Network Security


Network security is a vital component for ensuring the security of a computing site. However, without the right infrastructure, providing network security is difficult, if not impossible. For example, if you run a shared network topology,[4] such as Ethernet, and have jacks in public locations that allow anyone to plug in to the network at will, how can you prevent someone from plugging in a machine and capturing all the packets (page 1047) that traverse the network?[5] You cannot, so you have a potential security hole. Another common security hole relates to the use of telnet for logins. Because telnet sends and receives cleartext, anyone "listening in" on the line can easily capture usernames and passwords, compromising security.

[4] Shared network topology: A network in which each packet may be seen by machines other than its destination. "Shared" means that the 100 megabits per second bandwidth is shared by all users.

[5] Do not make the mistake of assuming that you have security just because you have a switch. Switches are designed to allocate bandwidth, not to guarantee security.

Do not allow any unauthenticated PC (any PC that does not require users to supply a local name and password) on your network. With a Windows 9x PC, any user on the network is effectively Superuser for the following reasons:

  • A PC does not recognize the concept of root. All users, by default, have access to and can watch the network, capture packets, and send packets.

  • On UNIX/Linux, only Superuser can put the network interface in promiscuous mode and collect packets. On UNIX and Linux, ports numbered less than 1024[6] are privileged; that is, normal user protocols cannot bind to these ports. This is an important but regrettable means of security for some protocols, such as NIS, NFS, RSH, and LPD. Normally a data switch on your LAN automatically protects your machines from people snooping on your network for data. In high-load situations, switches have been known to behave unpredictably, directing packets to the wrong ports. Certain programs can overload the switch tables that hold information about which machine is on which port. When these tables are overloaded, the switch becomes a repeater and broadcasts all packets to all ports. An attacker on the same switch as you can then potentially see all the traffic your system sends and receives.

    [6] The term port has many meanings. Here it is a number assigned to a program. The number links incoming data with a specific service. For example, port 21 is used by ftp traffic, and port 23 is used by telnet.
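The points above concern what a host on your own segment can see. One check an administrator can run on a Linux host is whether any of its own interfaces has been put into promiscuous mode (the state a packet-capturing program leaves an interface in). The following is an added example, not code from the book; it assumes the sysfs layout /sys/class/net/<interface>/flags, where the kernel exposes the interface flags as a hexadecimal number, and the flag value IFF_PROMISC = 0x100 from <linux/if.h>. The directory is a parameter so the check can also be run against a constructed tree.

```python
"""Report Linux network interfaces whose kernel flags include IFF_PROMISC.

Added example, not from the book. Assumes the sysfs layout
/sys/class/net/<iface>/flags, where the flags appear as a hex string.
"""
import os

IFF_PROMISC = 0x100  # flag value from <linux/if.h>


def interface_flags(sysfs_net="/sys/class/net"):
    """Return {iface: flags} for every interface directory with a readable flags file."""
    flags = {}
    if not os.path.isdir(sysfs_net):
        return flags
    for iface in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, iface, "flags")
        try:
            with open(path) as fh:
                # int() accepts the "0x" prefix when base 16 is given
                flags[iface] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            # Not an interface directory (e.g. bonding_masters) or an
            # unparsable flags file: skip it rather than fail the whole scan.
            continue
    return flags


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Return the sorted names of interfaces that have IFF_PROMISC set."""
    return sorted(name for name, value in interface_flags(sysfs_net).items()
                  if value & IFF_PROMISC)


if __name__ == "__main__":
    promisc = promiscuous_interfaces()
    if promisc:
        print("promiscuous interfaces:", ", ".join(promisc))
    else:
        print("no interface is in promiscuous mode")
```

Run it from cron or a configuration-management check and alert on any non-empty result. The flag only reports what this host's kernel has been told; it says nothing about other machines on a shared segment, which is exactly why the book recommends encryption and switch-level controls rather than trusting the medium.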

Network Security Solutions

One solution to shared-network problems is to encrypt messages that travel between machines. IPSec (Internet Protocol Security Protocol) provides just such a technology. IPSec is commonly used to establish a secure point-to-point virtual network (VPN, page 1062) that allows two hosts to communicate securely over an insecure channel, such as the Internet. This protocol provides integrity, confidentiality, authenticity, and flexibility of implementation that supports multiple vendors.

IPSec is an amalgamation of protocols (IPSec = AH + ESP + IPComp + IKE):

  • Authentication Header (AH) A cryptographically secure, irreversible checksum (page 1024) for an entire packet. AH guarantees that the packet is authentic.

  • Encapsulating Security Payload (ESP) Encrypts a packet to make the data unreadable.

  • IP Payload Compression (IPComp) Compresses a packet. Encryption can increase the size of a packet, and IPComp counteracts this increase in size.

  • Internet Key Exchange (IKE) Provides a way for the endpoints to negotiate a common key securely. For AH to work, both ends of the exchange must use the same key to prevent a "man-in-the-middle" (see footnote 3 on page 992) from spoofing the connection.

While IPSec is an optional part of IPv4, IPv6 (page 359) mandates its use. However, it may be quite some time before IPv6 is widely implemented. See page 1012 for information about the implementation of IPSec in the Linux 2.6 kernel.
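To make the division of labour between AH and ESP concrete, here is an added, deliberately simplified model of what AH's integrity check value (ICV) buys you; it is not the book's code and not a real IPSec implementation. It assumes a constructed packet layout (SPI, sequence number, ICV, payload), HMAC-SHA256 as the keyed checksum, and a shared key standing in for one negotiated by IKE. Real AH additionally looks the key up by SPI, zeroes mutable IP header fields before computing the ICV, and keeps a sliding anti-replay window; those details are omitted here.

```python
"""Simplified AH-style integrity protection (added example, not from the book).

AH appends a keyed integrity check value computed with the key both ends
share. A receiver recomputes it; a packet altered or forged in transit, or
a replayed one, fails the check. AH does NOT hide the payload; that is ESP.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!II")      # SPI and sequence number, network byte order
ICV_LEN = hashlib.sha256().digest_size


def ah_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over the fields this model protects: SPI, sequence number, payload."""
    return hmac.new(key, HEADER.pack(spi, seq) + payload, hashlib.sha256).digest()


def ah_protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Wire form of the constructed packet: SPI | seq | ICV | payload."""
    return HEADER.pack(spi, seq) + ah_icv(key, spi, seq, payload) + payload


def ah_verify(key: bytes, packet: bytes, last_seq: int):
    """Return the payload if the ICV is valid and the sequence number advances,
    otherwise None. compare_digest avoids leaking the ICV through timing."""
    if len(packet) < HEADER.size + ICV_LEN:
        return None
    spi, seq = HEADER.unpack_from(packet)
    icv = packet[HEADER.size:HEADER.size + ICV_LEN]
    payload = packet[HEADER.size + ICV_LEN:]
    if not hmac.compare_digest(icv, ah_icv(key, spi, seq, payload)):
        return None                       # forged, altered, or wrong key
    if seq <= last_seq:
        return None                       # replay (simplified: no window)
    return payload


if __name__ == "__main__":
    key = b"constructed shared key, stands in for an IKE-negotiated key"
    pkt = ah_protect(key, spi=0x1000, seq=1, payload=b"GET /index.html")
    print("accepted:", ah_verify(key, pkt, last_seq=0))
    print("tampered:", ah_verify(key, pkt[:-4] + b"htmx", last_seq=0))
    print("payload still readable on the wire:", b"/index.html" in pkt)
```

The last line of the demo is the point the bullet list makes: the ICV proves who sent the packet and that it was not modified, but the payload is in the clear. Confidentiality requires ESP, and both rely on IKE to get the shared key to each end without an intermediary learning it.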

Network Security Guidelines

Some general guidelines for establishing and maintaining a secure system follow. This list is not complete; it is meant only as a guide.

  • Fiberoptic cable is more secure than copper cable. Copper is subject to both active and passive eavesdropping. With access to copper cable, all a data thief needs to monitor your network traffic is a passive device for measuring magnetic fields. In contrast, it is much more difficult to tap a fiberoptic cable without interrupting the signal. Sites requiring top security keep fiberoptic cable in pressurized conduits, where a change in pressure signals that the physical security of the cable has been breached.

  • Avoid leaving unused ports available in public areas. If a malicious user can plug a laptop into the network without being detected, you are at risk of a serious security problem. Network drops that will remain unused for extended periods should be disabled at the switch, preventing them from accepting or passing network traffic.

  • Many network switches have provisions for binding a hardware address to a port for enhanced security. If someone unplugs one machine and plugs in another machine to capture traffic, chances are that the second machine will have a different hardware address. When it detects a device with a different hardware address, the switch can disable the port. Even this solution is no guarantee, however, as there are programs that enable you to change or mask the hardware address of a network interface.

    Security: Install a small kernel and run only the programs you need

    Linux systems contain a huge number of programs that, although useful, significantly reduce the security of the host. Install the smallest operating system kernel that meets your needs. For Web and FTP servers, install only the needed components. Users usually require additional packages.


  • Do not allow NFS or NIS access outside of your network. Otherwise, it is a simple matter for a malicious user to steal your entire password map. Default NFS security is marginal to nonexistent (a common joke is that NFS stands for No File Security), so such access should not be allowed outside your network to machines that you do not trust. Experimental versions of NFS for Linux that support much better authentication algorithms are now becoming available. Use IPSec, an experimental NFSv4 with improved authentication, or firewalls to provide access outside of your domain.

  • Support for VPN configuration is often built into new firewalls or provided as a separate product, enabling your system to join securely with those of your customers or partners. If you must allow business partners, contractors, or other outside parties to access your files, consider using a secure filesystem, such as NFS with Kerberos (page 1039), secure NFS (encrypts authentication, not traffic), NFS over a VPN such as IPSec, or cfs (cryptographic filesystem).

  • Specify /usr as read-only (ro) in /etc/fstab. Following is an example of such a configuration.

    /dev/hda6      /usr      ext2     ro    0   0

    This approach may make your machine difficult to update, so use this tactic with care.

  • Mount filesystems other than / and /usr nosuid to prevent setuid programs from executing on this filesystem. For example,

    /dev/hda4      /var        ext3    nosuid   0    0
    /dev/hda5      /usr/local  ext3    nosuid   0    0

  • Use a barrier or firewall product between your network and the Internet. Several valuable resources cover firewalls, including the comp.security.firewalls newsgroup and the free firewalls Web site, www.freefire.org. Red Hat Linux includes iptables (page 763), which allows you to implement a firewall.
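The two /etc/fstab guidelines above (/usr mounted ro, every filesystem other than / and /usr mounted nosuid) are easy to drift away from as disks are added. The following added example, not code from the book, audits fstab text against those two rules. It assumes the standard six-field fstab format and skips swap entries and the pseudo-filesystems proc, sysfs and devpts, which cannot carry setuid binaries; the sample fstab is constructed and modelled on the book's entries.

```python
"""Audit /etc/fstab against two guidelines (added example, not from the book):
/usr should be mounted read-only, and every filesystem other than / and /usr
should be mounted nosuid so setuid programs cannot execute from it.
"""

# constructed sample, modelled on the book's entries, with /home left at defaults
SAMPLE_FSTAB = """\
# device        mount point   type    options   dump  pass
/dev/hda2      /            ext3    defaults   1     1
/dev/hda6      /usr         ext2    ro         0     0
/dev/hda4      /var         ext3    nosuid     0     0
/dev/hda5      /usr/local   ext3    nosuid     0     0
/dev/hda7      /home        ext3    defaults   0     0
/dev/hda3      swap         swap    defaults   0     0
none           /proc        proc    defaults   0     0
"""

# assumption: these types hold no regular files, so nosuid is moot for them
SKIP_FSTYPES = {"swap", "proc", "sysfs", "devpts"}


def parse_fstab(text):
    """Return (device, mountpoint, fstype, option_set) for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: fewer than the four mandatory fields
        device, mountpoint, fstype, options = fields[:4]
        entries.append((device, mountpoint, fstype, set(options.split(","))))
    return entries


def audit_fstab(text):
    """Return one finding string per entry that violates a guideline."""
    findings = []
    for device, mountpoint, fstype, opts in parse_fstab(text):
        if fstype in SKIP_FSTYPES or not mountpoint.startswith("/"):
            continue
        if mountpoint == "/usr" and "ro" not in opts:
            findings.append(f"{mountpoint} ({device}): not mounted read-only")
        if mountpoint not in ("/", "/usr") and "nosuid" not in opts:
            findings.append(f"{mountpoint} ({device}): setuid programs allowed (no nosuid)")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_FSTAB
    for finding in audit_fstab(text) or ["no findings"]:
        print(finding)
```

Run it as `python3 audit_fstab.py /etc/fstab` on a real host; with no argument it audits the constructed sample and reports /home. As the book notes, a read-only /usr complicates updates, so a finding is a prompt to decide, not a rule to apply blindly.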




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383
