Linux security features: Advantages of Security Enhanced Linux and IPsec

Security expert James Turnbull describes the advantages and standard features of IPsec and Security Enhanced Linux in Linux distros, and how they compare with Windows.

Do all Linux distros come with Security Enhanced Linux and IPsec? How do these two things make Linux more secure than Windows? If not, then do they have equivalent security tools? Are there equivalents in Windows?

No, not all distributions come with SELinux and IPsec. Some distributions have SELinux and IPsec integrated into them, and others have this functionality available as add-in packages. Probably the best examples of integrated SELinux distributions are Red Hat ES and Fedora. Red Hat has tightly integrated SELinux in these releases and designed a well-rounded series of policies. Red Hat also has built-in IPsec functionality. Examples of other distributions with SELinux available as a package include Debian, SuSE and Gentoo. Most of these distributions also have packages and add-ons to the kernel that allow IPsec functionality.

SELinux and IPsec provide very different functionality. SELinux is a security enhancement integrated with the kernel that enables mandatory access controls. This allows you to write policies that segregate information, processes and applications based on access controls and integrity requirements. This means the compromise of a particular application or process does not automatically mean that the whole host is compromised. IPsec is a series of protocols that allow the secure exchange of packets at the IP layer. It is principally designed to allow the implementation of VPNs (Virtual Private Networks) between hosts or networks. It is not an inherent host security feature as such. It simply allows secure communication between hosts or networks.

Do these things make Linux more secure than Windows? Well, IPsec is present on most modern Windows versions and provides the same functionality as it does under Linux hosts. However, SELinux is a powerful tool that provides significant host integrity to Linux hosts. By default this sort of security is not built into Windows hosts. You can add some of this sort of security or similar functionality by adding a Host Intrusion Detection System agent, such as those made by companies like ISS and McAfee. But most of these are not as powerful and sophisticated as SELinux. SELinux can be hard to implement and can cause problems with the functionality of your applications. I recommend doing some reading on SELinux and determining whether you require this sort of functionality for your purposes. The SELinux site at the NSA should provide a good starting point.
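To make the mandatory access control point above concrete, here is an added example (not part of the original answer, and not SELinux's own code): a small Python model that parses type-enforcement `allow` rules and evaluates access default-deny, showing that a process confined to one domain stays confined even when it runs as root. The sample rules are constructed for illustration and the function names are hypothetical; the type names follow common SELinux naming.

```python
import re

# Constructed type-enforcement rules in SELinux policy syntax (sample input,
# not copied from any shipped policy).
SAMPLE_POLICY = """
# web server domain may read its own content and append to its logs
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append getattr open };
allow httpd_t httpd_sys_content_t:dir search;
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_allow_rules(text):
    """Return {(source_type, target_type, object_class): set(permissions)}."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE.fullmatch(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        src, tgt, cls, braced, single = m.groups()
        perms = set((braced if braced is not None else single).split())
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def mac_allows(rules, src, tgt, cls, perm):
    """Type enforcement is default-deny: no matching allow rule, no access."""
    return perm in rules.get((src, tgt, cls), set())

def access_decision(rules, uid, dac_ok, src, tgt, cls, perm):
    """Both checks must pass. Simplified model: uid 0 overrides only the
    ordinary file-permission (discretionary) check, never the policy."""
    dac = dac_ok or uid == 0
    return dac and mac_allows(rules, src, tgt, cls, perm)

if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_POLICY)
    # A compromised web server process running as root, still in httpd_t:
    for tgt, perm in [("httpd_sys_content_t", "read"), ("shadow_t", "read"),
                      ("httpd_sys_content_t", "write")]:
        ok = access_decision(rules, 0, False, "httpd_t", tgt, "file", perm)
        print(f"httpd_t -> {tgt}:file {perm}: {'allowed' if ok else 'denied'}")
```

On a host running SELinux, denials of this kind are written to the audit log as AVC messages, which is the place to look when a policy interferes with an application.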

This was last published in October 2005

