I'd like to share my ideas of network security in the hope of putting forward alternate (or complementary) points of view. This is a theoretical network security framework on which I based my implementations of network security:
1. I consider computer network like a 'fortress'. Just as a fortress requires perimeter defense from outside, computer network needs to be defended around its perimeter against attacks from outside such as the internet. But unlike a 'fortress' that is vulnerable to attacks always from several points around, computer network has only one or two, maybe three points of vulnerability from the internet, depending on whether a network is multihomed or not. For perimeter defense, a network needs firewall(s). Usually, firewall setup is the same for each point of vulnerability. With firewalls, my policy is simplicity, flexibility and manageability. For this I use http://www.shorewall.net open source software.
2. On some rare occasions, perimeter defense on the 'fortress' is penetrated. These are 'Network Intrusions', or intrusions. Some intrusions are benign or harmless whilst others are malicious. We need to be alarmed when intrusions are malicious; otherwise we ignore them. We need to have some system that is able to detect intrusions and to be able to classify these as alarming or otherwise. There is open source Intrusion Detection Software that can detect these intrusions as well as take actions to process these alarming or malicious intrusions. I use,
http://www.snort.org http://www.cert.org/kb/aircert
The good thing about these tools is that they may process malicious packets originating from outside as well as from inside a network.
3. Just as the good guys are quickly developing software and systems to defend the integrity, reliability, and security of their networks, the bad guys on the other hand are busy developing tools to spoil the good work. We must remember that bad guys are not only amongst the outsiders; they also lie low amongst the insiders.
The bad guys are developing sophisticated tools to snoop on our passwords, to unravel our encrypted packets, to replay handshaking procedures to authenticate unauthorized access, etc. To make it extremely impossible for these bad guys to apply their tools successfully, I use encryption and state of the art open source tools like,
openssl openldap cyrus-sasl kerberos
to encrypt and hide authorization and authentication procedures.
O. Plameras
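Points 1 and 2 above together describe a perimeter firewall that logs what it drops and a system that sorts those hits into "alarming" and "ignore". The following is an added example, not code from the original post nor from Shorewall or Snort: a small Python script that parses constructed kernel log lines in the shape Shorewall produces for a LOG-level policy (the "Shorewall:chain:disposition:" prefix followed by the usual netfilter SRC/DST/PROTO/DPT fields; the addresses, timestamps and the local network 198.51.100.0/24 are all assumptions made for the example), then classifies each source as an isolated, benign hit or as an alarming probe of many ports, and notes whether the source is inside or outside the 'fortress'.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of kernel log lines, in the shape netfilter writes when a
# Shorewall policy carries a LOG level. The format (prefix plus SRC/DST/PROTO/
# DPT fields), the hosts and the timestamps are assumptions for this example.
SAMPLE_LOG = """\
May  3 10:00:00 fw sshd[123]: Accepted publickey for admin from 198.51.100.20
May  3 10:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=21 SYN
May  3 10:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22 SYN
May  3 10:01:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=23 SYN
May  3 10:01:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=25 SYN
May  3 10:01:04 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=80 SYN
May  3 10:01:04 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40006 DPT=110 SYN
May  3 10:02:15 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=UDP SPT=137 DPT=137
May  3 10:03:40 fw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=5123 DPT=22 SYN
May  3 10:04:01 fw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=198.51.100.40 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
"""

# One regex for the fields we need; DPT is optional because ICMP has no port.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):"
    r".*?\bSRC=(?P<src>\S+)"
    r".*?\bDST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)"
    r"(?:.*?\bDPT=(?P<dpt>\d+))?"
)

# Assumed address range of the 'inside' of the fortress (the loc zone).
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")

# A source hitting at least this many distinct closed ports is treated as a probe.
SCAN_PORT_THRESHOLD = 5


def parse_log(text):
    """Return one dict per Shorewall log line; non-firewall lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # e.g. the sshd line: not a firewall record
        rec = m.groupdict()
        rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
        events.append(rec)
    return events


def classify(events, threshold=SCAN_PORT_THRESHOLD):
    """Group dropped packets by source address and label each source
    'alarming' (many distinct ports, i.e. a probe) or 'benign' (isolated hit),
    also recording whether it came from inside or outside the local network."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["disposition"] in ("DROP", "REJECT"):
            ports_by_src[ev["src"]].add(ev["dpt"])
    verdicts = {}
    for src, ports in ports_by_src.items():
        origin = "inside" if ipaddress.ip_address(src) in LOCAL_NET else "outside"
        kind = "alarming" if len(ports) >= threshold else "benign"
        verdicts[src] = {
            "origin": origin,
            "verdict": kind,
            "ports": sorted(p for p in ports if p is not None),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{src:15} {info['origin']:7} {info['verdict']:8} ports={info['ports']}")
```

The threshold is the whole "alarming or otherwise" decision here; a real deployment would also look at timing and at which ports are hit, which is what the signature-based tools named in the post add on top of firewall logs.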
Matthew Palmer wrote:
Put up at http://www.hezmatt.org/~mpalmer/talks/2004/security-slug/, please be gentle with my ADSL link.
- Matt
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
