Run a Business Network on Linux
Run a Business Network on Linux, Part One: Linux oldtimers have known for years that it's not necessary to go into hock for expensive, proprietary networking gear, because Linux comes with a powerhouse networking stack. It also comes with a host of first-rate network services such as intrusion detection, firewalling, proxies; file, print, Web, and email services; excellent groupware and messaging; genuine secure remote access and administration; secure wireless; diagnostic, monitoring, and repair tools; backups and restores; and most everything else needed to run the small-to-big enterprise. In this new series we're going to learn how to run a business network on Linux using best-of-breed applications. Best-of-breed, happily, is a difficult and debatable proposition because there are so many good choices, so we'll just have to roll up our sleeves and do our best.
In this series our workhorses will be Ubuntu Server Edition and Voyage Linux. Ubuntu Server Edition is a good, sensible fluff-free bundle that makes a great LAN server. In addition to the usual mail/file/print/Web/etc. servers, it includes automated and unattended network installations of new PCs, one-click Active Directory integration for the poor souls who must have that, and a commercial support option.
Voyage is a very stripped-down Debian Linux; the stock installation is 68 megabytes. Unlike most embedded Linuxes, Voyage comes with the excellent apt-get package manager. Most tiny Linuxes sacrifice the package manager, so they are difficult to upgrade or add new software. With Voyage you have the entire world of Debian available to you, so customizing your own gear is easy. It's great for firewalls and routers, and specialized servers that need a small footprint.
I see some fine *BSD fans raising their hands, and they are correct- FreeBSD, OpenBSD, and NetBSD also have all these things. In some cases they're even better than their Linux cousins, so as the series progresses I'll include some pointers to these as well.
Avoiding Traps and Pitfalls
TCP/IP networking is supposed to be platform-agnostic; in other words, you should be able to plug any client into a network and have access to all network resources. Of course in the real world it's a bit more difficult than that, as so many vendors invest more resources into locking customers in by devious and unsavory means, rather than giving them good reasons to stay. While I love to crab at Microsoft's non-standard implementations of networking standards, don't forget that Apple didn't even include a TCP/IP stack in MacOS. If you wanted TCP/IP you had to purchase third-party software like Thursby's Dave. Sure, MacOS had AppleTalk , which made networking with other Macs as easy as plugging them in. As long as all the Macs on the local AppleTalk network were running the same MacOS version, that is, or hadn't been made obsolete by an OS upgrade that left not-very-older hardware behind.
Linux is your insurance against lock-in and forced obsolescence, which are just two of the many reasons I like it so much. If you need real interoperability, and not the fake kind that exists only in press releases, then you want FOSS (Free/Open Source Software).
No Cheap Network Hardware
My friends call me a bore on the subject of careful hardware shopping, but then they go out and buy some dumb widget because it has a low price tag, and then they waste all kinds of time trying to make the thing work, and then bore everyone with complaints. The math is simple — what costs less, hours of your time, or a few dollars more for something that works right and doesn't drive you crazy? The Internet is chock-full of user reviews, so you don't have to shop blindly. If a device does not have good Linux support, don't buy it. The more users and devices under your care, the more important it is to invest in quality gear. Downtime, service interruptions, and nurse-maiding cheapo hardware get expensive quickly.
On the other hand, you don't have to pay too much. x86 hardware gives you so much bang for your buck that you don't need specialized, expensive gear for most networking jobs. Sure, your local friendly Cisco-certified person will probably scoff at your Linux-powered router on inexpensive hardware. Let her scoff, for you are saving a ton of money, getting great performance, and using your standard familiar Linux commands. You know there are no secret vendor backdoors (known to every cracker in the world but not you), and that bugs and security flaws will not be swept under the rug.
There are three tools that I think are essential for a network administrator: a good bootable rescue CD, a good bootable rescue USB stick, and a special network administrator's laptop. I prefer SystemRescueCD because I have yet to find an important feature that it doesn't support. You get all the usual important networking and system administration tools, plus it also supports LVM and RAID . A laptop equipped with a serial terminal, at least one wired and one wireless network interface, and all the software utilities you might ever need is a great timesaver, and keeps your blood pressure at healthy levels. It doesn't have to be a super high-powered machine with all the bells and whistles; anything that supports current Linux kernels and is easy to carry around does the job just fine. Stick with Atheros-based wireless interfaces because these support all wireless modes, including management and monitoring. Most of the others only support client functions. The serial terminal is your life-saver when Ethernet goes south, which it will, and it's necessary for embedded boards and headless servers. See The Serial Console: A Front Door Worth Leaving Open to learn how to set it up. Most laptops these days don't have a serial port, but no problem—a USB-to-serial connector is inexpensive and works beautifully. Just plug it in and then run dmesg to see its name, which is usually ttyUSB0.
Come back in two weeks for our next installment, in which we will make sure our Internet gateway is stout and well-secured, and then set up lightweight, reliable intrusion detection that is actually easy to administer, and won't make you crazy with false alarms and endless log analysis and all those other bad things that ID systems are famous for. You can get a head start with the two-part Secure and Manage Voyage Linux series. There is a glitch in Voyage Linux that persists to the new 5.0 release—you'll have to change ownership and permissions on /var/run/sshd to enable remote SSH logins:
# chown root:root/var/run/sshd # chmod 0700 /var/run/sshd
Then run /etc/init.d/ssh restart and you're in business.