Tux

...making Linux just a little more fun!

Securing a Network - What's the most secure Network/Server OS? - Is ?there a secure way to use Shares?

Rick Moen [rick at linuxmafia.com]


Sun, 1 Mar 2009 10:43:15 -0800

A creative way to deal with "homework" questions.

----- Forwarded message from Wade Richards <wade@wabyn.net> -----

Date: Sun, 01 Mar 2009 09:13:40 -0800
From: Wade Richards <wade@wabyn.net>
To: Chip Panarchy <forumanarchy@gmail.com>
CC: debian-security@lists.debian.org
X-Mailing-List: <debian-security@lists.debian.org> archive/latest/23028
Subject: Re: Securing a Network - What's the most secure Network/Server OS?
- Is there a secure way to use Shares?

This sounds a lot like "I'm taking a course, and I'd like the Internet to do my homework for me." I'll give you generally correct advice, with enough lies in here to give you a failing grade if you don't verify my statements.

If I were setting up a system as you described, I'd focus on what the network clients are capable of, and what requires the least non-standard configuration on them (because misconfiguration of the client workstation is an easy way to introduce insecurity, and it's hard for you to enforce their config).

The Windows boxes want Windows networking, the Unix-like ones want Unix networking. A Unix server is most likely to give you both easily, although almost any server OS can.

So the servers should be running SAMBA for Windows logon and network shares, plus LDAP and NFS for Unix logon and sharing. SAMBA can be configured to authenticate against the local LDAP server, so it can become your single source of knowledge for user accounts. You can share the same directories on the server via SAMBA and NFS, so they become your centralized storage.

Encrypting network traffic is very much the least of your concern. So many people think security means "encrypt stuff!", when it is the high level protocols (logon, authorization) that matters. Nobody will bother with packet sniffing when they can just read the files directly from the file server. Besides, in a wired network, the switches will ensure packets only go to the machines where they are supposed to be, so sniffing is pointless. If you really want to waste your time, ipsec, or tunneling NFS through SSL will work (wireless should use WPA2 with as many bits as makes you happy.

To make the network fast, you should grease your network cables. Security can be improve by adding cable locks to all the computers, and putting in a steel door with a deadbolt, and bars on the windows.

It's always a good idea to use a Debian server for repositories, because the Debian kernel and file system has native support for dpkg file formats, so performance is much faster with them. You may choose to have your Ubuntu and Windows machines automatically get patches from your central patch repository, so you can pre-test them all before roll-out. Or, you can have the machines automatically get the patches from Ubuntu.com and MSFT directly. It depends on how much effort you're willing to put into testing patches. If you go the direct route, then buggy patches may impact your system. If you go the indirect route, then your testing delay between a patch being released by the vendor and you deploying it may allow an exploitation. It depends on which risk you want to take.

The server can be Debian, Ubuntu, Windows server, BSD or Mac. It could even be running OS/360. The key question is which are you most comfortable using, and which are you most capable of keeping patches up-to-date and systems securely configured. If I were setting it up, it would be Debian. If you're taking a MSCE course, your best choice is probably Windows server or Windows 95.

--- Wade

Chip Panarchy wrote:

>Hello
>
>So far, when I have posted on this Mailing-List I have recieved some
>very informative replies.
>
>I am currently studying for a few certifications, (amongst them MCSE,
>Security+ & the CCNA), and would like to learn how to design a secure
>network.
>
>Please help me with this endeavor.
>
>Hypothetical situation;
>
>################################################################
>1x Server (no need to go into specs, but let's just say 8GB of RAM and
>2x Intel Quad CPU at 2.66GHz)
>500x Windows Computers (400x Windows XP, 94x Windows Vista and 6x Windows 7)
>80x Linux Computers (Ubuntu... and others?)
>46x Mac OS X Computers (Including 10x Tiger, 34x Leopard and 2x Snow 
>Leopard)
>3x FreeBSD (2x v7, 1x v9)
>################################################################
>
>===============================
>630 computer all up, including the Server
>===============================
>
>Now onto my question. For a convoluted network as pictured above,
>(hypothetical, of course), what kind of Server (NOS included?)
>operating system should I install, and how should I configure it?
>
>I want to know this only by a security standpoint. Things that are 
>important;
>############
># SECURITY #
>############
>- Encryption of all traffic (256-bit)
>- Shares (if possible to have Shares and still maintain a secure network)
>- Centralised secure storage of Data (Storage)
>- Centralised secure storage of User accounts
>- Unattended installation of (at the very least) the 500 Windows boxes
>- Internet
>
>Please tell me what I would need in this situation, not interested in
>how many people would be needed, how much money it would cost, or how
>much time it would take.
>
>Now time to summarise my questions in an easy to review format;
>
>1. Which Server Operating system should I install on my Server?
>2. To make the Network fast (e.g. Gigabit NICs on all computers & more
>Servers etc.), as well as secure, what would I need to do?
>3. What is the best way to have 256-bit encryption of all traffic on
>this network?
>4. Is it possible to have Shared folders, yet still attain a
>high-level of security on this Network?
>5. Would it be possible to have Centralised Storage/Resources?
>6. Could it be possible to have a Centralised User Account database,
>for this entire network?
>7. Would you think it a good idea to use a Debian server for Repositories?
>
>Please try your best to answer those 6 questions.
>
>Thanks in advance,
>
>Chip D. Panarchy
>
>PS: I was planning on making this into many little Messages on this
>Mailing-list, however, I decided against it. If you think I should
>make them into smaller messages (eg 1 of the 6 questions per message)
>then please tell me.
>
>
>  
-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


Top    Back