LINUX SECURITY --- January 23, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Network monitoring with SNMP can provide valuable information for both performance tuning and security.
________________________________________________________________________________

Network Service Monitoring, Part 1
By Rick Johnson

Securing a network involves knowing the status of all services and devices at any given moment, which makes network monitoring vital for any system administrator. Few realize, however, that the same information has security value as well. Knowing that a service has stopped responding or that CPU utilization has spiked can provide clues to a compromise, or at least an attempt at one.

Outsourcing this responsibility to a third party is possible, but some companies lack the time and resources to hand the problem to someone else. Luckily, network service monitors can be implemented at minimal expense. The most widespread and configurable method uses SNMP (Simple Network Management Protocol).

SNMP allows management of multiple network devices using a single standard. Because it is a standard, almost every network-connected device possesses SNMP capabilities. The most common are routers, firewalls, and switches, but even printers have joined the ranks.

SNMP is best viewed, in my opinion, as a client-server architecture. The device waits until the daemon initiates contact and asks for specific information based on the Management Information Base (MIB) database controlled by the daemon. A MIB is a collection of information organized hierarchically in a tree form and comprised of specific entries called object identifiers (OIDs). OIDs are the specific variables known by a network device and the operations allowed on them.
If a manufacturer wants to add new commands to a device, such as a router, it must add the appropriate variables to the MIB database. When certain conditions are met, such as errors, status changes, or rebooting, a network device can also send unsolicited data called a "trap" to the SNMP daemon.

Two sets of passwords, called communities, secure access to SNMP data. The public (read-only) community gathers information from the device, while the private (read-write) community allows modifications to the device's configuration. These passwords must be configured on the device being managed. I beg you, please set them to something other than PUBLIC and PRIVATE.

As for setting up a server, or even for monitoring your Linux box, I highly recommend the NET-SNMP package (http://net-snmp.sourceforge.net/). It contains various tools relating to SNMP, including an extensible agent, an SNMP library, tools to request or set information from SNMP agents, tools to generate and handle SNMP traps, a version of the Unix netstat command that uses SNMP, and a Tk/perl MIB browser.

I have only briefly overviewed SNMP, and I highly encourage you to spend plenty of time learning its true value. Next week we will go beyond the world of SNMP and see what else exists.

About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________

ADDITIONAL RESOURCES

Securing Linux, Part 1
http://www.linuxworld.com/jlw/linsec_nl/lw-1999-05/lw-05-ramparts.html

Securing Linux, Part 2
http://www.linuxworld.com/jlw/linsec_nl/lw-1999-07/lw-07-ramparts.html

Is it time to outsource security?
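The SNMPv1 message layout the article sketches (a version number, a community string, and a PDU carrying OIDs from the MIB tree) is shown below in a small pure-Python BER encoder and decoder. This is an added example, not code from the article or from the NET-SNMP project. It builds a GetRequest for the standard MIB-II object sysDescr.0 (OID 1.3.6.1.2.1.1.1.0), parses a GetResponse that is constructed here rather than received from a device, and has two small checks that make the security point concrete: the agent answers only when the community string matches, and that string sits in clear text in the datagram, which is why the defaults should never be kept. Function names and the sample response text are this example's own.

```python
# Added example: minimal SNMPv1 (RFC 1157) GetRequest/GetResponse encoder and
# decoder in ASN.1 BER. Not code from the article or from NET-SNMP. Tag values
# and the sysDescr.0 OID are standard; all sample data below is constructed.

SNMP_V1 = 0
GET_REQUEST = 0xA0    # context-specific tag for GetRequest-PDU
GET_RESPONSE = 0xA2   # context-specific tag for GetResponse-PDU
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # standard MIB-II sysDescr.0


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(v):
    if v == 0:
        return tlv(INTEGER, b"\x00")
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(dotted):
    """Dotted OID -> BER: first two arcs packed as 40*x+y, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv1 message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind_list = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b"")))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0) + varbind_list)
    return tlv(SEQUENCE, encode_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get_response(community, request_id, oid, value):
    """What an agent would answer; constructed here, no device is contacted."""
    varbind_list = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + tlv(OCTET_STRING, value.encode())))
    pdu = tlv(GET_RESPONSE, encode_int(request_id) + encode_int(0) + encode_int(0) + varbind_list)
    return tlv(SEQUENCE, encode_int(SNMP_V1) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, payload, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(payload):
    arcs, acc = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(data):
    """Decode an SNMPv1 message into a dict; varbinds become (oid, value) pairs."""
    _, msg, _ = read_tlv(data, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    fields, pos = [], 0
    for _ in range(4):                      # request-id, error-status, error-index, varbind list
        _, payload, pos = read_tlv(pdu, pos)
        fields.append(payload)
    varbinds, pos = [], 0
    while pos < len(fields[3]):
        _, vb, pos = read_tlv(fields[3], pos)
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        if vtag == OCTET_STRING:
            value = val.decode("latin-1")
        elif vtag == INTEGER:
            value = int.from_bytes(val, "big", signed=True)
        elif vtag == NULL:
            value = None
        else:
            value = val                     # other types left as raw bytes
        varbinds.append((decode_oid(oid), value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("latin-1"), "pdu_type": pdu_tag,
            "request_id": int.from_bytes(fields[0], "big", signed=True),
            "error_status": int.from_bytes(fields[1], "big", signed=True),
            "varbinds": varbinds}


def agent_accepts(packet, configured_community):
    """Agent-side check: the community string is the only credential in SNMPv1."""
    return parse_message(packet)["community"] == configured_community


def community_in_clear(packet, community):
    """True if the community string appears verbatim in the datagram bytes."""
    return community.encode() in packet


if __name__ == "__main__":
    req = build_get_request("public", SYS_DESCR_0)
    print("GetRequest:", req.hex())
    print("agent configured with 'public' accepts:", agent_accepts(req, "public"))
    print("agent configured with 'n0t-default' accepts:", agent_accepts(req, "n0t-default"))
    print("community readable on the wire:", community_in_clear(req, "public"))
    resp = build_get_response("public", 1, SYS_DESCR_0, "Linux router 2.2.18")  # constructed reply
    print("GetResponse varbinds:", parse_message(resp)["varbinds"])
```

Running the block prints the 40-byte GetRequest in hex, in which the bytes 70 75 62 6c 69 63 ("public") are visible directly after the version field; that is the whole of SNMPv1's authentication, which is why the article's plea to change the default community names matters and why read-write access in particular deserves a community string of its own.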
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,2848,1_3855,00.html

Decrease your stress: Two monitoring tools that will make your job easier
http://www.unixinsider.com/jsw/linsec_nl/swol-10-2000/swol-1027-supersys.html

An examination of network monitoring protocols and tools
http://www.unixinsider.com/jsw/linsec_nl/swol-09-1999/swol-09-realtime2.html

SNMP versions 2 and 3: Skip the sequels
http://www.itworld.com/jitw/linsec_nl/cma/ett_article_frame/0,2848,1_1494,00.html

Better Network Management through SNMP
http://www.itworld.com/jump/linsec_nl/whitepapers.itworld.com/data/frame?u=/data/detail&qs=id=965763520_107&type=RES&f=1
________________________________________________________________________________