Hardening my LAN ... what route should I take?

svarreby · #1 8th March 2004, 03:05 PM

I am going to buy a cheap Duron/Celeron box next week who's only function would be to keep everything out of my LAN. I want to be able to set permissions for every digital packet that is destinated to my cables

What's the easiest way of accomplish this (ClarkConnect/IPCop/SmoothWall)?

Is it better to go the long way and start building it by hand (i.e install a stripped down distro and build it up from there)?

And if it's easy to set up, do I have to "thumb" on the security level?

What do I want to do? Well, pretty much everything I'm afraid

Firewall (IPTables), NAT, Routing, antivirus, anti-spam, squid ... you name it.

PS I'm no TCP/IP magician but I've got both time and motivation (and I'll hope that this will do it

Bana · #2 9th March 2004, 03:09 AM

Hmm, I would recommend smoothwall although it may not do ALL of the stuff you intend. If you have the time and ambition then I would Heartily suggest just slapping a minimal fedoraC1 install and building it together piece by piece, you will become the networking master and will be able to use it like a third arm to obey your wishes. If you don't have quite that much time you could install smoothwall and then poke around and see what is happening and try editing and configing it to your specs.

But by all means, if you are short on time and you want a slick, http interface, go with Smoothwall

(Now that I see the bottom line of your post

I would recommend the bottom up install, there's nothing like jumping headfirst into the river to find out whats in it)

Ug · #3 9th March 2004, 01:58 PM

(In English: you have more control that way)

Thoreau · #4 9th March 2004, 09:48 PM

smoothwall is rock solid, but it takes over the whole drive if you like it or not. Heard that Clark Connect is pretty to get going, is this true?

If you can going to go with the mini-FC1 install, and want to do Iptables, may i suggest doing it on paper 1st? No don't write out all the commands...just get everything in order. trust me it'll be easier.

Ug · #5 9th March 2004, 11:20 PM

Planning being the key, i think is what Thoreau is suggesting.

Jman · #6 10th March 2004, 01:59 AM

If you are using an existing distro, strip it down as much as possible. Only allow those services you need. In Fedora, System Settings > Server Settings > Services will help you switch these off. Use multiple firewalls if possible. Have a firewall on both the router machine and the clients. Run ethereal to determine what's on your network, and nmap to find out what ports are open.

In general, be as paranoid as possible. They're out to get you. Gotta go, have to check the defenses.

Ug · #7 10th March 2004, 02:21 PM

I suppose its one advantage of dial-up, that you get a different IP for every connection.

So it makes it hard for someone to specifically target you.

Prometheus · #8 18th March 2004, 08:52 PM

id personally go with smoothwall, because its setup right out of the box (so to speak). There arent as many options, but if you have the knowhow or the will, go for a stripped down distro. Then if you get bored, you can turn it into an FTP or a fileserver that people outside the network can see if you do it right