The following archives are provided as a public service to the community. Opinions archived here do not necessarily represent the opinions of Open for Business or its contributors.
On Monday 27 December 2004 09:07 pm, Ed Hurst wrote:
> This is on my blog, so you can respond there, too.
> ---------------------------------------------------
>
> Your Mission
>
> Let's pretend that someone is offering you a suitable sum of money for a
> project. They have 9 computers on an internal network. Due to the nature
> of their business, there are no Open Source applications for their
> software requirements -- some obscure engineering stuff. Indeed, the
> latest release of their software means all their machines will have to
> run XP. However, they wish to run a gateway/firewall on Linux/Unix. This
> server will also provide mail, with spam-blocking, and PHP/SQL webpage
> service. When the technicians are on the road, they need to login and
> gain access to the file server (XP) behind the firewall. You may assume
> they will login to the gateway first, then login again to the
> fileserver. No one else in the whole world needs to even know about
> what's behind that gateway server. There will be a static IP and T1
> service.
>
> Outline how you would set this up, and respond in the comments. It would
> be good if you explain why you favor this or that OS for the gateway.

First of all, I would not do it that way. I would put everything BEHIND a VPN router/firewall, with the mail and web server in the DMZ, and tunnel into the XP server.

Sort of like this:

http://www.smoothwall.net/products/smoothtunnel/

"SmoothWall Corporate Server is a modular firewall system, converting a standard Pentium™ class PC into a dedicated hardware firewall appliance. Mid-range in terms of features and performance, Corporate Server can support networks of many hundreds of computers. Designed for ease of installation and configuration, it is especially suitable for small to medium size organisations that do not have specialist security staff. Corporate Server incorporates stateful inspection technology and an Intrusion Detection System (IDS).

The modular design allows customers to extend the firewall to provide features including Virtual Private Networking (VPN), Web Content Filtering and Bandwidth Management.

Corporate Server includes a specialised security hardened version of the Linux operating system, which is inherently more secure than a general purpose operating system. Unlike many Linux products, users are not expected to have any knowledge of Linux; once installed all configuration is performed via a user friendly Graphical User Interface from any web browser. Corporate Server can be installed, configured and working in less than 10 minutes.

The default Corporate Server installation is intrinsically secure; all external traffic is blocked unless it is in response to outgoing traffic, such as a reply from a web site to a browser request for a page. If Internet facing computers, such as web or email servers, are to be supported then paths have to be specifically opened through the firewall to these servers.

Corporate Server will act as an Internet gateway for all the user computers on the local network - PCs running Microsoft Windows® 95/98/ME, Windows NT/2000/XP, Mac OS, Linux or Unix; all are easily configured to connect to the Internet via SmoothWall. Corporate Server supports a wide range of Internet connections including leased lines via Ethernet routers, ADSL, ISDN, analogue and cable modems."

http://www.smoothwall.net/products/corporateserver/

So, do I get the job?

--
peace,
Alvin Smith
http://www.alvinsmith.com