Protecting Your Machine


After you have disabled all the unnecessary services on your system, what remains is a core set of connections and programs that you want to keep. Don't think you're done, though. It's time to consider what to do about your wireless network and the physical security of your servers.

Securing a Wireless Network

Wireless networking under the 802.11 standards is not built with security in mind. The practice of wardriving, where folks drive around with wireless-equipped laptops looking for a hotspot, tells you most of what you need to know about the security of the average wireless network. It's one thing to use random wireless hotspots to surf the web on the road; it's quite another to intercept packets of data transferring across someone's wireless network. This is potentially a serious problem that you need to be concerned about. Great progress has been made in the last few years, but this problem has not been solved yet. If an attacker is in your neighborhood and knows the frequency that your network uses, you have a nightmare on your hands. It should also be noted that the encryption standard of most wireless NICs is weaker than you need and should not be considered part of your security plan.

Tip

Whenever you are running on a wireless LAN, always run OpenSSH tools to protect yourself and your data. SSH passwords are not transmitted as plain text, and your sessions are encrypted.

This is especially true if you are accessing public WiFi access points. Many hosting providers don't provide (or haven't until recently provided) secure email, and your username/password combination is sent in plain text across the network every time you check your mail.

If you have your own network, it should be secured with the Wired Equivalent Privacy (WEP) algorithm. You not only want to protect your personal workstation/desktop/whatever information, but you also want to protect your credentials on any servers you connect to.


Whether or not your network is wired, the better the physical security of your computers, the more secure your network will be. Keep wireless transmitters (routers, switches, and the like) as close to the center of your building as possible. Do your own wardriving around the building to see if anyone just walking around can access your network, and shut things down tighter if you can.

It does not take much to hook up a wireless access point to a legitimate network hub, and then whoever sets up that point can compromise your entire network. Be wary and scan for them regularly.
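One way to run that regular check, as an added example that is not from the book: it parses scan output in the layout printed by `iw dev wlan0 scan` and flags access points missing from your own inventory. The interface name, SSIDs, MAC addresses, and the -60 dBm "probably inside the building" threshold are all assumptions, and the sample scan is constructed.

```python
import re

# Constructed sample in the layout printed by `iw dev wlan0 scan` (not a real capture).
SAMPLE_SCAN = """\
BSS 02:00:00:aa:00:01(on wlan0) -- associated
\tsignal: -41.00 dBm
\tSSID: corp-wlan
BSS 02:00:00:ff:00:09(on wlan0)
\tsignal: -38.00 dBm
\tSSID: corp-wlan
BSS 02:00:00:ee:00:07(on wlan0)
\tsignal: -52.00 dBm
\tSSID: linksys
BSS 02:00:00:dd:00:03(on wlan0)
\tsignal: -88.00 dBm
\tSSID: cafe-next-door
"""

# Assumed inventory: BSSID -> SSID for every access point you installed yourself.
APPROVED = {"02:00:00:aa:00:01": "corp-wlan"}

def parse_scan(text):
    """Return one dict per BSS block: bssid, ssid, signal (dBm or None)."""
    aps, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "signal": None}
            aps.append(cur)
        elif cur is not None:
            key, _, val = line.strip().partition(": ")
            if key == "SSID":
                cur["ssid"] = val
            elif key == "signal":
                cur["signal"] = float(val.split()[0])
    return aps

def find_suspects(aps, approved, strong_dbm=-60.0):
    """List (bssid, ssid, reason) for unapproved APs worth tracking down."""
    own_ssids = set(approved.values())
    suspects = []
    for ap in aps:
        if ap["bssid"] in approved:
            continue
        if ap["ssid"] in own_ssids:
            suspects.append((ap["bssid"], ap["ssid"], "unapproved BSSID using your SSID"))
        elif ap["signal"] is not None and ap["signal"] >= strong_dbm:
            suspects.append((ap["bssid"], ap["ssid"], "unapproved AP with strong signal"))
    return suspects
```

A wireless scan only shows what is on the air, so a flagged access point still has to be traced to a switch port to confirm it is attached to your wired network. The weak neighboring network in the sample is deliberately left unflagged to keep the list short enough to act on.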

Another Word on Passwords and Physical Security

This is one of those messages that it's difficult to emphasize too much: Secure passwords and secure machines are the first line of defense against electronic break-ins. Follow the password rules outlined in Chapter 19, especially if you're the Root user. Having access to the Root account is the holy grail for an attacker. Protect that account and that password with everything you have. Enforce the password standards mercilessly on your users as well.

If you are the sysadmin on a company SUSE Linux server, be aware that changes in people's employment status can create problems for you. Former employees are often the source of attacks on servers. Have a policy in place for what happens to user accounts when someone leaves your company. That policy need not be draconian, but it should be fair to all concerned. Make sure everyone knows what it is, and enforce it consistently.



SUSE Linux 10.0 Unleashed
ISBN: 0672327260
EAN: 2147483647
Year: 2003
Pages: 332
