Differences in Revisions: Reducing Attack Surface

Older Revision
June 16 at 10:43 am
»
Newer Revision
August 12 at 5:01 pm
fix tables & colors & WP links
# Reducing Attack Surface
# Reducing Attack Surface*Part of the [IPFire Security Hardening Guide](optimization/start/security_hardening)*
*Part of the [IPFire Security Hardening Guide](/optimization/start/security_hardening)*
 
----
### Implementation Scale
As a*guide* for new readers, this guide uses two scales:
|Security benefit (impact)|**<color lime>A. MAJOR</color>**|**<color mediumseagreen>B. SIGNIFICANT</color>**|**<color darkseagreen>C. MINOR</color>**|
| --- | --- | --- | --- |
|Effort to implement|**<color orangered>1. LOW</color>**|**<color coral>2. MEDIUM</color>**|**<color crimson>3. HIGH</color>**|
| --- | --- | --- | --- |
 
## Implementation Scale
This guide uses two scales:
 
| | | | |
|---|---|---|---|
| **Impact** (security benefit) |**<span style="color:lime">A. MAJOR</span>**|**<span style="color:mediumseagreen">B. SIGNIFICANT</span>**|**<span style="color:darkseagreen">C. MINOR</span>**|
| **Effort** (to implement) |**<span style="color:orangered">1. LOW</span>**|**<span style="color:coral">2. MEDIUM</span>**|**<span style="color:crimson">3. HIGH</span>**|
 
See [the Security Guide introduction](optimization/start/security_hardening) for a more detailed explanation of the scale.
See [the Security Guide introduction](/optimization/start/security_hardening) for a more detailed explanation of the scale.
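
Review bot: `## Implementation Scale` is now one level above the `### Remove unused IPFire Addons` style headings that follow, so every hardening item below nests under the scale explanation in the page outline. Keep it at `###` as in the older revision, or promote the item headings as well.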
 
----
 
### Remove unused IPFire Addons
|Impact|Effort|
| Impact | Effort |
|---|---|
|**<color mediumseagreen>B. SIGNIFICANT</color>**|**<color orangered>1. LOW</color>** |
 
If you have installed any [Addons](/addons) in IPFire which you no longer use, remove them. This will reduce the [](wp>attack surface) of your IPFire system.
If you have installed any [Addons](/addons) in IPFire which you no longer use, remove them. This will reduce the [attack surface](https://en.wikipedia.org/wiki/attack surface) of your IPFire system.
 
* Uninstall Addons which you are not using with [PakFire](/configuration/ipfire/pakfire) in the WUI
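
Review bot: the replacement link `https://en.wikipedia.org/wiki/attack surface` has a literal space in the URL, which many Markdown renderers will not accept as a link target. Write the target with an underscore in place of the space, or percent-encode it.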
 
### Do not enable IPv6
|Impact|Effort|
| Impact | Effort |
|---|---|
|**<color mediumseagreen>B. SIGNIFICANT</color>**|**<color orangered>1. LOW</color>**|
 
IPv6 is disabled by default in IPFire. For security reasons it is recommended that you do not enable it.
 
Although [](wp>IPv6) may be the future of addressing on the internet, today most fixed-internet [](wp>ISP)s still provide an IPv4 address. IPv6 allows all devices on your network to be visible from the internet. It was long thought that searching for devices in your network wasn't viable, due to the high number of possible addresses. However it has recently been shown that there are [smart ways around this](http://arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/).
Although [IPv6](https://en.wikipedia.org/wiki/IPv6) may be the future of addressing on the internet, today most fixed-internet [ISP](https://en.wikipedia.org/wiki/ISP)s still provide an IPv4 address. IPv6 allows all devices on your network to be visible from the internet. It was long thought that searching for devices in your network wasn't viable, due to the high number of possible addresses. However it has recently been shown that there are [smart ways around this](http://arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners/).
 
* Do not enable IPv6, unless you understand the full implications of using it
* Avoid using "dual-stack" IPv4 and IPv6 at the same time. This exposes your system to the potential of more security bugs than if you just used one of the two IP versions.
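
Review bot: the rating row under this heading still uses the old `<color mediumseagreen>` and `<color orangered>` tags, while the scale table at the top was converted to `<span style="color:...">` in this same revision. The rating rows under the other section headings are in the same state; convert them too so the colors render consistently.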
 
 
### Don't host services from your network
|Impact|Effort|
| Impact | Effort |
|---|---|
|**<color mediumseagreen>B. SIGNIFICANT</color>**|**<color coral>2. MEDIUM</color>**|
 
Host services like email and web servers in a cloud environment and not on your internet connection. This will avoid making your network a target (as there won't be any interesting services visible) and significantly reduces the opportunities for an attack to be successful.
 
* Make your network a smaller, less interesting, target by not hosting any services on it.
* If you really need to host services from your network, ensure you follow best-practice by using a [](wp>DMZ) and setting up [DMZ pinholes](/configuration/firewall/rules/dmz-holes).
* If you really need to host services from your network, ensure you follow best-practice by using a [DMZ](https://en.wikipedia.org/wiki/DMZ) and setting up [DMZ pinholes](/configuration/firewall/rules/dmz-holes).
 
### Do not run IPFire in a virtual machine
|Impact|Effort|
| Impact | Effort |
|---|---|
|**<color mediumseagreen>B. SIGNIFICANT</color>**|N/A|
Although IPFire will run effectively in a virtual machine, it is ideal to run any security software (such as a firewall router) on a separate physical machine. Running IPFire on a physical machine removes the possibility that another VM or the virtualization environment could [become](wp>virtual machine escape) [compromised](http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/) [and](http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security) [in turn](http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf) [compromise](http://arstechnica.com/security/2012/08/crisis-espionage-malware-targets-virtual-machines/) [your](http://support.citrix.com/article/CTX201078) [IPFire](http://www.security-database.com/detail.php?alert=CVE-2015-3456) [firewall](https://access.redhat.com/security/cve/CVE-2015-3456) or cause a [](wp>denial of service) by consuming resources (network, disk, CPU or memory).
 
Although IPFire will run effectively in a virtual machine, it is ideal to run any security software (such as a firewall router) on a separate physical machine. Running IPFire on a physical machine removes the possibility that another VM or the virtualization environment could [become](https://en.wikipedia.org/wiki/virtual machine escape) [compromised](http://arstechnica.com/security/2015/10/xen-patches-7-year-old-bug-that-shattered-hypervisor-security/) [and](http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security) [in turn](http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf) [compromise](http://arstechnica.com/security/2012/08/crisis-espionage-malware-targets-virtual-machines/) [your](http://support.citrix.com/article/CTX201078) [IPFire](http://www.security-database.com/detail.php?alert=CVE-2015-3456) [firewall](https://access.redhat.com/security/cve/CVE-2015-3456) or cause a [denial of service](https://en.wikipedia.org/wiki/denial of service) by consuming resources (network, disk, CPU or memory).
 
* Where possible, for security purposes run IPFire on a physical computer
 
*IPFire is usually used in a position of trust as your internet gateway and if it is compromised it will be difficult to defend the rest of your network.*
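
Review bot: in the rewritten paragraph, `https://en.wikipedia.org/wiki/virtual machine escape` and `https://en.wikipedia.org/wiki/denial of service` contain spaces and need underscores or percent-encoding to work as link targets. While this line is being touched, the run of single-word links (`[become]`, `[compromised]`, `[and]`, `[in turn]` and so on) gives no hint of where each one goes; two of them point at CVE-2015-3456 advisories, so naming the reference in the link text would let readers judge the sources.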
 
### Block Tor
If you don't use it, block tor traffic as malware can use it for command and control purposes.
 
### Block P2P
As with Tor, block all P2P protocols which are not used on your network.