News
News
3/3/2005
02:29 PM
50%
50%

Linux Security Rough Around The Edges, But Improving

SELinux from the NSA offers more security tools but also more complexity, which will likely slow its adoption

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They won over the Linux developer community with the changes. But its success depends on the adoption by U.S. companies and government agencies, something that remains very much in doubt.

For more than a decade, the National Security Agency has worked on a way to use a computer's operating-systems to control where software applications and their users can access data within IT environments. The agency succeeded years ago in creating such "mandatory access control" features for specialized operating systems, but very few users had the access or inclination to deploy them. Taking a gamble in 2000 on the emerging Linux operating system, NSA started applying its security approach to the open-source code. The result is its Security Enhanced Linux technology, which it hopes can raise the nation's overall level of cybersecurity.

"Quality of (software) code is crucial to the security of this nation," Dickie George, technical director of NSA's Information Assurance Directorate, said Thursday at an SELinux symposium. George added that the directorate's mission is to research and develop the technology and processes that industry can use to protect itself, and critical U.S. infrastructure, from cyberattacks.

NSA's faith in Linux is being rewarded in the Linux development community, at least. SELinux's mandatory access-control capabilities were included in version 2.6 of the kernel. With the mandatory access control, a Linux system can be partitioned into separate domains that contain any damage that viruses might cause.

Debian, Novell, and Red Hat, three major distributors of the Linux operating system, only have recently released their own packages built on version 2.6 that allow customers to take advantage of some SELinux features. Red Hat and Novell differ markedly, however, in their perception of SELinux's usefulness today.

Red Hat is encouraging users to try SELinux capabilities, even though writing SELinux security policies in the current version is complex. Red Hat's mid-February release of Red Hat Enterprise Linux 4—based upon the SELinux-friendly version 2.6 kernel—is an attempt to marry high-level security features with the basic operating system, says Donald Fischer, senior product manager for Red Hat Enterprise Linux. Red Hat users can use the Gnome 2.8 desktop included with Red Hat Enterprise Linux 4 to do limited configuration of SELinux.

Novell, however, believes SELinux is still too complicated for most users to implement. "It's not the technology itself [that's] the problem, but that it cannot be used to the full extent," says Chris Schlaeger, Novell's VP of research and development, adding that users need an easier way to describe their security needs, upon which the system could then execute. "It's a lot of work to do this today using SELinux," Schlaeger says.

Schlaeger acknowledges SELinux is an advancement in operating system-level security. "Novell isn't saying that SELinux is bad, but rather that more needs to be done," he says. For one, security must take into consideration more than operating-system-level security, he says. With application-level security, for example, companies can let the apps running on their servers perform tasks while preventing them from affecting other applications.

Still, support for the 2.6 Linux kernel by Linux's two most prominent providers, Red Hat and Novell, almost certainly will spread knowledge of SELinux. That will cast a spotlight on the technology's shortcomings, and likely lead to improvements that ultimately eliminate the need for companies users to seek out highly secure, highly specialized operating systems.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.