
Author dissects inclusion of IPsec in Linux 2.6 kernel

The IPsec (Internet Protocol security) improvements in the Linux 2.6 kernel will take networking to a new level, said author and IT instructor Richard Petersen. In particular, IPsec removes third parties from virtual private network (VPN) creation, making the process virtually painless. In this interview, Petersen describes how IPsec changes security processes in Red Hat Enterprise Linux and the Fedora Project. He also offers advice on how to decide between Fedora and RHEL in enterprise environments and between KDE and Gnome on the Linux desktop. Petersen teaches Unix and C/C++ courses at the University of California at Berkeley. He is the author of several books on Linux, including Red Hat Enterprise Linux & Fedora Edition: The Complete Reference and Red Hat Linux Pocket Administrator from McGraw-Hill/Osborne Media.

Richard Petersen
Can you discuss how the IPsec enhancements in the 2.6 Linux kernel might change security in Red Hat's Fedora Project?
IPsec integrates encryption into the IPv6 protocol, providing for secure transmissions. For Fedora, IPsec will mean that any group of Fedora users could set up what is in effect their own private network, using any physical network system such as the Internet. Friendly systems can also be arranged for encrypted transmissions for any communications. You would no longer have to rely as much on third-party encryption like SSH.

On the other hand, authentication issues, such as those handled by Kerberos, still are required.

And how will this change security in Red Hat Enterprise Linux?
IPsec makes the use of virtual private networks an integral part of any network system. This has enormous impact on commercial networks such as those supported by [RHEL]. In effect, networks are no longer conceived of as physical entities that have to be manually secured. Instead, you have a much more logical implementation of a network, where the physical network can be any system, intranet or Internet.

A secure network can then be imposed on this physical layer and placed anywhere with instant global reach. Once VPNs had to be implemented with third-party software, configuring each system accordingly. Now, they are part of the very Internet protocol used to connect systems. This takes networking to an entirely different level, letting any number of customized networks be set up using purely a software implementation.

What capabilities does offer that too few administrators use?
IPsec remains difficult to implement. Dual key sets have to be arranged between hosts for reciprocal interaction. Administrators should take note that IPsec is now part of the Red Hat Network configuration tool, with its own panel [system => network =>-config] on Fedora.



What are the most common mistakes you see administrators making in managing servers?
I don't think we can think in terms of common mistakes anymore where servers are concerned. Most admins handle their servers well. It is important to tailor a server to their network's particular needs. One important change in the way of thinking about servers is that they are no longer just providing the rare specialized service. All services, including printing, authentication and even backups are now handled by servers. But I think most administrators already have this attitude. It is, of course, important to maintain detailed documentation on your server configurations.

What's your favorite shortcut or workaround in dealing with Red Hat administration?
There has always been a tension between the command line direct configuration and the Red Hat GUI administration tools. I think that the Red Hat administration tools have matured to the point where they can be relied on. Just be clear on what files are actually being configured in /etc/sysconfig.

What one thing could a Red Hat administrator do each day that could make his systems run more efficiently?
Every system has its own quirks and requirements. On a daily basis, there are the standard procedures of monitoring network and user usage patterns. As a long-term strategy, you should also try to centralize configuration as much as possible, like using Amanda [a client-server based backup application] for server-based backup procedures, LDAP for user authentication, Kerberos for controlling user access, LVM [logical volume manager] for transparent hard disk management and, of course, DHCP for centralized physical network configuration, and even IPsec to create secure virtual networks.

In an enterprise environment, would you use Gnome or KDE (or something else) on the desktop? Why?
It all depends on how any customized software is implemented with the Gnome or KDE interface. Essentially, this centers around the fact that KDE uses the Qt tools [an open source GUI toolkit], which can make for very quick and effective development, but could also hamper development if you run into licensing issues for Qt. KDE does integrate a fine set of system tools, but these tasks are also effectively covered by the Red Hat administration tools. Red Hat does have a preference for Gnome, but has always strongly supported both interfaces. KDE does have a strong international following, especially in Europe.

Could you offer a time-saving tip on setting up Fedora?
Just bear in mind that the Red Hat software administration tool is now far more effective and manageable than previous versions. For an installation, you could easily install just basic software, then later install the packages you want.

Also, for quick basic issues, check the unofficial Fedora FAQ at

In what enterprise settings, if any, would you use Fedora instead of Red Hat Enterprise Linux?
If you are starting up in a small and manageable work environment -- where you are not sure yet how you want your systems to be implemented -- Fedora would work fine, providing you do not need any commercial services. It would also work if you are just using basic tasks, like a simple informational Web site. If, however, you are conducting any time-critical or secure transactions, particularly in large networks, you definitely need the support that Red Hat can provide with [RHEL].
