On Feb. 17, 2000, Chris Dinsmore hosted a discussion about how to set up network encryption and adopt other Linux security measures. Turns out some Linux distributions are more secure than others. Read the transcript and learn how you can set up a secure Linux. If you couldn’t join us then, we hope to see you on our next live Guild Meeting.
On Feb. 17, 2000, Chris Dinsmore hosted a discussion about how to set up network encryption and adopt other Linux security measures. Turns out some Linux distributions are more secure than others. Read the transcript and learn how you can set up a secure Linux. If you couldn’t join us then, check this issue’s Bookmarks page for future meeting dates and topics. We hope to see you soon on our weekly live chat.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Moderator: Good evening, everyone, and welcome to tonight's chat. Because of a problem logging in as a speaker, Chris Dinsmore will be using his "dinsmoc" ID. So when you see "dinsmoc," that’s tonight's security expert himself, Chris Dinsmore. (applause...)
Q: good evening to you, too.
CD: Hi everyone <bows>.
Moderator: Tonight we will be discussing advanced Linux security. We also have some prizes to award, which I'll tell you about in a moment.
Moderator: Chris‑why don't you say a little something about yourself?
CD: Well, thank you sir, and good evening everyone. Just a bit about me. I am a senior network architect for a prominent network security consultancy firm.
Moderator: (And a fair typist) ;-).
CD: I am certified on all of the major network operating systems and architectures, and have been in the networking and security world for about 8 years. And yes, my typing is reaaaaalllly bad. I have severe dyslexia.
Moderator: Thanks Chris‑oops‑we've had worse typists with no reason.
Moderator: And now a little about the prizes. We have 3 to give away tonight, for the most "proactive" speakers—that is, for those members who contribute significantly to the chat, we'd like to give you...
Q: we all are so no prob.
Moderator: A copy of O'Reilly's book, Windows 2000 Active Directory,A copy of Advanced Windows, 3rd ed., by Microsoft Press, and one copy of Symantec's Internet Security 2000.
CD: Excellent book as well.
Moderator: Thanks, Chris—so, CD, what will you speak about first?
Moderator: I see a familiar name—andy_davis, it's good to see you.
CD: Well, on the subject of books I’m going to recommend a few, and mention that you will be seeing reviews of them soon on TPG.
CD: The first books I think everyone interested in security should have, read, maybe memorize are O'Reilly’s Practical Unix and Internet Security, and Building Internet Firewalls.
Q: I love anything by O'Reilly—I'm a big fan.
CD: These two books are the classic Internet security texts, and should be considered required reading.
Moderator: Chris, I was hoping you'd summarize them in a few minutes so we don't have to read them. ;-).
CD: Hmmm, that could be a difficult one ;-)
CD: Let me start with a question to the audience. This is your time as well as mine‑what do you want to talk about?
Linux is not the most secure operating system?
Q: I’d like to know what makes Linux security different from Unix or NT or NetWare security?
Q: I am just a learning sponge, so your call.
CD: Okay, good start.
CD: Linux security isn’t very much different than any other operating system in principle. But when you get down into the details, the differences start to appear, and have strong effects. I'm going to say something that will get me flamed to a nice crisp.
Moderator: uh oh‑
CD: Linux is not the world’s most secure operating system <gasp>.
Q: Flame passes without a singe...
CD: That distinction would fall to the custom UNIX -like operating system that the NSA had written just for their computers.
Q: But it's more secure than NT, no?
CD: Actually, that depends on your implementation. A default Linux install with all of the standard services enabled is no more secure than a default NT install.
Q: Really? I thought out of the box it was more secure...wow.
CD: But you are able to secure Linux much more easily, and much more effectively than you are able to secure WinNT.
More Services = more insecurity
Q: I'm going to be installing Corel Linux shortly, and would like to know how to secure it.
CD: You need to remember that the default install for most distributions comes with dozens of network services enabled, but Windows NT's default install comes with one, network login.
CD: Those dozens of services allow more avenues of attack.
Moderator: I'm curious—how many of you are using Linux now, or are Linux-curious, if I can interrupt for just a moment?
CD: What makes NT so insecure, is the additional Microsoft components that you need to add to it to make it into a Web, FTP, or e-mail server.
CD: Go ahead curious. Sorry, couldn’t resist. I'm an inveterate punster.
CD: I personally have six computers, on which 3 have Linux installed at least part of the time. I also use BSD, Solaris, IPSO, and BeOS.
Q: Are you using Linux as a server?
Needed: A good encryption mechanism
Q: i'm just now getting into dealing with building extranet Web pages and such.
CD: Yes, I do use Linux in a server role. I host several Web sites and an FTP archive from it. I also use Linux as a security auditing tool for other operating systems.
Q: I’m just worried about getting the different pieces to work together.
CD: Linux’s inherent "networking goodness" makes it a much better platform for networking essentials.
CD: That’s a valid worry.
Q: .I’m thinking about security but am not overly concerned right now being on an internal LAN.
CD: In order to implement an effective extranet solution you need to have a good encryption mechanism. And unfortunately it isn’t exactly easy to do that with Linux. Or at least not as easy as on NT.
Q: Tuesday's chat was about SSH (secure shell), is this available for Linux as a good encryption mechanism?
Q: yup, saw something about rsh. what's a secure way of connecting remotely?
CD: SSH is very good for what it does. You can login securely as if it were Telnet, and export an X Windows display, FTP, or HTTP data. But it doesn’t provide for secure point to point communications.
CD: In order to provide the secure point to point link, you need to install an encrypted networking package; several are available outside of the United States.
Extranet or intranet
Q: Are you running a company intranet on Linux?
CD: But in the US, patent and other intellectual property issues have caused problems in deploying these applications.
Q: working on it. actually, an extranet, for our department only right now.
CD: Andy, that would be an intranet. An extranet is a secure network connection or Web site accessible to people outside of your company.
Q: i thought intranet was internal enterprise wide.
CD: Nah, intranets can be anything internal.
Q: oK, I get it. Thanks for clearing that up. then it's an intranet I’m working with.
CD: even if it's accessible to remote users within your company, as long as it’s only accessible to users within your company it's an intranet.
Q: I do Web design, and one security issue I’d worry about would be hiding directories from the public and setting access passwords—I know how to do this on Apache, but I wonder how it's done on Linux.
Q: But just our department right now.
CD: Now, intranets are another story entirely. Linux is an almost ideal platform for intranet development.
Q: oK, I'll bite—"why is that, Chris?".
Q: encrypted packages you were saying?
CD: Because you can deploy and experiment cheap, and you don’t have to worry about licensing.
Q: Meanwhile, what's been taking up more of my time is working with the W2K platform. Really have no idea how to secure it.
Moderator: andy_davis, et. al., for help such as that there is none ;-)—seriously, March will be Windows Month—and we'll have a lot of Guild Meetings on that issue. OK—plug over.
CD: As far as permissions go, UNIX file system permissions are generally adequate for whatever you need. Ah ,yes, W2K was officially released today, not with a bang, but with a whimper ;-).
Q: yup. experiment cheap. a great tool. on the W2K side, try for 20 days, and then buy for $250 or it dies.
CD: OK, so questions about advanced Linux security anyone ;-)?
Q: What do you mean by advanced?
Q: anybody read Jesse Burst? 10% will go in next 3 months, 20% within a year, and 50% when they pry Linux from cold dead hands.
CD: Oh, and BTW, most people ask what IS the most secure operating system the general public can get their hands on.
FreeBSD is one of the most secure OSs
CD: The answer is one of the secure BSD distributions.
Q: how do you lock it down?
Q: not to be confused with FreeBSD?
CD: Well actually it doesn’t have to be an advanced question. Andy, how do you lock down BSD, or Win2K?
Q: Disconnect the ISP?
CD: There are currently about 20 BSD distributions, several of which incorporate encrypted file systems, encrypted networking, and secure user authentication.
CD: There's also a BSD implementation known as IPSO specifically created to run as a firewall.
Q: I would like to know more about how to set up a firewall on Linux and also how to have a secure LAN.
Q: IPSO an acronym?
CD: I'm hoping to get a project going to do the same for Linux.
CD: Sort of, it stands for Ipsilon Secure Operating System.
Q: i'm also holding in my hand a shrink-wrapped dual-CD package of FreeBSD 3.3.
CD: It's only available on Nokia firewalls.
CD: Excellent. I highly recommend FreeBSD to anyone interested in a pure UNIX.
Q: Is that the latest Free DSD?
Securing Apache and Windows 2000
Q: However, my interest right now is in locking down Linux specifically for Apache and W2K workstations.
CD: Remember folks, Linux isn’t UNIX, it's UNIX-like.
CD: Okay, for Apache your first step is to install mod_ssl. then you need to implement the ipV6 network stack and enable manual IPSec encryption.
Q: That's a great and subtle point—please take a moment (in a moment) to say what the differences are—I really have no idea.
CD: Linux is based on a kernel written by Linus Torvalds in 1991. BSD is a true UNIX based on code originally developed by Thompson and Ritchie in 1969-1976 then later distributed freely to universities.
Q: sSL—secure socket layer?
CD: After that you need to do the same in the network properties of the Win2K station.
Q: re: BSD, you've piqued my curiosity. I'll need time to look at it before I could ask questions about it.
Q: What level of encryption is IPSec?
Q: oK, mod_ssl. then, ipv6 stack on both platforms.
All about encryption
CD: OK, I'm going to talk a little bit about encryption; I'd appreciate it if noone broke in for about five minutes until I'm done.
CD: ipsec is what is called an encryption scheme. Encryption schemes are ways of managing encrypted communications. They don’t actually encrypt data themselves, but they allow the encryption algorithms to communicate with the operating system, and for the two machines involved to exchange encryption keys.
CD: Other encryption schemes include isakamp/okley (IKE), Skip, Skey, and FWZ. These schemes then use encryption algorithms like DES, Triple DES, IDEA, CAST, and others to actually encode the data. It’s these algorithms that actually define how strong the encryption level is.
CD: I highly recommend that anyone interested in encryption get Bruce Schneier’s landmark book, Applied Cryptography.
CD: Okay, you can talk away again now ;-)
Q: I really appreciate that—I had no idea. Thanks.
Q: no, you make up for it in vast knowledge.
CD: It’s a great book; the only problem with it is it’s $60.
Q: little off the topic, how soon will this transcript be avail?
Moderator: I can take that one—since I'm furiously editing transcripts...
Moderator: Tuesday's will be available by next Tuesday, and tonight's should be available by Wednesday. I'm also filling in the missing January chats...Jan 6 goes up Friday, I think.
CD: Anyway, to address what you really want to know, manual IPsec supersets DES, 3DES, IDEA, and CAST in most implementations. But the implementation you choose may support different algorithms.
CD: The default, and what the IEEE W3C and the IETF are going to use, is 3DES.
Q: these have to be on the 2 machines that talk to each other?
CD: the two machines have to have the same key management scheme, and those schemes need to be using the same algorithm for communications to occur.
Q: BTW, I’m finding about every point you've made in the book, "Maximum Linux Security," by Anonymous.
Q: Excuse the basic question—but does this encrypt ALL network traffic?
Q: at least I see the terms in the index...
CD: It depends on how you configured it. You could set it up so that all network traffic is encrypted, but that would be a pain. For now, since only a few systems on the Net are using encryption, you need to configure it to only encrypt data to machines you have a need for encrypted communications with.
What about e-mail encryption?
Q: OK—and I'm not taking a stand on this—but suppose your company wants to be able to review network traffic?
CD: That way you can agree with the admin beforehand on what encryption scheme and algorithm to use.
CD: OK, suppose they do, that is their legal right according to most states, but how does encryption affect that?
Q: Well, I was thinking that if e-mail is encrypted it can't be read—which I think is a good thing...
Q: we're talking about doing some internal surveys. maybe that data needs to be encrypted?
CD: Unless you are encrypting communications right from your desktop directly to the server you don’t want anyone knowing you are going to, and unless you use encapsulated encryption, it won’t make a difference. Encrypted e-mail is a different story entirely.
Q: Well, I'm confused—I thought it was all encrypted as part of the security scheme—I told you it was a basic question. I'll just read for awhile...
CD: That can be done from your e-mail program. You don’t need to worry about encrypted networking. You can always encrypt files and e-mails using an application on your desktop, then send them over unencrypted networks.
Moderator: Believe it or not, time is flying—we're getting close to the end.
CD: It always does, moderator, it always does.
Q: I think Lotus Notes provides encryption, but only if your certificate can be passed to the receiver?
CD: In which case, no one should be able to see the contents of your message. Though they will still be able to capture the data, and could in theory decrypt it, or legally force you to via court order.
Q: oK recap for me: sSH, SSL, IPv6. right?
CD: That’s a pretty good start.
Q: Do you know what the recent companies that were hacked on the net were using for security?
CD: They weren’t hacked. they were ddossed. (Distributed Denial Of Service.)
Q: I've recently been getting very involved in learning Linux.
Moderator: Thank you. This was a very informative meeting. If you have comments or questions, we have forums online—just click on forums.
Moderator: And you can also write to email@example.com if you have specific questions you'd like to see covered in these Guild Meetings.
And tonight’s winners are
Moderator: And now for tonight's winners... (drum roll......)
Moderator: First—mynameismikej, as a TechRepublic employee, is ineligible—but he talked anyway.
Q: a ringer?
Moderator: Andy_davis—you win a copy of Symantec's Internet Security 2000.
CD: Darn, that leaves me out too.
CD: Yeah Andy.
Q: Congrats Andy.
Moderator: Sorry, Chris—And mikkilusa—enjoy your new books—Advanced Windows 3rd Edition, and Windows 2000 Active Directory...
Q: wow, great!!
Q: WOW THANKS!
Moderator: Please send your snail mail and e-mail and telephone to firstname.lastname@example.org, and we'll send those out.
Moderator: And remember you lurkers—we're glad you're here. Join in or not, we like to know you're interested.
Q: hey, guys. we're gonna have to populate these forums. i'm 2 for 3 right now...
Moderator: Yes, please do populate.
Q: some of us are just starting out and learn better while not talking.
Q: 3 for 5 hehehe.
CD: I'm going to head over to the forums for a bit, you are welcome to continue the discussion with me there.
Q: g'night everyone....
Moderator: Have a great week, and hope to see you next week for more security Meetings.
Q: thx dinsmoc, it was great.
Q: heading to the forums.
CD: Thank you all for coming, and thanks for your questions.
Q: can't wait to see the free for all!!!
Moderator: Errr... I should point out these are TechPoints forums—we don't quite have the free-for-all set up yet.but we will soon—must get approval from higher up. But that doesn't keep you from posting and answering questions. You'll figure it out.
Moderator: Thanks again to all!
Q: nite all. Ya come back now, hear?
Moderator: by the way—next Tuesday we have a discussion on the security pitfalls of multiple servers.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.