Use free software to maintain the security of Heterogeneous Networks

Introduction
Computer network security is likely to be one of the major technical challenges of the 21st century.
In short, everyone talks about it with concern, but even those who should feel most concerned seem unaware of the magnitude of the potential disaster. "Most concerned" here means the designers of system software and of the applications that run on it. The best example, cited again and again, comes from Redmond, where the products' security is nowhere near as strong as their presence on the market.
Fortunately, in the last two decades of the 20th century, free software and the philosophy that came with it were born. If you want to improve the security of your machine, your system and your network, this is where you should spend your time. The free software community does more for security than all the big companies put together.
Even so, no tool solves every problem. Keeping a network secure is a permanent task, because new situations keep arising.
This means you can never say that a network is 100% secure. What you can do is eliminate potential risks, and we will only cover a small part of what can be done to reduce them. After reading this special article (note: remember that this is a special feature on security from a French Linux magazine), you will know more about security, but you will still not be able to say that your network is secure. Consider yourself warned.
Of course, an article like this cannot exhaust the subject. Security has already produced a whole culture of its own, yet the problems are still far from solved. Accordingly, do not treat this article as the final word on operating systems, tools, configurations, or anything else.
To close this introduction: this article reuses sections from LinuxFocus articles. Don't worry, we have the author's consent; he and I are the same person!
  
Outline
First, we will look at the structure of a heterogeneous network made up of many different systems, a situation that has become very common. The more operating systems there are, the more complicated things get, because not all systems behave consistently. Furthermore, the machines acting as servers have different roles in the network, so the network is diverse in that respect too.
Next, we will look at a series of tools that help improve security. There are many to choose from, and we cannot list them all. Naturally, we will explain how to use these tools to improve the security of the machines and of the network. The following section reviews the security features of the different systems.
The conclusion explains why security is always relative and why there is still a long way to go, rather than leaving that question to future studies.
  
An example of a heterogeneous network
The first piece of good news is that every operating system on earth speaks TCP/IP, so different systems can talk to each other. Whenever the network is discussed here, TCP/IP is what is meant; other proprietary, uncommon or outdated protocols will not be mentioned. Nor do we discuss the physical layer, such as the type and layout of the connections.
So we put everything into this network. Of course it includes UNIX, proprietary or free: Solaris 2.6, also known as SunOS 5.6. If you like, add Irix 6.5, Linux (Red Hat 6.2) or Mac OS X. We can add some QNX, NeXTSTEP, NetBSD or OpenBSD. To follow "tradition", we include something called Not Terminated 4.0 (no, the name means nothing, but it is worse than you think). Here we also include the rather better OS/2. Finally, we add a few less conventional operating systems such as BeOS and AmigaOS (yes, it still exists, believe it or not).
Of course some people will complain: what, no AIX, no HP-UX? No. If every UNIX were covered, this would be a ten-volume article. In any case, the basic security rules apply to every system.
  
Now, what can we ask them to do?
For example, Solaris can act as an application server, Irix handles backups, NT serves as another application server, Linux is the gateway, and another Linux machine is the http or database server. All the other machines are clients. The roughly 30 machines in the network authenticate with encrypted passwords. We could choose a more elaborate authentication method: NIS (Yellow Pages), LDAP or Kerberos... To keep things simple, we do not use NFS. It may be useful, but from a security standpoint you had better forget it. As an old French saying goes, don't put all your eggs in one basket: not a must, but it is best to run only one service or protocol per machine. For example, the ftp server and the http server each get their own UNIX machine; some other UNIX machines act as SSH servers and others as SSH clients (more on SSH later). We use static IP addresses, not DHCP. In other words, we stick to basic functions. This gives a network of about 50 machines; with many more, it becomes a nightmare.
  
Security tools and how to use them
In general, there is always more than one way to do it (TIMTOWTDI). Ideally, everything starts from scratch and the network is built as the machines are installed. But reality is not a movie! Our network has most likely been in use for a while, with machines moved around and old ones replaced by new. Because CPU makers are locked in a MHz race, today's Intel machines, for instance, do not last long: after about three years it becomes hard to find spare parts, and you either relegate the old machine to some lightweight task or throw it away. Sad but realistic. Fortunately, other systems live longer and can keep being upgraded. That does not mean the problem is solved: an administrator always has to make the most of what is already there.
  
Basic things
The first step is generally a clean-up: remove whatever is not used on each machine. This is no small task. Every operating system, Unix included, comes with countless services and protocols you will never use. The commandment is: get rid of them. In a Unix environment this is simple. The crude method is to comment out every service in the /etc/inetd.conf file; that alone kills a good number of them. It may seem heavy-handed, but it is worth recommending on many machines, depending on what your needs are. On Linux and a few other systems, the chkconfig command can disable services as well.
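As an added example, written for this page and not part of the article or of any inetd distribution, the following POSIX shell script applies the "comment out everything you do not use" rule to an inetd.conf in a controlled way: every active service line is commented out unless its name is on an explicit allow-list, and a second function lists what is still enabled so the result can be reviewed before it replaces /etc/inetd.conf. The function names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): comment out every inetd service
# except an allow-list, and report what remains active.
# Function names and the sample file are constructed for illustration.

# Print FILE with every active service line commented out unless its
# service name (first field) appears in the space-separated ALLOW list.
harden_inetd_conf() {
    file=$1
    allow=$2
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        # keep existing comments and blank lines untouched
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        # inetd.conf format: service socket proto flags user server args...
        ($1 in keep) { print; next }
        { print "#" $0 }
    ' "$file"
}

# List the service names that are still active in FILE, one per line.
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Constructed sample inetd.conf resembling a default install of the era.
sample_inetd_conf() {
    cat <<'EOF'
# inetd.conf - constructed sample, not a real system file
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i
EOF
}

# Usage when run directly: harden_inetd.sh /etc/inetd.conf "ssh ftp"
# prints the hardened file to stdout for review; nothing is modified in place.
if [ "$#" -ge 1 ]; then
    harden_inetd_conf "$1" "${2:-ssh}"
fi
```

Run it against a copy of the real file, diff the output against the original, and only then install it and send inetd a SIGHUP so it rereads its configuration.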
Check the SUID/SGID files and remove the "bad" bits without hesitation, or simply do not enable those programs. Run the following command to list all such files:

find / -user root -a \( -perm -4000 -o -perm -2000 \) -print

To remove the s bit, type chmod a-s programname (note: some functionality may be lost after the s bit is removed).
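An added example, not from the article: a small audit script built around the find command above. It inventories setuid and setgid files under a directory, compares the result with a baseline list saved from a known-good state so that newly appeared set-id files stand out, and strips the bits from a named program while recording its old mode. Unlike the one-liner in the text it does not filter on owner root, so set-id files owned by other accounts are reported as well; the function names and the baseline format (one absolute path per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files against a baseline.
# Function names and the baseline format are hypothetical.

# Print every regular file under DIR with the setuid or setgid bit set,
# one per line, sorted; -xdev stays on one filesystem so /proc and
# network mounts are skipped.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare the current inventory under DIR with BASELINE (one path per line).
# Prints the set-id files that are not in the baseline and returns 1 if any
# were found, 0 when the system still matches the baseline.
check_setid_baseline() {
    dir=$1
    baseline=$2
    if [ -s "$baseline" ]; then
        unexpected=$(find_setid_files "$dir" | grep -vxF -f "$baseline" || true)
    else
        # empty baseline: everything found is unexpected
        unexpected=$(find_setid_files "$dir")
    fi
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Remove both set-id bits from FILE, printing the old mode first so the
# change is recorded (capture this output in your change log).
strip_setid() {
    ls -ld "$1"
    chmod a-s "$1"
}

# Usage when run directly:
#   setid_audit.sh DIR            list set-id files under DIR
#   setid_audit.sh DIR BASELINE   report set-id files not in BASELINE
if [ "$#" -ge 2 ]; then
    check_setid_baseline "$1" "$2"
elif [ "$#" -eq 1 ]; then
    find_setid_files "$1"
fi
```

Save the first clean inventory as the baseline right after installation; later runs then show only what changed, which is far easier to review than the full list.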
Remove all "dangerous" or known "risky" programs, such as the remote commands rsh, rlogin and rcp. Use SSH instead.
Check the permissions of directories such as /etc and /var: the stricter, the better. For example, chmod -R 700 on the directory holding the startup scripts (on many Unix systems, /etc/rc.d/init.d) is a good idea. The same rule applies to every network component of the system: remove what is unused, or at least do not enable it. On NT this is easily done from the Control Panel. These are the basics, and much of the security culture grows out of them.
  
Tools
Let's start with Unix, since it is the only operating system that really takes security seriously. Moreover, Unix runs a great many free tools, and most of them also run on the various Unix derivatives.
  
From now on we start installing the various machines. Before doing anything else for network security, we should first check whether each element meets the security requirements. Installing these tools is easy, so we will not waste time on it. The tools' parameters depend on the system, on your needs, and even on your own preferences. The first tool to install is the shadow utilities, which handle password encryption. Fortunately, they have become part of most Unix distributions. The /etc/shadow file is created from /etc/passwd.
  
A better tool is PAM (Pluggable Authentication Modules), which restricts user access to a given service. Every PAM-aware service has a configuration file, usually under /etc/pam.d, that governs all its authentication transactions. Many services are "PAM-enabled", such as ftp, login and xdm. This lets the administrator grant different rights to each user.
  
The next tool is a must: TCP Wrapper. It works on most Unix-like systems. Briefly, it restricts which hosts may access which services; whether a host is allowed or not depends on two files, /etc/hosts.allow and /etc/hosts.deny. TCP Wrapper can be set up in two ways: run it as a daemon, or edit the /etc/inetd.conf configuration file. If you choose the latter, you will see that TCP Wrapper gets along well with other tools. You can find it at the following link: ftp://ftp.porcupine.org/pub/security
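To make the two-file logic concrete, here is an added example, written for this page and not part of the tcp_wrappers package, that models a simplified version of the decision tcpd makes for each connection: hosts.allow is consulted first, then hosts.deny, and if neither file has a matching rule the connection is accepted. It handles the ALL wildcard, exact names or addresses, trailing-dot network prefixes (192.168.1.) and leading-dot domain suffixes (.example.com), but not EXCEPT clauses or the extended option syntax. Function names and the sample rules are constructed; the last check in the test shows why an empty hosts.deny leaves everything open.

```shell
#!/bin/sh
# Added example: a simplified model of the tcpd access decision
# (constructed for illustration, not the tcp_wrappers source).

# Return 0 if VALUE matches any pattern in the comma/space separated LIST.
list_matches() {
    list=$1
    value=$2
    for pat in $(printf '%s' "$list" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;                                  # wildcard
            .*)  case $value in *"$pat") return 0 ;; esac ;;  # domain suffix: .example.com
            *.)  case $value in "$pat"*) return 0 ;; esac ;;  # network prefix: 192.168.1.
            *)   [ "$pat" = "$value" ] && return 0 ;;         # exact host or address
        esac
    done
    return 1
}

# Return 0 if some "daemon_list : client_list" rule in FILE matches
# SERVICE and CLIENT. Comments and blank lines are ignored.
match_rules() {
    file=$1
    service=$2
    client=$3
    [ -r "$file" ] || return 1
    sed 's/#.*//' "$file" | grep -v '^[[:space:]]*$' |
    while IFS=: read -r daemons clients rest; do
        if list_matches "$daemons" "$service" && list_matches "$clients" "$client"; then
            echo match
        fi
    done | grep -q match
}

# Print ALLOW or DENY for SERVICE from CLIENT given the two control files,
# in the order tcpd uses: hosts.allow, then hosts.deny, then default allow.
wrap_decision() {
    service=$1
    client=$2
    allow_file=$3
    deny_file=$4
    if match_rules "$allow_file" "$service" "$client"; then
        echo ALLOW
        return 0
    fi
    if match_rules "$deny_file" "$service" "$client"; then
        echo DENY
        return 1
    fi
    echo ALLOW   # no rule matched: tcpd grants access
    return 0
}

# Constructed sample rules: only the LAN and a trusted domain reach sshd,
# one LAN host reaches ftp, and hosts.deny closes everything else.
write_sample_rules() {
    dir=$1
    printf '%s\n' 'sshd: 192.168.1., .trusted.example' 'in.ftpd: 192.168.1.10' > "$dir/hosts.allow"
    printf '%s\n' 'ALL: ALL' > "$dir/hosts.deny"
}

# Usage when run directly: wrap_check.sh SERVICE CLIENT [ALLOW_FILE DENY_FILE]
if [ "$#" -ge 2 ]; then
    wrap_decision "$1" "$2" "${3:-/etc/hosts.allow}" "${4:-/etc/hosts.deny}"
fi
```

The point to take away is the default-allow fallthrough: without an "ALL: ALL" line in hosts.deny, a service that has no rule in either file is reachable from anywhere, so start with that line and open only what hosts.allow explicitly lists.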
  
Another useful tool is xinetd. In brief, xinetd is the next generation of inetd, with more features. We have just commented on inetd, so we do not recommend it. If you are interested, you can find xinetd at the following URL: http://www.xinetd.org.
  
In a Linux environment, one tool is indispensable: Bastille-Linux, available at http://www.bastille-linux.org. It is written in Perl and is very efficient. After running a script, you answer a lot of questions, and Bastille-Linux configures the system step by step according to your answers. Each question is explained and a default setting is offered. You can run a first configuration without changing the defaults and then check what Bastille-Linux has done. That's it! It also provides a firewall configuration, which we will discuss later. At the time of writing, the Bastille-Linux version was 1.1.1, with 1.2.0 released as a candidate version; it has improved a lot and offers a GUI based on Tk and Perl modules. (Note: this article was written a few months ago; the latest version of Bastille-Linux is now 1.3.0.)
  
Intrusion detection systems are also worthwhile. The two "heavyweight" tools are snort and portsentry. The first can be downloaded from http://www.snort.org, the second from the Abacus website, http://www.psionic.com. The difference between the two: the first is a NIDS (network intrusion detection system) that reports intrusion attempts, whereas the second is host-oriented and more powerful. Snort has many options for monitoring network traffic: you can listen for everything you want to know about, from a host, to a host, inside the firewall, outside the firewall. Of course it generates huge log files, so you should know what you want to monitor. There are also Win32 versions, which matters, because free software for those "systems" is very scarce.
  
Portsentry has a very useful feature: it can block hosts that scan the ports you choose to watch. It can also route the attacker to an unused address or hand it over to the firewall. Of course, you choose which ports are watched and which are not. This brings us back to TCP Wrapper: portsentry can add the attacker to /etc/hosts.deny if you want, which makes it even more effective.