Securing-Optimizing-RH-Linux-1_2_103
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
103
Linux IPCHAINS
Overview
Can someone tell me why I might want something like a commercial firewall product rather than
just using IPchains and restricting certain packets and stuff? What am I losing by using IPchains?
There is undoubtedly room for debate on this, but IPchains is as good as, and most of the time
better than, commercial firewall packages from a functionality and support standpoint. You will
probably have more insight into what's going on in your network using IPchains than with a
commercial solution. That being said, a lot of corporate types want to tell their shareholders,
CEO/CTO, etc. that they have the backing of a reputable security software company. The firewall
could be doing nothing more than passing through all traffic and the corporate type would still be
more comfortable than having to rely on the geeky guy in the corner cube who gets grumpy if you
turn the light on before noon.
In the end, a lot of companies want to be able to turn around and demand some sort of restitution
from a vendor if the network is breached, whether or not they would actually get anything or even try.
All they can typically do with an open source solution is fire the guy who implemented it. At least
some of the commercial firewalls are based on Linux or something similar. It is quite probable that
IPchains is secure enough for you, but not for those engaging in serious amounts of high-stakes bond
trading. Doing a cost/benefit analysis and asking a lot of pertinent questions is recommended
before spending serious money on a $$$$ firewall; otherwise you may end up with something
inferior to your IPchains tool. Quite a few of the NT firewalls are likely to be no better than
IPchains, and the general consensus on bugtraq and NT bugtraq is that NT is *far too
insecure* to be a serious firewall.
What is a Network Firewall Security Policy?
A network firewall security policy defines which services will be explicitly allowed or denied,
how those services may be used, and the exceptions to these rules. An organization's overall
security policy must be determined according to a security analysis and a business needs analysis.
Since a firewall relates to network security only, it has little value unless the overall
security policy is properly defined. Every rule in the network firewall security policy should be
implemented on the firewall. Generally, a firewall uses one of the following two methods.
Everything not specifically permitted is denied
This approach blocks all traffic between two networks except for those services and applications
that are explicitly permitted. Therefore, each desired service and application must be enabled one
by one. No service or application that might be a potential hole in the firewall should be
permitted. This is the most secure method: services and applications are denied unless explicitly
allowed by the administrator. On the other hand, from the users' point of view it may be more
restrictive and less convenient. This is the method we use in the firewall configuration files in
this book.
Everything not specifically denied is permitted
This approach allows all traffic between two networks except for those services and applications
that are explicitly denied. Therefore, each untrusted or potentially harmful service or application
must be denied one by one. Although this is a flexible and convenient method for the users, it can
cause serious security problems.
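The two methods above, written out as ipchains rules for a host that only offers SSH to the outside and itself needs DNS and outbound HTTP. This is an added example, not the book's own firewall script; the interface name, host address and resolver address are assumed values, and the rules are printed rather than loaded unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example: "everything not specifically permitted is denied" with ipchains.
EXT_IF=${EXT_IF:-eth0}               # assumed external interface
IPADDR=${IPADDR:-192.0.2.10}         # assumed host address (documentation range)
NAMESERVER=${NAMESERVER:-192.0.2.53} # assumed resolver
ANYWHERE=0/0
UNPRIV=1024:65535
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Rules are printed by default; set APPLY=1 to load them into the kernel.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPCHAINS" "$@"; else echo "ipchains $*"; fi
}

default_deny_policy() {
    run -F                            # start from empty chains
    run -P input DENY                 # default policy: drop whatever no rule accepts
    run -P output DENY
    run -P forward DENY
    run -A input  -i lo -j ACCEPT     # loopback traffic is always allowed
    run -A output -i lo -j ACCEPT
    # Anti-spoofing: a packet claiming our own address must not arrive on $EXT_IF
    run -A input -i "$EXT_IF" -s "$IPADDR" -j DENY -l
    # Inbound SSH: new connections (SYN) in, and the rest of each session out (never SYN)
    run -A input  -i "$EXT_IF" -p tcp -s $ANYWHERE $UNPRIV -d "$IPADDR" 22 -j ACCEPT
    run -A output -i "$EXT_IF" -p tcp ! -y -s "$IPADDR" 22 -d $ANYWHERE $UNPRIV -j ACCEPT
    # Outbound HTTP: we may open connections; replies coming back must not carry SYN
    run -A output -i "$EXT_IF" -p tcp -s "$IPADDR" $UNPRIV -d $ANYWHERE 80 -j ACCEPT
    run -A input  -i "$EXT_IF" -p tcp ! -y -s $ANYWHERE 80 -d "$IPADDR" $UNPRIV -j ACCEPT
    # DNS lookups, only to the configured resolver (UDP)
    run -A output -i "$EXT_IF" -p udp -s "$IPADDR" $UNPRIV -d "$NAMESERVER" 53 -j ACCEPT
    run -A input  -i "$EXT_IF" -p udp -s "$NAMESERVER" 53 -d "$IPADDR" $UNPRIV -j ACCEPT
    # Everything else falls through to the DENY policy; log it so the gaps stay visible
    run -A input  -i "$EXT_IF" -j DENY -l
    run -A output -i "$EXT_IF" -j DENY -l
}

# The contrasting "everything not specifically denied is permitted" method:
# accept by default and block unwanted services one at a time (here: telnet).
default_allow_policy() {
    run -F
    run -P input ACCEPT
    run -P output ACCEPT
    run -P forward DENY
    run -A input -i "$EXT_IF" -p tcp -d "$IPADDR" 23 -j DENY -l
}

default_deny_policy
```

Note how the default-deny version has to list both directions of every permitted service, while the default-allow version only names what it blocks and silently admits everything the administrator forgot to list.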
What is Packet Filtering?
Packet Filtering is the type of firewall built into the Linux kernel. A filtering firewall works at the
network level. Data is only allowed to leave the system if the firewall rules allow it. As packets