Archive for the tag 'Network'

Firewalls: the core components of a network security implementation

Firewalls can be standalone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall.
There are also proprietary software firewall solutions developed for home and business markets by vendors such as Checkpoint, McAfee, and Symantec.

Firewall functions:

NAT

Network Address Translation (NAT) places private IP subnetworks behind one public IP address or a small pool of them, masquerading all outbound requests as coming from one source rather than from many internal hosts.

Packet Filter [iptables]

A packet filtering firewall reads each data packet that passes into and out of a LAN. It reads and processes packets by their header information and filters each packet according to sets of programmable rules implemented by the firewall administrator.

The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.

Proxy

A proxy machine acts as a buffer between malicious remote users and the client machines on the internal network.

Netfilter and iptables

The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the iptables utility.

Examples:

iptables - administration tools for packet filtering and NAT
shorewall - Shoreline Firewall, netfilter configurator - transitional package
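As an added illustration (not code from the original post), here is a minimal stateful gateway ruleset built with the iptables commands that drive Netfilter, covering NAT masquerading, connection-state filtering and an anti-spoofing rule; the interface names, the LAN subnet and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful
# gateway firewall with NAT, expressed as iptables commands.
# WAN_IF, LAN_IF and LAN_NET are assumed values; change them to fit.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
# IPT is the command each rule is handed to; IPT=echo prints the
# ruleset instead of loading it, so it can be reviewed without root.
IPT="${IPT:-iptables}"

apply_firewall() {
    # Flush, then default-deny inbound and forwarded traffic.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, then stateful filtering: drop packets conntrack cannot
    # classify and accept replies to flows this host already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: LAN source addresses never arrive on the WAN side.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Administrative access (SSH) from the LAN only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Forward LAN -> WAN; WAN -> LAN only for established flows.
    # (The gateway also needs net.ipv4.ip_forward=1.)
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # NAT: rewrite the source of everything leaving on the WAN link.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Number of -A rules the ruleset would load (dry run via IPT=echo).
rule_count() {
    ( IPT=echo; apply_firewall ) | grep -c -- '-A '
}

# Load the rules only when invoked explicitly: sh firewall.sh apply
if [ "${1:-}" = apply ]; then
    apply_firewall
fi
```

Running the script with IPT=echo in the environment prints the rules for review instead of loading them.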

SBDavid

Securing Network Information Service

An NIS server has several applications. They include the following:

/usr/sbin/rpc.yppasswdd
Also called the yppasswdd service, this daemon allows users to change their NIS passwords.

/usr/sbin/rpc.ypxfrd
Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.

/usr/sbin/yppush
This application propagates changed NIS databases to multiple NIS servers.

/usr/sbin/ypserv
This is the NIS server daemon.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as fdfdfdfdfdfg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

NIS listens on all networks if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the proper networks.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0

This technique does not provide protection from an IP spoofing attack, but it does at least limit which networks the NIS server serves.
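Added example, not from the original post: a small POSIX sh checker that applies securenets semantics to a client address, including the default-allow behaviour of a missing or empty file that the paragraph above warns about; it also handles the single-host "host ADDR" line form, which goes beyond the one entry shown. The sample file and its addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a client
# address matches the netmask/network pairs of a /var/yp/securenets
# file, mirroring ypserv's rule that a missing or empty file allows
# every network. "host ADDR" lines (single-host entries) are handled
# too. The sample file below is constructed for the demonstration.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
    }
}

# securenets_allows FILE CLIENT_IP: status 0 if CLIENT_IP would be
# served, 1 if it would be refused.
securenets_allows() {
    [ -f "$1" ] || return 0          # no file: every network is served
    client=$(ip2int "$2")
    seen=0
    while read -r mask net _rest; do
        case "$mask" in ''|'#'*) continue ;; esac
        seen=1
        if [ "$mask" = host ]; then
            maskint=4294967295             # /32: exact host match
        else
            maskint=$(ip2int "$mask")
        fi
        netint=$(ip2int "$net")
        if [ $(( client & maskint )) -eq $(( netint & maskint )) ]; then
            return 0
        fi
    done < "$1"
    [ "$seen" -eq 0 ]                # empty file: every network served
}

# Constructed sample: the post's LAN entry plus one management host.
SAMPLE_SECURENETS=$(mktemp)
trap 'rm -f "$SAMPLE_SECURENETS"' EXIT
cat > "$SAMPLE_SECURENETS" <<'EOF'
# allow the 192.168.0.0/24 LAN and a single admin host
255.255.255.0 192.168.0.0
host 10.1.2.3
EOF
for ip in 192.168.0.42 10.1.2.3 10.1.2.4; do
    securenets_allows "$SAMPLE_SECURENETS" "$ip" && echo "$ip allowed" || echo "$ip refused"
done
```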

SBDavid

Network tuning for Linux kernels

TCP/IP auto-tuning is enabled by default for kernels after 2.6.17.

Check whether auto-tuning is enabled in /proc/sys/net/ipv4/tcp_moderate_rcvbuf; it should be set to 1.

Also increase the memory reserved for TCP send/receive buffers.

Initially, echo the values below into the corresponding /proc files. If you see a considerable difference in upload/download speed, set them persistently as sysctl parameters.

net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 256960 16777216
net.ipv4.tcp_wmem = 4096 256960 16777216
net.ipv4.tcp_no_metrics_save = 1
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
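Added example (not from the original post): a script for the trial step described above, which writes sysctl.conf-style settings into /proc/sys and records each previous value so the trial can be reverted if throughput does not improve; PROC_ROOT, the function names and the settings file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): push "key = value"
# settings like those listed above into /proc/sys for a trial, saving
# each previous value so the change can be undone if throughput does
# not improve. PROC_ROOT is an assumed knob (default /proc/sys); point
# it at a scratch directory to exercise the script without root.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# net.ipv4.tcp_sack -> /proc/sys/net/ipv4/tcp_sack
proc_path() {
    echo "$PROC_ROOT/$(echo "$1" | tr . /)"
}

# Status 0 when receive-buffer auto-tuning (tcp_moderate_rcvbuf) is 1.
autotune_enabled() {
    [ "$(cat "$(proc_path net.ipv4.tcp_moderate_rcvbuf)")" = 1 ]
}

# apply_tuning SETTINGS_FILE BACKUP_FILE
# SETTINGS_FILE uses sysctl.conf syntax (comments allowed). The current
# value of every key written is appended to BACKUP_FILE in the same
# syntax, so "apply_tuning BACKUP_FILE /dev/null" reverts the trial.
apply_tuning() {
    while IFS= read -r line; do
        key=$(echo "${line%%=*}" | tr -d ' ')
        case "$key" in ''|'#'*) continue ;; esac
        value=$(echo "${line#*=}" | sed 's/^ *//')
        path=$(proc_path "$key")
        if [ ! -w "$path" ]; then
            echo "skipping $key: $path is not writable" >&2
            continue
        fi
        echo "$key = $(cat "$path")" >> "$2"
        echo "$value" > "$path"
    done < "$1"
}

# Usage: sh tune.sh SETTINGS_FILE BACKUP_FILE   (root needed for /proc)
if [ $# -eq 2 ]; then
    autotune_enabled || echo "warning: tcp_moderate_rcvbuf is not 1" >&2
    apply_tuning "$1" "$2"
fi
```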

SBDavid

Network Information System

One of the important uses of NIS is to keep vital data such as user account information (e.g. the /etc/hosts, /etc/passwd and /etc/group files) synchronized between all hosts. Let us see how we can configure NIS. NIS is a server-client architecture: there is a NIS server and then NIS clients. Let us see how we can configure both.

NIS SERVER:

First check whether the package ypserv is installed on the server. Once the package is installed, start the ypserv service. Then give the server a NIS domain name, which can be set with:

nisdomainname test

You can verify the domain name by typing “nisdomainname”. There should also be an entry in the file /etc/sysconfig/network like this:

NISDOMAINNAME=test

Next you have to share the directory where the user home directories reside. For example, suppose you create a directory called home1 and want the NIS users' home directories to be under /home1; you can do this like:

mkdir /home1
useradd -d /home1/test test

where test is the NIS user. Once the directory is created, you have to export it through NFS, which is done by putting an entry in the /etc/exports file:

/home1 *(rw,sync)

Once you have put in these entries, make sure that the portmap and nfs services are started. Then build the NIS maps (the yp database), which is done like this:

/usr/lib/yp/ypinit -m

Then restart the ypserv service. Also make sure that the yppasswdd service is turned on. These are the things that have to be done on the server side.

NIS CLIENT: To make a NIS client, check whether the package ypbind is installed on the system. Also check that the autofs service is turned on. There are two important files to consider: /etc/auto.master and /etc/auto.misc. The autofs service is used so that the directory shared through NFS is mounted automatically, and so that when a NIS user logs in their home directory is automatically made available. In the /etc/auto.master file, give an entry like this:

/home1 /etc/auto.misc --timeout=60

Then an entry for our NIS server should be given in auto.misc like this (the server's host name goes before the colon):

* -rw,soft,intr :/home1/&

You also have to tell the client which host is the NIS server, which can be done at the command prompt with:

authconfig

Select NIS, then Next, then give the NIS domain name and the IP of the NIS server, and then exit. If it listens to the NIS server, no errors will be shown. Now, if everything goes well, you should be able to log in as test on all the NIS clients.
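Added example, not from the original post: idempotent shell helpers for the server-side configuration described above, with the NFS export of the home directory restricted to the client network instead of the wildcard "*" and a check that flags world-open exports; ROOT, the function names and the 192.168.0.0/24 client network are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent helpers for the
# server-side edits above, plus a check that flags home-directory exports
# open to every host ("*"). ROOT is an assumed knob: empty for a real
# system, or a scratch directory to try the functions without root.
ROOT="${ROOT:-}"

# ensure_line FILE LINE: append LINE to $ROOT/FILE unless already present.
ensure_line() {
    mkdir -p "$(dirname "$ROOT$1")"
    grep -qxF -- "$2" "$ROOT$1" 2>/dev/null || echo "$2" >> "$ROOT$1"
}

# Persist the NIS domain name in /etc/sysconfig/network (and set it at
# runtime when operating on the real system).
set_nis_domain() {
    ensure_line /etc/sysconfig/network "NISDOMAINNAME=$1"
    if [ -z "$ROOT" ]; then nisdomainname "$1"; fi
}

# export_home DIR CLIENTS: export DIR via NFS to CLIENTS (a host, or a
# network such as 192.168.0.0/24), refusing the open wildcard form.
export_home() {
    case "$2" in *\**) echo "refusing wildcard export of $1" >&2; return 1 ;; esac
    ensure_line /etc/exports "$1 $2(rw,sync)"
}

# check_exports: return 1 and list each active export whose client field
# is "*", i.e. writable by any host that can reach the NFS server.
check_exports() {
    open=$(grep -E '^[^#[:space:]]+[[:space:]]+\*\(' "$ROOT/etc/exports" 2>/dev/null || true)
    if [ -z "$open" ]; then return 0; fi
    echo "world-open exports:" >&2
    echo "$open" >&2
    return 1
}

# Usage on the real server (as root): sh nis-server.sh DOMAIN CLIENT_NET
if [ $# -eq 2 ]; then
    set_nis_domain "$1"
    export_home /home1 "$2"
    check_exports
fi
```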
