Chapter 3. Local Firewall Security


Before moving on to how to troubleshoot your firewall problems, we want to cover the larger security issues, and one of them is the security of the firewall host itself. A system does not become inherently resistant to break-ins simply because it is a firewall.

A firewall is just like any other system; in fact, your firewall might be nothing more than a typical server with two or more Network Interface Cards (NICs) in it, running firewall rules while also serving as your fileserver and e-mail server. We've seen it done. The point here is that adding firewall rules alone will not protect your system completely. There are other actions you will need to take to ensure that your system is properly secured against the risks you have identified.

The local firewall security approach is broken into the following macro steps:

1. Patch your system and keep it patched.

2. Turn off services you can't prove you need.

3. Run services with the least amount of privileges needed.

4. Use chroot services. (This is the process of essentially putting the service into its own isolated file system that, if done properly, will be difficult for an attacker to escape from.)

5. Remove all unnecessary software.

6. Install security tools to help manage security posture and to help detect intrusions.

7. Log events remotely to a trusted system as well as to the local syslog subsystem.

8. Configure your software securely.

9. If you can, use a hardened kernel such as grsecurity, openwall, SELinux, LIDS, and other patches.

10. Test your system's security and improve it.

Keep in mind that these are general concepts, so if you have a better means of accomplishing these goals, stick with what works for you. Security is a complicated process, and people seem to have their own specific methods that work for them.
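As an added example (not from the book), here is a small POSIX shell audit that applies steps 2, 3 and 7 above to constructed sample data: a table of listening services, an allowlist of the services you have proven you need, and a syslog.conf fragment. The service names, users and log host are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example, not from the book. On a real firewall the listener table
# would be built from `netstat -lntup` plus `ps`, and the rules read from
# /etc/syslog.conf; here both are constructed so the audit runs offline.

# Constructed table of listening services: name port/proto user
LISTENERS='sshd 22/tcp root
named 53/udp root
smbd 445/tcp root
sendmail 25/tcp root
ntpd 123/udp ntp'

# Services we can prove we need (step 2); everything else gets turned off.
NEEDED='sshd ntpd'

# Constructed /etc/syslog.conf fragment in the classic BSD syslog format.
SYSLOG_CONF='# keep a local copy
*.info;mail.none        /var/log/messages
# and forward everything to the trusted log host (step 7)
*.*                     @loghost.example.com'

# Step 2: list listening services that are not on the needed list.
unneeded_services() {
    printf '%s\n' "$LISTENERS" | while read -r name port user; do
        case " $NEEDED " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Step 3: list needed services that still run as root instead of a dedicated account.
root_services() {
    printf '%s\n' "$LISTENERS" | while read -r name port user; do
        case " $NEEDED " in
            *" $name "*) if [ "$user" = root ]; then printf '%s\n' "$name"; fi ;;
        esac
    done
}

# Step 7: succeed (exit 0) only if a non-comment rule has a remote "@host" target.
forwards_to_remote() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q '[[:space:]]@[^[:space:]]'
}

# Report on the sample data above.
echo "Turn off:       $(unneeded_services | tr '\n' ' ')"
echo "Still as root:  $(root_services | tr '\n' ' ')"
forwards_to_remote "$SYSLOG_CONF" || echo "Remote logging: MISSING (step 7)"
```

Run against real data, the "turn off" list is your to-do list for step 2, and any name left in the "still as root" list is a candidate for a dedicated unprivileged account or a chroot (steps 3 and 4).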



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169