News
News
3/3/2005
02:29 PM
Connect Directly
RSS
E-Mail
50%
50%

Linux Security Rough Around The Edges, But Improving

SELinux from the NSA offers more security tools but also more complexity, which will likely slow its adoption

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They won over the Linux developer community with the changes. But its success depends on the adoption by U.S. companies and government agencies, something that remains very much in doubt.

For more than a decade, the National Security Agency has worked on a way to use a computer's operating-systems to control where software applications and their users can access data within IT environments. The agency succeeded years ago in creating such "mandatory access control" features for specialized operating systems, but very few users had the access or inclination to deploy them. Taking a gamble in 2000 on the emerging Linux operating system, NSA started applying its security approach to the open-source code. The result is its Security Enhanced Linux technology, which it hopes can raise the nation's overall level of cybersecurity.

"Quality of (software) code is crucial to the security of this nation," Dickie George, technical director of NSA's Information Assurance Directorate, said Thursday at an SELinux symposium. George added that the directorate's mission is to research and develop the technology and processes that industry can use to protect itself, and critical U.S. infrastructure, from cyberattacks.

NSA's faith in Linux is being rewarded in the Linux development community, at least. SELinux's mandatory access-control capabilities were included in version 2.6 of the kernel. With the mandatory access control, a Linux system can be partitioned into separate domains that contain any damage that viruses might cause.

Debian, Novell, and Red Hat, three major distributors of the Linux operating system, only have recently released their own packages built on version 2.6 that allow customers to take advantage of some SELinux features. Red Hat and Novell differ markedly, however, in their perception of SELinux's usefulness today.

Red Hat is encouraging users to try SELinux capabilities, even though writing SELinux security policies in the current version is complex. Red Hat's mid-February release of Red Hat Enterprise Linux 4—based upon the SELinux-friendly version 2.6 kernel—is an attempt to marry high-level security features with the basic operating system, says Donald Fischer, senior product manager for Red Hat Enterprise Linux. Red Hat users can use the Gnome 2.8 desktop included with Red Hat Enterprise Linux 4 to do limited configuration of SELinux.

Novell, however, believes SELinux is still too complicated for most users to implement. "It's not the technology itself [that's] the problem, but that it cannot be used to the full extent," says Chris Schlaeger, Novell's VP of research and development, adding that users need an easier way to describe their security needs, upon which the system could then execute. "It's a lot of work to do this today using SELinux," Schlaeger says.

Schlaeger acknowledges SELinux is an advancement in operating system-level security. "Novell isn't saying that SELinux is bad, but rather that more needs to be done," he says. For one, security must take into consideration more than operating-system-level security, he says. With application-level security, for example, companies can let the apps running on their servers perform tasks while preventing them from affecting other applications.

Still, support for the 2.6 Linux kernel by Linux's two most prominent providers, Red Hat and Novell, almost certainly will spread knowledge of SELinux. That will cast a spotlight on the technology's shortcomings, and likely lead to improvements that ultimately eliminate the need for companies users to seek out highly secure, highly specialized operating systems.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.