Thursday, July 22, 2010

Linux Server and Network Security

The most dangerous threat to internal networks are Internet gateways. Gateways are systems (or other hardware devices) with a minimum of two network interfaces where one interface is connected to the Internet (via an ISP connection) and at least one interface is connected to an internal LAN segment. Just as a gateway allows traffic to go out from your LAN onto the Internet, it also allows traffic from the Internet onto your LAN. The trick is to only let the traffic you want onto your LAN, and it’s no easy feat.
You could be legally liable if someone hacks their way into your LAN and steals confidential data (social security numbers, credit card numbers, etc) that you maintain on your clients or customers. Worms or trojans could be planted that send passwords or other sensitive information out onto the Internet to a waiting sniffer. The risks are many and the consequences could threaten the very existance of your company. It’s not uncommon for large institutions like banks and insurance firms to decline pressing charges against a hacker simply because they don’t want the negative press and loss of confidence they would suffer as the result of a public prosecution by a district attorney.
“Multi-homed” (multi-connection) systems such as gateways are not the only security risk. A server that is only connected to the Internet, such as a Web server, is also at risk of being hacked. You may not care if some hacker cracks his way in and defaces your Web pages. You just reload the pages. But there are other, more hideous, attacks that are not uncommon:
  • Your server can be used as a base from which attacks on other systems can be launched.
  • Your e-mail server could be used as a relay for spammers.
  • Your system can be surreptitiously used as an IRC (chat) server or for some other band-width intensive application that steals performance from both your server and your Internet connection.
  • Your could be the target of DoS (Denial of Service) attacks which renders your servers (e-mail or Web), and your Internet connection, useless.
  • Internet servers that use SSL to collect sensitive information such as credit card numbers or account numbers and passwords can be targets of hackers in order to try and gain access to the devices where this data is stored. (SSL only protects in-transit HTTP traffic. It does nothing for operating system or server security.)
Addressing security issues is one of those cases where “an ounce of prevention is worth a pound of cure”. A hacker could do untold damage if they get into your system or network. And because hackers learn their trade in underground electronic communities, if one finds a way into your system you can bet that they’ll let everyone else know about it.
If your company has public address space with an available IP you may want to try a little test just for grins. Do a full-boat install of Debian (including all Internet-related apps you can think of) and put the system on the Internet. It doesn’t need a domain name with a DNS record, just a static public IP address. Set it up with the Apache, Sendmail, wu_ftpd, telnet, and any other services running and just leave it sit there. Check the /var/log/messages file every week or so and see how long it takes for the hackers to find it and start playing around with it. When I tried this they took all of two weeks. Since there’s no way of telling what they did during their visits, you’d be wise to totally wack the partitions on the hard-drive and do an install from scratch when you do want to re-use the system as a production server.
Setting up a system like this is actually a new security tool that’s emerging. It’s called setting up a “honey-pot”. The hackers are drawn to the the honey-pot because it’s the most responsive, and are drawn away from your production servers. Before you deploy your honey-pot you may want to hang a tape drive on the system and do a full backup so you can go back to square one once it gets compromised. Again, thre’s no way to really know everything that a hacker may have done to your system once they get in so the only safe thing to do is start over. Monitoring your honey-pot on a regular basis will let you know when things are happening so you can keep an even closer eye on your production servers.
Don’t always assume that the “untrusted” network you’re trying to protect yourself from is the Internet. If you have VPNs or other types of network connectivity established with business partners or even other divisions within the same company, you must be watchful for unauthorized access attempts from these networks as well. “Trust no one” is a good rule to follow when it comes to system and network security.
Along with the benefits of having your own Internet servers comes the responsibility of being knowledgable on how to secure those servers. Covering this subject beyond anything other than a superficial manner is beyond the scope of any single Web page. Here we only present an overview of some of the common tools used to help secure an Internet-connected server. It is by no means comprehensive and should only serve as an introduction to the topic.
Security measures can be categorized into the following four broad classifications:
  • OS configuration – “hardening” the operating system
  • Application configuration – making sure the server applications you do make available do only what they’re supposed to do
  • Perimeter security – configuring your network infrastructure with firewalls and DMZs
  • Physical security – only authorized users and systems should have access to the network infrastructure
Different publications may categorize things differently but that’s of little consequence. The important thing is that doing so allows you to take a “divide and conquer” approach to addressing all of the various aspects involved in securing a network, its servers, and the information contained on them.