NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Appendix A. Hardware and Network Protection
The best practice before deploying a machine into a production
environment or connecting your network to the Internet is to
determine your organizational needs and how security can fit into
the requirements as transparently as possible. Since the main goal
of the Red Hat Enterprise Linux Security
Guide is to explain how to secure Red Hat Enterprise Linux, a
more detailed examination of hardware and physical network security
is beyond the scope of this document. However, this chapter
presents a brief overview of establishing security policies with
respect to hardware and physical networks. Important factors to
consider include how computing needs and connectivity requirements
fit into the overall security strategy. The following explains some
of these factors in detail.
- Computing involves more than just workstations running desktop software. Modern organizations require massive computational power and highly-available services, which can include mainframes, compute or application clusters, powerful workstations, and specialized appliances. With these organizational requirements, however, comes increased susceptibility to hardware failure, natural disasters, and tampering or theft of equipment.
- Connectivity is the method by which an administrator intends to connect disparate resources to a network. An administrator may use Ethernet (hubbed or switched CAT-5/RJ-45 cabling), token ring, 10-base-2 coaxial cable, or even wireless (802.11x) technologies. Depending on which medium an administrator chooses, certain media and network topologies require complementary technologies such as hubs, routers, switches, base stations, and access points. Determining a functional network architecture allows an easier administrative process if security issues arise.
From these general considerations, administrators can get a
better view of implementation. The design of a computing
environment can then be based on both organizational needs and
security considerations — an implementation that evenly
assesses both factors.
The foundation of a LAN is the topology, or network architecture. A topology is
the physical and logical layout of a LAN in terms of resources
provided, distance between nodes, and transmission medium.
Depending upon the needs of the organization that the network
services, there are several choices available for network
implementation. Each topology has unique advantages and security
issues that network architects should regard when designing their
network layout.
As defined by the Institute of Electrical and Electronics
Engineers (IEEE), there are three common topologies for the
physical connection of a LAN.
The Ring topology connects each node
using exactly two connections. This creates a ring structure where
each node is accessible to the other, either directly by its two
physically closest neighboring nodes or indirectly through the
physical ring. Token Ring, FDDI, and SONET networks are connected
in this fashion (with FDDI utilizing a dual-ring technique);
however, there are no common Ethernet connections using this
physical topology, so rings are not commonly deployed except in
legacy or institutional settings with a large installed base of
nodes (for example, a university).
The linear bus topology consists of
nodes which connect to a terminated main linear cable (the
backbone). The linear bus topology requires the least amount of
cabling and networking equipment, making it the most cost-effective
topology. However, the linear bus depends on the backbone being
constantly available, making it a single point-of-failure if it has
to be taken off-line or is severed. Linear bus topologies are
commonly used in peer-to-peer LANs using co-axial (coax) cabling
and 50-93 ohm terminators at both ends of the bus.
The Star topology incorporates a
central point where nodes connect and through which communication
is passed. This central point, called a hub, can be either broadcast or switched.
This topology does introduce a single point of failure in the
centralized networking hardware that connects the nodes. However,
because of this centralization, networking issues that affect
segments or the entire LAN itself are easily traceable to this one
source.
Section A.1.1.3 Star Topology introduced the concept of broadcast and
switched networking. There are several factors to consider when
evaluating the type of networking hardware suitable and secure
enough for your network environment. The following distinguishes
these two distinct forms of networking.
In a broadcast network, a node will send a packet that is
received by every other node until the intended recipient accepts
the packet. Every node in the network can conceivably receive this
packet of data until the recipient processes the packet. In a
broadcast network, all packets are sent in this manner.
In a switched network, packets are not broadcasted, but are
processed in the switched hub which, in turn, creates a direct connection between the sending and
recipient nodes. This eliminates the need to broadcast packets to
each node, thus lowering traffic overhead.
The switched network also prevents packets from being
intercepted by malicious nodes or users. In a broadcast network,
where each node receives every packet on the way to its
destination, malicious users can set their Ethernet device to
promiscuous mode and accept all packets
regardless of whether or not the data is intended for them. Once in
promiscuous mode, a sniffer application can be used to filter,
analyze, and reconstruct packets for passwords, personal data, and
more. Sophisticated sniffer applications can store such information
in text files and, perhaps, even send the information to arbitrary
sources (for example, the malicious user's email address).
A switched network requires a network switch, a specialized
piece of hardware that replaces the role of the traditional hub in
which all nodes on a LAN are connected. Switches store MAC
addresses of all nodes within an internal database, which it uses
to perform its direct routing. Several manufacturers, including
Cisco Systems, D-Link, SMC, and Netgear offer various types of
switches with features such as 10/100-Base-T compatibility, gigabit
Ethernet support, and IPv6 networking.
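As an added defender-side example (not code from the guide), the following Python script shows two ways of spotting a NIC that has been switched into promiscuous mode on a Linux host: replaying the kernel's "entered/left promiscuous mode" messages from a syslog extract (the sample lines are constructed) and testing the IFF_PROMISC bit in /sys/class/net/<iface>/flags. The host name, interface names and timestamps in the sample are hypothetical.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<iface>/flags while the NIC is promiscuous

# Constructed sample of syslog lines as the kernel logs promiscuous-mode transitions.
SAMPLE_LOG = """\
May 12 10:01:03 host1 kernel: device eth0 entered promiscuous mode
May 12 10:01:07 host1 sshd[1234]: Accepted publickey for admin from 10.0.0.5
May 12 10:09:41 host1 kernel: device eth0 left promiscuous mode
May 12 11:20:00 host1 kernel: device eth1 entered promiscuous mode
"""

PROMISC_RE = re.compile(r"kernel: device (\S+) (entered|left) promiscuous mode")

def promisc_events(log_text):
    """Return (interface, 'entered'|'left') for every promiscuous-mode transition logged."""
    return [(m.group(1), m.group(2)) for m in PROMISC_RE.finditer(log_text)]

def currently_promisc_from_log(log_text):
    """Replay the transitions to find which interfaces are still promiscuous at log end."""
    active = set()
    for iface, action in promisc_events(log_text):
        (active.add if action == "entered" else active.discard)(iface)
    return sorted(active)

def flags_indicate_promisc(flags_hex):
    """True if a /sys/class/net/<iface>/flags value (for example '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)

def live_promisc_interfaces(sysfs_root="/sys/class/net"):
    """Scan sysfs on the running host (Linux only) for interfaces in promiscuous mode right now."""
    found = []
    for iface in Path(sysfs_root).iterdir():
        flags = iface / "flags"
        if flags.is_file() and flags_indicate_promisc(flags.read_text().strip()):
            found.append(iface.name)
    return sorted(found)

if __name__ == "__main__":
    print("transitions in log:", promisc_events(SAMPLE_LOG))
    print("still promiscuous per log:", currently_promisc_from_log(SAMPLE_LOG))
    print("promiscuous now (sysfs):", live_promisc_interfaces())
```

A legitimate sniffer (an IDS sensor, tcpdump run by an administrator) also sets this flag, so alert on interfaces where it is unexpected rather than on the flag alone.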
An emerging issue for enterprises today is that of mobility.
Remote workers, field technicians, and executives require portable
solutions, such as laptops, Personal Digital Assistants (PDAs), and
wireless access to network resources. The IEEE has established a
standards body for the 802.11 wireless specification, which
establishes standards for wireless data communication throughout
all industries. The currently approved IEEE standard is 802.11g for
wireless networking, while 802.11a and 802.11b are legacy
standards. The 802.11g standard is backwards-compatible with
802.11b, but is incompatible with 802.11a.
The 802.11b and 802.11g specifications are actually a group of
standards governing wireless communication and access control on
the unlicensed 2.4GHz radio-frequency (RF) spectrum (802.11a uses
the 5GHz spectrum). These specifications have been approved as
standards by the IEEE, and several vendors market 802.11x products and services. Consumers have also
embraced the standard for small-office/home-office (SOHO) networks.
The popularity has also extended from LANs to MANs (Metropolitan
Area Networks), especially in populated areas where a concentration
of wireless access points (WAPs) are available. There are also
wireless Internet service providers (WISPs) that cater to frequent
travelers requiring broadband Internet access to conduct business
remotely.
The 802.11x specifications allow
for direct, peer-to-peer connections between nodes with wireless
NICs. This loose grouping of nodes, called an ad hoc network, is ideal for quick connection
sharing between two or more nodes, but introduces scalability
issues that are not suitable for dedicated wireless
connectivity.
A more suitable solution for wireless access in fixed structures
is to install one or more WAPs that connect to the traditional
network and allow wireless nodes to connect to the WAP as if it
were on the Ethernet-based network. The WAP effectively acts as a
bridge between the nodes connected to it and the rest of the
network.
Although wireless networking is comparable in speed and certainly more convenient than traditional wired networking mediums, there are some limitations to the specification that warrant thorough consideration. The most important of these limitations is in its security implementation.
In the excitement of successfully deploying an 802.11x network, many administrators fail to exercise
even the most basic security precautions. Since all
802.11x networking is done using
high-band RF signals, the data transmitted is easily accessible to
any user with a compatible NIC, a wireless network scanning tool
such as NetStumbler or Wellenreiter, and common sniffing tools such as
dsniff and snort.
To prevent such aberrant usage of private wireless networks, the
802.11b standard uses the Wired Equivalent Privacy (WEP) protocol,
which is an RC4-based 64- or 128-bit encrypted key shared between
each node or between the WAP and the node. This key encrypts
transmissions and decrypts incoming packets dynamically and
transparently. Administrators often fail to employ this shared-key
encryption scheme, however; either they forget to do so or choose
not to do so because of performance degradation (especially over
long distances). However, enabling WEP on a wireless network can
greatly reduce the possibility of data interception.
Red Hat Enterprise Linux supports various 802.11x products from several vendors. The Network Administration Tool includes a facility
for configuring wireless NICs and WEP security. For information
about using the Network Administration
Tool, refer to the Red Hat Enterprise
Linux System Administration Guide.
Relying on WEP, however, is still not a sufficiently sound means
of protection against determined malicious users. There are
specialized utilities specifically designed to crack the RC4 WEP
encryption algorithm protecting a wireless network and to expose
the shared key. AirSnort and WEP Crack are two such specialized applications.
To protect against this, administrators should adhere to strict
policies regarding usage of wireless methods to access sensitive
information. Administrators may choose to augment the security of
wireless connectivity by restricting it only to SSH or VPN
connections, which introduce an additional encryption layer above
the WEP encryption. Using this policy, a malicious user outside of
the network that cracks the WEP encryption has to additionally
crack the VPN or SSH encryption which, depending on the encryption
method, can employ up to triple-strength 168-bit DES algorithm
encryption (3DES), or proprietary algorithms of even greater
strength. Administrators who apply these policies should restrict
plain text protocols such as Telnet or FTP, as passwords and data
can be exposed using any of the aforementioned attacks.
A recent method of security and authentication that has been
adopted by wireless networking equipment manufacturers is Wi-fi Protected Access (WPA). Administrators can configure WPA on their
network by using an authentication server that manages keys for
clients accessing the wireless network. WPA improves upon WEP
encryption by using Temporal Key Integrity
Protocol (TKIP), which is a
method of using a shared key and associating it with the MAC
address of the wireless network card installed on the client
system. The value of the shared key and MAC address is then
processed by an initialization vector
(IV), which is used to generate
a key that encrypts each data packet. The IV changes the key each
time a packet is transferred, preventing most common wireless
network attacks.
However, WPA using TKIP is thought of as a temporary solution.
Solutions using stronger encryption ciphers (such as AES) are under
development, and have the potential to improve wireless network
security in the enterprise.
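The following Python example is added here and is not code from the guide; it pairs a textbook RC4 with WEP's actual framing (a 24-bit IV sent in the clear and prepended to the 40- or 104-bit shared key to form the per-frame RC4 key) to show why a repeated IV leaks the XOR of two plaintexts to anyone holding both frames, without the key ever being recovered, which is the weakness the per-packet key mixing described for TKIP was designed to remove. The key, IV and frame contents are constructed values; the WEP ICV is omitted.

```python
IV_BITS = 24  # WEP sends a 24-bit IV in the clear and prepends it to the shared key

def rc4(key, data):
    """Textbook RC4: key-scheduling algorithm, then the keystream is XORed onto data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key, iv, plaintext):
    """WEP framing (ICV omitted): per-frame RC4 key = IV || shared key; the IV travels in the clear."""
    assert len(iv) == IV_BITS // 8 and len(shared_key) in (5, 13)  # 40-bit or 104-bit shared key
    return iv + rc4(iv + shared_key, plaintext)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ciphertexts_reveal_plaintext_xor(shared_key, iv1, iv2, p1, p2):
    """Using only the two frames (no key), test whether C1 XOR C2 == P1 XOR P2.
    This holds whenever iv1 == iv2: the same keystream was reused, so the key cancels out."""
    c1 = wep_encrypt(shared_key, iv1, p1)[3:]
    c2 = wep_encrypt(shared_key, iv2, p2)[3:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def seconds_until_iv_space_exhausted(frames_per_second):
    """Seconds until a single sender has used every one of the 2**24 IVs and must repeat one."""
    return 2 ** IV_BITS / frames_per_second

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")       # constructed IV
    print(ciphertexts_reveal_plaintext_xor(key, iv, iv, b"GET /index.html", b"PUT /secret.txt"))  # True
    print(seconds_until_iv_space_exhausted(1000))  # 16777.216: under five hours at 1000 frames/s
```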
For more information about 802.11 standards, refer to the
following URL:
For administrators who want to run externally-accessible
services such as HTTP, email, FTP, and DNS, it is recommended that
these publicly available services be physically and/or logically
segmented from the internal network. Firewalls and the hardening of
hosts and applications are effective ways to deter casual
intruders. However, determined crackers can find ways into the
internal network if the services they have cracked reside on the
same network segment. The externally accessible services should
reside on what the security industry regards as a demilitarized zone (DMZ), a logical network segment
where inbound traffic from the Internet would only be able to
access those services and is not permitted to access the internal
network. This is effective in that, even if a malicious user
exploits a machine on the DMZ, the rest of the internal network
lies behind a firewall on a separated segment.
Most enterprises have a limited pool of publicly routable IP
addresses from which they can host external services, so
administrators utilize elaborate firewall rules to accept, forward,
reject, and deny packet transmissions. Firewall policies
implemented with iptables or using
dedicated hardware firewalls allow for complex routing and
forwarding rules. Administrators can use these policies to segment
inbound traffic to specific services at specified addresses and
ports while allowing only LAN access to internal services, which
can prevent IP spoofing exploits. For more information about
implementing iptables, refer to Chapter 7 Firewalls.
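An added example (not from the guide) in Python that emits the iptables rule set for the DMZ policy just described: default-deny forwarding, anti-spoofing on the Internet-facing interface, inbound traffic forwarded only to published ports on named DMZ hosts, LAN access to the DMZ permitted, and DMZ-initiated traffic to the LAN dropped. The interface names, subnets and the firewall's public address are hypothetical placeholders.

```python
# Hypothetical three-interface firewall: Internet on eth0, DMZ on eth1, internal LAN on eth2.
EXT_IF, DMZ_IF, LAN_IF = "eth0", "eth1", "eth2"
PUBLIC_IP = "203.0.113.10"  # placeholder from the documentation range, the one routable address
# Sources that can never legitimately arrive from the Internet side (RFC 1918 and loopback).
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

def dmz_rules(published, ext_if=EXT_IF, dmz_if=DMZ_IF, lan_if=LAN_IF, public_ip=PUBLIC_IP):
    """Return the iptables commands for a DMZ policy.

    `published` is a list of (protocol, port, dmz_host) tuples that the Internet may reach;
    everything else inbound is dropped, and DMZ hosts can never open connections into the LAN.
    """
    rules = ["iptables -P FORWARD DROP"]  # nothing is forwarded unless a rule below allows it
    for net in PRIVATE_RANGES:  # anti-spoofing: private source addresses on the external side
        rules.append(f"iptables -A FORWARD -i {ext_if} -s {net} -j DROP")
    # Replies to connections already accepted (LAN->DMZ, Internet->DMZ) flow back freely.
    rules.append("iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for proto, port, host in published:
        # Translate the public address to the DMZ host, then allow only that service inbound.
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_if} -d {public_ip} -p {proto} "
            f"--dport {port} -j DNAT --to-destination {host}:{port}"
        )
        rules.append(
            f"iptables -A FORWARD -i {ext_if} -o {dmz_if} -d {host} -p {proto} "
            f"--dport {port} -m state --state NEW -j ACCEPT"
        )
    rules.append(f"iptables -A FORWARD -i {lan_if} -o {dmz_if} -j ACCEPT")  # LAN may manage DMZ
    rules.append(f"iptables -A FORWARD -i {dmz_if} -o {lan_if} -j DROP")    # a cracked DMZ host stays there
    return rules

def dmz_can_initiate_to_lan(rules, dmz_if=DMZ_IF, lan_if=LAN_IF):
    """Policy check: True if any ACCEPT rule lets the DMZ open new traffic toward the LAN."""
    return any(f"-i {dmz_if} -o {lan_if}" in r and r.endswith("-j ACCEPT") for r in rules)

if __name__ == "__main__":
    # Constructed services: a web server and a DNS server living in the DMZ.
    for rule in dmz_rules([("tcp", 80, "192.168.10.5"), ("udp", 53, "192.168.10.6")]):
        print(rule)
```

Review the printed rules before applying them, and keep the output of iptables-save so the live rule set can be compared against the intended policy.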