# Rethinking the concept of Firewall/Router/Lanserver

## Master One

It is about a small SOHO network. ATM there is a Vigor firewall-router between the ISP's xDSL modem & the local network. On the LAN there are three servers, running various services, a couple of Windows workstations/laptops (which I'd like to convert to Gentoo, once I find the time), some Linux workstations/laptops, and a wireless AP. All servers and Linux workstations run Gentoo Linux, and are protected using Shorewall. Necessary access from the internet is handled by having the needed ports open + NAT on the Vigor unit.

The problem now is that there are too many machines running 24/7, which comes down to a pretty high electricity bill for last year. So I'd like to cut down on the number of machines always on, by integrating more services into a single server, and by replacing the separate Vigor firewall-router with the mentioned server as well (not exactly because of its power consumption, but because of its limited functionality).

So this is what I have in mind:

No more separate Vigor firewall-router and running only two servers instead of three. This would mean I would take the most powerful machine of the present three servers (an IBM eServer x226 with two redundant power supplies connected to a UPS + one Xeon EM64T 3.0 GHz + 1 GB RAM + 3 hotswap SCSI discs running in a hardware RAID 5, which I would like to upgrade with a second Xeon processor + another GB of RAM + one more SCSI drive as a hot spare), install 2 additional NICs (so as to have 1x WAN + 1x DMZ + 1x LAN), let it act as the firewall-router, and have it run all necessary services (dnsmasq, local rsync server, http-replicator, samba, squid, privoxy, tor, apache2, MySQL, mail server, NFS server, OpenVPN, Snort, and whatever other services are needed on that LAN). The second server, which is a less powerful machine running mldonkey, samba, NFS server, zoneminder, fakeidentd, hylafax and some other things, would then run in the DMZ on the second NIC. The LAN on the third NIC of course.

The question now is whether it makes things any more insecure to run such a lot of services on the firewall-router machine. I would install hardened Gentoo on that server using hardened-sources, hardened toolchain, PaX/grsecurity, making full use of PIE/SSP, although I am not quite sure how stable that is on a 64-bit installation (-march=nocona), and I am thinking about giving each service its own chroot jail (is this useful for such a lot of services?).

I am not an iptables guru, that's why I am still unsure whether I should just use one of the available iptables firewall scripts and modify it to my needs, or if I should stick to Shorewall as the high-level iptables tool on that server. Concerning routing policy I am also not quite sure how to implement this solution, because we have 13 usable public IP addresses. I thought I would assign all public IP addresses to the external interface, and do all the rest with NAT (instead of using Proxy ARP, as explained in the three-interfaces Shorewall tutorial).

My project seems a little complicated, but in the long run I hope it will mean less administration, compared to having to take care of a third server and the Vigor firewall-router as well.

Is my planned solution a bad idea, concerning security?

I was always unsure about how many services should run on a single machine, that's why I actually have apache2 + MySQL on the second of the three servers, because I thought it would be safer: if that machine (which is accessible from the net on ports 80 & 443) should get hacked, the hacker at least would not be able to access any data on the other two servers. But now it seems more logical to me that it would be even safer to have apache2 & MySQL (used as a production environment for a webshop) simply run in two different chroot jails on the firewall-router machine.

Any ideas concerning this scenario are highly appreciated.

----------

## radulucian

Sorry, I am not able to allocate more time to this answer, but here is what I can say ATM:

Why not place the main firewall on the less powerful server and add only non-critical, non-intensive processes there, and route all requests for public services to the second server, which can then hold most of the critical, intensive processes and also get more security from its logical position in your network. Of course, I would run a decent firewall on that system as well, with really strict rules and (eventually) no access on ports used for remote access from the internet-connected firewall.

One could say that this is an overall worse solution for your network as a whole, but it is obvious that the security on the critical processes is a lot tighter.

Hope this helps.

And please do let me know about the final network chart and application/service landscape, as I am curious what your final take on this is, and it could also give good ideas to others.

----------

## magic919

*Master One wrote:*

> Is my planned solution a bad idea, concerning security?
>
> Any ideas concerning this scenario are highly appreciated.

Yes.

It's a bad idea.

----------

## radulucian

magic919, people are used to watching the topics they write on, to learn stuff.

Now, I understand you are waaay above these small-talk topics, but at least for that reason you could refrain from posting empty messages.

When he asks if it's a bad idea, he expects a positive answer, but he also expects reasons.

Could you provide some details, or after you post 930 messages on the Gentoo topic are you so blazed that you no longer need to be decent??

magic!

----------

## magic919

Maybe you could stick to the topic, rather than make misguided and mis-informed personal commentary.

Thanks.

----------

## think4urs11

*Master One wrote:*

> ...a lot of ideas...

Better idea from a security point of view:

Use one of your low-powered servers to be the firewall. (Even a 486 should be able to handle 2-3Mbit ADSL with ease).

Three interfaces should be fine. Best would be if this machine *only* runs iptables, not even ssh - use a console connection for administering this machine. It is always best to separate services physically. A machine only running iptables (properly set up) is a tough enemy - a blown-up "I'll do everything except cooking coffee" box is ... well ... .

If an attacker compromises your firewall (in your scenario) he'd have everything at once: user database, web content, mail database etc.

Use a second machine in a DMZ hosting every service which needs to be accessible from the internet (web server, mail server etc). On a third machine host all services like authentication (ldap), vpn (openvpn), database (mysql), nfs, samba, http-replicator etc. This machine will be connected to your internal LAN.

Or speaking in colours... internet is *red*, DMZ is *yellow*, LAN is *green*.

Never ever allow *any* direct connection from an internally (green) connected machine to *any* machine in the internet (red). *All* connections *must* use e.g. a proxy in your DMZ (yellow). If possible use authenticated connections (at least) from *green* to *yellow* and (as far as possible) from *yellow* to *red*.

Hardening/chrooting should be done at least for the firewall itself and the DMZ machine. It doesn't hurt to do it on the internal server too...

Maybe (just maybe, depending on how paranoid you are!) you can collapse yellow and green into one machine by using some kind of virtualization (xen, openvz, vmware). I'd absolutely run the firewall (as being the packet filter) standalone. It is your first line of defense against the bad guys.
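The red/yellow/green layout described above, written out as the Shorewall configuration Master One asked about (zones, interfaces, policy, rules for a three-NIC box). This is an added example for this thread, not configuration posted by anyone here nor from the Shorewall project: the interface names (eth0/eth1/eth2), the 192.168.10.0/24 and 192.168.20.0/24 ranges, the DMZ host addresses and the 203.0.113.x public addresses are constructed assumptions. The script only writes the four files into a directory you name; it does not touch the running firewall.

```shell
#!/bin/sh
# Added example: Shorewall files for a three-zone firewall.
#   net = red (internet, eth0), dmz = yellow (eth1), loc = green (LAN, eth2)
# All addresses and interface names below are constructed for this example.

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # Zone definitions; "fw" is the firewall box itself.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
loc     ipv4
EOF

    # One NIC per zone. Anti-spoofing options only on the internet side.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
dmz     eth1        detect      tcpflags
loc     eth2        detect      tcpflags
EOF

    # Default verdict per zone pair. loc->net is DROP: green never reaches
    # red directly, only through the proxy in the DMZ. Everything else
    # falls through to the catch-all REJECT and is logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
loc     net     DROP    info
loc     dmz     REJECT  info
loc     fw      REJECT  info
dmz     net     DROP    info
dmz     loc     DROP    info
dmz     fw      DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

    # Explicit exceptions. Column 7 (ORIGDEST) is the public address the
    # client connected to, so each service gets its own public IP via DNAT.
    # 192.168.20.10 = proxy/resolver host, 192.168.20.11 = mail host,
    # 192.168.10.5 = admin workstation (all constructed).
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE              DEST                PROTO   DPORT   SPORT   ORIGDEST
# green -> yellow: only the proxy and the resolver on the DMZ host
ACCEPT  loc                 dmz:192.168.20.10   tcp     3128
ACCEPT  loc                 dmz:192.168.20.10   udp     53
# yellow -> red: proxy and resolver fetch on behalf of green, mail host sends
ACCEPT  dmz:192.168.20.10   net                 tcp     80,443
ACCEPT  dmz:192.168.20.10   net                 udp,tcp 53
ACCEPT  dmz:192.168.20.11   net                 tcp     25
# red -> yellow: public web and mail, one public address per service
DNAT    net                 dmz:192.168.20.10   tcp     80,443  -       203.0.113.10
DNAT    net                 dmz:192.168.20.11   tcp     25      -       203.0.113.11
# green -> firewall: ssh from the admin workstation only
ACCEPT  loc:192.168.10.5    fw                  tcp     22
EOF
}

# Usage: sh thisfile.sh /path/to/shorewall-dir
if [ -n "${1:-}" ]; then
    write_shorewall_config "$1"
fi
```

Run it against a scratch directory first, review the files, then copy them to /etc/shorewall and run `shorewall check` before `shorewall restart`. The public addresses named in the ORIGDEST column must actually be configured on eth0 for the DNAT rules to see traffic; Shorewall can add them for you with ADD_IP_ALIASES=Yes in shorewall.conf, or you add them to the interface yourself.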

----------

## geyser

Tom Eastep, the author of Shorewall, recently posted an article showing how he used Xen to consolidate many of his servers:

http://www.shorewall.net/Xen.html

----------

