Beginning Ideas for Nehemiah Project

November 30th, 2008

Primary Goal: Provide a safe and secure environment for an organization or home, protecting the integrity and privacy of the people.

Objectives:

  • Block harmful data/information from your computers
    • Kernel level firewall, not a dangerous addon (iptables)
    • Filtering of sites and content based on type (Dansguardian)
  • Protect you and your family while you work and play
    • Anti-Phishing (OpenDNS)
    • block and log dangerous predatory sites like MySpace (Dansguardian)
    • privacy protection
    • spam filtering
  • Filter unwanted content out of your organization entirely
    • Content filter that uses adjustable categories, whitelists, blacklists, and greylists (Dansguardian)
  • Virus Scanning
    • web content (Dansguardian + ClamAV)
    • email (Dansguardian + ???)
  • Block certain types of programs from accessing the internet
    • P2P (iptables)
    • IM (iptables)
    • Spam and Virus bots (iptables, snort, rp_filter)
  • Keep unwanted users out of your network and log suspicious activity
    • Industry Standard Intrusion Protection and Prevention (IPP)
    • log all malicious traffic (iptables, snort, Dansguardian)
  • Smartly scan your network pro-actively for problems (Snort, Nessus)
  • Provide enterprise wireless security and authentication
    • WPA/WPA2 Enterprise (802.1x and PEAP) (FreeRadius)
  • Industry Standard VPN access (cross platform) (OpenVPN, among others)
  • Automatic rules, definitions, and signature updates
    • configurable (LuCI)
    • reliable (trusted source, tested)
    • secure (trusted source, tested)
  • Industry Standard Secure User Interface
    • SSH and HTTPS
  • Proxy and Cache, used to speed up access to frequently visited sites and content (tinyproxy or squid, unknown web crawling ghetto bot)
  • Local Certificate Authority (CA) (OpenSSL)

Those in blue are still undecided.  I am unsure whether these smaller devices can handle all functionality on one box.  However, these devices are getting quite powerful, so tests are the answer.

The smarts for the pre-proxying are still being researched, but I may just slap something together myself and replace it with a real engine later.

A really big gap that still exists is testing.  I may, as usual, use virtualization, and that should be simple since initially this targets x86 AMD Geodes.  However, these tests will not reflect actual hardware, so they will just be unit, functional, and GUI automation (for LuCI).  How to test the hardware and drivers…. hmmmm.  Oh for a pluggable emulator.

Thanks to the PacketProtector project, this is a LOT easier than I originally thought it would be.  Thanks Charlie!

At this point, with the HW I have spec’d out, it is costing between $285 and $415.  The major differences are the wifi cards in use.  The higher end has a/b/g/n, so it works with “everything”, and has very nice and powerful radios ->  3×3 (3T3R)

A friend is searching for a link he lost with cheaper hardware but with the same functionality and chipset.

For a basic overview, I am currently only looking at AMD Geode x86 based ALIX boards (PCEngines).

See http://trac.brucetek.net/wiki/NehemiahProject for the starts of a project page with the ideas above and hardware specs and prices.