[CALUG] opinion on book(s) on network security?

Jim Sansing jjsansing at verizon.net
Sun Jun 8 12:57:04 EDT 2008


I agree with Rajiv: for most home networks, books are overkill (or in
some cases, underkill).  My suggestions for home networks are:

- It is assumed that when you say 'home network' you have a router
connecting to your ISP.  If not, get one.  The 2 routers I have had were
set to disallow inbound connections to any port by default, but verify
this.  Then, if you allow any port to have access, specify the hosts or
subnets to be allowed to use it.  This will get you 75% of the way to a
protected network.

- If you have a wifi access point, make sure it has encryption enabled. 
You will have to set a key on each computer that uses it.  WPA/WPA2 is
stronger than WEP, but if all your access point supports is WEP, at
least use it.

- If you have MSFT on your network, especially make sure unnecessary
services are turned off.  If you are not using file/print sharing,
disable it.  And it is my understanding that some versions have ports
open for unneeded services, such as database access, by default.  If you
haven't already, replace IE with Firefox (as your primary browser),
Outlook with Thunderbird, Office/Works with Open Office, chat apps with
Pidgin (GAIM), etc.

- Set BIOS passwords.

- Keep updates up-to-date.

- Educate everyone who has access to a computer on your network about
good passwords, how to handle spam, avoiding links that go to unknown
sites, and good netiquette.

- If you are still concerned, install nessus or nmap and run a local
scan periodically.  You can also install host IDSes, such as Tripwire (I
don't know of a FOSS equivalent for MSFT), on each host, although
monitoring them can be time consuming--weekly is probably sufficient.

This much should put you in the top 90 percentile of secure home
networking, and will probably be enough to convince attackers to defer
to lower hanging fruit (i.e. the bottom 90 percentile ;-).

Later . . .   Jim


Rajiv Gunja wrote:
> Ed,
> I have read/browsed that book online. I felt that it is good only for
> learning the different jargon that is put out there when geeks and
> sysadmins talk about security. But it fails very much to explain how
> to protect your system or even simply identify what services a
> distribution will have open.
>
> Yes I agree that it is very difficult to write a Linux Network
> Security when there are over 150 Linux Distributions, but at least the
> basic concept of Security should be covered in a book I read and this
> book fails it.
>
> I would suggest a couple of alternatives:
>
>     * Go to a book store, if you or your company does not own access
>       to Online Book Library, find a nice chair and browse through 2
>       or 3 Security books, does not matter if they are Linux or UNIX
>       (avoid Windows as that OS has nothing in common with Linux)
>     * If you own your own Linux Server, find out which services you do
>       not need and shut them down. For even my desktop, I run http and
>       ssh and that's about it.
>     * Choose a distribution which does not install all kinds of
>       applications you do not need. Good way is to create a kickstart
>       file with the bare minimum if you are installing servers.
>       Avoiding X is also good when installing servers.
>     * If this server is in your company, ask your company to purchase
>       a good port/vulnerability scanner and scan all your servers.
>
>
> Where I work, I get my servers scanned once before the applications
> are installed and once after, thus avoiding any unwanted ports or
> vulnerability of apps.
>
> Hope this helps.
>
> -GGR
> Rajiv G Gunja
>
>
> On Sat, Jun 7, 2008 at 8:31 AM, Ed Browne <edward_d_browne at yahoo.com> wrote:
>
>
>     Has anyone seen the book "Linux Network Security"
>     by Peter G. Smith?  Can you recommend it?  I stumbled
>     across it, and it seems possibly to be what I'm looking
>     for, a practical book with emphasis on protecting your
>     home (linux) network from the big, bad world outside.
>     If you have other recommendations along those lines,
>     I'd be happy to hear them.
>
>     Thanks very much - Ed
>
>
>     _______________________________________________
>     CALUG mailing list
>     CALUG at unknownlamer.org
>     http://lists.unknownlamer.org/listinfo/calug
>
>
>   
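As an added example (not part of either message): one way to follow the "find out which services you do not need" and "run a local scan periodically" advice on a Linux host is to read the kernel's own table of listening TCP sockets and compare it to an allow-list. The /proc/net/tcp text below is a constructed sample, the allow-list of ports 22 and 80 is an assumption taken from the ssh/http remark in the quoted message, and the address decoding assumes a little-endian machine such as x86.

```python
import ipaddress

# Constructed sample in the format of Linux /proc/net/tcp (IPv4 sockets only).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 1004 1
   4: 0A01A8C0:0016 6401A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005 1
"""

ALLOWED_PORTS = {22, 80}   # assumption: ssh and http only; adjust per host
TCP_LISTEN = "0A"          # kernel state code for a listening socket


def listeners(proc_net_tcp_text):
    """Return (IPv4Address, port) for every socket in the LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                   # established, closing, etc.
        hex_addr, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order, so on a
        # little-endian machine the bytes must be reversed to read it.
        addr = ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1])
        found.append((addr, int(hex_port, 16)))
    return found


def unexpected(proc_net_tcp_text, allowed=ALLOWED_PORTS):
    """Listeners reachable from the network whose port is not allow-listed."""
    return sorted((str(addr), port)
                  for addr, port in listeners(proc_net_tcp_text)
                  if not addr.is_loopback and port not in allowed)


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() instead of the sample.
    for addr, port in unexpected(SAMPLE_PROC_NET_TCP):
        print(f"unexpected listener on {addr}:{port}")
```

A listener bound to 127.0.0.1 is skipped because other machines on the network cannot reach it; IPv6 listeners live in /proc/net/tcp6 and are not covered here.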



