sygatech show I am presently safe.

The only service I am deliberately running on the firewall is sshd so I can
configure the headless machine from anywhere on the lan.

I feel safer doing this and it didn't cost me anything!
--
andrew joseph
using linux mandrake 8.2, hardened with Bastille ... which is nice!

 
 
 


Post by Mike Do » Fri, 07 Jun 2002 08:43:44



>>Improved packet filtering in SuSE 8.0? What feature are you missing in
>>your 6.1?

>RedHat 6.1 is a 2.2 series kernel. It has ipchains. I assume SuSE 8.0
>has a 2.4 series kernel with iptables?

Correct.

Yes, I could have (and did) try Red Hat 7.1 and 7.2 Professional, but
became discouraged with their non-standard gcc as well as never being
able to get Gnome to work correctly, after replacing nearly everything
in the box (mobo, power supply, RAM, video, hard drive).

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)


Post by Mike Do » Fri, 07 Jun 2002 08:52:10



>> My security books (Ziegler, Toxen) tell me that the firewall shouldn't
>> be on the same box as Samba and other important stuff....

>While that may be true for an enterprise level setup, for a
>residential one, separate computers are... er... overkill. Run it all on one
>damn machine, and configure it so that people who have no business
>accessing a service cannot. You can stop them with the firewall, tcp
>wrappers, then the authentication etc. Just keep tabs on the developments
>on your chosen daemons.

Thanks to everyone who offered information and advice on this topic.

I'm leaning toward the single-box setup (which is what I already
have).  Since I switched ISPs from one of the biggies with well-known
address blocks to a tiny one out here in the country, my existing
firewall hasn't logged any dropped packets, so I figure that's a major
improvement.

So I'll configure an iptables firewall and put it on the new SuSE 8.0
server along with everything else.

Again, thanks to all.

Mike

-----
Mike Dodd  (remove 'xspam.' when emailing)
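
The single-box setup settled on above, together with the earlier advice to make sure the external interface blocks the services meant for the internal network, sketched as an added example (not code from any poster in this thread). It assumes `ppp0` is the dial-up link, `eth0` faces the home switch and the LAN is 192.168.1.0/24; `gen_rules` and `ext_reachable` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: ppp0 = dial-up link,
# eth0 = home switch side, LAN = 192.168.1.0/24.

# Print the iptables commands for a single-box gateway: default-deny inbound,
# Samba reachable only from the LAN side, masqueraded Internet sharing.
# NFS is left out here: its helper ports are assigned by the portmapper
# unless pinned, so it needs its own rules.
gen_rules() {
    ext_if=$1; int_if=$2; lan=$3
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $ext_if -s $lan -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int_if -s $lan -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -i $int_if -s $lan -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -i $ext_if -j LOG --log-prefix "ext-drop: "
iptables -A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -s $lan -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Audit a rule list read from stdin: print every INPUT ACCEPT rule that could
# admit a new connection arriving on the external interface, i.e. one that is
# not pinned to lo or to the internal interface ($1) and is not limited to
# established/related traffic. No output means nothing is exposed.
ext_reachable() {
    grep -e '-A INPUT' | grep -e '-j ACCEPT' \
        | grep -v -e '-i lo ' -e "-i $1 " -e '--state ESTABLISHED,RELATED' || true
}

# Show the generated ruleset for the assumed interfaces and LAN range.
gen_rules ppp0 eth0 192.168.1.0/24
```

To apply the rules, pipe the output of `gen_rules` to `sh` as root; to recheck a ruleset after later edits, feed its lines to `ext_reachable eth0` and treat any output as a service left open to the dial-up side.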

