[VPN] Network Design for security.
cipherbk
cipherbk at yahoo.com
Sun Apr 27 00:30:11 EDT 2003
I've had great success setting up a box running OpenBSD or FreeBSD,
configuring it as a firewall running IPF(ilter) and disabling all
non-essential services (much easier than with linux, btw). This
firewall box also handles NAT functionality for an internal network.
Recently, OpenBSD's PF (packet filter) has been made available for
FreeBSD 5.0, and is a step above IPF.
If the Cisco is your gateway to the Internet, I'd configure the network
in this manner:
[2507] -- [BSD firewall] -- [Linksys] -- [Internal LAN nodes]
You'll need two NICs for the firewall, and a third if you want to run a
DMZ, i.e. if you want to run a server outside of your LAN; although
this significantly increases the complexity of the firewall
configuration.
An alternative is to use the NAT capability to redirect ports to a
server in your LAN, which provides better security overall and is
easier to implement. This would allow you to put the VPN gateway of
your choice behind the firewall. You can also configure the firewall
to be a VPN gateway as well.
You can use that old box of moderate capability just fine, no need to
upgrade it. That is, unless you plan on running the VPN on it; in that
case, you should beef it up a bit. All the more reason to run the VPN
on a linux (or BSD or even Windows) box behind the firewall and just
redirect a port to it.
After you get your firewall configured (yes, you'll have to read
documentation and learn how to make and tweak rulesets), you should
install Nmap to scan it for open ports. You can go to
http://crypto.yashy.com and scroll to the bottom and there's a
self-scan option that uses Nmap to scan your firewall.
If you were strictly a Windows user, ZoneAlarm would be the most
convenient solution. But, since you mentioned that you run linux,
dedicating an old box for firewall duty running OpenBSD or FreeBSD
would be the most secure solution without spending any cash on
expensive hardware firewalls, much more flexible and just as (if not
more) secure.
If you want to read up on BSD beforehand, check out http://bsdvault.net
which has lots of links and tutorials...
You should also look at the NSA guide for securing Cisco routers and
harden it up... It's long, but has good info. Google for it.
Good luck.
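The layout cipherbk recommends (BSD firewall doing NAT, with the VPN port redirected to a gateway inside the LAN, default deny everywhere else) written out as a pf ruleset. This is an added example, not code from the original post; it uses the nat/rdr syntax of FreeBSD's pf, and the interface names, the 192.168.1.0/24 LAN and the VPN gateway address 192.168.1.10 are assumed placeholders.

```pf
# Added example: pf.conf for the BSD firewall in the layout above.
# Interface names and addresses below are assumed placeholders.
ext_if  = "fxp0"            # NIC facing the Cisco 2507
int_if  = "fxp1"            # NIC facing the Linksys / internal LAN
int_net = "192.168.1.0/24"  # assumed internal subnet
vpn_gw  = "192.168.1.10"    # assumed FreeS/WAN host behind the firewall

# Normalise fragments before filtering
scrub in all

# NAT: everything leaving the LAN appears to come from the external address
nat on $ext_if from $int_net to any -> ($ext_if)

# Port redirection: hand IPsec (IKE on UDP 500, then ESP) to the VPN
# gateway inside the LAN; the firewall itself terminates no VPN.
rdr on $ext_if proto udp from any to ($ext_if) port 500 -> $vpn_gw port 500
rdr on $ext_if proto esp from any to ($ext_if) -> $vpn_gw
# For PoPToP instead, redirect TCP 1723 and GRE the same way:
# rdr on $ext_if proto tcp from any to ($ext_if) port 1723 -> $vpn_gw port 1723
# rdr on $ext_if proto gre from any to ($ext_if) -> $vpn_gw

# Filtering: pf evaluates rules last-match, so the block rules come first
# and only the explicit passes below override them.
block in  log all
block out log all
pass quick on lo0 all

# Drop packets arriving on the external NIC that claim an internal source
block in quick on $ext_if from $int_net to any

# Traffic the firewall itself or the LAN originates may go out, with state
pass out on $ext_if all keep state
pass in  on $int_if from $int_net to any keep state
pass out on $int_if all keep state

# Only the redirected VPN ports are accepted from the Internet; after rdr
# the destination is already the internal address, so match on $vpn_gw.
pass in on $ext_if proto udp from any to $vpn_gw port 500 keep state
pass in on $ext_if proto esp from any to $vpn_gw
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and confirm from outside (the Nmap self-scan mentioned above) that only UDP 500 answers.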
--- Garrett Sinfield <garrettsinfield at hotmail.com> wrote:
> Hello. Recently my network was hacked, and I'm planning on rebuilding my
> network (they hacked an outdated ftp server that I was unaware was
> running). I'm not sure if this should really be going on this mailing
> list, but I was wondering if anyone would know a decent network design
> that would implement great security.
>
> My home LAN currently consists of a cisco 2507 router (11.2 IOS, soon to
> upgrade IOS) linksys router (four port). A laptop running slackware, a box
> running win98, and two other boxes running linux (one box is in a serious
> need for an upgrade, but I don't have the funds to do it yet). My one box
> has three NIC cards in it as well, so it could be used as a router.
>
> I was just curious if anyone has a good idea for a network design that I
> could implement for maximum security. I'm currently somewhat clueless when
> it comes to networks. I'd also like to know where I should be placing the
> VPN, and whether or not I should be using PoPToP or FreeS/WAN.
>
> Any ideas or comments would be appreciated!
>
> Thanks
>
> Garrett Sinfield.