There are a number of steps you can take to secure your network. Some basic practices require more common sense than computer savvy. The way you configure your computers can promote security. Encryption protects data traveling over the network. Good passwords in the right locations protect user accounts and computers. Firewalls also help you provide various degrees of network protection.
The way you protect your computers and network hardware depends on their value, and on the risks in your environment.
In a home network, it is best to keep hubs and routers out of the reach of toddlers, and in locations where you won t spill coffee. Generally, you aren t worried about people who are trying to physically break into a home network.
In a corporate network, you ll want to secure your computers from sabotage , whether accidental or intentional. Depending on need, you may want to keep your servers, as well as your routers, switches, and hubs, in locked rooms. Secure rooms are also good locations for backup media. Just be sure that these locations have proper environmental controls such as air conditioning to maximize the life of your systems.
It s important to keep notes on your configuration, just in case you need to reinstall Linux from scratch.
In a military or other very secure setting, you ll probably be required to take stronger measures, such as removing or locking floppy drives and ports to which you can attach recording hardware. Depending on need, you can configure different levels of physical security for servers, network hardware, and workstations. In addition, you can keep internal networks more secure by isolating them from the Internet.
In any secure setting, consider the use of other basic security systems such as alarms, guards , cameras , ID systems, and similar devices.
Encrypting sensitive data that you send over a network is a must. In most cases, this means that you use a private key to scramble the data that you send. On the other end of the connection, you then supply your users with a public key that they use to unscramble your data.
It is possible to activate different levels of security for your passwords, for various services, and other systems when you installed Red Hat Linux. The types of encryption that you can add to your system include the following:
MD5 passwords Linux supports long passwords of up to 256 characters .
Shadow Password Suite This type involves encrypting passwords in /etc/shadow , which is normally accessible only to the root user. The suite is active by default (see Chapter 09 for a detailed description).
Kerberos This encryption system eliminates the need to send passwords over a network. With this system, both the client and the server are authorized by a ticket-granting service (TGS). Kerberos is a fully functional encryption system that does not work with the Shadow Password Suite, and is only partially compatible with the PAM system discussed later in this chapter. Kerberos was developed by the Massachusetts Institute of Technology.
GNU Privacy Guard This is commonly used to encrypt e-mail, using the Linux version of the Pretty Good Privacy (PGP) system. GNU Privacy Guard is also used to verify the authenticity of downloads, such as RPMs. See Chapter 10 for more information.
RSA and DSA Digital signature algorithms (DSA) are associated with Secure Shell (SSH) network access. For more information on using SSH with these algorithms, see Chapter 23 .
At least three levels of password security exist: on the computer, on the bootloader, and when logging into Linux. At each of these levels, you must decide whether you need a password, what type of password you want, and how often you should change that password. Chapter 09 covers the issues and options associated with user passwords.
Modern PC BIOSes include an option for adding a password for access to the BIOS menu. A BIOS can include a wide variety of options, including a network boot to a computer that might just record passwords that are typed in. Other changes to a BIOS could sabotage the data on your system.
However, modifying a BIOS, at least on standard PCs, requires physical access to the computer. In other words, if your system is physically secure, you might not need a password on your BIOS.
As we ve mentioned before, two basic bootloaders are available: GRUB and LILO. Many users prefer GRUB, because they can protect it with a password. Otherwise, users can change the bootloader configuration file, change the root password by booting Linux in single-user mode, or even access other operating systems, such as Microsoft Windows, that may be accessible in a dual-boot configuration. For more basic information on GRUB, the default Red Hat Linux bootloader, see Chapter 11 . Using the techniques discussed in Chapter 11 , you can password-protect access to other operating systems. For example, if your computer includes a dual-boot configuration with Microsoft Windows, you can add a password to the appropriate stanza in the GRUB configuration file, /boot/grub/grub.conf , as shown here:
title DOS lock password -- md5 sf934^(^$asjl rootnoverify (hd0,0) chainloader +1
The lock command keeps anyone from booting the associated operating system; attempts result in a must be authenticated error message. With this additional code, you first need to enter the password to edit GRUB, select the DOS option, and then enter the MD5 password you created to boot this operating system.
Three basic types of firewalls are available. One can look at every packet of data that comes into your network and make decisions based on the type of data. Another is based on services such as Samba, NFS, and Apache; as we discuss in their respective chapters, various services have their own form of access control that can also serve as a firewall. The third basic type of firewall is based on the services associated with the xinetd daemon, as discussed in Chapter 23 .
The main Red Hat Linux firewall tool is iptables . As you ll see later in this chapter, it lets you block just the traffic you identify. Alternatively, you can configure it to block all traffic, with exceptions for just the services that you need. When you configure a firewall on a gateway computer, it acts as a bastion host .
You can set different levels of firewall protection for different computers. For example, if you have a web server, you might configure two different firewalls, as shown in Figure 22.1. For Firewall I, you might configure a minimal level of protection, including commands that help you avoid typical problems associated with web servers, such as the so-called ping of death. For Firewall II, you might include full protection, to help secure your network from the Internet. More information on securing your network from the ping of death and other issues is available later in this chapter.
The ping of death is a denial-of-service attack; so much data is sent by a ping command that no other network messages can get through to the target server.