Everything starts from a proper design.
If you’re smart, you know the solution is 100 percent pure Linux. All of the internal network, from the routers down to the Web servers, runs at 100 Mbit/sec (Fast Ethernet). From the Web servers to the Network Appliance file servers the wires run a cool 1000 Mbit/sec (Gigabit). The first time the gamblers hit a Linux machine is when their TCP/IP packets arrive at the firewall.
This computer is a Compaq Alpha workstation with 256 MB of RAM, and it runs SuSE’s 7.0 distribution. Since this is the only non-Intel machine in the solution, one might wonder why. The reason is security. Most buffer-overflow exploits on Linux are pre-compiled for the Intel x86 architecture. Running a platform that cannot execute them will statistically diminish the attacks by script kiddies. One more reason is that this is the only non-redundant point in the whole network, and Compaq’s Alpha machines are simply more reliable than x86-based PCs.
The firewalling itself is ipchains-based. Basically, the only thing allowed to come into the network is an HTTP packet addressed to port 80; everything else is discarded. In the outgoing direction, only reply packets from the Web servers are allowed. The rule set for…
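The following script is an added example, not the article's own rule set (which is cut off above): it implements the stated policy with ipchains, the packet-filter tool of the 2.2-series kernels that SuSE 7.0 shipped with (replaced by iptables on 2.4 and later). The interface names, the Web server subnet and the `IPCHAINS` dry-run variable are assumptions; by default the script only prints the commands, and it applies them only when run as root with `IPCHAINS=ipchains`.

```shell
#!/bin/sh
# Added example: ipchains rules for a forwarding firewall that admits only
# TCP/80 toward the Web servers and only replies from them. Not the article's
# rule set. Interface names and addresses below are constructed placeholders.
EXT_IF=eth0                        # assumed: interface facing the routers
INT_IF=eth1                        # assumed: interface facing the Web servers
WEB_NET=192.0.2.0/24               # constructed: Web server subnet
IPCHAINS="${IPCHAINS:-echo ipchains}"   # dry-run by default: print, don't apply

# emit_rules prints (or, with IPCHAINS=ipchains as root, applies) each rule.
# ipchains chains: input (arriving), forward (routed), output (leaving); -i is
# the incoming interface for input and the outgoing one for forward/output.
emit_rules() {
    # Default policies: deny everything that no rule explicitly accepts.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output DENY
    # Loopback traffic on the firewall host itself.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    # Anti-spoofing: nothing arriving from the routers may claim a Web
    # server address, or the reply rules below could be abused.
    $IPCHAINS -A input -i $EXT_IF -s $WEB_NET -j DENY
    # Inbound: only TCP to port 80 on the Web servers, on all three chains
    # the packet traverses on its way through the box.
    $IPCHAINS -A input -i $EXT_IF -p tcp -d $WEB_NET 80 -j ACCEPT
    $IPCHAINS -A forward -i $INT_IF -p tcp -d $WEB_NET 80 -j ACCEPT
    $IPCHAINS -A output -i $INT_IF -p tcp -d $WEB_NET 80 -j ACCEPT
    # Outbound: only packets from the Web servers' port 80 that are not a
    # bare SYN (! -y), so a compromised server cannot open connections out.
    $IPCHAINS -A input -i $INT_IF -p tcp ! -y -s $WEB_NET 80 -j ACCEPT
    $IPCHAINS -A forward -i $EXT_IF -p tcp ! -y -s $WEB_NET 80 -j ACCEPT
    $IPCHAINS -A output -i $EXT_IF -p tcp ! -y -s $WEB_NET 80 -j ACCEPT
    # Log (-l) whatever is about to fall through to the default policy, so
    # dropped traffic shows up in the kernel log for review.
    $IPCHAINS -A input -l -j DENY
}

emit_rules
```

Review the printed commands before applying them; the order matters, because ipchains matches rules top to bottom and the anti-spoofing deny must precede the accept rules that trust `$WEB_NET` as a source.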