Section 9.2. Staying Up to Date

9.2. Staying Up to Date

One important aspect of server security that outranks the choice of programs you use to secure your network is the absolute necessity of keeping those programs up to date. While security softwarea firewall, for examplecan help you avoid situations in which unanticipated security holes are discovered in network software, such as Apache, a security hole within the security software itself opens your network to serious compromise.

It's very important to stay up to date with the latest software patches; most Linux distributions maintain an archive of security-patched software, and roll updated versions of software with security patches into that archive as each new patch is released. In Fedora Core, you can check for updates to the packages you've installed by running yum update . This displays a report of the available updates, then asks if you want yum to download and install the updates.

Checking for, and applying patches on an ongoing basis is part of the layered approach to security described above: it allows you to achieve "defense in depth." If, for example, you were simply to rely on your firewall to prevent unauthorized access to your network, and decided not to bother with security behind the firewall, then that firewall would become a single point of failure; a compromise in the firewall would automatically mean the compromise of your entire network. If you take a layered approach to security, compromising the firewall merely gives crackers the opportunity to further attempt to compromise the machine or network; however, they should not be able to achieve their ends, because you'll have put more layers of security in place to prevent that. In the worst case, where a compromise is achieved, audit tools such as Snort should at least alert you to the compromise, enabling you to put a stop to it.