Linux: Identify Gateway Machines

Special attention should be paid to gateway or firewall systems, as they usually control access to the services running on the entire network.
Such gateways should be identified, their function within the network should be assessed, and their owners or administrators should be identified. These hosts, often referred to as bastion hosts, are a prime target for an intruder. They should be some of the most fortified machines on the network.

Be sure to regularly review the current access policies and security of the system itself.

These systems should absolutely only be running the services necessary to perform their operation. Your firewall should not be your mail server, web server, contain user accounts, etc. Some of the things you should check for, and absolutely fortify on these hosts, include:

  1. Turn off access to all but necessary services.
  2. Depending on the type of firewall, disable IP Forwarding, preventing the system from routing packets unless absolutely instructed to do so.
  3. Update machine by installing vendor patches immediately.
  4. Restrict network management utilities such as SNMP; in particular, remove public communities and write access.
  5. Be sure firewall policy includes mechanisms for preventing common attacks such as IP Spoofing, Fragmentation attacks, Denial of Service, etc.
  6. Monitor status very closely. You should develop a reference point for how the machine normally operates, so that you can detect variations which may indicate an intrusion.
  7. Develop a comprehensive firewall model. Firewalls should be treated as a security system, not just a program that runs on a machine and has an access control list. Firewall administration should be centrally controlled and evaluation of firewall policies should be done prior to actual firewall deployment.
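As an added example (not from the Guide), the following script shows how items 1, 2 and 6 above can be turned into a repeatable baseline check: it parses `ss -ltn` and `sysctl` style output, compares the listeners and the IP forwarding setting against an approved baseline, and reports every deviation. The command output and the baseline are constructed samples; on a real gateway you would feed it the live output of those commands.

```python
"""Baseline check for a Linux gateway host (constructed sample data)."""
import re

# Constructed baseline: the only listener this gateway is allowed to have
# (item 1, SSH for administration) and the expected forwarding setting (item 2).
BASELINE_LISTENERS = {("0.0.0.0", 22)}
BASELINE_SYSCTL = {"net.ipv4.ip_forward": "0"}

# Constructed sample of `ss -ltn` output: a mail server and a web server
# have appeared on the gateway, which the text says must never happen.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      100    0.0.0.0:25        0.0.0.0:*
LISTEN 0      511    *:80              *:*
"""
# Constructed sample of `sysctl net.ipv4.ip_forward` output (forwarding is on).
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"


def parse_listeners(ss_output):
    """Return the set of (address, port) pairs in LISTEN state."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        listeners.add((addr, int(port)))
    return listeners


def parse_sysctl(sysctl_output):
    """Return {key: value} from `key = value` lines as printed by sysctl."""
    pairs = {}
    for line in sysctl_output.splitlines():
        m = re.match(r"^(\S+)\s*=\s*(\S+)$", line.strip())
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def audit(ss_output, sysctl_output,
          baseline_listeners=BASELINE_LISTENERS, baseline_sysctl=BASELINE_SYSCTL):
    """Compare the current state with the baseline (item 6); return findings."""
    findings = []
    for addr, port in sorted(parse_listeners(ss_output) - baseline_listeners):
        findings.append(f"unexpected listener {addr}:{port}")
    current = parse_sysctl(sysctl_output)
    for key, expected in baseline_sysctl.items():
        if current.get(key) != expected:
            findings.append(f"{key} is {current.get(key)!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, SAMPLE_SYSCTL):
        print("FINDING:", finding)
```

Run it from cron and alert on any non-empty result; a listener or sysctl that differs from the baseline is exactly the kind of variation item 6 asks you to notice.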

Excerpt from the LinuxSecurity Administrator’s Guide:
Written by: Dave Wreski (dave[at]guardiandigital.com)
