Network Security Using LINUX Michael Sweeney Network Security Using Linux by Michael Sweeney Copyright 2005 Michael Sweeney. All rights reserved Printed in the United States of America Published by PacketPress, 4917 Leeds Ave, Orange, CA 92867. PacketPress books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (www.packetpress.net). For more information contact our sales department at: 1-714-637-4235 or [email protected] Editor: Jeanne Teehan Technical Editor: Cover Designer: Amanda Sweeney Printing History: January 2005 First Edition. While every precaution has been taken in the preparation of this book, the publisher and the author assume no responsibility for errors, or omissions, or for damages resulting from the use of the information contained herein. "The idea is to try to give all the information to help others to judge the value of your contribution; not just the information that leads to judgment in one particular direction or another" Richard Feynman Table of Contents Network Security using Linux......................................................... Credits.............................................................................................X Preface............................................................................................xii Who is this book for?......................................................................................xiii How the book was written..............................................................................xiii Chapter 1..........................................................................................1 TCP/IP Fundamentals.........................................................................................1 Layers.................................................................................................................2 TCP/IP Addressing.............................................................................................3 Subnetting with CIDR...................................................................................6 Subnetting with VLSM..................................................................................7 TCP/IP Version 6...............................................................................................8 IPv6 and the Kernel.....................................................................................11 Constructing Packets........................................................................................14 TCP Communication........................................................................................16 Any port will do...........................................................................................18 What does a router really do?...........................................................................18 Open Source Linux Routers........................................................................20 Is a Linux router secure?..................................................................................22 Shutting off the unwanted services.............................................................22 Chapter 2........................................................................................24 Firewalling the Network...................................................................................24 Isn’t a router a firewall?...................................................................................26 IP v6 and IPTables...........................................................................................28 Patch-O-Matic.............................................................................................29 Firewalling 101................................................................................................31 Papers Please....................................................................................................34 The Penguin Builds a Wall...............................................................................34 TOC pv Bastille Linux...................................................................................................36 Free is good......................................................................................................37 IPCOP..........................................................................................................38 Firestarter.....................................................................................................40 Shorewall.....................................................................................................41 Web Based Tools.........................................................................................43 Commercial Firewalls......................................................................................44 Astaro..........................................................................................................44 Smoothwall..................................................................................................46 Gibraltar.......................................................................................................47 Resources.....................................................................................................50 Chapter 3........................................................................................52 IP Tables, Rules and Filters..............................................................................52 Chain Syntax...........................................................................................53 Rules.......................................................................................................53 Building of a Basic Rule..............................................................................54 Demonstrating rules................................................................................55 Advanced Rules...........................................................................................56 Matching Connection States...................................................................56 Configuring NAT...................................................................................57 Defending Against Basic Attacks ..........................................................59 Examing The Rules ................................................................................60 Strengthen Your Rules with ROPE .......................................................60 Your Basic Firewall.....................................................................................62 Firewall Testing...........................................................................................63 Firewall Script........................................................................................65 Resources.....................................................................................................72 Chapter 4........................................................................................73 Updating Linux................................................................................................73 RPMs................................................................................................................73 Red Hat Up2date..............................................................................................81 TOC pvi YUM.................................................................................................................84 APT..................................................................................................................86 What is a kernel update?..................................................................................87 How do I tell which kernel I have installed?...................................................88 How do I update the kernel?............................................................................88 Alternative Security Kernels............................................................................90 Keeping the LID on.....................................................................................91 Resources.....................................................................................................92 Chapter 5........................................................................................93 Encryption or protecting your Data..................................................................93 What is encryption?..........................................................................................93 What is this alphabet soup?..............................................................................94 How does encryption work?............................................................................95 What are keys all about?..................................................................................96 Why do I need encryption?..............................................................................98 How do I use GPG?..........................................................................................98 Managing keys...........................................................................................106 Revoking a Key....................................................................................106 Key Signing Parties..............................................................................107 Additional Notes About GnuPG................................................................108 Securing Data with SSH.................................................................................109