Building Linux and OpenBSD Firewalls
Authors: Wes Sonnenreich and Tom Yates
Publisher: John Wiley & Sons
Price: $44.99 US
Reviewer: Ralph Krause
More and more people remain connected to the Internet 24 hours a day, and it is no longer a question of whether they will be attacked, but when. The first line of defense against a break-in is a firewall, and an open OS such as Linux can be used to create a very secure one. While newer distributions try to make it easier to create firewalls, you still need some background knowledge to build one that does its job well.
Building Linux and OpenBSD Firewalls attempts to provide you with enough information to determine your security needs and create a firewall to meet them. According to the introduction, it “is a cookbook for building firewalls using Red Hat Linux 6.0 and OpenBSD 2.5” and “contains step-by-step instructions on exactly how to build a very useful and powerful firewall from scratch”.
Even though it provides step-by-step instructions for creating and tuning a firewall, the authors believe your firewall will be more secure if you know what is being secured. To this end, the first three chapters cover basic network security issues. The first chapter discusses topics such as what you are protecting (your data, your computers and your reputation) and the value of good passwords. Chapter 2 provides a brief explanation of how the Internet works, covers protocols such as IP, TCP and UDP, and describes the common exploits against them. The third chapter explains some basic network configurations for a firewall and helps you determine which services should be provided by your network. These chapters also talk briefly about web browsers and Microsoft-specific problems such as Back Orifice.
The next two chapters are on choosing an OS and the hardware to use for your firewall. The authors provide a brief history of UNIX and free software, explain the differences between the GPL and BSD licenses, and offer comparisons between Red Hat Linux 6.0 and OpenBSD for such factors as software availability, ease of installation and general security. They also talk about building your firewall computer from the ground up so you know for sure what is in it and what to do when you have to open it up to fix something. They point out that you won't need bleeding-edge or high-performance hardware for the majority of your firewall situations, and provide some information on troubleshooting any hardware problems you might encounter.
Chapters 6 and 7 cover the installation of Red Hat Linux 6.0 and the steps you need to take to configure it as a firewall. The installation instructions are basically notes and enhancements to the Red Hat manual. The book then introduces ipchains and firewall rules and explains how to enable IP masquerading. A basic firewall script for ipchains is provided, along with instructions for starting up the firewall every time the computer boots.
Installing OpenBSD and configuring IPFilter are the subjects of the next two chapters. The book goes into more detail on installing OpenBSD than it does for Red Hat, including the creation of a boot floppy and hard-drive partitioning. Instructions on configuring the system to use your modem, mounting your CD-ROM and optimizing the kernel for firewalling are also given. The directions for configuring IPFilter follow the same path as the instructions on configuring ipchains, including an explanation of the book's basic firewall script and how to start the firewall when the machine boots. OpenBSD tools such as IPNAT, IPFTEST, IPFSTAT and IPMON are also introduced in these chapters.
After explaining how to get your firewall up and running, the book moves on to the process of tuning it to be more effective. Specific firewall policies such as protecting against spoofed packets and blocking particular TCP services are given, with instructions on configuring both a Linux and an OpenBSD firewall to implement the policy. The book also explains how to determine what services your firewall is currently providing and how to shut down any you don't want to provide to the outside world.
Next, the authors cover intrusion detection and response. They discuss what to do during an attack, and how to evaluate the attack when it is over. They offer different scenarios for a home network, a network in a small business, and a large corporate network. This chapter also covers monitoring your network and the importance of log files, and introduces tools such as SATAN and Tripwire to help you secure your network.
The final chapter is a hodge-podge of information. It includes notes on information from the earlier chapters and a brief introduction to the vi editor, and discusses the importance of having a security policy. Finally, it contains two small scripts: one to remove a disk set from OpenBSD and one to start your firewall under Red Hat Linux.
Building Linux and OpenBSD Firewalls covers quite a bit of ground in its twelve chapters. Almost one-half of the book is dedicated to Internet and network theory, but I still found this information relevant. After all, how can you build a secure firewall if you don't understand how it works and what it can protect? The authors attempt to make the subject matter easier to digest by using liberal doses of humor, although this occasionally makes the book hard to read. They also provide diagrams and sidebars to help explain complicated concepts. The authors provide a web site containing more Linux and OpenBSD scripts for firewalling, along with errata and updates for the book.
I found this book informative and useful. If you have a dedicated Internet connection or if you want to protect your small business from hackers, I think this book will help you.