The two faces of Linux

About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store

NEWS

The two faces of Linux

By Brian Fonseca and Ed Scannell
January 13, 2003 1:01 am PT

WHILE LINUX continues to make inroads among corporate accounts, it is also is taking on one of the burdens typically assumed by archrival Microsoft, as it becomes a more attractive target for hackers.

ADVERTISEMENT

<a href="http://ad.doubleclick.net/jump/idg.us.info.news/article;abr=!ie;pos=imu;pkey=security;skey=;paud=;saud=;sz=336x280;tile=2;ord=595414211108?"> <img src="http://ad.doubleclick.net/ad/idg.us.info.news/article;abr=!ie;pos=imu;pkey=security;skey=;paud=;saud=;sz=336x280;tile=2;ord=595414211108?" border="0"> </a>

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

TOP NEWS

IT SOLUTION SEARCH

New services-oriented offerings on tap from Guardian Digital and MSSP (managed security services provider) Guardent are looking to remedy open-source and Linux security liability.

At LinuxWorld Conference & Expo in New York later this month, Guardian Digital will release new products to accompany its Web-based EnGarde Secure Linux Professional tool, which offers DNS, Web, and mail services support.

Set to make its debut is Guardian Digital Secure Mail Suite featuring anti-virus and spam protection, Web mail, secure remote access, and integrated centralized directory access using LDAP, said Dave Wreski, CEO of Guardian Digital, based in Allandale, N.J. Guardian Digital also will reveal its Content and Policy Enforcement Center at the event.

Wreski said that two other Linux security products, Guardian Digital Secure VPN Server Suite and Guardian Digital Internet Acceleration and Management Server, should be available after LinuxWorld.

Guardent will announce services enhancements in the first quarter to analyze, read, and parse log data from Linux platforms.

The analysis rules will target multiple unsuccessful host log-ins to deter possible brute-force attacks, sniff out backdoor programs, and block DoS (denial of service) attacks, said Jerry Brady, CTO of Waltham, Mass.-based Guardent.

Server crashes and hacks are making managed security more attractive to Linux customers. When Sony Electronics' Web site experienced a couple, Karen Savitch, director of the group's travel division in Woodcliff Lake, N.J., turned to Guardian Digital to manage and shore up the division's Web presence.

"The hacks were blatantly obvious holes in the security software originally on there," Savitch said. "We had Linux at that point, and we needed to start from scratch to shore this up from bottom up rather than just keep patching it, or this was going to keep happening."

According to a recent report from Boston-based Aberdeen Group, Linux and open-source software in general "is now the major source of elevated security vulnerabilities for IT buyers."

Studies from the Computer Emergency Response Team (CERT) showed that open-source and Linux software accounted for some 16 of 29 security advisories during the first 10 months of 2002. Microsoft products only had seven advisories, or about 25 percent, during the same period of time.

Numbers such as these, according to Aberdeen Group, are helping shred the myth that Microsoft has the worst track record when it comes to security, and that both Linux and Unix-based systems are just as vulnerable to viruses, Trojan horses, and worms.

"In the question of what's more secure, Linux or Microsoft, the answer is, it's not Linux," said Eric Hemmindinger, research director, information security at Aberdeen Group. "If there's a lesson ... it's that both OS environments are sources of vulnerabilities today, and despite best efforts of suppliers, they're going to continue to be."

The security analyst said customers must turn to solutions that focus on remediation rather than wait for any OS provider to fix inherent platform problems that may arise.

Linux and other open-source software will stay high on hackers' lists, Aberdeen Group says, because open-source is increasingly being incorporated into routers, Web server software, and security software -- all potential infectious carriers.

While Linux has crept onto the hacker community's radar screen, some industry observers do not believe the OS has the panache among hackers that Windows does.

"My overall sense is Linux is not the security target that Windows is because it doesn't have a company behind that hackers just love to hate. Hackers just get more ego bucks cracking a Windows server than Linux or, say, a NetWare server," said Dan Kusnetzky, vice president of research on operating environments at IDC in Framingham, Mass.

There are many more versions of Linux than Windows, with significant technical differences right down to the kernel level, that work in Linux's favor. This intrinsically makes it more difficult for garden variety hackers to infect a mission-critical server.

As an open-source technology, Linux also has the advantage of having more developers looking at the code to spot security holes and cooperatively pull together fixes from across the development community.

"The major advantage of an open-source community is, when there is a problem, the fixes generally come immediately. There is not a long period of time between when a problem occurs and when a fix is available. Sometimes it comes within hours," said Dan Frye, director at IBM's Linux technology center in Beaverton, Ore.

The security module architecture built into the upcoming 2.6 Version of the Linux kernel, expected later this year, should build a thicker protective security wall around Linux.

	Careful installation reduces Linux security risk Despite the wails of the critics, the fact that Linux is an open-source operating system has turned out to not be a major security factor. Yes, hackers can look at the code and perhaps find a way to cause mischief or steal information, but that hardly makes Linux more of a risk than, say, Windows. Note that Windows has a fairly significant list of vulnerabilities, all of which were found without access to the source code. Linux has its own share of vulnerabilities. Just take a look at the SANS/FBI list of the top 20 most critical security vulnerabilities (www.sans.org/top20), and you'll see an equal number of vulnerabilities for Linux/Unix as for Windows. So it's a wash. The open-source issue simply doesn't appear to make Linux any less secure. What the list doesn't tell you, however, is that eliminating risk from Linux is much easier because it is open source. According to Paul Robertson, director of risk assessment at TruSecure in Herndon, Va., a skilled Linux administrator can remove 85 percent of the risk from a Linux server simply by removing anything that is not needed. "You don't need X-Windows on a Web server," Robertson points out. And that's one significant feature you won't find in a closed-source environment. In open source, you can read the source code and figure out what you can remove. And once a module is removed, it can't be used to compromise the system. In fact, the practice of performing full installs of any operating system, whether it's Linux, Windows, or something else, is a major source of security problems. Usually the administrator (or perhaps an assistant with limited skills) installs the OS, accepting all the default settings because he or she doesn't know any better. Or he or she even sets the installation so that everything available is installed. Either installation results in a lot of unnecessary software running on the server. And anything that's running is a potential vulnerability. Even if your administrator isn't enough of a Linux wizard to start removing modules from the operating system, he or she should at least be able to install the OS with only the features your system needs. This means, for example, that if you don't need Apache, you shouldn't install it. Of course, there are plenty of other factors that affect Linux. But the ability to do more with less is something you can't get from other software, and that gives Linux an important edge. -- Wayne Rash