Linux Networking and Security Chapter 11 Network Security Fundamentals

Page 1: Linux Networking and Security Chapter 11 Network Security Fundamentals

Linux Networking and Security

Chapter 11

Network Security Fundamentals

Page 2: Linux Networking and Security Chapter 11 Network Security Fundamentals

Network Security Fundamentals

Summarize the types of network security breaches that crackers attempt

Describe how to use special routing techniques to protect local network traffic

Configure a basic Linux firewall

Use networking utilities and techniques that protect network traffic through encryption

Page 3: Linux Networking and Security Chapter 11 Network Security Fundamentals

Reviewing Threats to Your Network

Trojan Horses are programs concealed within other programs that you intentionally install

Once installed, the host program of the Trojan Horse appears to do one thing, but does another

One means of protection is to install programs from only trustworthy sources

Viruses and Worms are designed to replicate themselves once they have been installed

Linux is rarely the subject of virus attacks

Worms pose a greater threat to Linux

Page 4: Linux Networking and Security Chapter 11 Network Security Fundamentals

Reviewing Threats to Your Network

Denial-of-Service (DoS) attacks occur when a cracker overwhelms a system and causes it to shut down or become unusable

Two common methods are to overwhelm the system with network traffic and to execute network requests

Buffer overflow attacks refer to any cracker attack that exploits a programming flaw

The result can cause a network service to shut down, corrupt data, or provide unexpected access to a system

Page 5: Linux Networking and Security Chapter 11 Network Security Fundamentals

Reviewing Threats to Your Network

Spoofing is the forging of addresses; crackers use IP and DNS spoofing

Man-in-the-middle attacks are those in which a cracker intercepts a communication, reads or alters it, and leads the originator of the packet to believe the intended recipient has received it

Another type of this attack is Web spoofing, where a user is linked to a cracker’s site when they believe they are linked to another

Page 6: Linux Networking and Security Chapter 11 Network Security Fundamentals

Reviewing Threats to Your Network

Page 7: Linux Networking and Security Chapter 11 Network Security Fundamentals

Using Advanced Routing and Firewalls

A firewall typically refers to a packet filter - access control operating at the lowest level of the networking protocol stack

Firewalls rely on rules, the configuration settings that define certain characteristics of an IP packet and the action to take for packets meeting the specified criteria

Networking stacks in Linux are contained in the kernel and advanced routing and firewalls are implemented using the same Linux tools

Page 8: Linux Networking and Security Chapter 11 Network Security Fundamentals

Using Advanced Routing and Firewalls

Page 9: Linux Networking and Security Chapter 11 Network Security Fundamentals

Introducing IP Chains

The IP Chains feature of Linux allows for the setup of a chain: a list of rules for how packets are handled

Input chains: packets coming from outside the system on which the rule is executed pass through

Forward chains: packets coming from outside the system on which the rule is executed and that need to be routed to another system pass through

Output chains: packets coming from within the system on which the rule is executed and that are destined for other systems pass through
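A small model of how a chain like the ones above is evaluated, added here as an example and not part of the textbook's slides: rules are tried in order, the first matching rule decides the verdict, and the chain's default policy applies when nothing matches. The addresses, ports and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DENY"
    src: Optional[str] = None    # CIDR source network; None matches any source
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

class Chain:
    """An ordered rule list plus a default policy, like an input chain."""
    def __init__(self, name: str, policy: str) -> None:
        self.name, self.policy = name, policy
        self.rules: List[Rule] = []

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:        # rules are checked top to bottom
            if rule.matches(pkt):
                return rule.action     # first match wins; later rules are ignored
        return self.policy             # nothing matched: apply the default policy

def build_input_chain() -> Chain:
    """Constructed input chain: deny by default, allow SSH from the LAN and
    web traffic from anywhere except one blocked network."""
    chain = Chain("input", policy="DENY")
    chain.rules.append(Rule("ACCEPT", src="192.168.1.0/24", proto="tcp", dport=22))
    chain.rules.append(Rule("DENY", src="203.0.113.0/24"))  # placed before the web rule, so it wins
    chain.rules.append(Rule("ACCEPT", proto="tcp", dport=80))
    return chain

def filter_packet(chain: Chain, src: str, dst: str, proto: str, dport: int) -> str:
    """Run one packet through the chain and return ACCEPT or DENY."""
    return chain.verdict(Packet(src, dst, proto, dport))
```

Swapping the order of the DENY and the web ACCEPT rule changes the verdict for the blocked network, which is the point about rule ordering that a real firewall shares with this model.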

Page 10: Linux Networking and Security Chapter 11 Network Security Fundamentals

Introducing IP Chains

Page 11: Linux Networking and Security Chapter 11 Network Security Fundamentals

Introducing IP Chains

Page 12: Linux Networking and Security Chapter 11 Network Security Fundamentals

Network Address Translation

The IP Chains feature also provides special routing functionality, such as Network Address Translation (NAT)

NAT is a routing technique that alters address or other header information in a packet

One popular type of NAT is IP masquerading, a type of network address translation in which packets from many computers on a LAN appear as if they came from one computer

Page 13: Linux Networking and Security Chapter 11 Network Security Fundamentals

Network Address Translation

Page 14: Linux Networking and Security Chapter 11 Network Security Fundamentals

Transparent Proxying

Using a proxy server is very similar to IP masquerading, but the proxy works at the application level, not the IP level

An alternative to using a proxy server is to use the transparent proxy feature of IP Chains and IP Tables

Transparent proxy allows for the redirection of a packet based on the port to which the packet is addressed
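A model of both IP masquerading (slide 12) and transparent proxy redirection (this slide) as a gateway would apply them, added here as an example and not taken from the textbook: outbound LAN packets are rewritten to carry the gateway's public address and a unique public port so that replies can be mapped back to the right host, and packets to a chosen destination port are redirected to a local proxy port instead. All addresses, ports and the proxy port 3128 are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    sport: int   # source port
    dst: str     # destination IP address
    dport: int   # destination port

class Gateway:
    """Model of a masquerading gateway with transparent proxy redirection."""
    def __init__(self, public_ip: str, redirect: Optional[Dict[int, int]] = None) -> None:
        self.public_ip = public_ip
        self.redirect = redirect or {}    # destination port -> local proxy port
        self.next_port = 40000            # next public source port to hand out
        self.table: Dict[int, Tuple[str, int]] = {}  # public port -> (LAN src, LAN sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Handle a packet from the LAN headed for the outside world."""
        if pkt.dport in self.redirect:
            # Transparent proxy: the packet is delivered to the proxy on this
            # host instead of its original destination; the client is unaware.
            return replace(pkt, dst=self.public_ip, dport=self.redirect[pkt.dport])
        # Masquerade: rewrite the source so it appears to come from the gateway,
        # using a unique public port so replies can be matched to the right host.
        port = self.next_port
        self.next_port += 1
        self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Handle a packet arriving from outside at the gateway's public address."""
        mapping = self.table.get(pkt.dport) if pkt.dst == self.public_ip else None
        if mapping is None:
            return None   # not a reply to anything we translated: drop it
        lan_src, lan_sport = mapping
        return replace(pkt, dst=lan_src, dport=lan_sport)

def demo():
    """Constructed traffic: two LAN hosts using the same source port, a reply,
    a web request that is redirected, and an unsolicited packet from outside."""
    gw = Gateway("203.0.113.1", redirect={80: 3128})
    a = gw.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 443))
    b = gw.outbound(Packet("192.168.1.11", 51000, "198.51.100.20", 443))
    reply = gw.inbound(Packet("198.51.100.20", 443, "203.0.113.1", b.sport))
    web = gw.outbound(Packet("192.168.1.10", 51001, "198.51.100.30", 80))
    stray = gw.inbound(Packet("198.51.100.99", 12345, "203.0.113.1", 22))
    return a, b, reply, web, stray
```

The unsolicited packet is dropped because no translation entry exists for it, which is why hosts behind a masquerading gateway are not directly reachable from outside.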

Page 15: Linux Networking and Security Chapter 11 Network Security Fundamentals

Transparent Proxying

Page 16: Linux Networking and Security Chapter 11 Network Security Fundamentals

Transparent Proxying

Page 17: Linux Networking and Security Chapter 11 Network Security Fundamentals

Graphical Firewall Configuration Utilities

Linux supports several graphical tools that can be used to set up a firewall

Red Hat Linux includes the lokkit program that walks you through questions and establishes rules based on your security choices

Red Hat Linux also includes the firewall-config program, which allows the set up of complex firewall rules

Page 18: Linux Networking and Security Chapter 11 Network Security Fundamentals

Graphical Firewall Configuration Utilities

Page 19: Linux Networking and Security Chapter 11 Network Security Fundamentals

Graphical Firewall Configuration Utilities

Page 20: Linux Networking and Security Chapter 11 Network Security Fundamentals

Graphical Firewall Configuration Utilities

Page 21: Linux Networking and Security Chapter 11 Network Security Fundamentals

Graphical Firewall Configuration Utilities

Page 22: Linux Networking and Security Chapter 11 Network Security Fundamentals

Graphical Firewall Configuration Utilities

Page 23: Linux Networking and Security Chapter 11 Network Security Fundamentals

Graphical Firewall Configuration Utilities

Page 24: Linux Networking and Security Chapter 11 Network Security Fundamentals

Using NetFilter and IP Tables

NetFilter is the new and improved Linux packet filtering system and uses a different architecture than IP Chains

NetFilter is improved in that it provides hooks at five different points in packet processing

A hook refers to the ability to connect another program at that point

The lists of rules associated with the hooks are similar to IP Chains and are called IP Tables

Page 25: Linux Networking and Security Chapter 11 Network Security Fundamentals

Using NetFilter and IP Tables

IP Tables and NetFilter provide:

The ability to act on packets based on their state

Examination and alteration of just about any header field in a packet - this is packet mangling

Selection of packets to be logged based on the value of any header field

Passing of packets to regular Linux programs for further processing outside of the Linux kernel

Implementation of intelligent routing based on Quality of Service (QoS) features

Page 26: Linux Networking and Security Chapter 11 Network Security Fundamentals

Commercial Firewall Products

Many companies have created commercial security products for Linux; some are software, but many are separate hardware devices

A hardware device that is sold specifically to accomplish a purpose is called an appliance

Astaro Security Linux is a firewall product that does many of the things NetFilter can do and more, plus it includes web-based tools

NetMAX VPN Server Suite is another hardware solution built on Linux

Page 27: Linux Networking and Security Chapter 11 Network Security Fundamentals

Encrypting Network Traffic

The Secure Shell (SSH) package is a client/server protocol similar to Telnet

The OpenSSH implementation of SSH is used on most Linux distributions

SSH and OpenSSH support two versions:

SSH protocol version 1 (SSH1) uses a public key encryption system to authenticate connections

SSH2 uses a more robust authentication process and also supports strong encryption of all network traffic

Page 28: Linux Networking and Security Chapter 11 Network Security Fundamentals

Encrypting Network Traffic

OpenSSH supports a number of very useful features besides replacing Telnet and rlogin:

The ssh utility can be used to encrypt other network traffic, especially for protocols not inherently secure

Its ability to do port forwarding, a routing technique that allows encryption of many other protocols over SSH connections

With more complex configurations, SSH can be used to tunnel from a remote system through a firewall to an internal server

Page 29: Linux Networking and Security Chapter 11 Network Security Fundamentals

Encrypting Network Traffic

Page 30: Linux Networking and Security Chapter 11 Network Security Fundamentals

Encrypting Network Traffic

Page 31: Linux Networking and Security Chapter 11 Network Security Fundamentals

Other Tunneling Protocols

Page 32: Linux Networking and Security Chapter 11 Network Security Fundamentals

Other Tunneling Protocols

The concept behind using SSH port forwarding is that you can tunnel an insecure protocol inside a secure protocol

The Point-to-Point Tunneling Protocol (PPTP) is a standard for creating a virtual private network (VPN)

PPTP uses two communication channels between a client and a server; the first is a control channel, the second carries data and can be encrypted

Page 33: Linux Networking and Security Chapter 11 Network Security Fundamentals

Other Tunneling Protocols

The stunnel package allows for the use of SSL as a transport protocol for other network traffic instead of just HTTP (Web) traffic

The following protocols are examples of what can be encrypted using stunnel: POP3, IMAP, NNTP, SMTP, PPP

stunnel can be used from a superserver or directly on the command line

Page 34: Linux Networking and Security Chapter 11 Network Security Fundamentals

Creating a Virtual Private Network

VPNs allow multiple computers to function as part of a single, secure network when parts of the private network are actually separated by a public network such as the Internet

A VPN is like a special application of tunneling, because it lets a group of computers that can be remote from each other act as a single secure LAN by tunneling traffic through specially configured network connections

Page 35: Linux Networking and Security Chapter 11 Network Security Fundamentals

Creating a VPN

Page 36: Linux Networking and Security Chapter 11 Network Security Fundamentals

Creating a VPN

Page 37: Linux Networking and Security Chapter 11 Network Security Fundamentals

Creating a VPN

Page 38: Linux Networking and Security Chapter 11 Network Security Fundamentals

Creating a VPN

Page 39: Linux Networking and Security Chapter 11 Network Security Fundamentals

Configuring Security Services

Page 40: Linux Networking and Security Chapter 11 Network Security Fundamentals

Chapter Summary

Trojan Horse programs appear to be normal but perform actions that compromise system security

Viruses and worms are self-propagating security problems. Viruses typically attach themselves to data files; worms work independently of other programs

Denial-of-Service (DoS) attacks try to block access by legitimate users

Buffer overflow attacks rely on a programming oversight to corrupt data or gain unauthorized access by sending unexpected data to a network service

Page 41: Linux Networking and Security Chapter 11 Network Security Fundamentals

Chapter Summary

Spoofing attacks pretend that a data packet is coming from a service or location that is not accurate; the man-in-the-middle attack is a concern when someone might be able to intercept network traffic

Firewalls filter data packets based on their source, destination, protocol, or other aspects of a packet’s makeup; a Linux firewall is controlled through the Linux kernel

Linux firewalls are created using IP Chains, or IP Tables; both let a system administrator add rules to control which packets are accepted or discarded

Page 42: Linux Networking and Security Chapter 11 Network Security Fundamentals

Chapter Summary

Rules used by firewalls define characteristics of IP packets and how to handle matching packets

IP masquerading is a type of network address translation that lets multiple users access an external network such as the Internet through a single system that acts as though it were generating all of the traffic; transparent proxy lets you redirect packets to different ports

Programs for setting up and managing firewall rules are included in Red Hat Linux; these include lokkit and firewall-config

Page 43: Linux Networking and Security Chapter 11 Network Security Fundamentals

Chapter Summary

IP Tables provide several routing and security features that IP Chains did not include, such as packet mangling and support for Quality of Service/Type of Service flags

Many commercial firewall products are available for Linux; some are software and some are dedicated security appliances

The Secure Shell protocol (SSH), implemented in the OpenSSH package, provides an encrypted replacement for Telnet, as well as encrypted communications for many other protocols using the port forwarding feature of SSH

Page 44: Linux Networking and Security Chapter 11 Network Security Fundamentals

Chapter Summary

SSH uses either RSA or DSA public-key cryptography plus a symmetric cipher such as AES

The PPTP protocol was developed by Microsoft to implement a Windows VPN; PPTP uses an encrypted PPP session plus a separate control channel

The stunnel package uses the SSL protocol to encrypt other protocols such as POP3 and IMAP; stunnel can be used from a superserver or directly on the command line

Tunneling one TCP-based protocol inside another can cause delays and dropped connections

Page 45: Linux Networking and Security Chapter 11 Network Security Fundamentals

Chapter Summary

Linux security features can be used to create an effective virtual private network (VPN); many companies sell dedicated VPN appliances based on Linux

Many Webmin modules are available to help configure security services on Linux