Intrusion detection for Linux a challenge

In this interview, NetIQ managers try to fill in some of the security gaps in Linux and address what keeps administrators up at night.

NEW YORK -- SearchEnterpriseLinux.com's reporters got an earful from exhibitors and visiting experts at last week's LinuxWorld Conference & Expo. We're choosing a few choice words from reporters' notebooks in our "LinuxWorld sound bites" series. In this interview, NetIQ security experts Todd Tucker and Erik Salwen share their customers' concerns about Linux's security shortcomings and NetIQ's Linux security agenda. Tucker is NetIQ senior product manager, vulnerability management products. Salwen is NetIQ Security Event Management Solutions senior product manager.

In your discussions with corporate system and security administrators, what Linux security issues come up most often?

Todd Tucker: They're concerned about ensuring that systems are configured securely, not just the native configuration, but ensuring that the systems are patched up to date. Failures in both areas can lead to various security flaws.

Secondly, they want to monitor their Linux security in real time. In other words, they're finding that intrusion detection in a Linux environment is as challenging as it is for any other environment.

What tools do IT shops use to address those problems?

Erik Salwen: Most of the frustrations that I've heard from administrators have to do with the limited choices that they have for managing their security in their Linux environment. Most security event management [tools] seem slanted toward the Windows environment. Obviously, the focus in the last year has shifted much more onto Linux; but there's some catch-up needed.

Tucker: There are also gaps in software distribution and patch management technologies for Linux. There's only a handful of vendors that extend to those areas of management for Linux. We're not a software distribution or patch management vendor, but it is something that comes up a lot in our discussions with administrators.

So, what particular gaps in security tools for Linux is NetIQ working to fill?

Salwen: The big gaps we're focusing on are intrusion detection and vulnerability assessment. There are tools for Unix and Red Hat Linux, but very few vendors cover SuSE Linux. We do offer, in that regard, vulnerability assessment technologies or products for Linux platforms using an agent-based approach, where we audit the platform essentially from the inside out, looking at the system as if you were an administrator or, in the case of Linux, root on the box. And then the other product offers intrusion detection, host-based intrusion detection for Linux, as well, and does everything from monitoring the log files on Linux and monitoring the file system to looking at file integrity changes on that platform.

What are the troublemakers in security, in terms of software, located in a Linux system?

Salwen: Most of the back doors, or vulnerabilities, are discovered and fixed before the kernel is released. The vulnerabilities happen with the services that are being added on around that and the various distributions.

Tucker: One thing that is fairly unique to the Linux world is the Loadable Kernel Module. There have been back doors created in these loadable kernel modules that are very unique to Linux. These are things that can be loaded into or snapped on top of the kernel, which can make security very difficult to deal with.
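As an added example, not code from the page and not NetIQ's product, the script below shows in Python the two host-based checks the interview touches on: the file-integrity monitoring Salwen describes (baseline a tree, re-scan it after tampering, report what was added, removed or changed) and a first-pass check for the unexpected loadable kernel modules Tucker mentions (parse /proc/modules and compare against an allowlist). The directory tree, the tampering, the allowlist and the /proc/modules text are all constructed inline for the demonstration, and the function names are this example's own.

```python
"""File-integrity and loaded-module checks of the kind a host-based IDS does.

Added example: hypothetical code, not NetIQ's product. The temporary tree,
the tampering, the allowlist and the /proc/modules text are constructed here.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record SHA-256, permission bits and size for every regular file under root.

    Symlinks are not followed: an attacker who can plant a symlink could
    otherwise pull files from outside the tree into the baseline.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):  # followlinks defaults to False
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": _digest(p),
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid bits
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the added, removed and changed paths between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def check_modules(proc_modules_text: str, allowlist: set) -> list:
    """Module names in /proc/modules text that are not on the allowlist.

    Each /proc/modules line starts with the module name, followed by size,
    refcount, dependencies, state and load address. A module that hides
    itself from the kernel's module list will not appear here at all, so
    this is a first pass, not proof that nothing extra is loaded.
    """
    loaded = [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]
    return sorted(set(loaded) - set(allowlist))


def demo() -> dict:
    """Baseline a throwaway tree, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /usr/bin/true\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        before = build_baseline(root)

        # Constructed tampering: a trojaned binary, a new setuid file, a deleted config.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /tmp/backdoor\n")
        (root / "bin" / "sh").write_bytes(b"")
        os.chmod(root / "bin" / "sh", 0o4755)
        (root / "etc" / "passwd").unlink()
        after = build_baseline(root)
        report = compare(before, after)

    # Constructed /proc/modules content; "rogue_mod" stands in for an unexpected module.
    sample = "ext3 120000 1 - Live 0xf8800000\nrogue_mod 16384 0 - Live 0xf8a00000\n"
    report["unexpected_modules"] = check_modules(sample, {"ext3", "e1000"})
    return report


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored and signed somewhere the monitored host cannot rewrite, and the allowlist approach only catches modules that are honest enough to appear in /proc/modules; a kernel-level back door of the kind Tucker describes can unlink itself from that list, which is exactly why a host agent is complemented by checks from outside the box.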
