HackFest Series: Firewall Building 101 April Lab 2nd Saturday Noon At UAT

Alex Dean alex at crackpot.org
Sun Mar 29 09:07:38 MST 2009


I've run IPCop on several home networks and been pleased with the
results. Lately I've been thinking about giving pfSense a try as
well. Mainly, it looks like the web GUI in pfSense is a bit nicer
to use, but learning a bit more BSD would be a plus. I was thinking
of installing that on a little Soekris box to get rid of the noise of
an old workstation running the firewall.

http://ipcop.org/
http://www.pfsense.com/
http://www.soekris.com/net4501.htm

Anyone who's used both IPCop and pfSense care to offer a comparison?
Anyone run it on a small embedded device like the Soekris I linked to?

Regarding Snort: I ran that on an IPCop instance for a while, but
ended up shutting it down because of a lack of analysis tools. It
generated this massive log file, and IPCop provided no way to look at
it except by manually trawling the log. I looked into adding MySQL to
IPCop (since Snort can also log to a database), and then you can use
BASE to examine the logs. Adding MySQL, recompiling Snort, etc., etc.,
inside the IPCop distro proved to be a bit more than I was willing to
invest the time in.

http://base.secureideas.net/about.php

Lisa, I'd be interested to know how you use Snort in these conditions.

alex

On Mar 28, 2009, at 10:05 PM, Lisa Kachold wrote:

> Join us at UAT.edu as we build and play with Firewall ISOs in old
> boxen with network cards.
>
> Just imagine the script kiddies' surprise when your new Firewall
> retaliates with a storm of SYN packets automagically rather than
> rolling over like your Linksys or Netgear did!
>
> Imagine being able to check snort logs and dump a big list of IPs
> directly to a deny file without having to type them all into teensy
> little forms like on the http://192.168.1.1/filters.htm screen!
>
> Addicted to the LinkSys/Netgear Wireless, or like the fast ethernet
> ports and pretty blue and white LinkSys interface for setting up
> VPNs?
>
> You can set that device in place on the INSIDE of your Firewall of
> China!
>
> See you there!
>
> Obnosis | (503)754-4452
> PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM
>
>
> From: lisakachold at obnosis.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: RE: OT? Linux-based trojans now targeting WRT and other  
> linux-based routers
> Date: Sun, 29 Mar 2009 04:09:13 +0000
>
> Yes, I was thinking about getting an ASA, but I like my gigabit
> 1000BaseT connections, L2 VLAN, VPNs, and I think you are correct
> that optimally, a fast machine with 4 ethernet cards is going to be
> the direct solution in line before that silly "LinkSys" ARM
> processor IPS.
>
> I used to build custom Linux firewalls in 1995 and drop them in for
> businesses with a 2400 Cisco, and I have built a few since
> (azwsx.com) so I think I will take your advice - I have a fresh
> install FreeBSD box right here, and a couple extra cards.
>
> Thanks for the great suggestion!
>
> Obnosis | (503)754-4452
> PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM
>
> > Date: Sat, 28 Mar 2009 03:13:32 -0700
> > From: technomage.hawke at gmail.com
> > To: plug-discuss at lists.plug.phoenix.az.us
> > Subject: Re: OT? Linux-based trojans now targeting WRT and other  
> linux-based routers
> >
> > Lisa Kachold wrote:
> > > Well, the sad fact is that _any_ machine will kick over and barf
> > > its guts under distributed attacks; it just depends on what it does
> > > after the green slime clears.
> > > Also, it really helps if you run one that won't take WRT, or only
> > > runs on an ARM, with small memory, therefore they aren't too hot to
> > > pwn you. Linksys put out the source, whereupon I built my own, and
> > > played with the features; you know kiddies are doing this also.
> > >
> > > Course, if you have a WRT-able router, it's a good idea to set it
> > > up as a small Linux system, but you have to know how to work it;
> > > starting by iptable deny all of China is a good start.
> > > I have had mine owned regularly; I just flash it again. Mine is
> > > easy to determine, since it suddenly starts showing AIM ports open.
> > > Once they target you successfully, they will insidiously continue
> > > to keep track of you; rather like trophy hunting.
> > > I could have done a complete DEF CON presentation on various
> > > routers by this time.
> > > That's why I always suggest to everyone, if you see something
> > > strange, you see something strange, report it, complain, study it,
> > > rather than continuing to agree with everyone in denial about the
> > > sad state of security.
> > > Obnosis | (503)754-4452
> > >
> > > PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM
> > >
> > Lisa (and others),
> > I don't tend to generally trust the "commercial grade" devices
> > available. They can't handle what I do with my home connection on a
> > daily basis (and the last thing I want is some script kiddie pwning
> > my router). I use OpenBSD here as my firewall machine (I have both a
> > hardware version and a VMware version). I tend to keep close track
> > on these and so far, neither has been "pwned" after nearly 5 years
> > of continuous use. I used to use a Linux firewall before that, but
> > had problems with rootkits.
> >
> > Even with this, it still doesn't hurt to have a whole bevy of
> > security tools at hand for "just in case" (like Windows, Linux,
> > OS X, etc).
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
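Alex's complaint above (a Snort alert file with nothing to read it but your own eyes) and Lisa's suggestion of dumping a list of alert sources straight into a deny file meet in one short script. What follows is an added example written for this thread; it is not code from IPCop, pfSense, Snort or BASE, and it is the lightweight alternative to the MySQL-plus-BASE route Alex describes. It assumes Snort's one-line alert_fast output (the "-A fast" or "output alert_fast" format), IPv4 addresses only, and the constructed sample alerts embedded in it; the table name badhosts, the hit threshold and the allowlisted ranges are assumptions to adjust per site. It also carries the check a practitioner wants before automating this: the source address in a SYN scan is attacker-chosen, so an allowlist stops a spoofed packet from denying your own LAN or upstream resolver.

```python
"""Summarise Snort alert_fast lines by source address and emit deny rules.

Added example for this thread, not Snort/IPCop/pfSense code. Assumes the
one-line alert_fast format ("-A fast" / "output alert_fast"), IPv4 only.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample in alert_fast format (RFC 5737 documentation addresses;
# the LOCAL SIDs are invented). The last line is junk that must be skipped.
SAMPLE_ALERTS = """\
03/28-22:05:13.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:54321 -> 203.0.113.10:22
03/28-22:05:14.001122  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:54322 -> 203.0.113.10:22
03/28-22:05:15.555555  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:54323 -> 203.0.113.10:22
03/28-22:06:01.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.99 -> 203.0.113.10
03/28-22:07:42.424242  [**] [1:1000001:1] LOCAL constructed exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.200:4444 -> 203.0.113.10:80
03/28-22:08:00.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:1025 -> 203.0.113.10:22
03/28-22:08:01.000000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:1026 -> 203.0.113.10:22
03/28-22:08:02.000000  [**] [1:1000002:1] LOCAL no classtype set [**] [Priority: 3] {UDP} 192.168.1.50:1027 -> 203.0.113.10:53
this line is not a Snort alert and must be ignored
"""

# One alert_fast line. Classification is optional; ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Never block these whatever the log says: a scanner picks its own source
# address, so copying every alert source into the deny file lets one spoofed
# packet cut you off from your LAN or resolver. Assumed ranges; edit per site.
DEFAULT_ALLOW = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_fast_alerts(lines):
    """One dict per parseable alert line; anything else is skipped."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.rstrip("\n"))
        if m:
            d = m.groupdict()
            d["sid"], d["prio"] = int(d["sid"]), int(d["prio"])
            alerts.append(d)
    return alerts


def summarise(alerts):
    """Per source: hit count, best (lowest number) priority, set of SIDs."""
    per_src = defaultdict(lambda: {"hits": 0, "prio": 99, "sids": set()})
    for a in alerts:
        s = per_src[a["src"]]
        s["hits"] += 1
        s["prio"] = min(s["prio"], a["prio"])
        s["sids"].add(a["sid"])
    return dict(per_src)


def offenders(alerts, min_hits=3, block_prio=1, allow=None):
    """Sources to deny: repeat offenders, or anything at priority <= block_prio,
    minus the allowlist. Sorted numerically so the output is stable."""
    allow = DEFAULT_ALLOW if allow is None else allow
    chosen = []
    for src, s in summarise(alerts).items():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in allow):
            continue
        if s["hits"] >= min_hits or s["prio"] <= block_prio:
            chosen.append(addr)
    return [str(a) for a in sorted(chosen)]


def render_rules(ips, style="pf"):
    """Deny rules as lines: a pf table plus block rule (pfSense/OpenBSD), or
    iptables commands (IPCop and other Linux firewalls)."""
    if style == "pf":
        table = "table <badhosts> persist"
        if ips:
            table += f" {{ {', '.join(ips)} }}"
        return [table, "block in quick from <badhosts> to any"]
    if style == "iptables":
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
    raise ValueError(f"unknown style {style!r}")


if __name__ == "__main__":
    # Usage: python snort_deny.py [pf|iptables] [/var/log/snort/alert]
    # With no file argument the constructed sample above is analysed.
    style = sys.argv[1] if len(sys.argv) > 1 else "pf"
    lines = open(sys.argv[2]).readlines() if len(sys.argv) > 2 else SAMPLE_ALERTS.splitlines()
    found = parse_fast_alerts(lines)
    for src, s in sorted(summarise(found).items(), key=lambda kv: -kv[1]["hits"]):
        print(f"# {src:<15} hits={s['hits']} prio={s['prio']} sids={sorted(s['sids'])}")
    print("\n".join(render_rules(offenders(found), style)))
```

Run it with pf or iptables as the first argument and the Snort alert file as the second, or with no arguments to see it work on the embedded sample. The two pf lines go into pf.conf and are loaded with pfctl -f; if you would rather keep the list out of pf.conf, write one address per line to a file, declare table <badhosts> persist file "/etc/badhosts", and refresh it with pfctl -t badhosts -T replace -f /etc/badhosts. One iptables rule per address is fine for a few dozen entries; for thousands, a pf table or an ipset is the right structure.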
