Security

Besides reliability there is no other equally important feature of a production system than security. If a system is not secure then no matter how reliable it is or how advanced the functionality which it offers it is nothing more than a liability. This section examines methods to improve the security of individual applications as well as complete computer systems and networks.

Documents include information on encrypting the network traffic of a variety of common applications using SSL and TLS, the construction of a custom firewall using the Linux kernel's Netfilter subsystem and the iptables application as well as information describing how to configure IPsec using the racoon daemon to create a Virtual Private Network (VPN).

Building a firewall with Netfilter and IPTABLES

In an increasingly networked world our computers are more vulnerable than ever to attack. New software defects are discovered every day and new exploits of these defects are increasingly being used by automated "bot-nets" to attack and compromise other machines making a good defence against such attacks more important than ever. The first line of defence against this onslaught should usually be a well configured firewall which can act as both a barrier against unwanted network traffic and a filter to ensure that the network traffic we do allow is legitimate.

This document aims to be a how-to describing the planning and implementation of a Linux firewall based on NetFilter kernel subsystem and the iptables user-land application. The filtering of TCP, UDP and ICMP packets is covered as well as simple routing and Network Address Translation using the the SNAT, DNAT and Masquerade targets. We also discuss logging filtered packets both as an aid to debugging connection related issues and as a method of monitoring for new attacks and attack vectors.

Encrypting network traffic using IPsec

Whenever we send any data over a network of any kind, private or public, wired or wireless, that data is vulnerable to both interception and modification unless steps are taken to ensure the security and authenticity of said data. This document examines how we can use the Internet Protocol Security Extensions, or IPsec as it is more commonly known, to provide end-to-end encryption services providing security against interception, modification and replay.

In addition to documentation on how to use the setkey application and racoon daemon to provide security between peers on a Local Area Network (LAN) using IPsec in transport mode we shall also examine how to use IPsec in tunnel mode to create a Virtual Private Network (VPN) to transparently connect two networks together over the Internet.

Securing network traffic using SSL/TLS

Whenever we send any data over a network of any kind, private or public, that data is vulnerable to both interception and modification unless steps are taken to ensure the security and authenticity of said data. In this document we shall examine how we can use the Secure Sockets Layer, or SSL as it is more commonly known, and its successor Transport Layer Security, or TLS, to provide end-to-end encryption services providing security against interception and modification. We shall also examine how user, client and server certificates can be used to ensure the authenticity of our data.

In addition to an explanation of how to configure and install the OpenSSL software to allow certificates and certificate requests to be generated and signed we shall also give detailed examples of how to configure a variety of common applications, such as the Postfix SMTP server and the Courier IMAP server, to use either SSL or TLS to secure the data they send and receive.