Although great strides have been made toward making the
Linux operating system easier to install, complexity remains a major hurdle for
many network administrators. Many information technology professionals are too
busy meeting the immediate demands of their enterprise to fully consider, plan,
and then deploy a new operating system and all of the backend software such a
deployment will require.
In his book, Linux Quick Fix
Notebook, Peter Harrison presents a detailed reference book for many of
the common configuration and installation processes required for the deployment
of a Linux network and/or Web site. No matter how many times you have
configured a network or a Web site under the Linux operating system, there will
likely be features you forget to implement if you don’t have some form of
reference. This is where the Linux Quick
Fix Notebook comes in handy. Chapter 2, Introduction
to Networking, is available for download from TechRepublic.
In the following interview, Peter Harrison discusses the
‘host your own Web site’ decision making process and presents his
thoughts concerning the future of Linux, what is holding it back, and what can
be done about it.
Title: Linux Quick Fix Notebook
Author: Peter Harrison
Chapter 2: Introduction to Networking
Publisher: Addison-Wesley Professional
www.phptr.com/title/0131861506
This chapter is excerpted from the
forthcoming new book, ‘Linux Quick Fix Notebook’, authored by Peter
Harrison, scheduled to publish in late March. The chapter is reprinted with
permission from publisher Prentice Hall PTR.
Interview
[TechRepublic] In
your book, you ask the question Why Host Your Own Site? That chapter lists and discusses
the pros and cons of hosting your own site. Do you have a general rule of thumb
for when an organization would be best served by self-hosting? Which beneficial
aspect should carry the heaviest weight when making a decision on self-hosting
versus virtual hosting?
[Peter Harrison] The
decision to do self-hosting for your business should be strictly based on
business needs. Embark on it when your service provider threatens the future
growth of your company. Plan well, only use proven stable technologies, go
slowly, have a backup plan, inform your customers and minimize your exposure to
downtime risk at every step of the way.
The business strategy of a virtual hosting provider is to
reduce their costs as much as possible via standardization. Each Web server
handles hundreds of Web sites, each with access to only a single type of
application server, database, shopping cart, blog, Web
mail or message board forums software suite. Customization usually occurs
through a standard Web GUI interface which is usually geared towards altering
the work flow features of the software and not its overall performance. Support
is usually only given through instant messaging.
For a simple Website with the aim of providing supplemental
information to newspaper or Web advertising, basic virtual hosting
services, which start at about $10 per month, should be sufficient. The cost
advantage of this service declines as you require additional high end services
or customization.
There are two broad scenarios where self hosting for small
businesses starts to become desirable:
Online product searches with shopping carts:
Sometimes you want visitors to be able to search your Website
for a list of available products by name, by category, in a particular price
range, or from a specific manufacturer. This requires Web pages to be generated
dynamically using application server software that queries a database. This can
cost about $100 per month, and if you need the person to buy the product using
a shopping cart, then the price can reach as much as $150 for an entry level service.
You can lease a dedicated server for $200 per month in a colocation data
center and if you choose to use Linux, your software procurement costs would be
negligible. Self hosting in this scenario can become desirable if you already
have a capable IT staff with sufficient resources to complete the project
within your budget and on time.
Customized services and support:
There are many combinations of factors that can make a
virtual hosting provider become unsuitable for your business.
With virtual hosting you are at the mercy of your service
provider to provide software updates or patches to fix security, performance or
functionality problems. You may find that the completion time for your request
may be long if you are one of a hundred customers on a server. The service
provider also has to ensure that the upgrade won’t affect any of the other Websites
and this can add delays.
There will be times when you need to implement software that
needs to be installed external to your home directory and that isn’t supported
by your hosting provider. Examples of this include a new database product and
centrally managed server logins using LDAP.
With hundreds of Websites on a server, you run the risk of
slow response times due to one of the URLs owned by another company suddenly
becoming popular. The cause of this latency is often difficult to determine
and correct, especially in a shared environment where you don’t have access to
many systems tools.
Many businesses rely on a Web presence for the majority of
their revenues and cannot afford to have extended periods of downtime. With the
use of load balancing devices it is possible to spread your Web hits across two
or more servers. The load balancer regularly probes your servers and
automatically steers traffic away from any server that appears to be
malfunctioning or down. This is a useful offering if you need to take an application
offline for maintenance. Many virtual hosting providers don’t offer such a
service to individual customers.
You may want your applications to run on unique TCP/IP ports
and be accessible only to certain IP address ranges or you may want communications
with these ranges to be fully encrypted over a virtual private network (VPN).
This will usually require some form of VPN or firewall service that your
provider may not offer. Your security policy may open a vulnerability to other Web
sites. For example, allowing FTP access to the virtual server allows this
access to all sites on the server; this may be viewed as a security risk for
your neighbors. If you don’t want to risk this type of exposure, then consider
self-hosting.
You may require highly customized reporting or have
complicated inventory listings which have to track parts, sub assemblies and
finished products. There may be the need to link your shopping cart order entry
system with the inventory system of a supplier which your virtual hosting
provider may be able to do, but it may expose more of your business to this
provider thereby increasing your risk.
If you decide to do self-hosting, you should also consider
its consumption of your business resources, namely time, talent and money. The
financial cost of the equipment is obvious, but there are resource costs
related to installation, training, staff shortages, consulting, security and
long term maintenance. With an existing IT staff, the strain would be less but
if the company has less than a dozen employees the price of customization could
be a high proportion of your business overhead expenses.
If you are a small company with limited IT staff, or have capable staff who would be better utilized expanding
the business, then it may be best to adjust your requirements so that they can
be easily managed by a virtual hosting service. As the customization needs of
the company grow consider self hosting. Create a pilot project using only the
most essential customization and if successful, gradually migrate over to a
production version of the pilot site. Convert your pilot to a general testing and
staging area and then add modifications to the production site when you are
satisfied they work.
Sometimes businesses should accept the fact that self-hosting,
though desirable, may be beyond the budget and capabilities of their
organizations. Switching from a virtual hosting operation to a more expensive
fully managed hosting provider that specializes in customizations may have to
be considered. Replacing your virtual hosting provider with a fully managed
service may be required if virtual hosting hinders the growth or survival of
your company and you feel you would be incapable of completing a successful
self-hosting operation on your own.
802.11g/n
[TechRepublic] In
the book, you discuss the configuration of 802.11a/b wireless
networks in Linux using either Wireless Tools or Linux-WLAN. Are there
similar packages for 802.11g/n? Are the configurations similar to those you
outline?
[Peter Harrison] There
are a number of ways to get 54 Mbps 802.11g/n cards to work with Fedora, but
most open source references focus on the Prism54 and NdisWrapper
projects.
Though it works, the Prism54.org software suite has a number
of limitations. It requires you to apply kernel patches and then recompile the
kernel. It is also only compatible with a limited number of wireless cards.
This can be a daunting process even for experienced Linux users.
Windows uses the Network Driver Interface Specification
(NDIS) as a standardized method for the operating system to communicate with
the NIC driver software from various manufacturers. The Linux NdisWrapper
software suite, available from ndiswrapper.sourceforge.net, allows you to run
your Windows NIC card’s drivers under Linux by creating a software wrapper
around the Windows driver to trick it into thinking that it is communicating
with Windows and not Linux. The compatibility range is therefore much wider and
in cases where you need to recompile your kernel, the project’s Website has
links to RPM packages of standard kernels with NdisWrapper
support. Installation instructions on the project’s Web site are reasonably
clear and a proficient Linux user should be able to get their NIC card working
within an hour or two on their first try.
NdisWrapper has some limitations too. It only works on hardware architectures
supported by Windows, the very useful iwspy command isn’t supported and the
wrappers add a layer of software complexity that would not exist normally. There
is a commercial competitor to NdisWrapper called DriverLoader created by the
Linuxant Corporation which readers may also want to consider.
NDISwrapper transparently
interfaces with Linux wireless tools which makes configuration very similar to
that of 802.11b. The higher speed 802.11g capability is activated by placing
the string ‘RATE=54Mb/s’ in your /etc/sysconfig/network-scripts/ifcfg-eth* file. You also
have to deactivate your 802.11g NIC in the /etc/modprobe.conf file and instead list the NDIS driver. I
have a brief tutorial of how to do this on my Website.
My experience with NdisWrapper in
the home has been very good, but like Prism54 and even Linux-WLAN, you have to
reinstall the product each time you upgrade your kernel. This may not be
tolerable in a mission critical business environment where maintenance related
downtime needs to be kept to a minimum and where all software used needs to be
100% Linux compatible to ensure stability.
When 802.11g WiFi technology
becomes more mature it will indubitably be supported natively by Linux Wireless
Tools without the need for additional software, but there will always be NICs that don’t support Linux and knowledge of NdisWrapper will be invaluable.
Securing systems
[TechRepublic] When
an organization places a server of any kind on the Internet, it becomes responsible
for the security of that node. More than just a few of the security
vulnerabilities exploited by the nefarious members of society stem directly
from small operations that simply do not keep up with the latest
server-software security patches. What are the essential steps an organization
self-hosting a Web site should take to secure their systems?
[Peter Harrison] Security
is really a broad topic and should be considered as anything that can
potentially affect the availability of your site. I have included some general
categories that come immediately to mind:
Restrict network access
A good rule of thumb is to try to make HTTP traffic the only
unencrypted traffic to hit your Web site from the Internet. Remote access by
employees or satellite offices should be done via encrypted VPNs
or using secure login clients such as SSH.
This requirement demands a firewall to easily support VPNs. Most entry level
units start at about $400, making them reasonably affordable, and often use a
Web GUI to make them easily configurable. I generally prefer the use of a single
firewall to protect a network as the management of firewall applications running
on individual servers can quickly become unmanageable.
Other servers that support your Website via mail and DNS
services can’t have encryption, but should have inbound Internet access limited to
these ports only. Remote access to them by employees should be over secure
channels.
When you install your servers, you should also ensure that
they are only listening on the expected TCP/IP ports. Direct access from the
Internet to database servers should be severely restricted. Internet based SQL
queries should only come via VPNs. The less of your
site that’s visible, the better it is for security.
Be proactively informed and patch accordingly
There are many vulnerability email notification services
such as CERT and newsletters provided by SecurityFocus.com that
help you keep abreast of the latest events.
You should patch whenever you can and be aware that this
activity may cause your application to stop working. Always have a means to
revert to the original configuration when doing this.
Patching shouldn’t be the only means of application
security. Most software vendors provide tools to reduce the risk of attack and
have their own security mailing lists to inform you of required upgrades. These
should be utilized at every opportunity.
Bolster physical security
Your servers should be in a secured, cool, clean area with
access limited to only authorized personnel. Power should be reliable and
protected by a UPS. The location should have water free fire suppression
equipment as a first line of defense. Your data should be backed up regularly.
If you cannot afford a tape unit, then disk to disk backup within your server
or to another server on your network should be considered. Make sure you have
redundant infrastructure whenever possible. This should include dual routers,
switches, firewalls and servers with preferably automatic failover.
Improve user management
Force the changing of passwords regularly. Be judicious with
providing super user capabilities, and use the sudo
utility whenever privileged access is needed. Disable user accounts and all
network access to employees who have left your organization.
This short list should be a sufficient starting point for most
small self-hosting operations and should reduce your vulnerability to attack
significantly. Last but not least, assign the role of IT Security Expert to one
of your members of staff so that the topic is given the attention it deserves.
Make this person train and inform staff of security issues so that the entire
organization can participate in making the entire organization more secure.
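The "Restrict network access" advice above, that a self-hosted server should listen only on the expected TCP ports, can be turned into a routine check. The script below is an added example, not code from the book or the interview; it assumes the iproute2 `ss` tool with its `-H` (no header) flag, an allowlist of 22/80/443 that you would adjust to your own site, and uses a constructed `ss` sample so it runs offline.

```shell
#!/bin/sh
# Added example (not from the book or interview): flag Internet-facing TCP
# listeners that are not on the allowlist of ports a Web server should expose.

# Ports a public Web server is expected to expose. Assumption: 22 is SSH for
# administrative access over an encrypted channel, 80/443 are the Web site.
EXPECTED_PORTS="22 80 443"

# Read ss-style lines ("State Recv-Q Send-Q Local:Port Peer:Port") on stdin and
# print each distinct listening port that is not in the allowlist. Sockets bound
# only to loopback are skipped because they are not reachable from the Internet.
unexpected_ports() {
    awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 {
            addr = $4
            # loopback-only binds (127.x.x.x or [::1]) are not Internet facing
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            # the port is the text after the final colon: 0.0.0.0:80, [::]:443, *:22
            port = addr; sub(/.*:/, "", port)
            if (port ~ /^[0-9]+$/ && !(port in ok) && !(port in seen)) {
                seen[port] = 1
                print port
            }
        }' | sort -n
}

# Audit a block of ss output passed as a string; returns the offending ports.
audit_sample() {
    printf '%s\n' "$1" | unexpected_ports
}

# Constructed sample in the format of `ss -Hltn`: SSH, HTTP and HTTPS as expected,
# a MySQL listener exposed on all interfaces, and a mail daemon bound to loopback.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'

# Stand-alone run over the constructed sample: prints 3306 (the database port
# that should only be reachable over the VPN, not from the Internet).
audit_sample "$SAMPLE"

# On a live host, audit the real socket table instead:
# ss -Hltn | unexpected_ports
```

Run it from cron and alert on any non-empty output, so a new service that starts listening on a public interface is noticed before an attacker finds it.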
Linux toolbox
[TechRepublic] The
Linux/MySQL/Apache setup is arguably the most-popular Web site server system in
use today. In addition, open source software continues to grow in popularity.
What Linux and/or open source software would you like to see develop in the
next year? Is there a particular piece of software or a service you feel is
missing from the current Linux toolbox?
[Peter Harrison] The
growth of the open source movement will be stunted unless software developers
seek new sources of inspiration for usability. It may seem odd, but life’s
lessons learned in your kitchen are very applicable. Linux needs to be
microwaveable.
It is now possible to replace Windows with Linux for basic
office tasks. The overall look and feel is purposely similar, the file formats
are generally compatible, and as many office applications work on both systems,
retraining costs have been greatly reduced. In the very near future the
decision to use Microsoft Office, versus a product like Linux’s StarOffice, will hinge not only on cost but also on
personal preference. User demand for common features and competitive pricing
will make the differences in cost and the user experience of desktop operating
systems almost unnoticeable.
Similar trends are occurring in the use of open source
software in the back office. Linux based applications are being
enthusiastically promoted by younger systems administrators who have been
exposed to non-proprietary software. They will soon occupy the management
positions needed to ensure the acceptance of open source projects throughout
the organization. Software aggregators such as RedHat,
Novell, Mandrake and Red Flag have created corporate personae with whom binding contracts defining performance, features,
warranties and support can be made. It is becoming easier to justify new large
scale projects with Linux in businesses, for legal, financial and strategic
reasons.
Unfortunately, for the back office, Linux is still too hard
to use. Most importantly there is no standardized and simple method for
installing software. Why can’t all installation programs automatically use a
software archive’s filename extension to determine and implement the necessary
installation steps? Why should you ever need to read an installation README.TXT
file when you could be prompted instead? Why don’t installation programs prompt
you for the parameters most likely to be needed by the application to get it to
work? The requesting of an application’s administrator password, automatically
creating supporting databases, and the prompting for whether the application
should be immediately started and/or started on reboot should be standard
options. Why can’t the addition of network routes or IP addresses on interfaces
be done via a series of simple command line prompts? Why doesn’t Linux have a
series of simple ‘show’ and ‘set’ commands to view the
system’s status and modify configurations?
When I go to the supermarket I have a choice in food. I can
buy less satisfying microwaveable food or buy all the ingredients from scratch
to create a meal worth remembering. Linux software installation should be the
same. There should be two options from the command line; the first should
prompt the user for the most likely parameters 80% of the population should
need to get the basic application to work. It should be as easy as reheating a
TV dinner, you shouldn’t have to refer to the README.TXT file. The second
option would maintain the default configuration file for expert gourmet
editing.
Great strides have been made to create helper applications
to make the Linux command line less intimidating. It would be good if each
application had its own basic configuration script ‘for dummies’ with
the same naming scheme based on an application’s daemon name, so for example, sendmail-guru would be used to set up a mail server and httpd-guru would be used to set up the Apache Web server’s
daemon. The further development of companion Web GUI interfaces for
applications similar to the Samba SWAT and the CUPS printing utilities would
also be of great help. Standardized configuration URLs running on HTTPS would
help to make things easier. To a great extent this exists already in the Webmin application suite. Basic Webmin
style functionality just needs to come bundled with the base software to get
the user started and should be easily disabled for security reasons once the
configuration is complete.
Linux software installation may be easy using the console
GUI, but it can be intimidating from the command line. Unless Linux software
installation is as easy as it is in Windows, the resistance from systems
administrators that are only familiar with Windows and other proprietary
operating systems will continue. This is a large group of technology filters
who need to be persuaded to consider open source as a convenient potential business
alternative. Their involvement will help to accelerate Linux adoption in
businesses.
This need is even more important as Linux is at the center
of an increasing trend in the use of commodity operating systems that are cheap
enough to fit a vast number of budgets and efficient enough to breathe new life
into old hardware. We will therefore see it being used by increasing numbers of
people with much less initial exposure to technology and access to financing.
Simplicity will be critical for more universal acceptance.
Microwaveable
The Linux community is extremely vibrant, maybe even
irrepressible, and thousands of new open source software projects are created
each year. I can think of no better feature or product that I feel more
strongly about than the need to simplify the Linux experience for the systems
administrator and newbie without sacrificing functionality. Only then will
Linux be considered as a viable alternative at all levels of the decision
making process in homes, schools, governments and the private sector. It’s not
the product, it’s the packaging. Linux needs to be microwaveable.