Linux Networking, Part 6: Securing Your Network
Preparing for the Worst
The only sure way to lock down a PC is to disconnect it from any network and never load a program or a document file that supports macros. That is rather impractical, especially when our goal is to connect the network to the Internet.
There are a number of avenues and methods through which the security of a network can be breached. Attacks from the Internet through the firewall are the ones we look at here. Other threats include computer viruses and insider manipulation.
Attacks from the Internet can be divided into two types. The first type tries to gain access to the router/firewall or the network itself. These are the attacks we will concentrate on. The second type attempts to prevent the connection to the Internet from being used. Attacks of this type are made from computers on the Internet and flood the firewall. There is not much typical users can do about this second type without the help of their Internet service providers and some rather technical assistance. Luckily, this type of attack will not result in the loss of information or compromise the security of the network.
Unfortunately, people trying to gain access to the network from the Internet are often determined and well equipped with attack software. It is therefore important to have multiple security measures in place. We will take a look at the security measures implemented on the Linux router/firewall discussed in the previous articles, but these measures should not be the only ones employed. Additional measures should be incorporated on network workstations as well, to limit problems should the router be compromised. In particular, user names and passwords should be used on workstations. Firewall configurations can also be employed on workstations. Linux workstations can use some of the techniques presented here, while Windows workstations can use third-party products to provide similar firewall services.
Finally, there are general preparation and vigilance. Check access logs periodically to see if they indicate improper or unusual access. Keep multiple backups in case data is corrupted. Make sure the root password is long and complicated. It can be something simple to remember like I12like34a56secure78server90. Use different root passwords for different servers. It makes logon more difficult, but it means that compromising one server does not compromise the network. Also, do not create default or dummy users with minimal or blank passwords.
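One way to check for the blank-password accounts warned about above, as an added example that is not part of the original article. The function names, the sample accounts and their placeholder hashes are constructed for illustration, and the check assumes the standard colon-separated /etc/passwd and /etc/shadow layouts.

```shell
#!/bin/sh
# Added example: report accounts that can log in without a password.

# audit_blank_passwords PASSWD_FILE SHADOW_FILE
# Prints, one per line and sorted, every login name whose password field
# is empty in either file and whose shell is not nologin or false.
audit_blank_passwords() {
    awk -F: '
        # First file (passwd format): record the login shell, and note
        # accounts whose own password field is empty.
        NR == FNR { shell[$1] = $7; if ($2 == "") blank[$1] = 1; next }
        # Second file (shadow format): an empty field 2 means no password.
        ($1 in shell) && $2 == "" { blank[$1] = 1 }
        # Skip service accounts that cannot start an interactive shell.
        END { for (u in blank) if (shell[u] !~ /(nologin|false)$/) print u }
    ' "$1" "$2" | sort
}

# Runs the audit over constructed sample files (not real account data).
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
test::1002:1002::/home/test:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon::19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
test:!:19000:0:99999:7:::
EOF
    audit_blank_passwords "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo_audit
```

On a live system the same function can be pointed at /etc/passwd and /etc/shadow, which requires root because the shadow file is not world-readable.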