Re: HackFest Series: Firewall Building 101 April Lab 2nd Sat…

Top Page
Attachments:
Message as email
+ (text/plain)
+ PGP.sig (application/pgp-signature)
+ (text/plain)
Delete this message
Reply to this message
Author: Alex Dean
Date:  
To: Main PLUG discussion list
Subject: Re: HackFest Series: Firewall Building 101 April Lab 2nd Saturday Noon At UAT
I've run IPCop on several home networks and been pleased with the
results.  Lately I've been thinking about giving pfSense a try as  
well.    Mainly, it looks like the web GUI in pfSense is a bit nicer  
to use, but learning a bit more BSD would be a plus.  I was thinking  
of installing that on a little soekris box to get rid of the noise of  
an old workstation running the firewall.


http://ipcop.org/
http://www.pfsense.com/
http://www.soekris.com/net4501.htm

Anyone who's used both IPCop and pfSense care to offer a comparison?
Anyone run it on a small embedded device like the Soekris I linked to?

Regarding Snort : I ran that on an IPCop instance for a while, but
ended up shutting it down because of a lack of analysis tools. It
generated this massive log file, and IPCop provided no way to look at
it except by manually trolling the log. I looked into adding mysql to
IPCop (since snort can also log to a database), and then you can use
Base to examine the logs. Adding mysql, recompiling snort, etc, etc,
inside the IPCop distro proved to be a bit more than I was willing to
invest the time in.

http://base.secureideas.net/about.php

Lisa, I'd be interested to know how you use snort in these conditions?

alex

On Mar 28, 2009, at 10:05 PM, Lisa Kachold wrote:

> Join us at UAT.edu as we build and play with Firewall ISO's in old
> boxen with network cards.
>
> Just imagine the script kiddies surprise when your new Firewall
> retaliates with a storm of SYN packets automagically rather than
> roll over like your Linksys or Netgear did?
>
> Imagine being able to check snort logs and dump a big list of IPs
> directly to a deny file without having to type them all into teensy
> little forms like on the http://192.168.1.1/filters.htm screen!
>
> Addicted to the LinkSys/Netgear Wireless, or like the fast ethernet
> ports and pretty blue and white LinkSys interface for setting up
> VPN's?
>
> You can set that device in place on the INSIDE of your Firewall of
> China!
>
> See you there!
>
> Obnosis | (503)754-4452
> PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
>
>
> From: 
> To: 
> Subject: RE: OT? Linux-based trojans now targeting WRT and other  
> linux-based    routers
> Date: Sun, 29 Mar 2009 04:09:13 +0000

>
> Yes, I was thinking about getting an ASA, but I like my gigabit
> 1000BaseT connections, L2 vlan, VPN's, and I think you are correct
> that optimally, a fast machine with 4 ethernet cards is going to be
> the direct solution in line before that silly "LinkSys" arm
> processor IPS.
>
> I used to build custom linux firewalls in 1995 and drop them in for
> businesses with a 2400 cisco, and I have built a few since
> (azwsx.com) so I think I will take your advice - I have a fresh
> install FreeBSD box right here, and a couple extra cards.
>
> Thanks for the great suggestion!
>
> Obnosis | (503)754-4452
> PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
>
> > Date: Sat, 28 Mar 2009 03:13:32 -0700
> > From: 
> > To: 
> > Subject: Re: OT? Linux-based trojans now targeting WRT and other  
> linux-based    routers

> >
> > Lisa Kachold wrote:
> > > Well, the sad fact is that _any_ machine will kick over and barf
> it's guts under distributed attacks; it just depends on what it does
> after the green slime clears..
> > > Also, it really helps if you run one that won't take WRT, or
> only runs on an arm, with small memory therefore they aren't too hot
> to pwn you. Linksys put out the source, whereupon I built my own,
> and played with the features; you know kiddies are doing this also.
> > >
> > > Course, if you have a WRT-able router, it's a good idea to set
> it up as a small linux system, but you have to know how to work it;
> starting by iptable deny all of china is a good start.
> > > I have had mine owned regularly; I just flash it again. Mine is
> easy to determine, since it suddenly starts showing AIM ports open.
> Once they target you successfully, they will insidiously continue to
> keep track of you; rather like trophy hunting.
> > > I could have done a complete defcon presentation on various
> routers by this time.
> > > That's why I always suggest to everyone, if you see something
> strange, you see something strange, report it, complain, study it,
> rather than continuing to agree with everyone in denial about the
> sad state of security.
> > > Obnosis | (503)754-4452
> > >
> > >
> > >
> > >
> > > PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
> > >
> > Lisa (and others),
> > I don't tend to generally trust the "commercial grade" devices
> > available. they can't handle what I do with my home connection on a
> > daily basis
> > (and the last thing I want is some script kiddie pwning my
> router). I
> > use OpenBSD here as my firewall machine (I have both a hardware
> version
> > and vmware). I tend to keep close track on these and so far, neither
> > have been "pwned" after nearly 5 years of continuous use. I used
> to use a
> > linux firewall before that, but had problems with rootkits.
> >
> > Even with this, it still doesn't hurt to have a whole bevy of
> security
> > tools at hand for "just in case" (like windows, linux, OS X, etc).
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list -
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> Quick access to Windows Live and your favorite MSN content with
> Internet Explorer 8.
> Windows Live™ SkyDrive: Get 25 GB of free online storage. Check it
> out. ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss