Date: Thu, 13 Apr 2000 11:19:25 -0400
From: "Cameron, Frank" <cameron@ctc.com>
To: net admin <admin@pacex.net>
Cc: FreeBSD-security@FreeBSD.ORG
Subject: RE: VPN and Firewall security implementation
Message-ID: <E8E9BCC1D0FCD311B066009027B0FD88011350@ctcjst-mail1.ctc.com>
You might want to check out ports/net/nstreams; I've never used it, so I don't know if it's any good or not:

Port description for net/nstreams

Nstreams is a program which analyzes the streams that occur on a network. It displays which streams are generated by the users between several networks, and between the networks and the outside. It can optionally generate the ipchains or ipfw rules that will match these streams, thus only allowing what is required for the users, and nothing more.

Nstreams can parse the tcpdump output, or the files generated with the -w option of tcpdump. It can also directly sniff the data that occurs on the network (the use of tcpdump is however recommended as long as nstreams is in version 0.99.x).

This product was designed by HSC and coded by Renaud Deraison (deraison@cvs.nessus.org), author of the Nessus software (www.nessus.org). It is available for free and under GNU license.

-frank

-----Original Message-----
From: Visigoth [mailto:visigoth@telemere.net]
Sent: Thursday, April 13, 2000 11:16 AM
To: net admin
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: VPN and Firewall security implementation

On Wed, 12 Apr 2000, net admin wrote:

> Hi Folks;
> I am posting this question with the full understanding of the posting
> guidelines for this list and according to the list charters I think my
> question qualifies as a security technical issue. If I am wrong I
> apologize.
> We have FreeBSD-3.3-STABLE mail/HTTP/DNS/RADIUS servers on a LAN behind a
> Cisco IOS firewall/router setup, with some servers running ipfw
> for added security.
> Some of our corporate dialup clients are using various VPN implementations
> to dial to corporate networks through our network (some use MS VPN stuff
> and some use proprietary remote access S/W).

How many different pieces of software are you talking about? If it isn't more than a few, and you would like to maintain the rampant paranoia of default deny (my personal fav), maybe try doing a little tcpdump and other homework to see exactly what they need. I understand that this is probably unreasonable if you are talking like 50 kinds of software (unless they all comply with some standard).

> The problem we're having is that configuring our firewalls for
> mail/DNS/HTTP/RADIUS allows user full access to those services but not
> remote access to corporate LANs and we don't know what services to allow
> to accommodate the corp. customer because of the varied implementation of
> VPN stuff out there. We are now considering redesigning our firewall to
> deny specific services (known security holes) and allow the rest, I know
> it is bad design policy but revenue is at stake here.

If your network is going to be very dynamic and have lots of different software being used for VPN, this may end up being your only solution. Many ISPs have some of the same issues, and most of the ones that I have seen deal with it this second way, but I would recommend doing a system audit on each of your servers to find out what it has open, and maybe even implementing software firewalls for each box... ;) This also sort of depends on whether the firewall is intended to protect your machines, or the machines of your clients (which you can't secure yourself)...

> What will be a
> sensible security conscious solution to this kind of problem.
>
> Thanks and sorry if I am being trivial.

I don't think this issue is trivial at all..

Visigoth

Damieon Stark
Sr. Unix Systems Administrator
visigoth@telemere.net
____________________________________________________________________________
| - M$ Win 2K was built for the internet.   |
| - Unix _BUILT_ the internet.              | FreeBSD - The POWER to serve
| http://www.freebsd.org your call...       |
| How do I set this laser printer to stun?  |
----------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
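Worked example added by the editor; it is not code from nstreams, from the FreeBSD ports tree, or from anyone in this thread. It does in a few dozen lines what the port description above and Visigoth's "tcpdump homework" suggestion describe: read `tcpdump -n` text output, keep only the client-to-server streams, and print an ipfw rule set that allows exactly those streams and denies everything else. The capture it parses is constructed for the example (documentation address ranges, not real hosts) and includes the two VPN flavours the original poster mentions: PPTP, which needs the TCP 1723 control connection plus GRE (IP protocol 47), and IPsec, which needs UDP 500 for ISAKMP plus ESP (protocol 50) or AH (51). Everything beyond those protocol facts is the script's own assumption: GRE and ESP carry no ports, so it pairs each tunnel with the host that also served the control channel to decide which side is the VPN server; for UDP it takes the first packet of a pair as the request; and the emitted syntax is the FreeBSD 3.x `add <num> allow ... setup` form of ipfw(8).

```python
"""Derive a default-deny ipfw(8) rule set from the streams seen in tcpdump output.

Added example; a toy re-implementation of the idea behind nstreams, not its code.
Parses `tcpdump -n` text, keeps only client->server streams, and emits one allow
rule per observed service followed by a catch-all deny.
"""
import re
from collections import defaultdict

# Constructed sample capture (addresses are assumptions): two dialup users
# reaching the ISP's mail/web and DNS servers, one PPTP session (TCP 1723
# control channel plus GRE) and one IPsec session (UDP 500 ISAKMP plus ESP).
SAMPLE_CAPTURE = """\
11:19:25.000001 IP 10.9.1.20.3456 > 192.0.2.10.25: Flags [S], seq 1, win 8192, length 0
11:19:25.000002 IP 192.0.2.10.25 > 10.9.1.20.3456: Flags [S.], seq 2, ack 2, win 8192, length 0
11:19:25.000003 IP 10.9.1.20.3457 > 192.0.2.10.80: Flags [S], seq 3, win 8192, length 0
11:19:25.000004 IP 10.9.1.21.1029 > 192.0.2.11.53: 1234+ A? example.net. (29)
11:19:25.000005 IP 192.0.2.11.53 > 10.9.1.21.1029: 1234 1/0/0 A 203.0.113.7 (45)
11:19:25.000006 IP 10.9.1.20.3458 > 203.0.113.5.1723: Flags [S], seq 4, win 8192, length 0
11:19:25.000007 IP 10.9.1.20 > 203.0.113.5: GREv1, call 1, seq 1, length 60
11:19:25.000008 IP 203.0.113.5 > 10.9.1.20: GREv1, call 1, ack 1, length 12
11:19:25.000009 IP 10.9.1.21.500 > 198.51.100.9.500: isakmp: phase 1 I ident
11:19:25.000010 IP 198.51.100.9.500 > 10.9.1.21.500: isakmp: phase 1 R ident
11:19:25.000011 IP 10.9.1.21 > 198.51.100.9: ESP(spi=0x0000a1b2,seq=0x1), length 100
11:19:25.000012 IP 198.51.100.9 > 10.9.1.21: ESP(spi=0x0000c3d4,seq=0x1), length 100
"""

# "<time> [IP ]<src[.port]> > <dst[.port]>: <rest>"; the "IP " token is absent in tcpdump 3.x output
LINE_RE = re.compile(r"^\S+ (?:IP )?(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$")
OLD_TCP_RE = re.compile(r"^([SFRPWE.]+) ")   # tcpdump 3.x TCP lines start with the flag letters: "S 1:1(0) win 8192"


def split_host_port(token):
    """'192.0.2.10.25' -> ('192.0.2.10', 25); a bare address -> (address, None)."""
    parts = token.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (token, None)


def classify(rest, sport, dport):
    """Return (proto, is_tcp_initiator) for one packet, or (None, None) if unsupported."""
    new = rest.startswith("Flags [")
    old = OLD_TCP_RE.match(rest)
    if new or old:
        # Only a pure SYN marks the client side; "[S.]" (new) / "S ... ack" (old) is the SYN/ACK reply.
        syn = rest.startswith("Flags [S],") if new else (old.group(1) == "S" and " ack " not in rest)
        return "tcp", syn
    for prefix, proto in (("GRE", "gre"), ("ESP(", "esp"), ("AH(", "ah")):
        if rest.startswith(prefix):
            return proto, None
    if sport is not None and dport is not None:
        return "udp", None      # tcpdump names UDP payloads (domain, isakmp, ...) rather than flagging them
    return None, None           # icmp and other traffic: out of scope here


def extract_streams(capture_text):
    """Map (proto, server, port) -> set of client addresses for every client->server stream."""
    streams = defaultdict(set)
    seen_udp, stateless = set(), []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_host_port(m.group("src"))
        dst, dport = split_host_port(m.group("dst"))
        proto, syn = classify(m.group("rest"), sport, dport)
        if proto == "tcp" and syn:
            streams[("tcp", dst, dport)].add(src)
        elif proto == "udp":
            # No handshake: the first packet of a pair is taken as the request and the
            # reverse 4-tuple as its reply (good enough for DNS/ISAKMP-style traffic).
            if (dst, dport, src, sport) in seen_udp:
                continue
            seen_udp.add((src, sport, dst, dport))
            streams[("udp", dst, dport)].add(src)
        elif proto in ("gre", "esp", "ah"):
            stateless.append((proto, src, dst))   # no ports, no state; decide the server side below
    servers = {host for (_, host, _) in streams}
    for proto, a, b in stateless:
        # Assumption: the tunnel endpoint is the host that also serves the control channel
        # (TCP 1723 for PPTP, UDP 500 for IPsec); otherwise fall back to the packet's destination.
        server = a if (a in servers and b not in servers) else b
        streams[(proto, server, None)].add(b if server == a else a)
    return dict(streams)


def ipfw_rules(streams, start=1000, step=100):
    """Render streams as ipfw rules (FreeBSD 3.x syntax) ending in a logged default deny."""
    rules = ["add %d allow tcp from any to any established" % start]   # replies to permitted TCP
    n = start + step
    for (proto, host, port), _clients in sorted(streams.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or 0)):
        if proto == "tcp":
            rules.append("add %d allow tcp from any to %s %d setup" % (n, host, port))
        elif proto == "udp":
            rules.append("add %d allow udp from any to %s %d" % (n, host, port))
            rules.append("add %d allow udp from %s %d to any" % (n + 1, host, port))
        else:   # gre / esp / ah: no ports and no state, so both directions must be allowed
            rules.append("add %d allow %s from any to %s" % (n, proto, host))
            rules.append("add %d allow %s from %s to any" % (n + 1, proto, host))
        n += step
    rules.append("add 65000 deny log ip from any to any")
    return rules


if __name__ == "__main__":
    print("\n".join(ipfw_rules(extract_streams(SAMPLE_CAPTURE))))
```

Run it as a script to print the rule list for the sample capture, or pass real `tcpdump -n` text to `extract_streams` and inspect the client sets before turning them into rules. Two caveats a practitioner should keep in mind: a capture only proves what users did during the capture window, so rules derived this way have to be regenerated whenever a corporate VPN endpoint changes, which is exactly the operational cost the original poster is worried about; and the leading `established` rule in the ipfw of that era is stateless, matching any TCP packet with the ACK or RST bit set, so it is a convenience for return traffic, not a state table.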