Linux Server Hardening and Monitoring
Linux is a powerful and very stable operating system for production servers. The measures needed to make it as secure as possible do not come enabled in a default installation, however!
Three levels of this service are offered:
Level 1 service: (RedHat Linux Only)
Level 1 service is the highest quality security product I offer. It is always based upon the Linux version I am most familiar with, RedHat Linux.
I set up your machine from scratch, in my office, and
return it to you when done. This makes for a very clean, hardened
installation, many times harder to crack than what would be available
out-of-the-box. If you are not running BIND and do not expect to add
services later, I may even
be able to implement a custom kernel that can stop certain cracker
(hacker) activities
in their tracks.
I can also secure the machine against on-site console compromises if needed. With a machine that I set up this way, an on-site cracker would have to be relatively highly skilled and would have to physically take your machine apart in order to gain root from the console (the default, unmodified install can be root compromised in under 5 minutes, in three different ways, at the console).
Level 2 service:
You would set up a brand new Linux install on a hard
drive that contains no files from a previous Linux install, and
before connecting it to any LAN you would set up kernel firewalling
(not at your router or external firewall, I do mean directly on your
machine) to block all traffic except for my IP address, and I would
take it from there. This is the preferred method for non-RedHat
servers. If a machine is to be a RedHat Linux machine, I will usually
try to talk you into having me set the machine up from scratch instead
(Level 1 service) because of the additional hardening I can do to the
machine.
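The "block everything except my IP address" lockdown described above, as an added example that is not the consultant's own script. It assumes IPv4 iptables on the new machine, that the administrator arrives over SSH on TCP port 22, and the placeholder address 192.0.2.10 (TEST-NET-1) stands in for the administrator's real IP. The ruleset is generated in iptables-restore format so it can be reviewed before it is loaded, and a check function confirms that every chain defaults to DROP and that the only new connection admitted comes from the administrator's address.

```shell
#!/bin/sh
# Added example (not the page's own code): host-only firewall for a fresh
# install before it is cabled into the LAN. Assumes iptables (IPv4) and an
# administrator reaching the box over SSH on TCP/22. ADMIN_IP is a
# placeholder from the TEST-NET-1 documentation range.

ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # placeholder, replace with the real admin host

# Emit an iptables-restore(8) ruleset: default DROP on every chain, loopback
# open, replies to the admin's own connections allowed, and exactly one hole
# for new connections: SSH from the admin address.  Everything else is
# logged (rate limited) and dropped, so probes show up in syslog.
gen_lockdown_rules() {
    admin="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# traffic belonging to connections the admin opened
-A INPUT -s ${admin} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d ${admin} -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only new inbound connection accepted: SSH from the admin address
-A INPUT -s ${admin} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# log and drop everything else
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "lockdown-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Verify a ruleset before loading it: every chain must default to DROP and
# the single NEW-state ACCEPT must be sourced from the expected admin address.
# Returns 0 when the ruleset is the intended lockdown, 1 otherwise.
check_lockdown_rules() {
    rules="$1"
    admin="$2"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP'  || return 1
    n=$(printf '%s\n' "$rules" | grep -c -- '--state NEW -j ACCEPT' || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -- '--state NEW -j ACCEPT' \
        | grep -q -- "-s ${admin} " || return 1
    return 0
}

# Usage (as root, with the machine still unplugged from the LAN):
#   gen_lockdown_rules "$ADMIN_IP" > /etc/sysconfig/iptables-lockdown
#   check_lockdown_rules "$(cat /etc/sysconfig/iptables-lockdown)" "$ADMIN_IP" \
#       && iptables-restore < /etc/sysconfig/iptables-lockdown
# Only then connect the cable; only the admin host can open a connection.
if [ "${1:-}" = "--print" ]; then
    gen_lockdown_rules "$ADMIN_IP"
fi
```

Note that OUTPUT also defaults to DROP, so the machine cannot resolve names or fetch packages on its own while locked down; that is intentional for the hand-over phase, and the person doing the hardening opens outbound access deliberately once they have the box.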
Level 3 service:
A Linux machine that has been connected to the internet at any time after its most recent hard drive reformat (repartition) and operating system install is a Level 3 service machine. The reality is that such a machine could already be compromised by a stealthy cracker. I will check it as closely as I can when I get in, and will be able to remove any unsophisticated crackers, but a skillful and stealthy cracker is sometimes undetectable in this situation. Such a machine is monitored and administered in the same highly careful ways that a Level 1 or Level 2 machine is, but with the understanding that we are not dealing with a positively known-clean initial install.
What happens if, despite our best efforts, someone gets into one of our machines?
How we handle a cracker depends on what level of access the cracker has gained and what the person has done with the machine, and is very much a case-by-case affair. It can vary from as little as simply changing a password and pursuing an abuse complaint with an ISP, to having you ship your hard drive to a Unix filesystem expert to attempt to recover destroyed data (or, perhaps, recover evidence), up to and including making a call to the FBI in the event of financial damage.
Understand that the perspective of a good security administrator is that a partial machine compromise is not a question of IF, but WHEN. Making it difficult for a cracker to get in is only half of the game: that effort can be ruined by one legitimate user who uses the same password on your machine as on his email somewhere else. The other half of security administration is building the machine to be a difficult and tattle-tale environment for potential crackers who have gained any level of access.
Rates for Services:
Level 1 Machine Setup:
Per-Machine configuration: $300 plus shipping charges as required.
Level 2 Machine Setup:
Per-Machine configuration: $150
Level 3 Machine Setup:
Per-Machine configuration: $150, unless I have to take out existing crackers and that part of it takes longer than an extra hour. Removal of existing crackers that takes longer than an hour is charged at the regular consulting rate ($50.00/hr).
Continual Update/Remote Log/MRTG package:
1 - 3 machines: $20.00/each/per month
3 - 6 machines: $16.00/each/per month
7 + machines: $14.00/each/per month
Remote Log/MRTG package: $7.00/mo
MRTG only: $5.00/mo
Details of these services are:
Continual Update:
I monitor the distro update releases (RedHat/Fedora), and update the packages on the machine as updates become available.
Remote Log:
The server logs all of its syslog messages, in realtime, to
my remote server. These logs are emailed to you at the end of each
month, and can be accessed by me if needed at other times.
MRTG:
I host a website that contains graphs indicating various
statistics on your server which are updated live, at 5 minute
intervals. These graphs usually include ethernet traffic statistics,
number of tcp connections, disk partition usage, number of logged in
users, memory utilization, swap space utilization, and CPU utilization.
The statistics are viewable by day, week, month, and year.
Secure LAN design:
Redesigning an entire site or LAN to have a level of security that matches the LAN's function is not a matter of throwing a commercial firewall at it and walking away, as some people (think of them as firewall software resellers) would have you believe. It requires an honest evaluation of the existing state of the LAN, determination of whether certain kinds of machines should be replaced with more controllable platforms, and usually a number of changes, additions, and safeguards, only one of which may be an internet-facing "firewall". Furthermore, a large number of secure LAN redesigns can, and in my opinion should, be done with free, open-source software. This is another thing that firewall software resellers would prefer you not believe because, obviously, they make money through selling, and they may come up with a number of bogus yet legitimate-sounding arguments against this position. The real-world track record of open-source software shows that correctly managed open-source software translates into decreased vulnerability.
"Security through obscurity" is a phrase that rhymes, nothing more.
I can design and implement network security redesigns on some, but not all, sites. I work with sites that are not overwhelmingly Microsoft-dependent, or are willing to migrate to a Linux platform for their mission-critical servers. Microsoft workstations are normally not a problem when treated correctly.
Because of the time-consuming nature of this kind of job, I am only
able to do this for small to medium sized service providers and
businesses right now.