anta Clara, Calif.?Among the last words spoken at a vendor panel titled Linux and Security Standards here at Jupitermedia’s Enterprise Linux Forum Conference & Expo (June 4-6, 2003) may have been the most insightful. Panelist Bill McCarty said: “Trying to take an insecure product and somehow convert it to a secure product is generally a futile effort. In fact, adequate security has to be built in and tested at the design level on up.”
The statement was a critique of using code-checking tools as a security measure and it could apply to any software product, but at a Linux trade show it seemed a clear indictment of Microsoft products. And during the hour-long discussion, which closed this three-day event, the panel of three Linux experts made clear that the abilities to drill down into the kernel level of Linux and to pick and choose which services to deploy on it?while being completely shut out of Windows products’ source code?make Linux much more accommodating for secure computing.
Joining McCarty, an Associate Professor of Web and Information Technology at Azusa Pacific University, where he directs the Azusa Pacific University Honeynet Project, were Bob Toxen, author of Real World Linux Security, Second Edition and a consultant in his own practice at Fly-By-Day Consulting, Inc., and David Truax, a pSeries Lead for IBM eServer Linux Test Drive.
Michael Hall, Managing Editor for Jupitermedia, moderated the proceedings, and the following are the highlights of the panel’s responses to the topics he presented.
BM: Although many people in attendance here would like to, kicking Windows off the desktop is a tough proposition. You need to find a way to cope with heterogeneity rather than hope to expel the Windows presence.
Linux has a role to play in protecting the more vulnerable Windows services and servers from the threats that are out there, particularly the desktop stuff.
Vulnerability numbers don’t always favor Linux in Linux-vs.-Windows comparisons
DT: With the different types of distributions that are available for Linux, are you going to count every vulnerability on every possible distribution? Do you report all the applications that run on Linux? Then you have to include every application deployed on Windows as having vulnerabilities as well. You have to compare a single Linux distribution to a single Windows distribution. You can’t combine Debian, Red Hat, and SuSE [into a single Linux vulnerability count] because they share the same package.
BM: Attributing vulnerabilities to applications and platforms can get kind of complicated. Apache can be run on Windows. [If that system is compromised] is that an Apache vulnerability or is it a Windows vulnerability?
How have distributors done with Linux security out of the box?
DT: There’s been significant improvement. You pick up a current [Linux] distribution off the shelf, install it just by defaults, and hit it with a scanner, and you’ll be impressed with what’s not visible. [It used to be that] anything was visible by default. A two-year-old version of Red Hat would have SendMail on, FTP on, Telnet on, and by that point SSH was also several years old, and it was wide open to the world. Today, the basic principle is turn it all off and leave it to the individual to turn it on.
DT: What’s coming up fastest is separation of authority or user separation, and buffer overflow protections within the actual kernel of Linux. So, although current buffer overflow attacks would be able to occur in the application, they wouldn’t be able to affect the operating system.
BT: I think something else we’re going to see is smarter firewalls and intrusion prevention. Right now, people say ‘let’s try to define what an attack packet looks like.’ I think we’re going to see a little more intelligence in terms of what kind of [traffic people] expect to pass through [their] Web servers.
Something I’ve been advocating for about four years is an adaptive firewall. If someone’s been attacking you for a half an hour, [an adaptive firewall would make it] easy to say let’s just block his IP and we’re done with him at that point.
BM: There are third-party patches available for Linux kernels. I anticipate those will be rolled into major Linux distributions and that will make a real difference in security in terms of upping the ante on the developers of the exploits.
How does Linux architecture compare with Windows in terms of security?
BM: Linux has the advantage of transparency. With most of the Linux configuration items, you can look inside it and audit it better than a Windows system. My recommendation would be to embrace platforms that have transparency and “auditability” because then you can have more confidence in the security of your network.
You can open up a Linux system. You can automate the automated Linux system to a degree that, to my knowledge, is impossible with the proprietary formats and the undocumented structures that inhabit the Microsoft operating system.
BT: With Linux, each service (Web service, mail service, DNS service, etc.) is a separate program that you can run as a separate non-group user. Therefore, if any one of them gets compromised, it doesn’t have to affect the other services running, and it’s not going to affect the kernel for the vast majority of vulnerabilities. So, really, you have much tighter security. With IIS and IE, they essentially run with all privileges. So using the vulnerabilities in IIS and IE, the attacker basically gets control of that whole system.
An audience member named Jim Dennis, who was attending the conference on behalf of Linux Gazette, had this to add: “The modularity also gives you diversity. You don’t have as much of a mono-culture. Sure, Apache runs on about 50-something percent of all Web sites visible in the world, but it’s not always running on Linux and not all Linux boxes are running Apache. One exploit isn’t going to take down everybody.”