# What is needed to make a Gentoo PC become a security server?

## SAngeli

Hi,

I have a small hotel business (6 PCs and 15 Internet access points) with ADSL as Internet.

I just purchased a CISCO 877 ADSL router so that I can take care of the Internet.

I now wish to take care of the following:

- create virtual LANs so that customers cannot see my office pc or servers and vice versa

- implement a firewall for my entire system

I see on the Internet several Firewall appliances that offer features like:

- firewall stateful-inspection;

- Port-forwarding and pin-holes;

- Proxy service;

- Internet access filter;

- URL filter;

- VoIP;

- VPN;

- IPSec Nat

- Anti-virus;

- Anti-spam;

- Intrusion Detection;

- Content filtering;

- QoS

Rather than purchasing one of those appliances is it possible to achieve all of the above and even more with Gentoo Linux? If so, please can you list what applications do I need to install?

As for hardware, is it correct that at least I would need two NICs (one for WAN and one for LAN)?

Thank you so much for your explanations,

Spiro

----------

## xces

*SAngeli wrote:*

> - firewall stateful-inspection;
>
> - Port-forwarding and pin-holes;


netfilter / iptables. Maybe shorewall as a configuration helper.

 *SAngeli wrote:*   

> - Proxy service;

 

squid

 *SAngeli wrote:*   

> - Internet access filter;

 

squidguard

 *SAngeli wrote:*   

> - URL filter;

 

Uhm, squidguard maybe.

 *SAngeli wrote:*   

> - VoIP;

 

Asterisk

 *SAngeli wrote:*   

> - VPN;

 

OpenVPN or IPSec

 *SAngeli wrote:*   

> - IPSec Nat

 

Yes.

 *SAngeli wrote:*   

> - Anti-virus;

 

ClamAV

 *SAngeli wrote:*   

> - Anti-spam;

 

dspam

 *SAngeli wrote:*   

> - Intrusion Detection;

 

snort

 *SAngeli wrote:*   

> - Content filtering;

 

?

 *SAngeli wrote:*   

> - QoS

 

tc / iproute2

 *SAngeli wrote:*   

> As for hardware, is it correct that at least I would need two NICs (one for WAN and one for LAN)?

 

Basically, if your ADSL router takes care of it you don't need a second NIC. If all of the network traffic should be filtered on this computer, a second NIC is quite practical for separating the different networks (LAN and the Internet).

----------

## think4urs11

*SAngeli wrote:*

> - firewall stateful-inspection;
>
> - Port-forwarding and pin-holes;


iptables

 *SAngeli wrote:*   

> - Proxy service;
> 
> - Internet access filter;
> 
> - URL filter;
> ...

 

squid+dansguardian
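
A concrete version of the iptables answers from xces and think4urs11 above, as an added example that is not from any poster in this thread: a script that emits a stateful netfilter ruleset for a two-NIC Gentoo box, with the office LAN on one NIC and the guest access points on an 802.1Q VLAN subinterface, keeping the two isolated while both reach the Internet through the Cisco 877, plus one port-forward (pin-hole) to an office server. The interface names, VLAN id and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit a netfilter ruleset for a two-NIC
# Gentoo box that separates the hotel's office LAN from the guest VLAN.
# Interface names, VLAN id and addresses below are assumptions for illustration.
WAN=eth0          # towards the Cisco 877 and the Internet
LAN=eth1          # office PCs and servers (untagged)
GUEST=eth1.20     # guest access points on 802.1Q VLAN 20 (subinterface of eth1)
LAN_NET=192.168.10.0/24
GUEST_NET=192.168.20.0/24
WEB_SRV=192.168.10.5   # office server exposed through one pin-hole

# Print rules in iptables-restore format; apply with: gen_rules | iptables-restore
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# pin-hole: HTTPS arriving on the WAN side is forwarded to the office web server
-A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to-destination $WEB_SRV:443
# both internal networks share the single WAN address
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh management only from the office LAN, never from guests or the WAN
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# stateful inspection: replies to flows already accepted pass in either direction
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# isolation: guests and office may never open connections to each other
-A FORWARD -i $GUEST -o $LAN -j DROP
-A FORWARD -i $LAN -o $GUEST -j DROP
# both networks reach the Internet; the source check blocks spoofed addresses
-A FORWARD -i $LAN -s $LAN_NET -o $WAN -j ACCEPT
-A FORWARD -i $GUEST -s $GUEST_NET -o $WAN -j ACCEPT
# the only new connection accepted from the WAN is the pin-hole above
-A FORWARD -i $WAN -o $LAN -d $WEB_SRV -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# anything else is logged (rate-limited) and dropped by the chain policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}
```

The guest VLAN subinterface itself is created with the 8021q module (`ip link add link eth1 name eth1.20 type vlan id 20`) and the matching tagged port configured on the switch; the logged `fw-drop:` lines are what to watch when something legitimately stops working.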

----------

## SAngeli

So,

it is possible to achieve all that appliances provide without having to spend a lot of money to purchase them.

How does my CISCO 877 integrate with what I wish to achieve?

Can someone please help me identify what is best to let CISCO 877 do and what else (firewall portion and more) can be done through a dedicated Gentoo PC?

Keep in mind that the most important part that I need the most is:

- DHCP (I was thinking to let CISCO manage it so that I can avoid hypothetical server downtime for failures);

- Virtual LAN so that I can decide how network traffic is managed inside my business;

Below you can find some specs from the above link that describes this router:

Routing Protocols and General Router Features

- Routing Information Protocol (RIPv1 and RIPv2)
- Layer 2 Tunneling Protocol (L2TP)
- Cisco Express Forwarding (CEF)
- Port Address Translation (PAT)
- RFC 1483/2684
- Point-to-Point Protocol over ATM (PPoA) (DSL models only)
- PPP over Ethernet (PPPoE)
- 802.1d Spanning Tree Protocol (STP)
- Dynamic Host Control Protocol (DHCP) server/relay/client
- Access control lists (ACLs)
- Generic routing encapsulation (GRE)
- Dynamic DNS Support for Cisco IOS

IPv6 Features (Supported with Advanced IP services feature set)

- IPv6 addressing architecture
- IPv6 name resolution
- IPv6 statistics
- IPv6 translation-transport packets between IPv6-only and IPv4-only endpoints
- ICMPv6
- IPv6 DHCP

Security Features

- Stateful Inspection Firewall
- Bridging firewall (Cisco 871 only)
- NAT transparency
- Firewall support for skinny clients
- Hardware-accelerated 3DES for IPSec
- Hardware-accelerated AES for IPSec
- Cisco Easy VPN Client and Server
- IPSec 3DES termination/initiation
- IPSec passthrough
- Point-to-Point Tunneling Protocol (PPTP) passthrough
- L2TP passthrough
- 802.1X
- Secure HTTP (HTTPS), FTP, and Telnet authentication proxies
- 10 VPN Tunnels
- Advanced Application Inspection and Control
- E-mail Inspection Engine
- No Service Password Recovery
- HTTP Inspection Engine
- System Logging-EAL4 Certification Enhancements
- Easy VPN Remote Web Based Activation

QoS Features

- Weighted Fair Queuing (WFQ)
- Class-Based WFQ (CBWFQ)
- Low-Latency Queuing (LLQ)
- Class-Based Traffic Shaping (CBTS) (Cisco 871 only)
- Class-Based Traffic Policing (CBTP) (Cisco 876, 877, and 878 only)
- Class-Based QoS MIB
- Prefragment before encryption
- TX ring adjustment
- VC bundling
- Policy-based routing (PBR)
- Per-VC queuing
- Per-VC traffic shaping

Thank you,

Spiro

----------

