AppArmor Secures SuSE
Novell secures SLES 10 with AppArmor, a brilliantly easy-to-use application-level intrusion-prevention system. AppArmor has many features found in Security Enhanced Linux, but is far simpler to use. Unlike with SELinux, Novell's distribution lets you create profiles with a few clicks. Windows has no comparable built-in protection; you'd need to buy, install and administer a separate host IPS to get this level of security.
AppArmor protects the server by giving specific programs access to designated resources only. Programs can be granted access to files and directories, and they can be given specific capabilities such as "chroot" (to change the root directory) and "reboot." Programs also can inherit permissions from other programs. Even if an exploited program is running as root, the attacker gains access to only those resources assigned to the exploited program, rather than the whole system.
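The confinement described above, written out as an AppArmor profile. This is an added illustration, not taken from the review or from Novell's shipped profiles; the daemon /usr/sbin/exampled and every path under it are hypothetical.

```apparmor
# Hypothetical profile for an imaginary daemon, /usr/sbin/exampled.
# Anything not listed here is denied, even if the process runs as root.
#include <tunables/global>

/usr/sbin/exampled {
  # Shared rules most programs need (libc, locale data, /dev/null and so on).
  #include <abstractions/base>

  # Capabilities: only what the daemon needs.
  capability sys_chroot,        # the "chroot" capability the article mentions
  capability net_bind_service,  # bind to a port below 1024
  capability setuid,            # drop from root to an unprivileged user
  capability setgid,
  # The article's "reboot" corresponds to the sys_boot capability.
  # It is deliberately not granted, so a compromised exampled cannot reboot the host.

  # Files and directories: r = read, w = write.
  /etc/exampled.conf        r,
  /srv/exampled/**          r,   # content tree, read-only
  /var/log/exampled/*.log   w,
  /var/run/exampled.pid     rw,

  # Inheritance: "ix" runs the helper under this same profile,
  # so the child gets exactly these permissions and nothing more.
  /usr/lib/exampled/helper  ix,
}
```

Because /etc/shadow, other users' home directories and the rest of the filesystem appear nowhere in the profile, an attacker who takes over this process cannot open them, whatever user ID the process holds.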
SLES 10 also comes with a firewall and a System Update feature much like Windows' AutoUpdate--and it's just as easy to run. The program can be configured to automatically check for, download and install updates and patches. Unfortunately, Novell only allows updates to be downloaded for as long as your license is valid--and, in fact, Novell would not let us test the feature on our review copy. Microsoft allows all systems to be patched (albeit grudgingly). To be secure, everyone must be secure.
Though SUSE does not allow users with expired licenses to use this feature, users can patch their systems through other means, such as downloading patches from Apache's Web site or kernel patches from kernel.org.
SLES 10's firewall has everything blocked by default. Some 28 preconfigured services can be enabled, including HTTP, HTTPS, LDAP and IMAP. Though the firewall is only slightly more useful than port blocking in Windows, it's enough, considering the rest of the security provided. Besides, a full-featured firewall on a basic server inside the network would be overkill.
Ben DuPont is a systems engineer for WPS Resources in Green Bay, Wis. He specializes in software development.