Securing an enterprise Linux environment can be a tough assignment for Unix or Windows veterans, says author and software engineer Scott Mann. Linux security requires more up-front and ongoing self-education and do-it-yourself work than other platforms. But it will also offer more flexibility. Mann is the author of Linux System Security: The Administrator's Guide to Open Source Security Tools, from Prentice Hall PTR. He's also a Linux...
software engineer at LeftHand Networks, in Boulder, Colo. In this interview, he covers the ups and downs of handling Linux and open-source security.
Why is the degree of difficulty of securing an enterprise environment increasing?
Mann: Let me tell you about one of the interesting things that has occurred over the last four to five years. Every year, the FBI produces a report, a statistical analysis, on computer-related crime. About five years ago, the vast majority of computer-related crime occurred internally. What that means is that people who were already in a position of being trusted and [who] could gain access to the computing environment were the greatest risk. At that time, 75% to 80% of all computer-related crimes were committed by internal sources. As of the last survey, in 2002, it was a 50-50 split. The level of sophistication of criminal activity from the outside is increasing at a substantial rate.
So companies that are serious about securing their proprietary information need to be very aware of that change. They have to stay up to date on what's happening in vulnerabilities, exploits and the way people are attacking corporate systems.
What are the benefits of using Linux in a security-focused environment?
Mann: The major benefit is having the source code. With available source code, I'm more readily able to come to a deep understanding of what the tool is doing. Also, I can more easily determine when there is a security problem and if I have the capability to get in and fix it. Now, that may not be ideal in an enterprise environment. Nonetheless, open-source products provide that opportunity, and proprietary products do not. With proprietary source code, you're dependent upon whatever support the vendor provides for that product.
Another important benefit is the open-source community. Security information is freely available on the Internet. There are a lot of people in the open-source community who have been dealing with Linux security issues and will answer your questions online for free. Some share their knowledge out of the goodness of their own hearts because they don't want people to struggle as much as they did. Others may be consultants who offer free advice as a community service and/or as a customer-recruiting tool.
What are the most common Linux security mistakes made by IT pros?
Mann: The kinds of mistakes people make depends upon what IT world they come from. If they're coming from a Windows environment, the sorts of mistakes are different than if they're coming from a commercial Unix space. It's hard to generalize between the two, because they are quite different.
So, what are the most common mistakes made by those from the Windows world?
Mann: People who've had a lot of Windows experience and no Unix experience have to overcome the Windows way of doing things. That can be tough. With Windows, you don't have [the] luxury of getting into code and seeing what's wrong. That's nearly impossible in most cases. So, most Windows administrators are used to contacting Microsoft support immediately when there's a problem. Typically, they don't go to news groups, and so on, and try to track down problems that way. That's completely counter to the Linux culture. The Linux culture is about doing all the research first and then, when you can't figure something out, you go and dig around.
Another big hurdle for Windows administrators is coming to grips with the fact that the windowing system in a Linux environment is an afterthought. It wasn't part of the original design. It's a completely separate package. The real way to learn how to manage and maintain your Linux environment from a security or administrative perspective is learning about the operating system itself. Most Windows people don't want to do that. They want to leap to 'How do I do this?' and 'How do I do that?' That impatience usually leads to lots and lots of mistakes.
What challenges face Unix pros in securing Linux?
Mann: Unix-literate people can usually get up to speed just by finding some good books on how the Linux operating system works. Commercial Unix people don't have as big a difficulty in making the transition. They immediately find out that they can get a lot more information than they could about a proprietary Unix OS like Solaris, HP-UX or IBM AIX.
Of course, there are big differences between Unix and Linux environments. It takes time to become familiar with all the features of Linux. The good news is that there are a lot of public forums -- such as news groups and Web sites -- that provide a lot of details about how Linux works. The bad news is that it frequently takes a bit of data mining before you come up with whatever it is you're looking for. If you've been working in a commercial Unix space, you have vendor contacts that you can call to get answers. In the Linux world, if you don't work with commercial Linux vendors, then you'll have to find answers for yourself.
What's the common denominator for both Unix and Windows veterans who must tackle Linux security?
Mann: In both Unix and Windows, getting involved in Linux means that a lot more of the research and the implementation work comes down to the administrator.
Even so, administrators shouldn't worry about this added responsibility. I've found that implementing security in Linux environments is actually easier than it is in Unix and Windows. There's so much more information available. You just have to learn how to find what you're looking for. You'll also have to keep up to date on the vulnerabilities that come up and act on that information. If you don't know how to do it and are not up to date, there's a good chance you have vulnerabilities.
When should an IT shop turn to commercial alternatives for security support? What companies provide Linux security services?
Mann: There are commercial companies that provide security consulting services. There are the big houses like J.D. Edwards and IBM. Smaller companies, like Red Hat, offer some consulting services.
Third-party support is something that the enterprise demands. It's become obvious, however, that if Linux is going to make it in the enterprise in a big way, there needs to be a lot more availability of some form of customer support. SecurityFocus.org is a good place to start looking for support services. Organizations need to establish a contractual relationship with a good consultancy, so that they can call on the consultant to provide updates in a timely fashion.
My stand with Linux and security is that Linux implementations designed for security purposes should be ones that knowledgeable people have implemented. They should be designed so that companies with an in-house knowledge base can manage and maintain them. This would decrease dependency on outside consultants.
Doesn't an IT pro have to be very savvy to take the do-it-yourself approach to security that you describe?
Mann: You will find it challenging if you don't have [the] programming skills needed to modify on your own the capability of the tools you're using.
If you're going to use an open-source tool, the onus is upon you to learn as much about that tool as possible. You may have to compile that tool from source. Or, if you've got even a slightly different environment than the one the tool was developed on, you may have to get in and make changes to make it compile properly, etc. There's a tactical level of expertise that is required to get these tools working.
Another challenge is that you're relying on the somewhat whimsical open-source community. You can get assistance through the open-source community, but you may have to be patient. Most often, the community will come through for you. But it may not come through with the right information at the right time.
Here's another drawback: lack of clout. If you work for a large corporation, then you'd have a lot of clout with your commercial vendors. That clout could make your vendor respond quickly to your calls. In the open-source community, you don't have so much clout.
Also, you can be pretty sure that a product or technology from a commercial vendor will have an active -- and, in many cases, well-funded -- development community behind it. That can be the case in the open-source community, but it's less certain.
Is setting up an open-source security environment more work than a comparable commercial environment?
Mann: A lot more work would go into getting a Snort environment set up than a commercial intrusion-detection tool might take.
That said, one could make the argument as to which option is better. My preference would be to use the open-source tool because I have source code. As soon as a vulnerability hits the Web, and I find out about it, I can go in and fix the vulnerability. I don't have to wait for a patch from the vendor.
The big question to ask when deciding between commercial and open-source security: Does your company want to invest in its people as resources, or does it want to invest in third-party vendors as its resources? There are risks associated with each approach. A good security policy will dictate that you do a risk analysis and answer that question in an analytical fashion.
FOR MORE INFORMATION:
FEEDBACK: Are there more trials and tribulations to setting up a Linux/open-source security environment than a commercial one?
Send your feedback to the SearchEnterpriseLinux.com news team.