Linux Security: Tips from the Experts

By Jacqueline Emigh | Oct 29, 2003
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3101151/Linux-Security-Tips-from-the-Experts.htm

Is Linux more secure than Windows, or vice versa? Fueled by conflicting industry reports, this controversy keeps raging. To arrive at a well-informed opinion on the subject, you need to know as much as you can about what kinds of security measures are actually available for Linux. Moreover, if you're administering Linux already, some implementation tips from Linux security pros can undoubtedly come in handy.

"It's hard to talk about 'Linux' as an operating system, since there are so many different variations. A number of different OSes — such as FreeBSD, VMS, mainframe OSes like VM or VSE, or other proprietary OSes — may lay claim to the title of 'most secure OS,'" observes Pete Lindstrom, CISSP, research director for Spire Security, LLC.

"The truth is that we don't, as a community, attempt to figure out which OS is most secure. We rely on an 'unpopularity' contest to figure that out. Popularity is a fickle thing, though. Right now, Linux has some momentum in security over Microsoft's OS family, but that can change quickly."

The debate over OS security intensified in February of this year, when the Aberdeen analyst group released a report based on publicly available information from CERT. "Contrary to popular misconception, Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to public wisdom, Unix- and Linux-based systems are just as vulnerable to viruses, Trojans, and worms," the report stated.

Positive Perceptions of Linux Security Pick Up Steam

Meanwhile, though, positive industry perceptions of Linux security actually seem to be picking up steam. A study by Evans Data Corp., released earlier this month, found that the number of developers who regard Linux as "the most innately secure operating system" leaped 19 percent over the past six months.

Jim Dennis, a principal at Starshine.org, is one practitioner who gives Linux a big security nod over other OSes. For one thing, Linux distros have been built from the ground up with security as a major focus, according to Dennis.

Dennis also points to the existence of many "hardened" Linux kernels — such as LIDS, RSBAC, and LOMAC — as well as "hardened" Linux distros, including SELinux, OpenWall Linux (OWL), and Adamantix. (Adamantix was previously dubbed Trusted Debian.)

Even without a hardened distro/kernel, though, there are many ways of battening down Linux's hatches. In interviews with CrossNodes, Lindstrom and Dennis both provided plenty of advice for Linux administrators, across areas ranging from security policies to secure installation, including cryptography, protection of CGI and dynamic content, replacement of deprecated protocols, and more.

Don't Place the Cart Before the Security Horse

Effective IT security depends first and foremost on sound security policies, Dennis emphasizes. "Policies are requirements. They should be part of your broader requirements analysis."

The following policies should be "implicit," Dennis says:

  • The system should only run MY software, executed by and for MY users

  • Files can only be created/written/read by and for authorized users

  • Files must be available whenever — and from wherever — I want

However, policies alone, of course, are not enough. "Policy docs don't implement. The map is not the terrain," cautions Dennis.

Eliminate What You Don't Need and Restrict the Rest

Dennis recommends installing from either a clean CD or an isolated LAN. Services that aren't needed should be eliminated. Even if you do need a service, you should place appropriate restrictions on its use.

Here's how to disable Linux services, according to Dennis:

  • First, find them:  netstat -nlp --inet  (the -p program column requires root)

  • Next, disable them:  chkconfig $SERVICE off

  • To edit the ones started on demand:  /etc/inetd.conf  OR  /etc/xinetd.d/*

  • Finally, double-check from a remote machine with:  nmap

You can restrict access in several ways:

  • Bind services to specific interfaces, via their config files

  • Use TCP wrappers via the /etc/hosts.allow (and /etc/hosts.deny) files

  • Implement belts and suspenders such as ipchains, iptables, and ipfwadm
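As an added illustration of the "find them" and "bind to specific interfaces" steps above (this is not code from the article or from Dennis), the function below reads a netstat-style listing and reports every service listening on all interfaces (0.0.0.0) that is not on an allow list of intentionally public ports. The listing is constructed sample text in the shape of `netstat -nlp --inet` output, not real captured data; in practice you would pipe the live command in instead.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -nlp --inet` (needs root for
# the PID/Program column). Not real output.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      812/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      744/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      655/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           655/portmap'

# exposed_services PORTS
#   PORTS is a space-separated list of ports that are meant to be reachable
#   from everywhere. Prints "proto port program" for each socket bound to
#   0.0.0.0 whose port is not in that list: these are the candidates for
#   `chkconfig ... off`, for binding to one interface, or for hosts.allow /
#   iptables restrictions. Sockets bound to 127.0.0.1 are already local-only.
exposed_services() {
  allow="$1"
  printf '%s\n' "$SAMPLE_NETSTAT" | awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)$/ {
      split($4, addr, ":")                 # "0.0.0.0:111" -> ip, port
      if (addr[1] != "0.0.0.0" || ok[addr[2]]) next
      prog = $NF; sub(/^[0-9]+\//, "", prog)   # "655/portmap" -> "portmap"
      print $1, addr[2], prog
    }'
}

# Example run: only ssh (22) is meant to be public.
exposed_services 22
```

To audit a live host, replace the `printf` of the sample with `netstat -nlp --inet` run as root.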

Bastille, Tripwire, AIDE, and Samhain

You should also run Bastille — an interactive lockdown/hardening script — assuming that it supports the distro you're using. Currently, Bastille provides support for Red Hat, SuSE, Debian, Mandrake, and TurboLinux distros of Linux, along with HP-UX and Mac OS X.

"Bastille Linux provides feedback to administrators about security during installation. The focus is on proper configuration," concurs Spire Security's Lindstrom. As opposed to configuration issues, most other approaches to vulnerabilities today focus on software bugs, he says.

Dennis considers Tripwire — a long-standing security solution — to be rather antiquated, in comparison to the newer AIDE. He recommends the installation of both AIDE and Samhain, an open source security project from Lunapark that includes a network console, stealth option, and LDAP authentication.

'Jail Services' and Other Firewalls

Virtually no one would dispute the merits of network firewalls with packet detection. For added layers of protection, though, Dennis advises the use of "jail services" such as chroot, Linux capabilities (Lcap), User Mode Linux (UML), VMware, and dedicated hardware.

"You can think of all of these as firewalling processes, too. One caveat, though, is that chroot isn't root safe. Also, UML and other VMs may cost too much in [terms of] performance," he adds.

New Vulnerabilities in the Wings

On the downside, emerging software technologies such as CGI and dynamic content have introduced new vulnerabilities. "Application-layer protection is a must," Lindstrom cautions. "This can include web shields, web application firewalls, or other solutions that provide some protection against attack."

Get Rid of Deprecated Protocols

You should also swap out older and less secure "deprecated protocols" with newer alternatives, says Dennis, who suggests the following replacements:

Protocol                               Alternative
POP/IMAP                               POPS/IMAP (SSL)
telnet                                 ssh/scp/sftp
rdist                                  rsync -e ssh
NIS (resync /etc/passwd, /etc/group)   LDAP over SSL
NFS                                    Still a question mark

No Panacea for Cryptography

Available cryptographic tools include FreeS/WAN, Kerberos, OpenSSH, and several more. As Dennis sees it, each still has pros and cons. For example, FreeS/WAN, a freeware edition of IPSEC VPNs, "potentially secures deprecated protocols." It is also interoperable with other IPSEC implementations. On the other hand, FreeS/WAN is "NAT hostile," he charges.

Lindstrom also doesn't detect any type of panacea out there for cryptography. "It is nice to know that there is a freeware version of IPSEC VPNs. But the problem of encryption adoption isn't the dollar cost. It's the management and performance issues," Lindstrom maintains.

Security Is Nothing Without the Physical Side

Without solid physical security, even the most battened down OS can be compromised in an instant. "Physical security really depends on the situation," Lindstrom says. "Laptops should be under lock and key when not in the user's possession. Sensitive data should be locked up in data centers or other appropriately controlled areas. Access to and from these rooms should be controlled and monitored. Environmental controls should be in place to protect against disasters. Locking I/O devices such as keyboards and monitors is a good idea."

Updates and Patches (Generally) A Must — But Be Careful

"Update, update, update!" Dennis exhorts. "Keep a local repository. Test downgrades, too." Dennis warns, however, that before deciding to install a patch, you should weigh the security benefits against the risks of introducing new features.

Whether you're a Linux veteran or newbie — or even if you're not a Linux practitioner at all yet — it's important to keep up-to-speed on the latest security advancements. Progress can happen so fast in the open source world that, if you blink for a moment, you might miss a promising new Linux security project.
