1) Does Bifrost support the use of https/SSL instead of plain-text http to perform the administration?

2) Is it in the future of the product to be able to not even have the web server running directly on the firewall at all? I would think that a better model would be to create the rules on a separate management station and then move them over to the firewall (with scp or some other secure protocol) and source them. This would also allow for managing multiple firewalls from a single management station.
Running a Web server on your firewall is silly, IMHO -- you're just asking for trouble.

If you dislike the command line, you can create your rules on a separate machine -- iptables doesn't need an interface to actually exist in order to write rules for it; when the interface comes online, the rules will already be set. After you get the rules the way you want them, use the iptables-save script (or, on RH, you can also use "/sbin/service iptables save") to copy your configuration to the /etc/sysconfig/iptables file. (You need to do this anyway, in order for your settings to survive a reboot -- via the iptables-restore script.)

You can then copy the /etc/sysconfig/iptables file to your production machine, and apply it with "/sbin/iptables-restore" -- no SSL, Apache, perl, etc. required. Makes hardening your firewall much, much easier.

You may also want to take a look at IPMenu -- http://users.pandora.be/stes/ipmenu.html -- written in CURSEL, so you don't need X running; if you want to manage it remotely but dislike the command line, just use SSH & IPMenu.

(Personally, I just use the command line -- scares away people who might otherwise want to tinker with the ruleset...)

- VS
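As an added illustration of the offline workflow VS describes (this is not code from the thread or from Bifrost): a POSIX shell script that writes a ruleset in the format iptables-save produces and iptables-restore consumes, then lints it for a web management port that any source address could reach, before the file is copied to the firewall. The admin address 192.0.2.10, the port 8443, the interface names and the file paths are constructed for the example; the script never calls iptables itself, so it runs on the management station without root.

```shell
#!/bin/sh
# Added example (not from the thread or from Bifrost): build a firewall
# ruleset on a management workstation, lint it, and only then push it to
# the firewall with iptables-restore. All addresses/ports are constructed.

ADMIN_HOST="192.0.2.10"   # constructed: the only host allowed to reach the web UI
WEB_UI_PORT="8443"        # constructed: the web UI moved off port 80, as the thread suggests

# Emit a complete ruleset in the format iptables-save writes and
# iptables-restore reads (lines starting with '#' are ignored on restore).
write_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management traffic: reachable only from the admin workstation
-A INPUT -p tcp -m tcp -s $ADMIN_HOST --dport $WEB_UI_PORT -j ACCEPT
-A INPUT -p tcp -m tcp -s $ADMIN_HOST --dport 22 -j ACCEPT
COMMIT
EOF
}

# Return 0 if every INPUT ACCEPT rule for a web port (80, 443 or the UI
# port) carries a source restriction, 1 otherwise. Run this on the saved
# file before it is copied to the firewall.
check_mgmt_port_restricted() {
    bad=$(awk -v port="$WEB_UI_PORT" '
        BEGIN { re = "--dport (80|443|" port ")( |$)" }
        /^-A INPUT/ && /-j ACCEPT/ && $0 ~ re && $0 !~ / -s / { print }
    ' "$1")
    if [ -n "$bad" ]; then
        printf 'management port open to any source:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage on the management station (constructed paths):
#   write_ruleset > ./firewall.rules
#   check_mgmt_port_restricted ./firewall.rules \
#     && scp ./firewall.rules admin@firewall:/etc/sysconfig/iptables
# then on the firewall, as VS describes:
#   /sbin/iptables-restore < /etc/sysconfig/iptables
```

The lint deliberately runs on the saved text rather than on a live firewall, so a mistake is caught on the workstation instead of after the rules are loaded.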
If you know how to write easy-to-manage and easy-to-monitor iptables code, it is possibly the best way. However, very few people know how to do that. Bifrost provides you with an easy way to manage your firewall and an easy way to monitor connections and traffic on your firewall.
Apache can be locked down and made to only accept access from various IP addresses and can use authentication. The next version of Bifrost will include a small template that will help you lock down Apache to avoid unlawful access. It will also help you provide authentication for accessing Bifrost. On top of that, the next version of Bifrost has a new function, Management Clients. This function allows the administrator to restrict which IP addresses are allowed to run the CGI.
I have seen endless poorly configured iptables installations. All in all, it is probably better to run a very locked-down Bifrost installation than a poorly configured iptables firewall. As you say, you can run Bifrost on a separate firewall and then copy /etc/sysconfig/iptables from that computer to the firewall. You will, however, not have an interface to monitor interfaces, logfiles and traffic. Future versions will also include management of high availability and IPSEC.
Regardless of how you are managing your firewall, you should ALWAYS run a port scanner and/or intrusion detection system on your firewall to see what's available on your firewall and behind your firewall. Nmap and Nessus are two useful tools that I recommend. When you are running these tools, you should NOT be able to detect the web server on the firewall. If you can, you have to modify Apache's configuration file and the firewall to not allow access to the firewall. I would also recommend running Apache on a different port than port 80.

Martin Forest
Senior Security Specialist
Heimdall's Limited
Hopefully, if someone did decide to use BiFrost, they would have enough common sense to lock down the mgmt port to only certain addresses.

And it should only be accessible via the local LAN and should be protected using TCP Wrappers.

SSL would be desirable, but if it is coming from inside the local LAN and from a trusted IP; not saying security through obscurity is good; but the likelihood of someone on a small network having someone else with the ability to use a sniffer is probably not true.

The ideal solution would be to create a private segment for the firewall management console, similar to Checkpoint, where it can only accept updates from that system.
Wow am I late
LordInfidel 17th Nov 2002
Just noticed that this thread was 4 months old.

Oh well,,,
Answers:
1) Yes, you can use https. I do recommend changing the port for http and https to something different. You should also make sure that Apache is locked down and to use authentication. The next version of Bifrost will include a small template on how to do this. You should also scan your firewall from an external connection to make sure that it is not accessible from the Internet.

2) You can use Bifrost on another computer to generate /etc/sysconfig/iptables. But you will lose the possibility to use a GUI to monitor your firewall. Future versions will include management for high availability and IPsec. We are talking about a system similar to Checkpoint where you can use a management server to do all the configurations and then push them to firewalls. All these features will depend on feedback from users and the number of licensed installations. The more licensed installations we have, the more resources we can put into the development.

Feel free to send suggestions to bifrost@heimdalls.com.
Keep an eye on http://bifrost.heimdalls.com for new versions.
We are in the final stage of testing and updating the documentation of version 0.9.1. We hope to be able to release it within a few days.

Martin Forest
Senior Security Specialist
Heimdall's Limited
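An added example of the Apache lockdown Martin Forest describes in both of his replies (only accept the management UI from known addresses, require authentication, move it off port 80, serve it over https, then scan to confirm it is not visible). This is not Bifrost's own template, which the thread says is forthcoming; it is a shell script that emits an Apache 2.4 virtual host with those controls and a small audit that checks a config file for them. The Apache 2.4 syntax, the CGI path /cgi-bin/, the port 8443, the admin address 192.0.2.10 and the certificate and htpasswd paths are all assumptions; substitute the firewall's real values.

```shell
#!/bin/sh
# Added example, not Bifrost's template: generate and audit an Apache 2.4
# configuration fragment that confines a firewall's web management UI.
# Every path, address and port below is a constructed placeholder.

ADMIN_IP="192.0.2.10"   # constructed: the management workstation
MGMT_PORT="8443"        # constructed: anything but 80/443, as the thread suggests
CGI_PATH="/cgi-bin/"    # assumption: where the management CGI is mounted

# Print the locked-down virtual host. Three controls, all required at once:
# TLS only, source address limited to the admin host, and a valid login
# (RequireAll makes the IP check and the password check both mandatory).
apache_mgmt_config() {
    cat <<EOF
Listen $MGMT_PORT https
<VirtualHost *:$MGMT_PORT>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/firewall-ui.pem
    SSLCertificateKeyFile /etc/ssl/private/firewall-ui.key
    <Location "$CGI_PATH">
        AuthType Basic
        AuthName "Firewall management"
        AuthUserFile /etc/httpd/conf/mgmt.htpasswd
        <RequireAll>
            Require ip $ADMIN_IP
            Require valid-user
        </RequireAll>
    </Location>
</VirtualHost>
EOF
}

# Audit a config file: return 0 only if it does not listen on port 80,
# grants nothing to everyone, has an IP allow-list, requires a login and
# enables TLS. Usage: apache_mgmt_config > mgmt.conf; audit_mgmt_config mgmt.conf
audit_mgmt_config() {
    f="$1"
    grep -Eq '^Listen[[:space:]]+80([[:space:]]|$)' "$f" \
        && { echo "still listening on port 80" >&2; return 1; }
    grep -q 'Require all granted' "$f" \
        && { echo "unrestricted 'Require all granted' found" >&2; return 1; }
    grep -Eq '^[[:space:]]*Require ip ' "$f" \
        || { echo "no source address restriction" >&2; return 1; }
    grep -Eq '^[[:space:]]*Require valid-user' "$f" \
        || { echo "no authentication required" >&2; return 1; }
    grep -Eq '^[[:space:]]*SSLEngine on' "$f" \
        || { echo "TLS not enabled" >&2; return 1; }
    return 0
}

# After installing the fragment, confirm from outside as the thread advises
# (placeholder address): nmap -p 80,443,$MGMT_PORT <firewall-external-ip>
# should not show the management UI at all.
```

The audit is a plain-text check of the file Apache will load, so it can be run on the management station before the fragment is copied to the firewall; a firewall rule that limits the same port to the admin host (as in the earlier iptables example) backs up the Apache-level restriction in case the web server is misconfigured.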
I'm happy to announce that we have released a new version of Bifrost.
http://bifrost.heimdalls.com/Bifrost.0.9.1.tgz
New Features:
Restriction of who can access the CGI (management clients)
Antispoofing
A template regarding securing Apache and how to use authentication.
/Martin Forest, Heimdall's Limited