Network architect: Hardening Linux networks with open source tools, part two

A network architect gets granular about using a few lesser known OS tools to build a secure infrastructure.

Network architect Todd Sanders uses well-known open source tools, like Snort and Nessus, to build secure networks. But Sanders, who works for Centrepetal Solution Strategies LLP, a systems integration and systems security firm in Bowie, Md., is willing to take roads less traveled. In part one of this two-part interview, he explained how Linux, Snort, and Nessus help Centrepetal build secure networks for businesses. In this interview, he offers a granular look at his work with POP Mail, Simple Network Management Protocol (SNMP) and F-Prot.

You have used POP Mail -- the protocol that allows single-user hosts to read mail from a server -- for giving certificates to e-mail users. In what circumstances is this appropriate?

Todd Sanders: It is appropriate in all circumstances, due to the security implications behind it. We feel that, in security, the most important aspect of IT is the end user and/or the client.


We have done a number of scans on client networks, uncovering user names and passwords using Ethereal. This was disturbing because, in certain circumstances, we found that confidential company information could have passed over the airwaves. In some such cases, we used POP Mail to connect remote users -- who felt that IMAPs was too slow for their needs.

At first, we found that connecting remote users to the network with POP Mail capability made the network wide open for attack, but once we turned to Red Hat Linux, using POP Mail securely became relatively easy.

Could you elaborate on how you used POP Mail?

Sanders: We enabled SSL certificates on the server and enabled the setting in sendmail.mc (which turns into sendmail.cf), allowing CSS to remove that possible threat (BellSouth, Verizon, SBC and Road Runner do not practice this) of extracting user names and passwords from an Ethereal scan (sniffing).

We often use sendmail as the gateway and utilize Exchange e-mail because of the functionality it provides. In these cases, we have reduced our spam traffic by 80% to 85% by adding lines like:

FEATURE(`dnsbl', `rbl-plus.mail-abuse.org', `"MAPS-listed host:http://mail-abuse.org/cgi-bin/lookup?"$&{client_addr}')dnl

and disabling (by commenting them out with dnl) the two relaxations:

dnl # FEATURE(`accept_unresolvable_domains')dnl
dnl # FEATURE(`relay_based_on_MX')dnl


This has helped improve efficiency throughout the organization.
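The following Python is an added example from the editor, not code from the interview or from Centrepetal. It shows the two halves of the point Sanders makes above: first, what a sniffer such as Ethereal recovers from a cleartext POP3 session (a constructed sample stream stands in for a real capture), and second, a client that upgrades to TLS with STLS before it sends a single credential and refuses to log in at all if the server does not offer it. The host, user and password in the sample are placeholders; the TLS-record check only inspects the first bytes of a capture.

```python
"""Added example (not from the interview or Centrepetal): what an Ethereal
capture of plaintext POP3 reveals, and a client that will not send the
password until the session is under TLS."""
import poplib
import re
import ssl

# Constructed sample: a cleartext POP3 session as a sniffer reassembles it
# from the TCP stream.  'C:' lines are the client, 'S:' lines the server.
SAMPLE_STREAM = b"""\
S: +OK POP3 server ready
C: CAPA
S: +OK
S: USER
S: .
C: USER alice
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 3 4096
C: QUIT
S: +OK Bye
"""

_CRED_RE = re.compile(rb"^C: (USER|PASS) (\S+)\s*$", re.MULTILINE)


def plaintext_credentials(stream: bytes) -> dict:
    """Pull the USER/PASS arguments out of a cleartext POP3 stream.

    This is all a sniffer on the same segment (or wireless network) has to
    do to recover the logins the interview describes."""
    found = {}
    for cmd, arg in _CRED_RE.findall(stream):
        found["user" if cmd == b"USER" else "password"] = arg.decode("ascii", "replace")
    return found


def looks_like_tls(stream: bytes) -> bool:
    """True if the captured bytes start with a TLS handshake record
    (content type 0x16, protocol major version 3).  After STLS, or on
    POP3S/995, this opaque record stream is all a sniffer gets."""
    return len(stream) >= 3 and stream[0] == 0x16 and stream[1] == 0x03


def pop3_login(host: str, user: str, password: str, port: int = 110,
               timeout: float = 10.0) -> poplib.POP3:
    """Connect to a POP3 server and log in only under TLS.

    Uses STLS on the standard port (RFC 2595).  If the server does not
    advertise STLS the function raises instead of falling back to a
    cleartext USER/PASS, which is exactly the exposure found with Ethereal.
    For implicit TLS on 995 use poplib.POP3_SSL(host, 995, context=ctx).
    """
    ctx = ssl.create_default_context()        # verifies the server certificate
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        if "STLS" not in conn.capa():
            raise RuntimeError(f"{host}:{port} does not offer STLS; refusing cleartext login")
        conn.stls(context=ctx)                 # upgrade before any credential is sent
        conn.user(user)
        conn.pass_(password)
    except Exception:
        conn.close()
        raise
    return conn


if __name__ == "__main__":
    print("recovered from cleartext capture:", plaintext_credentials(SAMPLE_STREAM))
    print("capture is TLS:", looks_like_tls(SAMPLE_STREAM))
```

Run against a real capture, `plaintext_credentials` is the check to put in front of a client roll-out: if it returns anything, the POP3 path is still leaking logins regardless of what the server's certificate says.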

What's your stance on using SNMP monitoring techniques?

Sanders: Network administrators should become familiar with SNMP monitoring techniques for the statistical benefits that it offers. Some people say that SNMP should not be on your network, but we have found alternative reasons to implement this protocol. Paul Mallard, an HP OpenView guru located in Washington (SNMP3.com), has made strides in the field of network management and has stated that networks can be secured using version 3 of SNMP. In addition, SNMP can further be controlled by implementing iptables. Here's an example:

# SNMP agents listen on UDP/161, so the rule matches udp (a tcp --syn match never sees SNMP requests);
# replace the bracketed placeholders with the local subnet and the agent's address
iptables -I INPUT 1 -p udp -s <local-subnet> -d <agent-ip> --dport 161 -j ACCEPT

We recommend configuring snmpd.conf to only allow for local subnet access to port 161. From this vantage, the user has two secured mechanisms for protecting their network.
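As an added example from the editor, not from the interview or Centrepetal's own tooling, the Python below audits an snmpd.conf written in net-snmp syntax for the exposures the answer above guards against: default or unrestricted v1/v2c communities, writable communities, an agent bound to every interface, and v3 users allowed below authPriv. It also builds the iptables rules for the agent host, matching UDP/161 from the local subnet only. Both configurations, the community name, the v3 user name, the subnet and the passphrases are constructed placeholders.

```python
"""Added example (not from the interview or Centrepetal): audit a net-snmp
snmpd.conf for the exposures discussed above and build the matching
iptables rules.  Both configurations below are constructed samples."""
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed: a stock v1/v2c agent: every interface, default community
# names, any source address, and a writable community.
WEAK_CONF = """\
rocommunity public
rwcommunity private
"""

# Constructed: bound to one address, a v2c read-only community limited to
# the local subnet (as the interview recommends), and a v3 user that must
# authenticate and encrypt.  Names, subnet and passphrases are placeholders.
HARDENED_CONF = """\
agentAddress udp:192.168.1.10:161
rocommunity m0n1tor-r0 192.168.1.0/24
createUser monitor SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rouser monitor authPriv
"""


def _directives(conf: str):
    """Yield the whitespace-split tokens of each non-comment, non-empty line."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_snmpd_conf(conf: str) -> list:
    """Return (level, message) findings; level is 'warn' or 'note'."""
    findings = []
    saw_agent_address = False
    for tok in _directives(conf):
        key = tok[0].lower()
        if key == "agentaddress":
            saw_agent_address = True
            for endpoint in ",".join(tok[1:]).split(","):
                # 'udp:161' or a bare port has no address part: all interfaces
                if len(endpoint.split(":")) < 3:
                    findings.append(("warn", f"agentAddress {endpoint} binds every interface"))
        elif key in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            name = tok[1] if len(tok) > 1 else "?"
            source = tok[2] if len(tok) > 2 else "default"
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("warn", f"{key} '{name}' uses a default community name"))
            if source.lower() == "default":
                findings.append(("warn", f"{key} '{name}' accepts requests from any source"))
            if key.startswith("rw"):
                findings.append(("warn", f"{key} '{name}' grants SNMP write access"))
            findings.append(("note", f"{key} '{name}' is v1/v2c: the community string crosses the wire in cleartext"))
        elif key == "com2sec" and len(tok) >= 4:
            # com2sec NAME SOURCE COMMUNITY (older map-based style)
            if tok[2].lower() == "default":
                findings.append(("warn", f"com2sec {tok[1]} accepts requests from any source"))
            if tok[3].lower() in DEFAULT_COMMUNITIES:
                findings.append(("warn", f"com2sec {tok[1]} uses default community '{tok[3]}'"))
        elif key in ("rouser", "rwuser"):
            user = tok[1] if len(tok) > 1 else "?"
            level = tok[2].lower() if len(tok) > 2 else "auth"   # net-snmp default
            if level not in ("priv", "authpriv"):
                findings.append(("warn", f"{key} {user} allows security level '{level}'; require authPriv"))
    if not saw_agent_address:
        findings.append(("warn", "no agentAddress line: the agent listens on all interfaces"))
    return findings


def snmp_firewall_rules(local_net: str, agent_ip: str = None) -> list:
    """iptables rules for the agent host.  SNMP requests are UDP/161, so the
    match is udp; a 'tcp --syn' rule never sees them.  Requests not from
    local_net are dropped."""
    net = ipaddress.ip_network(local_net)            # raises on a malformed subnet
    dst = f" -d {ipaddress.ip_address(agent_ip)}" if agent_ip else ""
    return [
        f"iptables -A INPUT -p udp -s {net}{dst} --dport 161 -j ACCEPT",
        "iptables -A INPUT -p udp --dport 161 -j DROP",
    ]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label} ---")
        for level, msg in audit_snmpd_conf(conf):
            print(f"{level}: {msg}")
    print("\n".join(snmp_firewall_rules("192.168.1.0/24", "192.168.1.10")))
```

The hardened configuration still produces one note: a v2c community restricted to the local subnet is the interviewee's recommendation, and it stops off-subnet queries, but the community string itself is still sent in the clear to anyone on that subnet, which is what the SNMPv3 user with authPriv addresses.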

What other open source security tools do you use?

Sanders: I have a server protecting itself from viruses using a tool called F-Prot. It downloads any updates from the Web and scans for any problems it finds. The results are indicative of processor speed and resources, which can be skewed, based on the processor clock time. We have found it to be pretty fast during the scans and very user friendly from a reporting standpoint. We have decided to publish the results on the Web to help identify potential viral problems.

I think this server is state of the art. Check out the specs on the server -- 477 MHz processor; 640 MHz RAM -- and one will realize that it runs on minimal resources, but it does the job of two or three Microsoft Windows servers.

Could you tell us more about how you got those results?

Sanders: We were able to take an old machine and install Snort, MySQL, PHP, Apache, iptables, Nessusd -D, mrtg, OpenSSH, OpenSSL, Samba (file and print), ncFTPd (FTP server), encrypted hard disks (AES), swat (Web based file/print utility), ACID (Intrusion Detection System) and F-Prot (virus/worm/bot/trojan scanning tool).

If we had tried to do this on a Windows machine, the machine would have crashed and burned using only a fourth of the software mentioned. The system runs all of this while utilizing small amounts of computer resources. However, we have made modifications to bdflush, Ethernet speed using mii-tool, TCP settings, Samba, hard disk and memory settings (performance enhancements).

We feel we can refurbish the old systems by making them IDS or sendmail machines using SSL certificates extended to all the users. This will save businesses hundreds of thousands of dollars in software costs and upkeep.

The only thing we have to do is just look at our cell phones for SNMP trap messages if there is a problem while we are out.
