Open source tools for security configuration, administration

Open source tools for security configuration, administration

In the first two tips of this series, author James Turnbull explained how firewalling with Linux may or may not be more secure than with Windows, and provided the basics of

    Requires Free Membership to View

    Login

    When you register, my team of editors will also send you resources covering Linux administration and management; integration and interoperability between Linux, Windows and Unix; securing Linux and mixed-platform environments; and migrating to Linux.

    Cathleen A. Gagne, Senior Editorial Director

    By submitting your registration information to SearchEnterpriseLinux.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchEnterpriseLinux.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

two important security building blocks within the kernel, netfilter and iptables. Here, he drills down further into Linux security administration and suggests some free, open source tools you can use to beef up your security. -- Editor

Do you recommend using iptables or a distro-specific tool for security configuration?

I firmly recommend that before you decide to use a tool, you gain an understanding of the way iptables rules are constructed and how iptables is configured.
James Turnbull
Security consultantCommonwealth Bank of Australia
James Turnbull: This is a tricky question to answer as there are a lot of variables involved. Firstly you need to consider how comfortable you are with using iptables and with networking generally. You also need to take into consideration that distro-specific tools for enabling and managing firewalls are often aimed at a broad audience with a varying level of skills. They are thus designed to be approachable by less skilled or beginning administrators. This results in a tool that provides some broad and often basic protection for your host, whilst trying not to overly limit the functioning of your applications.

These tools often make assumptions about the default settings of iptables. This can sometimes create the illusion that your host is securely firewalled. For example, the default policy of the Red Hat Lokkit firewall management tool is to accept traffic. Most good firewall policies would do the reverse -- deny all traffic and only accept traffic you explicitly specify.

This being said, some tools are excellent and designed to provide a complete and highly flexible interface to iptables.

What are some examples of distro-specific or GUI-based configuration tools?

More security tips from James Turnbull

Hardening Linux: Firewall implementation

How netfilter and iptables harden Linux

Eliminating spam with SpamAssassin, DSPAM and ClamAV

Ask James your security questions
Turnbull: We've seen that Red Hat comes with its own tool, Lokkit. The Lokkit tool comes in a command-line and Gnome GUI form and is very simple to use but is limited in what it can configure and do. Also, as I've highlighted above, its use of default accept policies can be problematic. A variety of other tools also exist ranging from simple to very complicated (all the tools I'll discuss here are open source and free). These include:
  • Fwbuilder, which is a sophisticated multi-firewall (it also supports Cisco PIX, BSD pf and ipfilter) rule builder. It has a GUI interface and is designed to output complete, functional firewall configurations. It can be quite complicated to use and is not recommended for beginners.

  • NARC (Netfilter Automatic Rule Configurator): a Bash script which runs from the command line and allows you to configure iptables. It has a strong focus on helping you configure rules that handle abnormal traffic (for example, blocking Smurf attacks, IP spoofing and SYN floods). The command-line interface can be intimidating for beginning users though.

  • Turtle Firewall is a Webmin-based firewall admin tool. It allows for the configuration of firewalls using an object-based system. If you are using Webmin for your administration, this is an excellent tool.

  • Firestarter is another GUI-based firewall configuration tool. I have found it personally easier to use than many of the other tools and its interface is clear and simple to navigate and operate. It also contains a real-time event and connection view of your firewall that allows you to monitor your firewall from the tool.
Overall I'd say tools can be very useful -- if you understand what you are doing with them. I firmly recommend that before you decide to use a tool, you gain an understanding of the way iptables rules are constructed and how iptables is configured. If you are comfortable with using the iptables command, then I believe it provides one of the best possible mechanisms to configure and control your firewall and to ensure you fully understand how your firewall is constructed. This knowledge will also allow you to determine whether a tool is doing the right thing and whether you are deploying a solid firewall.

In addition to securing outsourced services for the Commonwealth Bank of Australia, James Turnbull is the author of Hardening Linux and resident security expert on SearchEnterpriseLinux.com.

This was first published in August 2005

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top