Besides reducing licensing costs and increasing reliability, Linux in the server room can offer, under many circumstances, the most bang for your buck on the performance front. But it can't promise you security right off the bat: Typically, Linux is no more or less secure than any other operating system straight out of the box.
The basics of security boil down to three areas: configuration issues, patch and version levels, and which network services are running, and how many.
Most mainstream Linux distributions are finally beginning to address security issues up-front and have improved by:
>> Enabling fewer network services by default, forcing administrators to enable the services when necessary. Keeping it simple is the key, and the fewer services running, the fewer vectors exist from which an attacker can choose.
>> Configuring predefined security profiles (low, medium and high). These profiles implement appropriate configuration settings for a desired level of security.
>> Releasing patches in a timely fashion. The time period between public announcement of a vulnerability and release of a vendor patch to fix it can be a dangerous one, during which the host is highly exposed to attack. Reducing this window of opportunity requires effort on behalf of both the Linux vendor and the security administrator, who must test and install the patch in a timely manner. Most of the major Linux distribution vendors push out patches in reasonable time frames.
Although these efforts have gone a long way toward improving the security of Linux, most mainstream vendors still don't address the needs of those who require a high level of security or need a bulletproof server at installation time. Enter security-enhanced distributions. Of the many vendors offering this type of secure solution, two offerings, EnGarde Secure Linux and Immunix, won our favor as the most polished and ready for prime time.
EnGarde Secure Linux
EnGarde Secure Linux (ESL; www.engardelinux.org) is administered completely over a Web-based user interface. ESL was developed by Guardian Digital for use on its rack-mountable server appliances. In keeping with the tradition of open source and the GPL (GNU Public License), Guardian Digital is releasing the entire distribution to the public, making it available for download from the company's site.
The goal of ESL is plug-and-play operation from a Web browser. A few operations, however, still require you to drop to the console CLI (command-line interface); these include setting up Tripwire and resetting the root password. Security enhancements are present, but in future releases we'd like to see the addition of a few features, such as StackGuarded binaries. The main features of ESL are secure e-mail services including Postfix, POP with SSL and IMAP with SSL. Integrity checking via Tripwire is also available.
The only problem we saw with this implementation is some sloppy HTML programming, such as passing user names and passwords in the URL -- even inside SSL sessions. This simply is not a good idea: SSL protects the URL in transit, but credentials placed in a query string still end up in browser history, Web server and proxy logs, and Referer headers.
Still, if you're looking for an e-mail and DNS server that is relatively secure right out of the box, easy to set up and a snap to administer, ESL is your ticket to ride.
Immunix
Buffer overflow attacks are still among the most common methods of exploitation. Even though overflow attacks are well-researched and have known solutions, they still are the source of most break-ins. So if we have known solutions to this problem, then why do we see reports of new buffer overflows on Bugtraq regularly? One reason is that secure programming techniques are rarely taught in computer-science curriculums. In addition, most software vendors simply can't afford to go back and audit their legacy code; thus their applications are left dangling in the wind, waiting to be exploited.
One solution is to wrap binaries in such a way as to protect them from stack smashing (buffer overflowing). This is exactly what StackGuard has been doing for years by patching the GNU Compiler Collection (GCC) to produce binaries that are resistant to almost all types of buffer overflow attack methods. StackGuarded binaries are therefore resistant to just about all the canned scripts used by the vast majority of attackers.
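StackGuard's approach is to have the compiler place a guard value (a "canary") between a function's local buffers and its saved return address, and to emit epilogue code that aborts the program if that value has changed. The following is an added illustration, not code from Immunix or StackGuard: it models the guard word as a struct field so the effect of an unbounded copy can be shown deterministically, and contrasts it with the bounded copy a source audit would substitute. The CANARY constant and the inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a StackGuard-style canary: the "frame" is a struct so
 * the overrun stays inside an object we own and the check is deterministic.
 * Real StackGuard emits the guard word into the actual stack frame and checks
 * it in the function epilogue; CANARY here is a fixed, hypothetical value
 * (a real canary is chosen at run time so an attacker cannot predict it). */
#define CANARY 0xDEADC0DEul

struct guarded_frame {
    char buf[16];          /* local buffer that an unbounded copy overruns */
    unsigned long canary;  /* guard word between buf and the return address */
};

/* The classic bug: copy caller-supplied bytes without honouring buf's size.
 * Returns 1 if the guard word survived, 0 if the copy smashed it. */
int copy_unchecked(const char *input, size_t len)
{
    struct guarded_frame f;
    f.canary = CANARY;
    size_t n = len < sizeof f ? len : sizeof f;  /* keep the model inside f */
    memcpy(&f, input, n);        /* runs past buf when len > 16, as strcpy would */
    return f.canary == CANARY;   /* the epilogue check StackGuard inserts */
}

/* The fix a source audit would apply: bound the copy by the buffer's size. */
int copy_checked(const char *input, size_t len)
{
    struct guarded_frame f;
    f.canary = CANARY;
    size_t n = len < sizeof f.buf - 1 ? len : sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';
    return f.canary == CANARY;
}

int main(void)
{
    const char *benign = "hello";                               /* constructed */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes */
    printf("unchecked, benign:    guard %s\n",
           copy_unchecked(benign, strlen(benign)) ? "intact" : "smashed");
    printf("unchecked, oversized: guard %s\n",
           copy_unchecked(oversized, strlen(oversized)) ? "intact" : "smashed");
    printf("checked,   oversized: guard %s\n",
           copy_checked(oversized, strlen(oversized)) ? "intact" : "smashed");
    return 0;
}
```

A StackGuarded binary would terminate the process at the failed check instead of returning into overwritten data; the bounded copy avoids the corruption in the first place.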
The Immunix Linux distribution builds off a stock Red Hat distribution but recompiles all binaries using a StackGuard-enabled GCC. In our tests, the Immunix product worked as described.
One major difference between this distribution and stock Red Hat is that you no longer have access to the GNOME and KDE desktop environments. Immunix includes only the Enlightenment window manager for X Window, but that shouldn't be too much of a problem because most Immunix installations are going to be server-oriented anyway, forgoing the need for X Window.
WireX Communications produces the Immunix distribution with build extensions to support special-purpose servers.
Under Active Development
The National Security Agency's Security-Enhanced Linux (SE Linux; www.nsa.gov/selinux/) created a stir when it was first released in December 2000. The NSA typically keeps to itself (for obvious reasons), so its move to kick security enhancements to the Linux kernel back to the community prompted much interest.
SE Linux provides mandatory access control by confining the actions and domain of a given process, such as a network daemon, to only the needed resources -- a level of protection not found on conventional operating systems. Even if a process is compromised, damage is limited to the configured domain, leaving other processes intact. In this way, damage from poorly coded programs or daemons that fall victim to attack can be limited.
You can install SE Linux by downloading the NSA patches for the kernel and surrounding tools. Make sure you have the official source tree at the same version level. Apply the patches and recompile. If this sounds daunting, SE Linux is probably not for you. And remember, the NSA still uses the words "research prototype" to describe the project.
The Openwall Project is undertaking source-code review as its primary defense against software vulnerabilities. Along with configuring components to use safe defaults, Openwall is integrating strong cryptography into its Linux distribution. The software is still in beta but is available for download from various mirrors listed on the site.
Castle Linux is a research-driven distribution built around a concept called Rule Set Based Access Control, or RSBAC. Like SE Linux, it can make use of several security models, including mandatory access control as well as role capability and the familiar ACLs.
Blue Linux is another security-enhanced distribution under development. Once it's completed, commercial support will be offered by Blue Secure. Blue Linux features a unique, fully automated security-patch-installation utility. A number of obvious factors may make an administrator reluctant to rely on full automation, but this is a step in the right direction. Many overworked administrators never get around to installing the patches, and such a capability will undoubtedly be a boon.
Kevin Novak and Patrick Mueller work for Chicago-based security consultancy Neohapsis.