I am a student and total N00b working on a project to create a Linux Firewall/Router box to protect our school Lab Network.
I just started looking into colinux, and am wondering if this would be a good idea....to create a firewall/router linux box using Debian, colinux, and WindowsXP. Would this be secure?
Can I lock down windows using the SP2 firewall, and have all traffic controlled by Debian in my Firewall box use? Or would I be better off having a separate Linux box.
The reason having both OSs is the fact that WindowsXP and Linux have to both be available. I am installing Camera's which will work off of the Windows portion, and the Firewall/Router will run on the linux portion of the colinux install.
Is this possible? Is it a good idea? Would it work?
Please help the N00b.
Cheers,
Cavemancanada
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Possible, yes. A good idea probably not. The whole idea of a firewall is to have a physical separation between the internet and the intranet. Traditionally, firewall's were done with proxies on physically separate servers with two network cards. One card would be connected to the internet and the other to the intranet. The idea being that in order for packets to get from one to the other they would have to pass through the firewall software. The only machine a hacker could attempt to gain access to would be the firewall server, so that was the only one that needed to be heavily monitored. Typically the firewall servers would be locked down by only running essential firewall services and only allowing access by an administrator using a direct console login or a hardwired serial line.
While this traditional approach was very secure, it was inadequate for protecting against attacks that originate from within the intranet. For example, if someone received a virus on their machine, the virus could spread easily within the intranet.
Now days often just a software component running on a non-dedicated server is used as a firewall. The fundamental idea is the same, all network traffic must pass through firewall software. However, this is inherently less secure from external attack, because the hacker can attempt to exploit holes in the kernel which directly effect the intranet user. It is also less secure, because other people have access to the machine.
If you route your traffic through windows to coLinux and then back to windows you are even less secure. Hackers may attempt to hack either the coLinux or windows to break the firewall.
I do not know what to suggest for your school project, since I do not know what guidelines you are working under or resources you have available. However, for small business and home use, I normally recommend a double buffered firewall approach. Use a router with a good NAT firewall built-in to block a majority of the internet traffic. Then for maximum security on each machine connected to the router install firewall software that will filter both outgoing and incoming traffic. You want to filter incoming traffic in case someone breaks your router firewall, or one your internal machines is hacked. You want to monitor outgoing traffic to detect if the machine you are using has been hacked. For example, if your computer becomes infected with a virus that attempts to login to connect to another machine, your firewall software should be able to block the outgoing traffic.
Bill
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
No. You can not force windows to use your coLinux network as outgoing (firewalled) and as incoming to forward to colinux in same time. This is a paradoxon.
Some tricky configurations with coLinux network input on a bridget ethernet adapter and a output to a TAP adapter, you can use colinux as router. But windows can all times bypass it. For sample the coLinux is one task in your windows, that would bypas your rules and need to outgoing on your lan adapter directly.
But you can insert two lan cards in a windows box, run colinux on it and create two bridged lan adapters to create such firewall. In this idea I woud ask: Why you not run linux directly?
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I am a student and total N00b working on a project to create a Linux Firewall/Router box to protect our school Lab Network.
I just started looking into colinux, and am wondering if this would be a good idea....to create a firewall/router linux box using Debian, colinux, and WindowsXP. Would this be secure?
Can I lock down windows using the SP2 firewall, and have all traffic controlled by Debian in my Firewall box use? Or would I be better off having a separate Linux box.
The reason having both OSs is the fact that WindowsXP and Linux have to both be available. I am installing Camera's which will work off of the Windows portion, and the Firewall/Router will run on the linux portion of the colinux install.
Is this possible? Is it a good idea? Would it work?
Please help the N00b.
Cheers,
Cavemancanada
Possible, yes. A good idea probably not. The whole idea of a firewall is to have a physical separation between the internet and the intranet. Traditionally, firewall's were done with proxies on physically separate servers with two network cards. One card would be connected to the internet and the other to the intranet. The idea being that in order for packets to get from one to the other they would have to pass through the firewall software. The only machine a hacker could attempt to gain access to would be the firewall server, so that was the only one that needed to be heavily monitored. Typically the firewall servers would be locked down by only running essential firewall services and only allowing access by an administrator using a direct console login or a hardwired serial line.
While this traditional approach was very secure, it was inadequate for protecting against attacks that originate from within the intranet. For example, if someone received a virus on their machine, the virus could spread easily within the intranet.
Now days often just a software component running on a non-dedicated server is used as a firewall. The fundamental idea is the same, all network traffic must pass through firewall software. However, this is inherently less secure from external attack, because the hacker can attempt to exploit holes in the kernel which directly effect the intranet user. It is also less secure, because other people have access to the machine.
If you route your traffic through windows to coLinux and then back to windows you are even less secure. Hackers may attempt to hack either the coLinux or windows to break the firewall.
I do not know what to suggest for your school project, since I do not know what guidelines you are working under or resources you have available. However, for small business and home use, I normally recommend a double buffered firewall approach. Use a router with a good NAT firewall built-in to block a majority of the internet traffic. Then for maximum security on each machine connected to the router install firewall software that will filter both outgoing and incoming traffic. You want to filter incoming traffic in case someone breaks your router firewall, or one your internal machines is hacked. You want to monitor outgoing traffic to detect if the machine you are using has been hacked. For example, if your computer becomes infected with a virus that attempts to login to connect to another machine, your firewall software should be able to block the outgoing traffic.
Bill
No. You can not force windows to use your coLinux network as outgoing (firewalled) and as incoming to forward to colinux in same time. This is a paradoxon.
Some tricky configurations with coLinux network input on a bridget ethernet adapter and a output to a TAP adapter, you can use colinux as router. But windows can all times bypass it. For sample the coLinux is one task in your windows, that would bypas your rules and need to outgoing on your lan adapter directly.
But you can insert two lan cards in a windows box, run colinux on it and create two bridged lan adapters to create such firewall. In this idea I woud ask: Why you not run linux directly?