Hardening a Unix computer for Internet use
Rob Kolstad, long-time USENIX executive and noted
industry personality, often points out that a good system
administrator is a master of change on many time scales. That
statement is most appropriate in the context of last month's topic,
managing TCP/IP connections. New services appear monthly, new host
entries pop up daily or every few hours, and you can get hit with a
routing table update at least every 30 seconds. The number of moving
parts conspires to keep at least some things broken, some of the time.
Last month we talked about the myriad configuration problems that
interfere early in the process of making a connection. This
month, we'll proceed with our discussion of TCP/IP mechanics by
covering performance and security concerns.
After identifying the remote system's IP address and desired service
port number, the rest of the connection process should be as simple as
knocking on a door when you know the street address and floor number
on which it's located. Nothing in life, electronic or carbon, is that
simple. The door-knocking analogy highlights most of the additional
things that can go wrong in TCP-land: nobody answers the remote door
(performance problem), you are deemed persona non grata and
are turned away at your destination, or you run into troubles getting
out of your own building. To start our journey, we'll look at server
performance limits that create connection bottlenecks, and then
explore the popular TCP wrapper package used to establish access
controls over network services. We'll conclude with an overview of the
SOCKS tools that let you enjoy the security of a well-locked door but
still sneak out for an occasional network snack.
Connection erection
Just because you can name the remote end of a socket with an IP
address and port number pair doesn't mean the other side can or even
wants to talk to you. Making yourself appear interesting (and trusted)
is a security problem we'll cover shortly. Making sure your servers
have sufficient connection management resources is a growing
performance problem. As the use of network services has exploded,
resource-allocation assumptions that are many years old have proven far too
restrictive.