Paranoid Penguin - Seven Top Security Tools
Linux supports a wealth of outstanding free and open-source security tools—enough, obviously, to write a monthly column on the topic. But whereas I usually focus on one or two particular tools or techniques in-depth, this month I'd like to discuss, at a high level, a variety of my favorite security tools for Linux.
If you're new to Linux or to network security, this may be your first exposure to these particular software packages, and I hope this column nudges you in the direction to learn more. If you're familiar with a couple of them but not the others, I hope this article helps you to augment your toolkit. But even if all of this is old hat for you, I hope you find it amusing to see which of the t00lz on my laptop have been getting the most CPU time lately. So without further ado, I bring you the Paranoid Penguin's Choice.
We begin with the most ubiquitous of our featured tools, Netfilter, the Linux kernel's built-in firewall code. To be precise, the collection of modules in question officially is called Netfilter—iptables is merely the user-space command we use to configure the Netfilter kernel modules. The two names can be used interchangeably most of the time except, of course, when you're issuing iptables commands or talking to kernel developers.
Netfilter was the winner in the Best Security Tool category of our 2003 Editors' Choice Awards. As I explained then, Netfilter is responsible for moving Linux firewalls out of the primordial soup of dumb, stateless packet filtering and into the modern era of stateful packet filters. What this means for non-security geeks is that Netfilter allows Linux firewalls to inspect network packets statefully, in relation to one another: associating them with established connections, identifying them as beginning new transactions and so on. In contrast, pre-2.4 kernels treated each packet as a standalone entity, filtering it based strictly on where it came from and where it was headed. For example, all the packets in an HTTP transaction used to be filtered separately rather than being treated as a group; that is no longer the case.
This new packet power and intelligence has ramifications that extend beyond Linux's usefulness as a network firewall. Netfilter is as useful for local security on servers and even on workstations as it is on proper network firewalls—I explain precisely how and include code examples in my article “Using iptables for Local Security”, LJ, August 2002, and also in Chapter 3 of my book Building Secure Servers With Linux.
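To make the stateless/stateful contrast concrete for a single host, here is an added example (not code from this column or from the articles it cites) that prints two rulesets in iptables-restore format. The host policy (inbound SSH, outbound HTTP) and the function names are assumptions; `-m conntrack --ctstate` is the current spelling of the older `-m state --state` match.

```shell
#!/bin/sh
# Added example (assumed policy: inbound SSH, outbound HTTP). Prints rules only.

# Accept only a decimal TCP port in 1-65535 before it is placed into a rule.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Stateless: each packet is judged alone. The last rule admits any non-SYN
# segment claiming source port 80, whether or not this host asked for it.
stateless_rules() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp --dport $1 -j ACCEPT
-A OUTPUT -p tcp --sport $1 ! --syn -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --sport 80 ! --syn -j ACCEPT
COMMIT
EOF
}

# Stateful: only connection-opening packets are matched by port; replies are
# accepted because conntrack ties them to a connection it has already seen.
stateful_rules() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $1 --syn -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

stateful_rules "${1:-22}"
```

Piping the output to `iptables-restore --test` as root parses the rules without committing them.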
The command iptables is, for many people, simple to use after spending some time with the iptables(8) man page. Besides my own material on that topic, I also recommend Robert Ziegler's book Linux Firewalls, 2nd Ed. (New Riders, 2002). iptables is eminently scriptable, and the aforementioned sources and the Internet abound with example scripts you can adapt for your own use.
But what if you prefer to insulate yourself from the inner workings of packet filtering and instead want a GUI front end that speaks plain English to you? You're in luck: many quality third-party front ends for Netfilter exist. One of the best is Firewall Builder (www.fwbuilder.org), which allows you to create firewall rules with reusable objects and with wizards. I covered Firewall Builder in-depth in my two-part series “Using Firewall Builder” (LJ, May and June 2003).
Another popular iptables helper is Mason, which automatically builds iptables scripts by passively observing normal system use. This is useful especially for personal firewall setups on workstations. Mason is available at users.dhp.com/~whisper/mason. Yet another increasingly popular tool is Shorewall, which generates iptables scripts based on how you configure a few simple text files in the directory /etc/shorewall. Shorewall's home page is shorewall.net.
Finally, I'd be remiss if I didn't mention that many Linux distributions have their own (distribution-specific) packages for using iptables. SuSE 8.2, for example, has SuSEfirewall2, which automatically generates and runs iptables commands based on simple parameters you set in the file /etc/sysconfig/SuSEfirewall2. If your preferred distribution has such a tool, it's worth checking out—it already may be installed on your system.
By the way, in case you're wondering what I myself prefer, I usually write my own iptables scripts by hand. For me that's the simplest and most direct way; then again I'm a professional firewall engineer—your needs and skills may vary.
Comments
Another security tool
Hello All
I would like to present another free security tool. It is called ZeroDayScan - it is a free web security scanning service. No installation is required. Just type in the name of the server and it will be scanned in a matter of minutes. Here is a project url: Zero Day Scan - Free Web Security Scanner
Best regards,
ZeroDayScan Team