[ISN] Linux Security Rough Around The Edges, But Improving
InfoSec News
isn at c4i.org
Mon Mar 7 06:03:50 EST 2005
http://www.informationweek.com/story/showArticle.jhtml?articleID=60405086
By Larry Greenemeier
InformationWeek
March 3, 2005
The National Security Agency built a version of Linux with more
security tools that its technologists believe could help make the
country's computing infrastructure less vulnerable. They won over the
Linux developer community with the changes. But its success depends on
the adoption by U.S. companies and government agencies, something that
remains very much in doubt.
For more than a decade, the National Security Agency has worked on a
way to use a computer's operating system to control where software
applications and their users can access data within IT environments.
The agency succeeded years ago in creating such "mandatory access
control" features for specialized operating systems, but very few
users had the access or inclination to deploy them. Taking a gamble in
2000 on the emerging Linux operating system, NSA started applying its
security approach to the open-source code. The result is its Security
Enhanced Linux technology, which it hopes can raise the nation's
overall level of cybersecurity.
"Quality of (software) code is crucial to the security of this
nation," Dickie George, technical director of NSA's Information
Assurance Directorate, said Thursday at an SELinux symposium. George
added that the directorate's mission is to research and develop the
technology and processes that industry can use to protect itself, and
critical U.S. infrastructure, from cyberattacks.
NSA's faith in Linux is being rewarded in the Linux development
community, at least. SELinux's mandatory access-control capabilities
were included in version 2.6 of the kernel. With the mandatory access
control, a Linux system can be partitioned into separate domains that
contain any damage that viruses might cause.
Debian, Novell, and Red Hat, three major distributors of the Linux
operating system, have only recently released their own packages built
on version 2.6 that allow customers to take advantage of some SELinux
features. Red Hat and Novell differ markedly, however, in their
perception of SELinux's usefulness today.
Red Hat is encouraging users to try SELinux capabilities, even though
writing SELinux security policies in the current version is complex.
Red Hat's mid-February release of Red Hat Enterprise Linux 4, based
upon the SELinux-friendly version 2.6 kernel, is an attempt to marry
high-level security features with the basic operating system, says
Donald Fischer, senior product manager for Red Hat Enterprise Linux.
Red Hat users can use the Gnome 2.8 desktop included with Red Hat
Enterprise Linux 4 to do limited configuration of SELinux.
Novell, however, believes SELinux is still too complicated for most
users to implement. "It's not the technology itself [that's] the
problem, but that it cannot be used to the full extent," says Chris
Schlaeger, Novell's VP of research and development, adding that users
need an easier way to describe their security needs, upon which the
system could then execute. "It's a lot of work to do this today using
SELinux," Schlaeger says.
Schlaeger acknowledges SELinux is an advancement in operating
system-level security. "Novell isn't saying that SELinux is bad, but
rather that more needs to be done," he says. For one, security must
take into consideration more than operating-system-level security, he
says. With application-level security, for example, companies can let
the apps running on their servers perform tasks while preventing them
from affecting other applications.
Still, support for the 2.6 Linux kernel by Linux's two most prominent
providers, Red Hat and Novell, almost certainly will spread knowledge
of SELinux. That will cast a spotlight on the technology's
shortcomings, and likely lead to improvements that ultimately
eliminate the need for company users to seek out highly secure,
highly specialized operating systems.