|Carla Schroder, author|
Former mechanic Carla Schroder now uses her technical expertise to build open source systems and networks. In this interview, she offers a peek into her most recent book, Linux Networking Cookbook. You may also find a download of Chapter 7 of the book, Secure Remote Administration with SSH, here. How does a well-running network strengthen the Linux operating system?
Carla Schroder: Linux inherits the Unix architecture of making networking a core and fundamental part of the kernel and operating system. Linux is a true multitasking multi-user operating system; there is no artificial distinction between desktop and server versions. Any Linux distribution can serve either role, so the network administrator has a lot of flexibility and power. Additionally, like Unix, Linux is completely standards-compliant, so you aren't hampered by useless proprietary roadblocks.
People sometimes take a well-running network for granted. Especially with Linux and Unix, it is true that "the network is the computer." A functional network is central to maintaining an efficient environment. The more the industry advances, the more the network will become relevant to system administration.What are your favorite tools for Linux networking? How did you decide which to include in LNC?
Schroder: OpenSSH is always at the top of my list. It has low overhead and works. My favorite thing about the tool is that it can secure such a wide variety of applications. Another good tool is Nmap. There are a bunch of network penetration testing and scanning programs available out there, but in my opinion the best approach is to choose one like Nmap and learn it thoroughly. Run tests from every angle to find out what works. It shouldn't be a bigger deal than it has to be; the goal is to get a clear picture of your network. I also like Kismet, which detects and monitors wireless networks. It allows you to watch what's happening on the inside of the network as closely as you do the outside. Tools are always changing addresses as the network grows, so it is important to monitor where they are and who has access to them. It's also important to continually monitor for rogue wireless access points because they present a significant security risk. If your users are continually setting up unauthorized WAPs, it may be they have legitimate needs that are not being met. Did you write this book in a different way from how you wrote Linux Cookbook?
Schroder: I actually had a plan when I was writing my first book, Linux Cookbook , to write another one about networking. System and network administration go hand in hand. Configuring a server is not something you can separate from networking configuration, because both are equally important and interrelated. Server configuration affects network performance; a well-tuned server is also well-supplied in network resources. Conversely, a poorly-configured server can flood the network with useless traffic and slow it down. If you have a low-demand server you can do some traffic-shaping to allocate less network bandwidth to it, and allocate more to a higher-demand server. System administration doesn't happen in a vacuum- you can't set up a PC or server without also calculating its effect on the network. What are your network security priorities?
Schroder: The most important part of network security is mastering the fundamentals. Access controls and encryption are two basic and powerful tools. Restrict access into your network as much as you can without impairing functionality, and use the access controls in individual applications as well. For example, the iptables chapter in the book shows how to block all unnecessary traffic to a Web server, so that the server itself only has to deal with HTTP packets and not floods of bogus guff and crack attacks.
Encryption is simple and very powerful. Encrypt your email, FTP, VPN, Websites- anything and everything that is the least bit sensitive should be encrypted.
SSH is a great general-purpose tool for encrypting everything, even applications without their own native encryption. For example you can run VNC through secure SSH tunnels for secure graphical remote helpdesk and system administration, even over the Internet. (Chapter 7 of Linux Networking Cookbook, Secure Remote Administration with SSH, is available as a download on searchEnterpriseLinux.com)Some admins think that setting up SSH is too much work, because you have to set up encryption keys at both ends of the connection. I think this is a pretty tiny bit of effort that pays great dividends. Some are worried about a man-in-the-middle attack if they transfer the encryption keys over the network. You can always sneakernet them, but this isn't always practical. There is a simple way to verify that the new key is authentic and has not been compromised: verify its fingerprint with a phone call. What is the most efficient way to manage workloads on Linux networks?
Schroder: This is a pretty complex question. In general you want some kind of continual monitoring so you have at least a big picture view of how everything is working. The two most common problems I see are misconfigured routing and bad iptables rules.
The troubleshooting chapter goes into detail on a number of good troubleshooting and diagnostic utilities. My favorite reliable old standby is tcpdump. This reads packet headers, and also the data payload on unencrypted packets. All network admins should have a deep knowledge of TCP/IP- everything flows from that. If you don't, computer networking will always be mysterious to you.How has network management changed in the last five years?
Schroder: In the days of dial-up, administrators had to do more tweaking to get their network running and connected. It's not that way anymore; the complexities behind a functional network are hidden from end users. Connecting is so easy that you can just "plug it in and let it go" in most cases.
I have nothing against technology being convenient. It's amazing that we can do so much with a click or two now - send a video letter cross-country, use GPS to get where you need to be from anywhere. Networking and these technologies will probably become more streamlined as time goes forward.
Bad habits stay the same, however. It used to be that performing complicated tasks required a team of gurus to figure out. It still does, and I hope that my book helps you be the guru!