Positive Security: Worth The Work?

Buy Your Way Safe?

(Page 2 of 2) September 20, 2008 12:00 AM (From the September 22, 2008 issue)

BUY YOUR WAY SAFE?
Currently, IT departments have three options: They can wait for products from major antivirus players--which are in various stages of integrating positive security; they can purchase stand-alone software with a specific focus; or they can build their own. For many scenarios, positive security requires only the tools built in to commodity operating systems.

Implementing a positive security model on Linux also is easier than you might expect. The most popular mechanism is via the SELinux and AppArmor projects. The latest releases of Ubuntu, Debian, Fedora, and OpenSUSE all support one or the other right out of the box. SELinux and AppArmor offer different mechanisms for implementing MAC, and supporters extol the virtues of each. The deciding factor for most environments will be which is the default in their distribution of choice. Both are more than capable of implementing either a pure application whitelist or additional MAC security features.

The protection offered by broadly deploying one of these projects comes at increased management cost; developing appropriate whitelist policies is a time-consuming process at best, and in locations without strong change controls and with large numbers of base configurations, it might be untenable. Single-function servers (think DNS, DHCP, SMTP) are most easily profiled and protected, and should be the first targets for AppArmor or SELinux.

Windows XP has fewer built-in features for positive security than recent Linux distributions, but XP does provide mechanisms for stronger access control. For example, NTFS offers more granular control over files compared with traditional Unix permissions, and Software Restriction Policies) can enable a default-deny policy for running binaries or libraries. Exceptions may be specified by path, which is less secure; by MD5 hashes; or by specifying approved application publisher digital certificates.

Adding on to these base features from XP, Vista offers Mandatory Integrity Control. This feature underpins the new Protected Mode in Internet Explorer.

With Mac OS X Leopard, Apple introduced mandatory access control features based on the TrustedBSD MAC framework. Unfortunately, we've found the initial deployment better suited for internal testing than for any serious use. Most of the important modules from the original TrustedBSD design are missing, and the policies included for built-in applications are minimal, at best.

Still, the framework has been put in place, and hopefully, future releases will apply more powerful policies, and the interface itself will be made public to third-party developers.

LOOKING FORWARD
It won't happen overnight, but positive models will play a prominent role in the future of information security. While initial efforts to enumerate positive security models--whether for application behavior or approved applications--meant higher costs, the budget hit will decrease as more products aim to ease the process. In addition, the failure of negative security methods will continue to drive IT groups to demand more robust tools to protect their networks.

And the benefits of positive models go beyond just security. Controlling what software can run on workstations can effectively enforce a wide variety of IT policies. It's time to think positive.