General discussion

Locked

Call for advice

By _Christian_ ·
I am an old hand at IT, but rather new to Linux as more than a user.
I have tried installing and playing with a couple of distros, and I now need advice on a few question I hve not found the answer to (or contradictory answers)

I need to set up a configuration where all servers would be Linux based, while workstations could be any Windows based or Linux based.

I know that Linux cannot be an Active Directory server. That is not a problem, I do not need it.
But I need everything else.

I also need a very secure linux based firewall box between the internet and the network proper.

1) Which distro would be considered the most hardened as a firewall (I have seen contradictory answers), and why?

2) Is there the equivalent of a RIS server under Linux (RIS = Remote Installation Service).
If yes, how do I find it? Any feedback on it?

3) Which distro would you advise to run the other main services (DHCP, DNS, DC,...)

4) Is there anything I should know that you think is not commonly found on the Internet.

I will wait for a consensus on each question, separately.

Thanks to all in advance.

This conversation is currently closed to new comments.

11 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by jmgarvin In reply to Call for advice

Samba will fit your needs with most of what you want and can even somewhat fit into your AD structure (I'm guessing it will...unless you did some wonky stuff with AD you should be ok).

1) Many Distros can be hardened in many ways. I suggest Red Hat Enterprise 3 with Bastille Linux. To include with that Snort with ACID, Snare, a root kit hunter, etc. For security, I also like Slackware, but that isn't for the Linux noob. :-)
Webmin will also make installing and managing your firewall much easier, along with a ton of other cool functionality.

2) Yes. http://oss.netfarm.it/guides/pxe.php is a good start, but there are other tools out there.

3) I like Red Hat and Slackware, but your milage may vary. RH has awesome support, so being new to Linux I'd go with them. Slackware is pretty beefy, but the support is limited and setup is terror incognito (ok...it isn't that bad, but it is far harder for someone who hasn't done it)

4) There are TONS of things found on the net. Before you get into Linux, you might want to get Linux Certified either through COMPTIA (Linux+) or LPI. I highly suggest LPI Exam 101 and 102 to get you on the move.

If you have any more questions drop me an email and I'll see if I can help.

Collapse -

by _Christian_ In reply to

4 - Did not address my question, but you gave me acceptable additional info by email.

Collapse -

by K12Linux In reply to Call for advice

1) I'm not sure any distro is much ahead of another as far as security goes, if you want the best security I'd probably recommend using SElinux (see http://www.redhat.com/magazine/001nov04/features/selinux/ for more details) with whatever you go with.

This allows you to lock off access to any part of the operating system or file system that you don't want changed. There are SElinux systems out there which advertise thier root password yet still have not been compromised!

2) I'm not familiar with RIS really. I'll assume it allows you to fully install and configure Windows systems automatically or semi-automatically. If that is the case then yes, there are ways to do the same thing with Linux. Each distro seems to have it's own instructions for setting up such a thing, but it is doable. I have a "standard" web proxy and FTP server kickstart which lets me boot from a floppy and automatically install and configure everything except the hostname on the server. (If I wasn't lazy I could have it do that too.)

3) It probably doesn't matter a lot. Stick to what you are most comfortable with and can get the most support for. This probably means RH or SuSE but others are fine too. If the server is going to be visible on the Internet, you might consider SElinux to secure it.

4) Nearly everything about Linux use is available out there if you look hard and long enough. My own personal experience is that tools to manage and monitor Linux systems are probably the most important thing. Some distros come with good ones. With others you'll have to roll your own. Definately check out Webmin

Collapse -

by _Christian_ In reply to

1 - Well taken, I am looking into it.
2 - There are specifics with Windows installation parameters settings which make me think that the answer is not suitable, but I check it all the same.
3 - You are clearly a fan of SElinux ;-)
4 - Did not tell me anything new.

Collapse -

by Nico Baggus In reply to Call for advice

ad 1) Also you can look into ClarkConnect or
IPCop that are built for firewalling.
ClarkConnect is real easy to manage (it is RH
based) IPCop is a firewall only distro.

ad 2) Do you need RIS or then I agree with the
previous poster. For plain linux maybe:
http://www.tldp.org/HOWTO/Remote-Boot.html

ad 3) Redhat is good, If you want to use RedHat
without the support you could look into white
box or just browse around http://distrowatch.com
or ClarkConnect for it's ease of use.
my personal favorite is Gentoo because of the
ease to add a new package if it is needed.

ad 4) I agree again with the previous poster.

Collapse -

by _Christian_ In reply to

1 - I was already looking into IPCop, but I had not found the other - checking it out.
3 - And you ssem a fan of ClarkConnect ;-)
Never checked Gentoo, checking it out next.

Collapse -

by Marcel Lecker In reply to Call for advice

1) Most hardened and firewall seem to be somewhat different questions:

If you specifically want a firewall, look at Astaro, esmith, Smoothwall, IPcop, etc. They are prefab, function-specific distros that do a great job with nice features and set-up without a lot of fuss.

As for most hardened distro.
White Glove, Devil Linux, and Engarde Linux come to mind (I only have experience with later and it is pretty good). SE-Linux is very good I hear, though apparently a bit tricky to set-up right. The Bastille script is also pretty good. There are other tools to consider as well like ACID, etc. OpenBSD is another option, though it is only secure by default, once you start enabling and adding things to the default, you need to know what you are doing.

2) I know SUSE's Enterprise offering (SLES 9) has something like it, that but nothing else I'm aware of. No idea of how well it works.

3) Friendly or secure?

If you want friendly there are some nice tools that come along with SUSE, Redhat/Fedora, Madrake/Mandriva, etc.

If you want something a little more lean and tight (sans GUI), you might want to look at Gentoo, Debian, Slackware, LFS, etc. Webmin on top of this is another option, but if security is something you are considering strongly, it would represent a number of possible weaknesses to mitigate.

Again there may be some function specific distros worth a look. Have a look at:
http://www.linux.org/dist/list.html
and use a search function to ferret out some of the features you are after.

4) If security is important to you, don't try to do it all with one box (complexity and Security/stability are mutually opposed). Start with a targetted distribution when you can, make sure it is actively maintained (pay attention to the release cycle - and responsiveness re. patching), it's tougher to harden something big and complex than something small and simple.

Collapse -

by _Christian_ In reply to

1 - Longest answer, but still divergent answers rather than convergent advice singling out a 'best of'. But you also list SELinux, so I will consider it as such for now.
2 - Checking it out.
3 - A list again rather than an advice, but you also mention Gentoo, so I take this as a vote.
4 - Nothing new here for a seasonned IT pro... true to any O/S and software.

Collapse -

by _Christian_ In reply to Call for advice

I did not get all the answers I wanted.

Some was new, but most was infos I had already found.

I am disappointed.

Since no more answer come, I will therefore close the question, and give an even share to those few who answered, to thank them for their time.

Collapse -

by _Christian_ In reply to Call for advice

This question was closed by the author

Back to Linux Forum
11 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums