Design a Secure Linux Network

Article Title: design a Secure Linux network. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

As a system, its security should be carefully considered when planning the network topology to formulate security policies. After that, the security policy should be strictly enforced in every action of network implementation and maintenance. In an enterprise's network, Linux now plays an important role in firewalls, routers, or servers. The security of the Linux system determines the security of the entire network. Therefore, it is essential to understand related technologies and perform security settings for Linux systems.

Use reserved IP Address

The simplest way to maintain network security is to ensure that hosts in the network are exposed to different external sources. The most basic method is to isolate it from the public network. However, this isolation-based security policy is unacceptable in many cases. At this time, using reserved IP addresses is a simple and feasible method, which allows users to access the Internet while ensuring a certain degree of security.

RFC 1918 specifies the IP address range that can be used for local TCP/IP networks. These IP addresses are not routed over the Internet and therefore do not need to be registered. By assigning IP addresses in this range, you can effectively limit network traffic to the local network. This is a fast and effective way to allow computers to communicate with each other by rejecting access from external computers.

The reserved IP address range is as follows.

10.0.0.0-10.20.255.255

172.16.0.0-172.31.255.255

192.168.0.0-192.168.255.555

The network traffic from the reserved IP address does not pass through the Internet router, so any computer assigned with the reserved IP address cannot access from the external network. However, this method also does not allow users to access external networks. IP spoofing can solve this problem.

IP address disguise

The reserved IP address cannot be routed over the Internet, so the system that uses the reserved IP address cannot reach the Internet. However, this problem can be solved by creating an IP disguised server (a Linux Server. When a data packet leaves the user's computer, it contains its own IP address as the "Source Address". When the data packet is sent to the external world through the Linux server, it is converted. The source address of the data packet is changed to the IP address of the server, and the converted data packet can be completely routed on the Internet. The server simultaneously records the IP address to which the data packet from the source address is sent to the Internet. When a data packet is sent to the Internet, it can reach its target address and obtain its response.

This setting has a problem. Because the source address of the data packet is set to the server IP address, the classic text message is not the IP address of the user's computer after the server, the response from the external computer is sent to the server. Therefore, to complete data packet transmission, the server must search for a table to determine which computer the data packet belongs. Set the source address of the data packet to the address of the user's computer on the Intranet and send it to the address. In this way, the system data packets that use the reserved IP Address can now be transmitted over the Internet. IP spoofing is also called Network Address Translation (NAT ).

From the user's perspective, he has an Internet connection that can be completely routed. Security is guaranteed by the conversion table. The server stores records of the communication between the user computer and the External Internet host. It is almost impossible for a hacker to access a user's computer. The only IP address seen in the external world is the server address, and all the subsequent addresses are hidden. Even if a hacker sends a data packet to the server, the server cannot know which user computer to send the data packet.

By default, the Linux kernel has a built-in IP camouflage function. However, to use a kernel without the built-in IP camouflage function, you need to re-compile the kernel, load some modules, and set the packet filtering rules to allow conversion. To enable IP spoofing, You need to enable the IP forwarding function of the server. In the RedHat 6. x system, you can enable IP forwarding by setting FORWARD_IPV4 in the/etc/sysconfig/network file to yes. The discussion here assumes that the kernel you are using has built-in IP camouflage and forwarding support, and IPchains are installed.

To connect the internal network to the external world, two network interfaces must be provided on the IP disguised server. One interface is used to connect to the internal network, and the other interface is used to connect the server (and disguise the internal network through IP addresses) to the external world. Because such a server has multiple interfaces, it is often called a "multi-host" server. You can assign a reserved IP address to the NIC connected to the internal network. For example:

#/Sbin/ifconfig eth1 inet 192.168.1.1 netmask 255.255.255.0

Here, it is assumed that the network interface connecting to the internal network is eth1, and the number of user computers in the internal network is less than 253. If you need more than 253 user computers, you can increase the number of netmask digits, create a second IP disguised computer, and divide the internal network into two subnets.

Set the IP address of your computer to 192.168.1.2 to 192.168.1.254, set the gateway of all your computers to 192.168.1.1, and set the network mask to 255.255.255.0, you can ping the Internal Gateway (192.168.1.1) from each user's computer ).

At this time, all user computers can communicate with each other and can communicate with the IP address translation server, but they cannot reach the external world yet, this requires defining a filter rule on the IP address translation server. Enter the following command.

/Sbin/ipchains-A forward-j MASQ-s 192.168.1.0/24-d 0.0.0.0/0

/Sbin/ipchains-P forward DENY

The first command opens the IP disguised service for IP packets whose destination address is not 192.168.1.0. It forwards disguised IP data packets originally from the 192.168.1.0 network and forwards them to the default vro of the network connected to another network interface. The second command sets the default forwarding policy to reject all non-internal network packets. In this case, the user can browse and communicate with the Internet on the Intranet computer, just like directly connecting to the Internet, the above command can be placed in/etc/rc. d/rc. in the local file, the IP camouflage function can be automatically started when the server is started.

What is firewall?

Sometimes, you do not want to use the "all or none" method implemented by the reserved IP address. Users may want to be able to open their Web Services, but other types of access are not allowed. Alternatively, the company's servers may have an administrative restriction. Employees can only use the Internet to send E-mail. In both cases, you can use a firewall to solve the problem.

A firewall is a computer that enforces a policy to restrict the network traffic types transmitted between a public network and a private network. In most cases, the firewall is located between the Intranet and the Internet and allows network traffic that meets specific conditions to pass through, while rejecting other network traffic. The firewall can be very open, allow almost all traffic through, or very closed, only allow limited users to use limited services. The firewall administrator can control all this through the configuration of the rule set.

It is wise to purchase a firewall computer. If you rely on the firewall to control access to the internal network, you need to ensure that the firewall is safe enough. As a firewall, computers are not only security checkpoints, but also gateways for internal networks to reach the outside world. Hackers know that they can access the internal network if they can control the firewall. Because of this, you need to close the portal. Some basic principles of firewall security are as follows (For details, refer to the section on checking your system ):

Disable all unnecessary services. Disable sendmail, finger, netsat, pull at, bootp, and FTP.

Restrict the number of users with shell access to the firewall. If you only have one or two user accounts, hackers may find that these user accounts are very unlikely.

Do not use the same password as in other places on the firewall. Sometimes, people often use the same password on many different computers. However, this may lead to a domino effect.

Consider the physical security of the firewall. Although desktop computers can be placed in an open office or a small bedroom, you must consider implementing rigorous physical protection for firewall computers, such as in a locked cabinet.