Protect private network

Post by Raymond A. Biond » Thu, 03 Aug 2000 04:00:00



Since I can now obtain DSL, I need to protect a private data
network.

The main question is the strategy.  Create gateway machine,
email box, web box, dns box, room full of boxes, closet full
of boxes, etc.

Know of any good books?  Areas to search?

I have compiled a design based on years of SysAdmin mags
but that could be overkill, not enuff kill, or just plain roadkill!

Thanks in advance,
Ray.

--
Raymond A. Biondi
RSL - www.powerbill.com


Protect private network

Post by Ken Wolf » Thu, 03 Aug 2000 04:00:00



>Since I can now obtain DSL, I need to protect a private data
>network.

>The main question is the strategy.  Create gateway machine,
>email box, web box, dns box, room full of boxes, closet full
>of boxes, etc.

>Know of any good books?  Areas to search?

>I have compiled a design based on years of SysAdmin mags
>but that could be overkill, not enuff kill, or just plain roadkill!

>Thanks in advance,
>Ray.

>--
>Raymond A. Biondi
>RSL - www.powerbill.com

All could be in one box, but yes, I would keep a separate box to handle
firewalling/email/web and NAT.  I know this sounds pretty vague, but I
remember reading about some type of "firewall in a box" based on Redhat
Linux that costs about $39.99.  I believe it was in Infoworld that I saw
this and it got real good reviews.  Easy to set up and maintain.  I just saw
this package at the local CompUSA but cannot remember the name of it or the
company.  But I also think they make other "...in a box" packages for WEB
Server and maybe email.

We keep our SCO box inside the firewall.  Even using plain Linux is pretty
easy to configure.  But you should be able to run one machine as your
gateway, firewall, web server, email server and dns server.  Also consider
some type of proxy such as SQUID.

Ken


Protect private network

Post by Jim Bonne » Thu, 03 Aug 2000 04:00:00


Try getting tls709 from the sco ftp site. It is in ftp.sco.com/TLS. This
will install ipfilter and ipnat. I use this and it is very easy to
configure. It is the same stuff as on linux, and there are quite a few
resources on the web about this.

Check the readme, if you are running 504 you need oss449f.


> Since I can now obtain DSL, I need to protect a private data
> network.

> The main question is the strategy.  Create gateway machine,
> email box, web box, dns box, room full of boxes, closet full
> of boxes, etc.

> Know of any good books?  Areas to search?

> I have compiled a design based on years of SysAdmin mags
> but that could be overkill, not enuff kill, or just plain roadkill!

> Thanks in advance,
> Ray.

> --
> Raymond A. Biondi
> RSL - www.powerbill.com


Protect private network

Post by Scott Taylo » Thu, 03 Aug 2000 04:00:00



> Since I can now obtain DSL, I need to protect a private data
> network.

> The main question is the strategy.  Create gateway machine,
> email box, web box, dns box, room full of boxes, closet full
> of boxes, etc.

Don't forget the garage full of boxes. :)

> Know of any good books?  Areas to search?

Check out http://www.freesco.org/
Stands for Free Cisco not SCO ;o)

> I have compiled a design based on years of SysAdmin mags
> but that could be overkill, not enuff kill, or just plain roadkill!

yup

Protect private network

Post by Jeff Lieberman » Thu, 03 Aug 2000 04:00:00




>The main question is the strategy.  Create gateway machine,
>email box, web box, dns box, room full of boxes, closet full
>of boxes, etc.

Lots of choices...

1.  Let the OSR5 server act as a router/firewall/NAT.
This requires that you install a 2nd ethernet card in your OSR5 box.
Download TLS709 for IPFilters and NAT (network address translation).  For
clues and config details, see:
  http://coombs.anu.edu.au/~avalon/ip-filter.html
  http://www.aplawrence.com/Security/ipfilter.shtml
This will NOT work if you happen to be cursed with PPPoE as SCO does NOT
have a PPPoE dialer.

2.  Cheap stand alone hardware ethernet router/firewall/NAT.  My
favorites of the cheap variety are:
        Linksys BEFR41/BEFR44  ($120/$180)
        Netgear RT311  ($120)

3.  Much better hardware ethernet router/firewall/NAT with stateful
inspection, content filtering, etc.
        Sonicwall/10  ($420)

4.  Do it thyself router/firewall/NAT on a floppy (no hard disk).  Linux
based.  I use:
        http://www.freesco.org
because I've hacked it for handling 5ea ethernet cards.  Web or menu
configurable.  486DX2/66 with 16MB for 10baseT.  P133 with 16MB for
100baseT.  See:
        http://www.freesco.org/links
for other single floppy routers.  I've also used:
        http://www.linuxrouter.org
but found it complicated to configure.

>Know of any good books?  Areas to search?

        http://www.dslreports.com
        http://Cable-DSL.home.att.net/#HardwareFirewalls

>I have compiled a design based on years of SysAdmin mags
>but that could be overkill, not enuff kill, or just plain roadkill!

Even the minimum level of firewall is effective if you don't punch any
holes in it.  It's when you want to do VPN, RAS, PCAnywhere, ftp, telnet,
etc from the internet where the security problems begin.  Just do it.

Also, if you have a 10baseT ethernet card in your OSR5 machine, you will
need to increase the default receive window from 4KB to 32KB using
"inconfig".  I posted details on this about 2 weeks ago.  Search Deja
News for "inconfig" for instructions.  If you have a 100baseT card,
you're probably OK at 24KB.

--

150 Felker St #D  Santa Cruz CA  95060
831-421-6491 pager   831-429-1240 fax
http://www.cruzio.com/~jeffl/sco/   SCO stuff
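To make concrete what the TLS709 IPFilter/ipnat setup that Jim and Jeff describe looks like once the second ethernet card is in, here is an added example of a minimal default-deny rule set; it is not from any post in this thread or from SCO's package, and the interface names net0 (inside) and net1 (outside), the 192.168.0.0/24 LAN and the public address a.a.a.a are assumptions, as is the placement of the two files.

```conf
# --- ipf.conf (filter rules; read top to bottom, last match wins unless
#     a rule says "quick") ---
# Assumed interface names: net0 = inside LAN (192.168.0.0/24),
#                          net1 = outside DSL side with public address a.a.a.a
# Default: nothing gets in or out on the outside interface; log inbound drops
block in log on net1 all
block out on net1 all

# The gateway talks to itself and to the LAN without restriction
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on net0 all
pass out quick on net0 all

# Anti-spoofing: packets claiming private or loopback sources never
# legitimately arrive from the Internet side
block in quick on net1 from 192.168.0.0/16 to any
block in quick on net1 from 10.0.0.0/8 to any
block in quick on net1 from 172.16.0.0/12 to any
block in quick on net1 from 127.0.0.0/8 to any

# Connections opened from inside may leave; "keep state" lets only their
# replies back in, so no "pass in" rule on net1 is needed at all
pass out quick on net1 proto tcp from any to any flags S/SA keep state
pass out quick on net1 proto udp from any to any keep state
pass out quick on net1 proto icmp from any to any keep state

# Every published inbound service is a "hole" of the kind Jeff warns about;
# if one is unavoidable, make it explicit and narrow, e.g. a web server on
# the gateway itself (left disabled here):
# pass in quick on net1 proto tcp from any to a.a.a.a port = 80 flags S/SA keep state

# --- ipnat.conf (translation so the whole LAN shares a.a.a.a) ---
# 0/32 means "whatever address net1 currently has"; portmap rewrites the
# source ports of TCP/UDP sessions, the second line covers everything else
map net1 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:60000
map net1 192.168.0.0/24 -> 0/32
```

Load the rules with `ipf -Fa -f ipf.conf` and `ipnat -CF -f ipnat.conf`; `ipfstat -io` then lists what is active, and `ipmon` prints the logged inbound drops so you can confirm from outside that nothing unsolicited gets through.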


Protect private network

Post by - bill » Fri, 04 Aug 2000 04:00:00





> >The main question is the strategy.  Create gateway machine,
> >email box, web box, dns box, room full of boxes, closet full
> >of boxes, etc.

> Lots of choices...

> 1.  Let the OSR5 server act as a router/firewall/NAT.
> This requires that you install a 2nd ethernet card in your OSR5 box.
> Download TLS709 for IPFilters and NAT (network address translation).  For
> clues and config details, see:
>   http://coombs.anu.edu.au/~avalon/ip-filter.html
>   http://www.aplawrence.com/Security/ipfilter.shtml
> This will NOT work if you happen to be cursed with PPPoE as SCO does NOT
> have a PPPoE dialer.

> 2.  Cheap stand alone hardware ethernet router/firewall/NAT.  My
> favorites of the cheap variet are:
>         Linksys BEFR41/BEFR44  ($120/$180)
>         Netgear RT311  ($120)

> 3.  Much better hardware ethernet router/firewall/NAT with stateful
> inspection, content filtering, etc.
>         Sonicwall/10  ($420)

> 4.  Do it thyself router/firewall/NAT on a floppy (no hard disk).  Linux
> based.  I use:
>         http://www.freesco.org
> because I've hacked it for handling 5ea ethernet cards.  Web or menu
> configurable.  486DX2/66 with 16MB for 10baseT.  P133 with 16MB for
> 100baseT.  See:
>         http://www.freesco.org/links
> for other single floppy routers.  I've also used:
>         http://www.linuxrouter.org
> but found it complicated to configure.

> >Know of any good books?  Areas to search?
>         http://www.dslreports.com
>         http://Cable-DSL.home.att.net/#HardwareFirewalls

> >I have compiled a design based on years of SysAdmin mags
> >but that could be overkill, not enuff kill, or just plain roadkill!

> Even the minimum level of firewall is effective if you don't punch any
> holes in it.  It's when you want to do VPN, RAS, PCAnywhere, ftp, telnet,
> etc from the internet where the security problems begin.  Just do it.

> Also, if you have a 10baseT ethernet card in your OSR5 machine, you will
> need to increase the default receive window from 4KB to 32KB using
> "inconfig".  I posted details on this about 2 weeks ago.  Search Deja
> News for "inconfig" for instructions.  If you have a 100baseT card,
> you're probably OK at 24KB.

> --

> 150 Felker St #D  Santa Cruz CA  95060
> 831-421-6491 pager   831-429-1240 fax
> http://www.cruzio.com/~jeffl/sco/   SCO stuff

Jeff,

great reply !
Thanks
--

-bill-



private network -VPN-private network routing

I have set up a VPN with an SSH tunnel with the following topology
192.168.0.7
    |
------------------------
|192.168.0.1(PRIVATE)   |
|a.a.a.a(PUBLIC CLASS c)|____
------------------------    |
                            |
                        -----------------
                        | 192.168.253.2 |
                        |  ssh-ppp-vpn  |
                        |               |
                        | 192.168.253.3 |
                        -----------------
                            |
------------------------    |
B.B.B.B(public CLASS C)|____|
10.240.2.11(CLASS C)   |
------------------------
    |
    |
------------------------
10.240.2.2             |
------------------------

I have set the routing up such that I can ping every ip address on the
A and B internet (public) machines and the ppp tunnel. But if I am on
either machine 10.240.2.2 or 192.168.0.7, I cannot ping from public to
opposite private or from private to private.  I have enabled IP
forwarding on both boxes.  Machine A is redhat 6.2, machine B is redhat
7, if that matters.  Anybody have any idea what I should check to
enable private network to private network communication?

Todd
--
--------------------------------------------------
Todd Gruben
Daring Technologies
Austin Tx

Sent via Deja.com http://www.deja.com/
Before you buy.
