This article is the first in a three-part series that provides a blueprint for setting up a multifunctional firewall and server. You'll want to do this if you don't want to spend the resources to have one computer act as a Web server, another as a print server, yet another as a firewall, and so on. Whether you're concerned about increasing the security level at your small business or setting up a firewall and IP Masquerading server at home, these articles will show you the steps we took to replace an old server with a multifunction server and firewall. After reading the series, you should be able to configure a functional firewall and server that provides basic Internet services while maintaining a moderate level of security.

We will use the systems we set up for one of our clients as our example configuration. The client shop had a Linux-based GNU system as its main server and firewall. The box was an old 486 running Red Hat 5.2, upgraded from 5.1. Over time, its duties had grown from simply mail service to Web, anonymous FTP, login, and CVS (source code revision control) serving. Two years ago, it was compromised twice -- with minimal damage, but several work days lost in cleanup. Further, the old machine (we'll call it plains.example.com) was too slow for all the services it offered -- and our client wanted to add more.

Security analysis

Before deciding what to do, we performed a simple security needs analysis. Our client is a small software engineering firm with virtually no valuable hardware. Its primary asset is its source code and hence the primary risk is the loss or damage of that source code. The client's second main risk is the amount of time that would be wasted in cleaning up after a break-in: finding backdoors and eliminating them, reinstalling operating systems, analyzing logs, and so on.

To manage those risks, we decided to take several steps. First, we would separate the CVS server function from the firewall function, thus rendering the client's source code less vulnerable. We would institute nightly backups of the source code in order to minimize potential losses. Finally, we would improve overall site security by installing a new firewall with fewer services to compromise.

This series of articles will tell the story of that firewall, which we'll call wolf.example.com.

Choosing an OS and distribution

There are clearly many candidate operating systems to choose from, both free and nonfree, as well as some commercial firewall appliances. We decided to go open source (cheap) and multifunctional (real operating system). We considered several flavors of Linux and one of BSD.

OpenBSD has the best security reputation of any operating system. However, we were unfamiliar

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine