The Quest For Security

8 01 2009

So, I have been pretty quiet of late, sorry about that. Well, the main reason was it was Xmas a while back, but also, I have been doing LOADS of research into security on the web.

For the past few months I have been toying with the idea of implementing a security device on my network that would take all the leg work of antivirus and intrusion detection and prevention off each PC on the network and get a dedicated machine to do it.

It turns out there are lots of options out there to do this, so I dabbled with a few.

The first I checked out was Untangle, which basically is a special Debian distro with lots of preconfigured security tools, like ClamAV for antivirus, snort_inline for intrusion prevention and iptables for a firewall. It comes with a very easy to use web interface making it idiot proof. However, I came across a few problems. First, it needs a PC with two NICs to be used as a dedicated server, something I didn’t have. Second, you can use it on a Windows XP machine by installing a Virtual Machine via VMPlayer; it then automagically reconfigures your network so that all traffic is routed through it first. However, this also wasn’t a great solution since it means you need to have a machine effectively running two OSs at once (Windows XP and the Virtual Machine) and also it did not work with my Vista lappie. Finally, it also prevented me from browsing gmail, so it was a no go for me – although some fix to do with Socks5 was the cure.

Second, I tried rolling my own system using snort_inline, ClamAV, iptables and Ubuntu. This is what has taken me an age. I have never built any app from source before and it took me a long time to figure out what to do. Plus, I wanted to run this on a low power box and the only one I had available that had two NICs was an old thin client that runs off a USB 2.0 harddrive, so it ain’t that fast at all. However, I have finally managed to get snort_inline running, with a ClamAV preprocessor and logging to MySQL. So far it is only scanning all the traffic coming into my network; I haven’t yet got it to actually prevent anything.
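The step the post stops short of (turning the two-NIC box from a passive scanner into something that can actually drop traffic) comes down to the kernel-side plumbing: bridge the two NICs so the box is transparent, and hand every forwarded packet to the userspace IPS through iptables so it can return a verdict. The script below is an added example, not the post's own setup; the interface names, bridge name and queue number are assumptions, and it uses the NFQUEUE target (older snort_inline builds used the legacy ip_queue `QUEUE` target instead; the snort_inline command line itself is left to its own documentation). Without `--apply` it only prints the commands, so it can be reviewed before touching a live network.

```shell
#!/bin/sh
# Added example (not from the original post): make a two-NIC Linux box a
# transparent bridge and queue forwarded packets to a userspace IPS such as
# snort_inline. Interface/bridge/queue values below are assumptions; override
# them via the environment. Run with --apply as root to execute.

LAN_IF="${LAN_IF:-eth0}"        # assumption: NIC facing the LAN switch
WAN_IF="${WAN_IF:-eth1}"        # assumption: NIC facing the router/Internet
BRIDGE="${BRIDGE:-br0}"         # assumption: bridge device name
QUEUE_NUM="${QUEUE_NUM:-0}"     # assumption: NFQUEUE number the IPS listens on

# Commands that build the bridge. The bridge carries no IP address, so the
# box is invisible to hosts on either side: nothing has to be re-addressed or
# re-routed, which avoids the "route everything through a VM" trick above.
# bridge-nf-call-iptables makes bridged frames traverse the iptables FORWARD
# chain; without it the NFQUEUE rule never sees them.
bridge_cmds() {
  cat <<EOF
brctl addbr $BRIDGE
brctl addif $BRIDGE $LAN_IF
brctl addif $BRIDGE $WAN_IF
ip link set $LAN_IF up
ip link set $WAN_IF up
ip link set $BRIDGE up
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# iptables rules for the FORWARD chain. NFQUEUE parks each packet until the
# userspace IPS returns ACCEPT or DROP, which is what lets "drop" rules bite.
# Caveat: if nothing is attached to the queue, queued packets are dropped, so
# start the IPS before applying these, or the bridge goes dark.
ipt_cmds() {
  cat <<EOF
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -j NFQUEUE --queue-num $QUEUE_NUM
EOF
}

# Dry run by default; execute only on explicit request and only as root.
apply_or_show() {
  if [ "${1:-}" = "--apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
      echo "--apply needs root" >&2
      return 1
    fi
    { bridge_cmds; ipt_cmds; } | sh -e
  else
    echo "# dry run: re-run with --apply (as root) to execute these commands"
    bridge_cmds
    ipt_cmds
  fi
}

apply_or_show "$@"
```

Once packets flow through the queue, whether anything is prevented depends on the rule action: a rule that starts with `alert` only logs (which matches the "only scanning" state described above), while the same rule with `drop` in inline mode discards the packet and logs it. Switching a handful of high-confidence rules from `alert` to `drop`, and watching the log for a few days before widening that set, is the usual way to move from detection to prevention without breaking the LAN.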

I finally tried out an interesting solution. This is kinda like the Untangle solution, except that it all runs off your router. Sadly, all the routers it currently runs off are pretty hard to get hold of here in the UK, but from what I see, it might be the best solution. You get an advanced iptables firewall, snort_inline, DansGuardian (content filtering) and ClamAV all running on top of OpenWRT. The only negative I can see is you need to be a bit of a Linux guru to know what you are doing if you want to start to customise it (though it does come with the WebIF interface) and that it can bog down pretty quickly. However, to me it seems the best solution, until I get some super powerful server that I can run Untangle, or m0n0wall or IPCop or EasyIDS on. There are loads of solutions out there, you just need the right old PC to run it on, or a PC that you think is going to be quiet enough 😉
