The reference SME for this how-to is a single-office SME with fewer than 100 employees. All departments operate from that single location. A limited number of staff require regular remote access to information and services. Microsoft Windows desktops and laptops are networked over a wired Ethernet LAN, and several meeting spaces have wireless networks available. Internet connectivity is a single 512 KB ADSL link. An external service provider hosts the SME's Internet presence and e-commerce activity.
There are four areas you need to have preplanned before starting your infrastructure deployment.
Network infrastructure. By default, all network traffic originating from the internal network is allowed, and all network traffic arriving from the external network is filtered. A non-routed (private) network range is required. The common default of 192.168.2.1 will cause problems when the VPN is used, because many public networks also use 192.168.2.1 and the two ranges would collide. Using a 10. network is recommended. Remember, no 10. addresses are routed on the public Internet, so you can choose anything between 10.0.0.1 and 10.254.254.254.
Managing remote access.
Creating a VPN (Virtual Private Network) introduces a completely different security paradigm: the VPN allows a presumably trusted remote system to access services inside the network.
Topic | Used in How-To | Your Answer
--- | --- | ---
Network Range | 10.40.40.0 |
DHCP Range | 10.40.40.100-10.40.40.200 |
Gateway Address | 10.40.40.1 |
Domain | limestone.lan |
Perimeter Server Name | headwall |
Time Server | ca.pool.ntp.org |
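A quick way to sanity-check the address plan in the table above before deploying anything. This is an added example, not part of the original how-to; it uses the how-to's values (10.40.40.0, the 10.40.40.100-10.40.40.200 DHCP pool, gateway 10.40.40.1) and assumes a /24 mask, which the table does not state. The "common client ranges" list is an assumption about which 192.168.x.0/24 networks public and home networks typically hand out.

```python
"""Sanity-check an SME address plan: private range, no clash with common
public/home ranges (the VPN problem the how-to describes), DHCP pool and
gateway inside the network, gateway outside the pool.

Added example; the /24 mask and the client-range list are assumptions.
"""
import ipaddress

# Private ranges that are never routed on the public Internet (RFC 1918).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed list of ranges many home and public networks hand out. A VPN
# client sitting on one of these cannot reach an office LAN using the same
# range, because the addresses collide.
COMMON_CLIENT_RANGES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
]


def check_plan(network, dhcp_start, dhcp_end, gateway):
    """Return a list of problems with the plan; an empty list means it passes."""
    net = ipaddress.ip_network(network, strict=True)
    start, end, gw = (ipaddress.ip_address(x) for x in (dhcp_start, dhcp_end, gateway))
    problems = []

    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not a private (RFC 1918) range")
    if any(net.overlaps(r) for r in COMMON_CLIENT_RANGES):
        problems.append(f"{net} overlaps a range commonly used by public/home networks; "
                        "VPN clients on such networks will clash with the office LAN")

    for name, addr in (("DHCP start", start), ("DHCP end", end), ("gateway", gw)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside {net}")

    if start > end:
        problems.append("DHCP range start is after its end")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the DHCP pool and may be handed to a client")
    return problems


if __name__ == "__main__":
    # The how-to's plan, with the assumed /24 mask.
    for p in check_plan("10.40.40.0/24", "10.40.40.100", "10.40.40.200", "10.40.40.1"):
        print("PROBLEM:", p)
    # The default range the how-to warns against.
    for p in check_plan("192.168.2.0/24", "192.168.2.100", "192.168.2.200", "192.168.2.1"):
        print("PROBLEM:", p)
```

Run it once with your own values filled into the "Your Answer" column; anything it prints should be resolved before the perimeter server is built, since renumbering a LAN after the VPN is in use is far more disruptive than choosing well up front.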
We are working through documenting Operational Best Practices for managing Linux systems.
The basics include:
Steps to achieve these best practices include formally documenting your technical architecture: which applications are included and which are excluded. When a new application is required, the search path is driven by an Architectural Principle that gives priority to the Linux OS repository, then to selected third-party repositories, and only then to downloading or building executables. For every approved application that is not in the Linux repository, life-cycle management must be provided to monitor for security and break-fix patching.
In all but a few cases, only use yum to install software from the distribution repository. Using the package manager to draw applications from established repositories makes it straightforward to keep current and to manage applications effectively. The distribution-based repositories are one of the great strengths of Linux. Downloading applications and performing isolated installations is a sure way to increase your operational requirements. Downloading source code, compiling and installing should be avoided wherever possible; it leads directly to an escalating TCO. Increasing the operational burden on an SMB infrastructure is a very poor practice. Webmin is not available as part of the standard CentOS repository. As a rule, adding software from third-party repositories or directly from a developer has the potential to raise your costs, so think very carefully before using a non-CentOS.org repository. One of the strengths of a distribution-based repository is the ability to minimize operational costs. In the case of Webmin the application must be acquired from a non-CentOS repository. See the sidebar for a discussion of the choice between Dag's repository and the developer. For Webmin, use the developer repository.
The developer's Webmin package will take updates outside of the rpm management system, whereas using Dag's repository keeps the rpm database in sync with what is installed. For a perimeter server we want to minimize both management effort and risk, so Webmin will be installed from Dag's repository.
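The life-cycle management requirement above is easiest to meet if you can see, at a glance, which installed packages came from the distribution, which from a third-party repository, and which were installed by hand. The script below is an added example, not part of the how-to. It parses the `NAME.ARCH VERSION REPO` layout that `yum list installed` prints on CentOS of that era, where the REPO column reads `@<repo>` for a repository install and `installed` for a package put on the box from a local RPM; that reading of the column, the sample output, and the repository names in the tier sets (`rpmforge` standing for Dag's repository) are all assumptions made for the example.

```python
"""Inventory installed packages by provenance tier, following the how-to's
search order: distribution repository, then selected third-party
repositories, then anything installed by hand.

Added example; the sample output and the repo-to-tier mapping are
constructed/assumed, not taken from a real host.
"""
import re

# Constructed sample of `yum list installed` output (not from a real host).
# Long package names wrap onto two lines in real yum output; this sample
# has none, and the parser does not handle wrapped lines.
SAMPLE_OUTPUT = """\
Loaded plugins: fastestmirror
Installed Packages
bash.x86_64                 4.1.2-15.el6_4            @base
openssh-server.x86_64       5.3p1-94.el6              @updates
shorewall.noarch            4.5.21.1-1.el6            @rpmforge
webmin.noarch               1.660-1                   installed
mycustomtool.x86_64         0.1-1                     installed
"""

# Tiers in the order the how-to prefers them (assumed repository names).
DISTRIBUTION_REPOS = {"base", "updates", "extras"}
THIRD_PARTY_REPOS = {"rpmforge", "epel"}   # rpmforge = Dag's repository

# Package lines look like NAME.ARCH  VERSION  REPO; the dot in NAME.ARCH
# keeps the "Loaded plugins: ..." banner from matching.
LINE_RE = re.compile(r"^(?P<name>\S+\.\S+)\s+(?P<version>\S+)\s+(?P<repo>\S+)$")


def classify(repo_field):
    """Map the REPO column to 'distribution', 'third-party' or 'manual'."""
    if repo_field == "installed":
        return "manual"            # local RPM or source build: nothing tracks its updates
    repo = repo_field.lstrip("@")
    if repo in DISTRIBUTION_REPOS:
        return "distribution"
    if repo in THIRD_PARTY_REPOS:
        return "third-party"
    return "manual"                # unknown repository: treat conservatively


def inventory(text):
    """Return {package: tier} for every package line in yum output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("name")] = classify(m.group("repo"))
    return result


def needs_lifecycle_management(text):
    """Packages outside the distribution repos: these need their own
    security and break-fix patch monitoring under the how-to's principle."""
    return sorted(pkg for pkg, tier in inventory(text).items() if tier != "distribution")


if __name__ == "__main__":
    for pkg, tier in sorted(inventory(SAMPLE_OUTPUT).items()):
        print(f"{pkg:30} {tier}")
    print("needs life-cycle management:", needs_lifecycle_management(SAMPLE_OUTPUT))
```

On a real host, feed it `yum list installed` output instead of the sample and keep the resulting list with the architecture document; each entry in it is an application someone has to watch for patches by hand.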
Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.
You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file.
You define exceptions to those default policies in the /etc/shorewall/rules file.
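To make the relationship between the two files concrete: Shorewall consults the rules file first, and only when no rule matches does the zone-pair policy decide. The model below is an added example, not Shorewall's own code and not part of the how-to. It embeds two constructed file fragments in the column layout of /etc/shorewall/policy (SOURCE DEST POLICY LOG) and /etc/shorewall/rules (ACTION SOURCE DEST PROTO DPORT), assuming three zones: net (the Internet), loc (the 10.40.40.0 office LAN) and $FW (the perimeter server itself). Macros, connection tracking, interface handling and everything else real Shorewall compiles into iptables are left out; the point is the order of evaluation.

```python
"""Simplified model of Shorewall's policy/rules evaluation order.

Added example, not Shorewall's code. The two fragments below are
constructed for this example and mirror the how-to's stance: traffic from
the internal network is allowed by default, traffic from the external
network is filtered, and a few explicit exceptions live in the rules file.
"""

# Constructed /etc/shorewall/policy fragment (first matching zone pair wins).
POLICY = """\
#SOURCE  DEST  POLICY  LOG
loc      all   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

# Constructed /etc/shorewall/rules fragment (first matching rule wins).
# Ports here are illustrative: 22 for administration, 1194 for an OpenVPN
# listener, and 25 blocked outbound so only the mail relay may send.
RULES = """\
#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   net     $FW   tcp    22
ACCEPT   net     $FW   udp    1194
DROP     loc     net   tcp    25
"""


def parse(text, ncols):
    """Split a Shorewall-style file into rows; comments and blank lines are
    dropped and short rows are padded with '-' (Shorewall's 'any' marker)."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            cols = line.split()
            rows.append(cols + ["-"] * (ncols - len(cols)))
    return rows


def zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone


def port_matches(pattern, port):
    if pattern == "-":
        return True
    return str(port) in pattern.split(",")   # DPORT may be a comma list


def evaluate(src, dst, proto, dport, rules=RULES, policy=POLICY):
    """Return the action taken for a new connection from zone `src` to zone
    `dst` (use '$FW' for the firewall itself): rules first, then policy."""
    for action, rsrc, rdst, rproto, rport in parse(rules, 5):
        if (zone_matches(rsrc, src) and zone_matches(rdst, dst)
                and rproto in ("-", proto) and port_matches(rport, dport)):
            return action
    for psrc, pdst, paction, _log in parse(policy, 4):
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return paction
    # Unreachable with the all/all line above; this model assumes reject
    # for any zone pair the policy file does not cover.
    return "REJECT"


if __name__ == "__main__":
    for conn in (("loc", "net", "tcp", 80), ("loc", "net", "tcp", 25),
                 ("net", "$FW", "tcp", 22), ("net", "$FW", "tcp", 23),
                 ("net", "loc", "udp", 1194), ("$FW", "net", "tcp", 80)):
        print(f"{conn[0]:>4} -> {conn[1]:<4} {conn[2]}/{conn[3]:<5} {evaluate(*conn)}")
```

Two things the run makes visible that the prose alone does not: the `loc -> net` DROP for port 25 shows that a rule overrides an otherwise permissive policy, and the `net -> loc` UDP 1194 DROP shows that a rule for `$FW` does not open the same port into the LAN. Also note that `$FW -> net` falls through to the `all all REJECT` line; on a real perimeter server you would normally give the firewall's own outbound traffic an explicit policy rather than rely on the catch-all.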
Items to decide: