A recent National Infrastructure Protection Center CyberNotes bulletin lists 74 software vulnerabilities identified from March 7 to March 22--nearly five per day. Sure, some affect only Microsoft Windows systems, but don't assume you're safe just because your Web-facing servers are Microsoft-free zones. Even if you run Linux, unless you have someone on staff who can set fine-grained file- and network-access controls that give applications only the privileges they need--and thus protect your root account--you could still get burned.
One suggestion: a security-enhanced Linux distribution. We tested four such products in our Chicago Neohapsis partner labs: Guardian Digital's EnGarde Secure Linux 1.1, Hewlett-Packard Co.'s Secure OS Software for Linux 1.0, Trustix AS' Trustix Secure Linux 1.5 and Wirex Communications' Immunix 7.0. Each is a version 1.0 or higher general distribution on which a range of Linux applications can be run. We also identified four distributions that, though interesting, didn't fit the criteria for our review (see "OpenBSD, PitBull, SE Get Caught in Our Filter," below).
After evaluating the products' security records, documentation and ease of use, and considering the vendors' notification and patching schemes, we hit the distributions with two recent vulnerabilities, ptrace and zlib. Although Guardian Digital's EnGarde took our Editor's Choice award, Red Hat enthusiasts may like Wirex's Immunix. The sleeper in the group was HP's offering--though not for the CLI-impaired, HP-LX is worth watching.
How We Tested Hardened Linux Systems
We deployed the hardened Linux distributions in our Chicago-based Neohapsis partner labs. We installed each on a standard Intel Pentium III Dell OptiPlex with 256 MB of RAM, enough horsepower for any of the products (your hardware requirements will depend on your applications), and placed them behind a firewall. Then we immediately grabbed any available patches and updated the systems. As we noted in the review, some of the products' patching mechanisms are well-thought-out and easy to use, while others are lacking. Next, we configured a few standard applications, such as Apache Web server, to ensure that the distribution's operation was similar to that of a standard Linux platform. For those systems that offered advanced Mandatory Access Control mechanisms--all except Trustix Secure Linux--we examined any included configuration. We then attempted to further lock down the configuration for the chosen application or create a new one, as was the case with Immunix, which doesn't come with any included Mandatory Access Control configuration files. Running exploits against the distributions fell outside the scope of our tests--we hope that would have been an uninteresting exercise, at least on the patched systems.
By the Numbers: Losses Mounting
The Computer Security Institute, with the FBI's Computer Intrusion Squad, polled 503 security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities for its April 7 report on cyber crime. The results may surprise you:
90%: Respondents detecting security breaches within the past 12 months
80%: Respondents acknowledging losses as a result of security breaches
44%: Respondents that could put a price on their losses
$455.9 million: Total losses reported by the 44 percent of respondents who could put a price on them
34%: Respondents that reported losses to law enforcement
12%: Respondents that lost transaction information
OpenBSD, PitBull, SE Get Caught in Our Filter
Security geeks likely have noticed that the product filter we used (full Linux distribution with at least a 1.0 release) eliminated some of the major players in the hardened (security-enhanced) Unix market. Here is a rundown of those vendors:
OpenBSD: OpenBSD is a free, open-source, BSD-based OS with security as design goal No. 1. When people talk about the most secure operating system--a problematic concept in itself--OpenBSD undoubtedly is mentioned. "Four years without a root hole in the default install" is the famous tag line (incremented every year, of course) and is a claim of which the developers should be proud. The recent zlib vulnerability gave a scare because OpenSSH, which is developed by the OpenBSD crew, uses zlib for its compression routines. But OpenBSD's secure coding practices came through in the end: Its paranoid implementation of the malloc() and free() dynamic memory-allocation functions kept the vulnerability from being exploitable on OpenBSD. Specifically, its free() detects an attempt to release the same block twice--the double free that was the root cause of the zlib hole--rather than silently corrupting the heap.
Although Linux and BSD are both Unix-like, obviously there are some differences. The novice user will be frustrated by OpenBSD's relative lack of user friendliness compared with the GUI-rich mainstream Linux distributions. OpenBSD does not provide many of the advanced features, such as Mandatory Access Control, found in the secure Linux distributions we tested. Rather, it depends on the secure programming skills of the OpenBSD developers, who have also cumulatively invested dozens of years auditing and patching all the third-party code and packages integrated into the distribution. If you're deploying an Internet server and you need the safest platform, without all the bells and whistles--and with zero licensing costs--look no further than OpenBSD.
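To make the double-free point concrete, here is an added example (our own illustration, not OpenBSD's allocator code) of the bookkeeping a "paranoid" free() does: it remembers which blocks it handed out and refuses to release one twice, or to release a pointer it never allocated. The zlib bug pattern is replayed in demo_double_free(); the function and table names are this example's own, and a real hardened allocator would abort rather than return an error code.

```c
#include <stdlib.h>
#include <stdio.h>

/* Added example: a thin bookkeeping layer over the standard malloc/free that
 * detects double frees. Not OpenBSD's allocator; names are invented here. */

#define MAX_TRACKED 64

struct tracked_block {
    void *ptr;
    int live;      /* 1 while the block is outstanding, 0 once freed */
};

static struct tracked_block table[MAX_TRACKED];
static int table_used = 0;

/* Allocate and record the block. Returns NULL on exhaustion, like malloc. */
void *guarded_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    /* malloc may hand back an address we freed earlier; revive that record
     * instead of leaving a stale "freed" entry that would trip guarded_free. */
    for (int i = 0; i < table_used; i++) {
        if (table[i].ptr == p) {
            table[i].live = 1;
            return p;
        }
    }
    if (table_used >= MAX_TRACKED) {
        free(p);
        return NULL;
    }
    table[table_used].ptr = p;
    table[table_used].live = 1;
    table_used++;
    return p;
}

/* Free a block only if it is known and still live.
 * Returns 0 on success, -1 for a double free, -2 for an unknown pointer. */
int guarded_free(void *p)
{
    for (int i = 0; i < table_used; i++) {
        if (table[i].ptr == p) {
            if (!table[i].live)
                return -1;   /* second free of the same block: the zlib bug pattern */
            table[i].live = 0;
            free(p);
            return 0;
        }
    }
    return -2;               /* pointer did not come from guarded_malloc */
}

/* Replays the zlib-style sequence: one allocation, two frees.
 * Returns 1 if the second free was caught, 0 otherwise. */
int demo_double_free(void)
{
    void *buf = guarded_malloc(32);
    if (buf == NULL)
        return 0;
    int first = guarded_free(buf);
    int second = guarded_free(buf);
    return (first == 0 && second == -1) ? 1 : 0;
}

/* A freed address may be handed out again by malloc; the fresh block must
 * free cleanly even though a stale record for the same address exists. */
int demo_reuse_after_free(void)
{
    void *a = guarded_malloc(16);
    if (a == NULL || guarded_free(a) != 0)
        return 0;
    void *b = guarded_malloc(16);  /* may or may not be the same address as a */
    if (b == NULL)
        return 0;
    return guarded_free(b) == 0;
}

int main(void)
{
    printf("double free caught: %s\n", demo_double_free() ? "yes" : "no");
    printf("reuse after free ok: %s\n", demo_reuse_after_free() ? "yes" : "no");
    return 0;
}
```

The linear scan is deliberately simple; what matters is that the second free of the same block is refused instead of corrupting allocator metadata, which is exactly the step the zlib exploit path depended on.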
PitBull LX: Argus Systems Group produces PitBull LX, a commercial bolt-on for a variety of Solaris releases and Linux distributions, including Debian GNU/Linux, Linux Mandrake, Red Hat Linux, SuSE Linux and Turbolinux Server. PitBull provides Mandatory Access Control through a feature-rich interface. PitBull works with a model similar to the containment mechanisms found in HP Secure OS Software for Linux; at-risk processes can be configured to be allowed access only to resources defined for the domain in which they operate. Fine-grained control extends down to the network level, where the administrator can limit how a process can access the network. In this way, you can stop an attacker who has gained access to the server from extending his or her reach.
SE Linux (Security-Enhanced Linux): Did you know the National Security Agency is in the software-development business? Part of its mission statement dictates involvement in computer-security research, with SE Linux as the most visible result. SE Linux provides some of the most advanced operating system security features available. It is free and released under the GNU General Public License, so anyone can use it or build from it. Mandatory Access Control is provided via two mechanisms: type enforcement and RBAC (role-based access control). Type enforcement confines each process to its defined domain, allowing it to touch only the object types the policy grants that domain; RBAC lets you define roles based on user type, and each role is permitted to enter only certain domains, so the two layers combine to govern every access. SE Linux is provided as a set of patches and is not a standalone Linux distribution. Raw but powerful, SE Linux is not for the faint of heart: It requires advanced Unix/Linux experience and plenty of time and effort to get it rolling.
MAC, or Mandatory Access Control, is a security mechanism typically found in highly secure operating systems, such as the military's B-level certified systems. Generally, MAC works by using labels, such as secret or top-secret, for both subjects and objects. Only subjects with sufficient clearance can view, copy or otherwise access a particular document. The overhead this imposes on system implementation and administration keeps MAC out of anything except the uber-secure environments mentioned above.
Lighter-weight versions of MAC, such as those included with Guardian Digital's EnGarde, Wirex's Immunix and HP's Secure OS Software for Linux, provide many of the security benefits but with simplified deployment and lower administration costs. These versions do not use labels, because such data classification typically exceeds the security requirements of most nonmilitary organizations, and because labels are the root cause of MAC's complexity and therefore of its administration and user-training costs. Instead, these simplified versions of MAC rely on one of two basic concepts: limiting the power of the administrative account (root), and creating domains in which risk-laden processes, such as network daemons, run with privileges only to their own files and resources.
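The domain idea behind both the simplified MAC above and SE Linux's type enforcement plus RBAC (in the sidebar earlier) comes down to the same decision: deny everything, then allow a named domain a named kind of access to a named resource type, and let a role enter only the domains assigned to it. The following is an added illustration, not SE Linux policy code or any vendor's implementation; the domain, type and role names (httpd_t, shadow_t, system_r and so on) are invented for the example, and the rule tables are a constructed policy.

```c
#include <string.h>
#include <stdio.h>

/* Added example: a toy type-enforcement + RBAC evaluator. Not SE Linux and not
 * any vendor's MAC code; all policy names below are invented. Every access is
 * denied unless a rule explicitly allows it, and a role may only enter the
 * domains assigned to it. */

enum perm { P_READ = 1, P_WRITE = 2, P_BIND = 4 };

struct te_rule {          /* allow <domain> <type> : <perms> */
    const char *domain;
    const char *type;
    int perms;
};

struct role_map {         /* role <role> may run in <domain> */
    const char *role;
    const char *domain;
};

/* Constructed policy: the web-server domain may read its config, write its
 * log and bind its port, nothing else. sshd_t shows rules are per-domain. */
static const struct te_rule te_rules[] = {
    { "httpd_t", "httpd_config_t", P_READ },
    { "httpd_t", "httpd_log_t",    P_WRITE },
    { "httpd_t", "httpd_port_t",   P_BIND },
    { "sshd_t",  "shadow_t",       P_READ },
};

static const struct role_map roles[] = {
    { "system_r", "httpd_t" },
    { "system_r", "sshd_t" },
    { "user_r",   "user_t" },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* RBAC layer: is this role permitted to run in this domain? */
int role_allows_domain(const char *role, const char *domain)
{
    for (size_t i = 0; i < COUNT(roles); i++)
        if (strcmp(roles[i].role, role) == 0 && strcmp(roles[i].domain, domain) == 0)
            return 1;
    return 0;
}

/* TE layer: do the rules for this domain/type grant every requested bit? */
int te_allows(const char *domain, const char *type, int perms)
{
    int granted = 0;
    for (size_t i = 0; i < COUNT(te_rules); i++)
        if (strcmp(te_rules[i].domain, domain) == 0 && strcmp(te_rules[i].type, type) == 0)
            granted |= te_rules[i].perms;
    return (granted & perms) == perms;
}

/* Full decision: both layers must agree; the default is deny. */
int mac_check(const char *role, const char *domain, const char *type, int perms)
{
    return role_allows_domain(role, domain) && te_allows(domain, type, perms);
}

int main(void)
{
    /* Even a compromised httpd running as root cannot reach shadow_t: the
     * domain has no rule for it, so the attacker cannot extend his reach. */
    printf("httpd reads config: %d\n", mac_check("system_r", "httpd_t", "httpd_config_t", P_READ));
    printf("httpd reads shadow: %d\n", mac_check("system_r", "httpd_t", "shadow_t", P_READ));
    printf("user_r in httpd_t:  %d\n", mac_check("user_r", "httpd_t", "httpd_config_t", P_READ));
    return 0;
}
```

Two things are worth noting in the design. Permissions are a bit mask, so asking for read plus bind on the port type fails unless both bits are granted; and the role check runs first, so a user role cannot simply claim the web server's domain to inherit its rules.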