
The Becsta.NET Security Page

This page will be dedicated to all things related to IT security - more specifically, my little corner of it. My hope is that this page will be informative, interesting, and relevant, by providing examples and links. First, though, I want to rant about various IT topics, mostly ones relating to or impacting on security.

The First Rant - My Home Network
The Second Rant - Privacy on the Internet
The Third Rant - The Sad State of Security Patches
The Fourth Rant - The Software Quality Saga
The Last Rant - I think I've ranted on for long enough...

Right, now that I've had my say, let's continue...

Firewalling

If you've read my First Rant above, one of the risks I identified was a general compromise of my home network. To mitigate this risk, I have installed firewall technology on my gateway. At the moment, the firewall is simply a set of ipchains rules - basic packet filtering. The firewalling technology for Linux changed with the 2.3 development kernel release to iptables, which introduces stateful inspection. I will eventually upgrade my firewall configuration to use iptables, but for now the ipchains firewall is working fine. Why does the Linux firewalling technology keep changing? Up to the 2.2 series kernels we had IP masquerading, then we had ipchains, now we have iptables - what next?

Because my home network is not a permanent fixture on the Internet, I only allow a basic set of inbound connections:

SSH - Secure Shell, so I can connect to a shell on my gateway from places on the Internet, with SSH providing the end-to-end encryption. Don't ever use telnet for this.
DNS - Allow inbound DNS replies from upstream DNS servers.
NTP - Allow NTP replies from a defined set of NTP servers on the Internet.
ICMP - Allow a defined set of ICMP message types through.

All other protocols are dropped. I don't allow HTTP connections to my home network, as that would violate the Telstra ADSL AUP. I don't have any disk space for an FTP server, so what's the point of running one?
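As an added illustration (not the author's own ruleset), here is an ipchains script that implements the inbound policy listed above; the external interface and the resolver and NTP addresses are placeholders, and the rule accepting non-SYN TCP segments is my addition so that connections opened from the gateway still get their replies through a stateless filter:

```shell
#!/bin/sh
# Constructed ipchains ruleset for a gateway that accepts only SSH, DNS and NTP
# replies, and a few ICMP types from its external interface. Placeholders:
EXT_IF="${EXT_IF:-ppp0}"                           # external (dialup) interface
DNS_SERVERS="${DNS_SERVERS:-192.0.2.1 192.0.2.2}"   # upstream resolvers (documentation addresses)
NTP_SERVERS="${NTP_SERVERS:-198.51.100.10}"         # the defined set of NTP servers
ICMP_ALLOWED="echo-reply destination-unreachable time-exceeded"

# Emit the rules rather than run them, so the set can be reviewed first and
# then applied with:  gen_rules | sh
gen_rules() {
    echo "ipchains -F input"
    echo "ipchains -P input DENY"        # default: silently drop anything not listed below
    echo "ipchains -A input -i lo -j ACCEPT"
    # SSH is the only inbound TCP connection (SYN) ever accepted.
    echo "ipchains -A input -i $EXT_IF -p tcp -d 0/0 22 -y -j ACCEPT"
    # Replies to connections the gateway opened itself. ipchains keeps no state,
    # so the best it can do is accept any non-SYN segment; this is exactly the
    # gap that iptables' connection tracking closes.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    # DNS replies only from the configured upstream resolvers, to client ports.
    for s in $DNS_SERVERS; do
        echo "ipchains -A input -i $EXT_IF -p udp -s $s 53 -d 0/0 1024:65535 -j ACCEPT"
    done
    # NTP replies only from the defined NTP peers.
    for s in $NTP_SERVERS; do
        echo "ipchains -A input -i $EXT_IF -p udp -s $s 123 -d 0/0 123 -j ACCEPT"
    done
    # A defined set of ICMP types; everything else ICMP falls to the default policy.
    for t in $ICMP_ALLOWED; do
        echo "ipchains -A input -i $EXT_IF -p icmp --icmp-type $t -j ACCEPT"
    done
    # Log whatever falls through, so the syslog is a record of probes as well.
    echo "ipchains -A input -i $EXT_IF -j DENY -l"
}

# Count generated rules matching a pattern (handy for a self-check before applying).
count_rules() { gen_rules | grep -c -- "$1"; }
```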

It is possible for an attacker to perform DoS attacks at the network layer; my only real defence is to drop my link and redial, which results in a new external IP address being issued.

Intrusion Detection

There are several forms of IDS available. I employ three methods of IDS on my gateway:

Network IDS - Network-level IDS involves capturing all of the packets on a network segment and examining them for attack "signatures".
Host-based IDS - Host-based IDS involves detecting changes to the host's operating system, data and log files.
Vigilance - This form of IDS involves the human eye: looking at logs and alerts, regular maintenance, applying patches, looking at differences between expected and actual operating patterns, etc.

I use Snort IDS for my network-level IDS protection, Tripwire for host-based IDS, and two very blue eyes for the vigilance-based IDS.

If you're interested in how to deploy an IDS at home, have a look at my IDS Howto page.

$Author: rebecca $ $Date: 2001/08/28 07:48:10 $ $Revision: 1.5 $