The Linux Letter: Espousing the Open-Source Option for Networking

Not long ago, I found myself in a discussion with a recent IT graduate (whom I'll call Tom) over the virtues of using open-source components versus commercial products for managing and participating in a network. As is typical with many IT graduates of late, Tom believed (or was taught) that commercial products were the be-all and end-all of the networking scene. To him, nothing else was worth considering.

I suspect that most IT graduates are learning only about commercial offerings while in school (no doubt due to the sweet deals that Microsoft and other vendors use to coerce institutions of higher learning); hence his preference for them. He was quite surprised to learn not only that the Internet is based largely on open-source software but also that a company's entire network could be built, secured, and managed using only open-source products. In fact, when I told him, he threw down the gauntlet and challenged me to prove it to him. Never one to back down from a challenge (particularly when I know I'm right), I took him on a tour of some of the well-known open-source software and tools available for both Internet and intranet use.

The Internet Services Infrastructure

The first things I pointed out to Tom were a few of the many open-source software products that support the Internet. (I've mentioned them in previous articles, so I won't elaborate.) The short list includes Berkeley Internet Name Domain (BIND), which provides the vast majority of DNS services for the Internet; Apache Web Server, which serves up HTML for the majority of Internet Web sites; and Sendmail (and work-alikes Postfix and qmail), which move the majority of all that spam--I mean email--from place to place.

Tom conceded that open-source and the Internet seemed to be inextricably linked, since I picked what he considered to be the "Big Three" on the list of things that happen on the Internet. Of course, I also could have pointed out that other services that people cannot seem to live without, such as instant messaging and audio streaming, are handled adroitly by projects such as Jabber and Icecast, respectively. But since he didn't ask, I didn't volunteer that information. (I hate it when people continue to argue even though they've won the argument!)

Having easily survived the first round, I directed our discussion to a relatively simple network that can be found in the majority of businesses across the country if not around the world. You probably have one of these yourself.

The Network Scope

The network we considered is typical of what many readers of this column use: one or more subnets (to keep departmental traffic segregated), a connection to the Internet, perhaps a few servers that provide email and Web services to the outside world, and finally a few more to handle their internal file/print serving, intranet Web site, and business applications. The users of this hypothetical network may have wireless connections within their company locations and probably access the internal network from the Internet via some kind of virtual private network (VPN). For the most part, the client computers are running some version of Windows. The servers are most likely running UNIX or UNIX-like OSes, the iSeries, or even Windows.

The Network Appliances

When designing a network, we have to make decisions that affect performance and security. Using routers in combination with switches allows us to direct packets efficiently to their destination while maximizing our use of available bandwidth. The routers allow us to segregate groups of users (thus minimizing useless intergroup traffic), while the switches keep collisions between devices to a minimum. To enforce our security policies, the firewall is always the first line of defense.

The most famous name in the business of routers and firewalls would probably be Cisco Systems, and the quality of its products is excellent. But you can duplicate a great deal of the functionality of the Cisco boxes using open-source software. Cisco does have some proprietary extensions that, if you need them, are worth the price of admission. But for a run-of-the-mill site, an excellent substitute is readily built.

Take any Pentium-class computer, add two network interface cards, 32 MB or so of RAM, and Linux, and you have a machine capable of becoming a router or firewall. A quick search for "Linux Router" on Freshmeat yields projects that provide some sophisticated routing functionality, including the ability to do traffic shaping (for Quality of Service applications) and Network Address Translation (NAT). There are projects meant to be run from a single floppy, a CD, or even a compact flash memory module. Linux really wants to route traffic for you and can be configured to do so with a few simple commands.

What about a firewall? The Linux kernel has had the capability to do network packet filtering for a long time. The latest kernel versions, 2.4 and 2.6, have extremely powerful capabilities in this regard. Most Linux distributions will allow you to enable the firewall during installation so that your local box is properly protected from the rest of the network. More-sophisticated firewall configurations can be built from the command line, or if you like doing system management via a GUI, an open-source tool such as fwbuilder will generate the script for you. A search of Freshmeat for "Linux firewall" yields yet another plethora of options from which to choose.
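A concrete version of the two-NIC router/firewall described above, as an added example that is not from the column or from any project it names: a POSIX shell script that emits a stateful-filtering plus NAT ruleset in iptables-restore format (the same "generate the script first" approach fwbuilder takes), and applies it only when asked. The interface names eth0/eth1 and the 192.168.1.0/24 office subnet are assumptions; the policy is default deny, with management reachable only from the LAN side.

```shell
#!/bin/sh
# Added example (not from the article): make a two-NIC Linux box a
# stateful NAT router/firewall with netfilter/iptables (kernel 2.4/2.6).
# Interface names and the LAN subnet are assumptions; adjust for your site.
WAN_IF="${WAN_IF:-eth0}"            # interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"            # interface facing the office subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset as text so it can be reviewed before it touches the kernel.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT: hide the LAN behind the router's public address.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
# Default deny for anything addressed to the box or crossing it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: packets arriving on the WAN side must not carry LAN addresses.
-A INPUT -i ${WAN_IF} -s ${LAN_NET} -j DROP
-A FORWARD -i ${WAN_IF} -s ${LAN_NET} -j DROP
# Stateful: allow replies to connections the box or the LAN initiated.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Manage the router over SSH from the LAN only; never expose it on the WAN.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
# LAN may initiate outbound; nothing from the WAN may initiate inbound.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
COMMIT
EOF
}

# Sanity check: count ruleset lines matching a pattern (e.g. MASQUERADE).
count_matching() { build_ruleset | grep -c -- "$1"; }

# Load the ruleset atomically and turn on forwarding. Needs root.
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       build_ruleset ;;   # default: just print it for review
esac
```

Run it with no arguments to inspect the generated rules, and with `--apply` as root once you are satisfied.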

If you read any of the literature concerning open-source firewalls, you undoubtedly will read a disclaimer warning you (in so many words) that you can easily shoot yourself in the foot should you configure your firewall improperly. I'm convinced that statements like that are generated by those with a vested interest in your not doing the setup yourself. Sure, if you don't know what you're doing, then you certainly could shoot yourself in the foot. But you can just as easily cause bodily harm using a proprietary product under the same circumstances. That a solution is commercial is not a guarantee of its efficacy or security. This stuff isn't rocket science; with some effort, you can learn what you need to know to configure a firewall. But if you really want to feel secure, then hire someone who has experience configuring firewalls to do it for you, be it a commercial or an open-source solution. Of course, now you get to worry about whether or not he or she did it properly, but at least you didn't make the mistake.

By the way, you can also use the fwbuilder program I mentioned earlier to configure your Cisco PIX firewall if you purchase the commercial license for the product. Learn to use that tool and your knowledge is transportable between the commercial and open-source worlds!

Addressing

The basics of running a TCP/IP network include managing the IP addresses for your machines--both assigning them (via dhcpd) and resolving the address for a given host name (via named, a.k.a. BIND). There isn't much to discuss here; virtually every distribution includes the servers that you'll need to accomplish this. (Notable exceptions are distributions that sell "workstation" versions, such as Red Hat Enterprise Workstation, since they are billed as workstation products. You wouldn't normally run these types of services on a workstation machine.) The configuration of these services is well-described both in the online documentation (man pages) and at The Linux Documentation Project site, so I won't mention it further. Suffice it to say that UNIX had TCP/IP before most of the other OSes did, so its capacity to handle related tasks is a given.

Authentication

Only the most grossly simple networks, such as a husband-and-wife, two-computer network, require no user authentication (although I'm sure many married couples would refute that statement!). Once again, the open-source world can provide the required authentication services.

For a Windows network, Samba may fit the bill. But if a more-generalized authentication system is appropriate, then there is always OpenLDAP or Kerberos. Servers for all three of these methods are available and usually are included in Linux distributions. Keep in mind, however, that Samba has some limitations within a Microsoft-managed domain. Also, the version of Kerberos that is included with Linux distributions conforms to the official Kerberos standard (not the bastardized standard created by Microsoft), so there are some interoperability issues between the two versions.

Externally Accessing the Network

Our users want to access our network from their homes, and we want to let them--but only if it can be done securely. The same holds true for the wireless access from within the buildings. Wireless access points are notorious for security breaches. The solution in both cases is a VPN. The concept is simple: Join two secure networks together across an insecure one by creating an encrypted tunnel between the two.

There are a number of ways to accomplish this task. Many take advantage of the ssh tool and its ability to redirect ports from one machine to another. For simple situations, it works well, but for more complete solutions, turn to something like OpenVPN. This project runs on Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Solaris, and Win2K/XP and can be used to build the required VPN between your employees' homes and the office network or between wireless devices and the office network.

Keeping Watch

Of course, once your network is up and running, there is always the task of monitoring its status. For that, Nagios is hands down the most powerful open-source tool. Nagios can monitor the status of your servers, your managed switches, even network-attachable temperature monitors. It provides an excellent graphical view of your network status. And it can do customary notifications (email, pagers, cell phones, etc.). Thus, you can have a professional-grade network operations center at an extremely reasonable price: free.

Although Nagios will tell you when there is a problem, you sometimes need a network protocol analyzer to track down the problem's source. Among open-source aficionados, the tool of choice for this task is Ethereal. Ethereal will allow you to watch the bits flowing across the wire. It will organize the results for you, letting you follow the conversations between devices. It even speaks EBCDIC, so it can be useful when tracing packets to an iSeries.

Should I or Shouldn't I?

The decision to use open-source instead of commercial, proprietary solutions comes down to a few factors. Ask yourself the following questions:

  • Can I get all of the functionality I need using open-source tools, or is there something I want that is proprietary? (If you answer the latter, then your decision is simple.)
  • Will what I'm planning to do be something that comes up frequently, or is it a one-shot deal? (You may not want to take the time to learn to configure routers or firewalls if it's unlikely to come up again. But, if you learn to do it yourself, you'll be able to add a firewall at will, wherever it makes sense. This holds true for both commercial and open-source products.)
  • What do I have more of--time or money? (Learning how to configure all of this is rewarding and can be extremely useful. It also can save lots of money. But even though I know how to change my oil and perform basic car repairs, I don't have lots of time, so I pay someone else to do it for me.)
  • Do I have lots of old equipment available on which to learn? (If you have some spare computers around, then you can resurrect them from the dead and once again make them useful. There is some gratification in recycling equipment besides the result of stretching your budget.)

What About Tom?

Once I outlined all of this to Tom (and showed him some of it running on my laptop), he was convinced that what I said was indeed correct. Now, he runs Linux on one of his two home systems so that he can learn more about the networking aspects of the operating system.

How about you? Interested in giving open-source a try on your network?

Barry L. Kline is a consultant and has been developing software on various DEC and IBM midrange platforms for over 21 years. Barry discovered Linux back in the days when it was necessary to download diskette images and source code from the Internet. Since then, he has installed Linux on hundreds of machines, where it functions as servers and workstations in iSeries and Windows networks. He also co-authored the book Understanding Linux Web Hosting with Don Denoncourt.
