Linux Security Rough Around The Edges, But Improving
SELinux from the NSA offers more security tools but also more complexity, which will likely slow its adoption
The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They won over the Linux developer community with the changes. But its success depends on the adoption by U.S. companies and government agencies, something that remains very much in doubt.
For more than a decade, the National Security Agency has worked on a way to use a computer's operating-systems to control where software applications and their users can access data within IT environments. The agency succeeded years ago in creating such "mandatory access control" features for specialized operating systems, but very few users had the access or inclination to deploy them. Taking a gamble in 2000 on the emerging Linux operating system, NSA started applying its security approach to the open-source code. The result is its Security Enhanced Linux technology, which it hopes can raise the nation's overall level of cybersecurity.
"Quality of (software) code is crucial to the security of this nation," Dickie George, technical director of NSA's Information Assurance Directorate, said Thursday at an SELinux symposium. George added that the directorate's mission is to research and develop the technology and processes that industry can use to protect itself, and critical U.S. infrastructure, from cyberattacks.
NSA's faith in Linux is being rewarded in the Linux development community, at least. SELinux's mandatory access-control capabilities were included in version 2.6 of the kernel. With the mandatory access control, a Linux system can be partitioned into separate domains that contain any damage that viruses might cause.
Debian, Novell, and Red Hat, three major distributors of the Linux operating system, only have recently released their own packages built on version 2.6 that allow customers to take advantage of some SELinux features. Red Hat and Novell differ markedly, however, in their perception of SELinux's usefulness today.
Red Hat is encouraging users to try SELinux capabilities, even though writing SELinux security policies in the current version is complex. Red Hat's mid-February release of Red Hat Enterprise Linux 4—based upon the SELinux-friendly version 2.6 kernel—is an attempt to marry high-level security features with the basic operating system, says Donald Fischer, senior product manager for Red Hat Enterprise Linux. Red Hat users can use the Gnome 2.8 desktop included with Red Hat Enterprise Linux 4 to do limited configuration of SELinux.
Novell, however, believes SELinux is still too complicated for most users to implement. "It's not the technology itself [that's] the problem, but that it cannot be used to the full extent," says Chris Schlaeger, Novell's VP of research and development, adding that users need an easier way to describe their security needs, upon which the system could then execute. "It's a lot of work to do this today using SELinux," Schlaeger says.
Schlaeger acknowledges SELinux is an advancement in operating system-level security. "Novell isn't saying that SELinux is bad, but rather that more needs to be done," he says. For one, security must take into consideration more than operating-system-level security, he says. With application-level security, for example, companies can let the apps running on their servers perform tasks while preventing them from affecting other applications.
Still, support for the 2.6 Linux kernel by Linux's two most prominent providers, Red Hat and Novell, almost certainly will spread knowledge of SELinux. That will cast a spotlight on the technology's shortcomings, and likely lead to improvements that ultimately eliminate the need for companies users to seek out highly secure, highly specialized operating systems.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.