Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Currently I am working for a company that is growing very quickly, and with the problems with hackers and virus problems, we are implementing a firewall and I think that a unix/linux firewall would be best. I am wondering if there is a certain operating system of the unix/linux systems to implement as a great security box. I believe that all internet traffic will have to filter through this system, but I do not want to slow the connection speed down. I realize that it will slightly, but we have too many people depending on FTP and internet downloads to allow it to slow.
Currently we are running windows OS throughout the network, the server is running the new 2000 server software, but we want to increase the security of this system, many times over.
So is there a Unix/Linux system that would do this, for not much of a price? I already have the computer together and ready for the OS. Could someone lend some knowledge for this issue? Thanks all!
Well, as far as security goes in Unix type environments, I could suggest FreeBSD or NetBSD.. very secure.. Also many flavors of Linux will do the job right.. but all in all, security on a machine and network is dependent on how well you, the administrator, make it. I do believe Linux and Unix are better secured than Windows; you have more control and flexibility along with it.
Basically it all boils down to money and performance.
If you have an endless supply of cash, then you go for a PIX or Nokia FW1 setup with redundancy and VPN acl boards.
If you need very very fast network connectivity, then you go for Netscreen firewalls.
If you don't have a lot of cash and are not too bothered about performance then you go for Linux.
"oh yeah when I say performance, I mean if you have a Lease ATM or Frame relay line that's over 32/mbit/s then you don't use a Linux box, but if you had that line then you would have the cash for some PIX's and FW1's"
Basically, if you fall into these criteria, "i.e. save money, but still be as secure or more secure than a PIX or FW1 box", I would recommend the following based on my experience.
A PC "Pentium cpu if you plan to do VPN connections"
600Mhz or more. "if you do NAT I recommend a dual CPU"
no less than 4Gb hard disk
3 x 10/100 Network cards "PCI"
VGA graphics, sound optional
Linux Redhat 7.2
Then you just need to patch the OS fully.
Rebuild the kernel if you're going to have VPNs.
Build a very secure stateful firewall rule base.
Add an IDS to the system to notify you; don't do active IDSs, only passive detection.
Use second card for DMZ area for DNS and Mail servers.
Use Third card for internal Network.
Have at least 8 real Assigned internet addresses for the firewall and DMZ area.
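As an added illustration of the "stateful firewall rule base" and three-card layout this reply describes (my own example, not the poster's configuration), here is a minimal iptables script for a Red Hat 7.2-era 2.4 kernel. Interface names, the DMZ and LAN address ranges and the DNS/mail host addresses are assumptions; it also sets the kernel-side sysctls that later replies allude to.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rule base for the
# three-card layout: eth0 = Internet, eth1 = DMZ, eth2 = internal LAN (assumed names).
IPT=${IPT:-iptables}        # set IPT=echo (and SYSCTL=echo) to print the rules without root
SYSCTL=${SYSCTL:-sysctl}
EXT=eth0 ; DMZ=eth1 ; LAN=eth2
DMZ_NET=203.0.113.0/29      # constructed public range for the DMZ (assumption)
LAN_NET=192.168.1.0/24      # private range hidden behind NAT (assumption)
DNS=203.0.113.2 ; MAIL=203.0.113.3   # constructed DMZ host addresses

apply_rules() {
    # Kernel side: forward packets, reject spoofed sources, survive SYN floods.
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1
    # FTP control/data tracking so active and passive transfers work through NAT.
    for m in ip_conntrack_ftp ip_nat_ftp ; do modprobe $m 2>/dev/null || true ; done
    # Start clean, deny by default.
    $IPT -F ; $IPT -t nat -F
    $IPT -P INPUT DROP ; $IPT -P FORWARD DROP ; $IPT -P OUTPUT ACCEPT
    # Stateful core: replies to established flows pass, new flows must match a rule below.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT   # admin from inside only
    # Anti-spoofing: inside addresses never arrive on the outside card.
    $IPT -A FORWARD -i $EXT -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $EXT -s $DMZ_NET -j DROP
    # Internet -> DMZ: only the published DNS and mail services.
    $IPT -A FORWARD -i $EXT -o $DMZ -d $DNS -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $EXT -o $DMZ -d $DNS -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $EXT -o $DMZ -d $MAIL -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # LAN -> Internet: web, FTP, mail, DNS; FTP data channels arrive as RELATED.
    for p in 21 25 53 80 443 ; do
        $IPT -A FORWARD -i $LAN -o $EXT -p tcp --dport $p -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i $LAN -o $EXT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $DMZ -m state --state NEW -j ACCEPT
    # DMZ never initiates into the LAN: a compromised DMZ host stays contained.
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    # Hide the LAN behind the firewall's public address.
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $EXT -j MASQUERADE
    # Log (rate-limited) what the default policy drops; this is what a passive IDS watches.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Usage: sh firewall.sh apply   (as root on the firewall)
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run with `IPT=echo SYSCTL=echo sh firewall.sh apply` first to review the generated rule list before loading it on the live box.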
trickykid's right, it's down to how well you secure the system. A default box is always wide open to attacks, but it's also up to the technology of the OS to do the best network integrity job it can by conforming to RFCs correctly.
All of these are network issues with different OSes.
ICMP Error message echoing integrity :
AIX and BSDI respond back with an IP 'total length' field that is 20 bytes too high. Some BSD machines (AIX, FreeBSD, etc.) send back an inconsistent or 0 checksum.
ICMP Message Quoting :
For a port unreachable message, almost all implementations send only the required IP header + 8 bytes back.
However, Solaris sends back a bit more and Linux sends back more than that.
TCP Initial Window :
AIX is the only OS which uses 0x3F25.
The new TCP stack for NT5 uses 0x402E (that is exactly the number used by OpenBSD and FreeBSD).
Old UNIX boxes use 64k increments.
Newer versions of Solaris, IRIX, FreeBSD, Digital UNIX and Cray use random ISNs.
Linux 2.*.*, OpenVMS and AIX use completely random ISNs.
Windows boxes use a time dependent ISN "not good" (NT5 has improved on this).
All of these types of issues can be addressed with the OS's kernel but it just shows you, if you want a secure box you have to work on it.
Windows boxes, on the other hand, have such a bad TCP stack that they often don't conform to any of the RFCs for TCP/IP fully, putting them at risk.