4 Specifications
SuSE Live CD for Firewall
only valid for a short period. If necessary, a rekey process can be started while
the connection still exists to replace the old session key.
A VPN does not protect against every attack from the Internet. It prevents
unauthorized reading or modification of the data in transit, but "Denial of
Service" attacks and Trojan Horses are still possible, because the tunnel
carries whatever the remote host sends. The risk increases if a host is
connected both to the VPN and to the local network, since a compromised
remote host then has an encrypted path into the LAN. Therefore, the
following two recommendations should be taken seriously:
- If the firewall host is also the VPN gateway, it must be monitored
  intensively. No normal users should be able to log in to the firewall
  host.
- Hosts of remote users, so-called "Road Warriors", with direct access to
  the VPN should not be able to connect to the regular LAN. Access to a
  server in the DMZ (demilitarized zone) should be sufficient.
DNS
The name server BIND Version 8 is used to enable name resolution across the
firewall. To learn more about DNS, read the Chapter DNS — Domain Name
Service on page 157 in the appendix of this manual. BIND is configured as a
forwarding and caching-only server: it is not authoritative for any zone,
answers repeated queries from its cache, and passes all other requests to
the forwarders. Only the traffic to those forwarders therefore has to be
allowed through the firewall.
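A named.conf for this role is short. The script below is an added example, not the configuration shipped on the Live CD; the forwarder and network addresses are placeholders. The practitioner's caveat is the allow-query line: a caching server reachable from the outside interface without it answers queries for anyone on the Internet, so the generator always emits it and a check function refuses a file that lacks it.

```shell
#!/bin/sh
# Added example (not from the SuSE manual): write a forwarding and caching-only
# named.conf for BIND 8. Addresses below are assumptions for illustration.
FORWARDERS="${FORWARDERS:-192.0.2.53; 192.0.2.54;}"          # assumed provider resolvers
INTERNAL_NETS="${INTERNAL_NETS:-192.168.1.0/24; 192.168.2.0/24; 127.0.0.1;}"  # assumed LAN, DMZ, self

write_named_conf() {   # $1 = output path
    cat > "$1" <<EOF
options {
    directory "/var/named";
    // never recurse to the root servers ourselves; always ask the forwarders
    forward only;
    forwarders { $FORWARDERS };
    // answer only internal clients, so the cache is not an open resolver
    allow-query { $INTERNAL_NETS };
    // no zone transfers: a cache has nothing to transfer
    allow-transfer { none; };
};
EOF
}

check_named_conf() {   # $1 = path; fail if the file would expose the cache
    grep -q 'allow-query' "$1" || {
        echo "$1: no allow-query, cache answers any client" >&2; return 1; }
    grep -q 'forward only;' "$1" || {
        echo "$1: missing 'forward only'" >&2; return 1; }
    grep -q 'forwarders {' "$1" || {
        echo "$1: no forwarders configured" >&2; return 1; }
    return 0
}

if [ -n "$1" ]; then
    write_named_conf "$1" && check_named_conf "$1"
fi
```

Usage: `sh gen-named.sh /etc/named.conf`, then restart named. With `forward only` the server never contacts the root servers itself, so the firewall needs to permit DNS only between the firewall host and the listed forwarders.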
Mail
Postfix is a secure, fast, and flexible modular mail transport agent used on
the Live CD as a mail relay. A built-in hard disk is absolutely essential for
using the mail relay function, because Postfix first writes every incoming
e-mail to its queue on disk before delivering it to the next hop; a system
running from CD alone has no writable queue directory.
HTTP Proxy
To enable fine-grained access control to HTTP and HTTPS services, SuSE
Live CD for Firewall uses a cascade of different proxies. Two separate proxy
instances are used, one for access from the inside to the outside and one
for access from the outside to the inside, so that each direction has its
own rule set.
SuSE Linux – Firewall on CD 2