The State of Linux Security (Towards Trusted Linux) - Carahsoft

Dec 16, 2012
The State of Linux Security
(Towards Trusted Linux)
Doc Shankar
IBM Federal Strategy/Architecture
dshankar@us.ibm.com
Key Messages
•Secure solutions have been built using open source software
•Open source community has invested heavily in Linux security
•IBM has provided security leadership in a number of key areas
* Certifications (across all eServers)
* Audit capability
* MLS capability
* Trusted Computing
* Encrypted File Systems
* UK Govt. SELinux Deployment
•IBM first to show open source can be certified
•IBM has sponsored 8 Linux evaluations
•IBM has open sourced evaluation evidence
•MLS/LSPP Compliance of a mainstream OS (RHEL 5)
•IBM is leading the open source effort to add MLS to Linux
•Linux builds on the rock-solid security tradition of Unix
•Diversity inoculates against class breaks
•IBM is committed to elevating Linux as a secure operating system
•IBM/RH/TCS partnership to provide CD & MLS solutions
Linux Security Options
Password
Open SSH/SSL
Kerberos
PKI
Smart Card
Token
CAPP/EAL4+
Certificate
openCryptoki
PAM
Bastille
VPN
IPSEC
AppArmor
LSM
Open SSL
MLS
TCP Wrapper
Hardening
ClamAV
Open LDAP
iptables
Physical Access
Astaro
Snort
H/W Crypto
Nessus
Tripwire
SELinux
DAC
MAC
Hook Verification
RSBAC
LIDS
TrouSerS
eCryptfs
Trusted Computing
noexecstack
PIE
IPsec
Enterprise Security Problem
[Diagram labels. Network zones: Core Network, Perimeter Network, Access Network. Platforms: S/390®, AS/400®, UNIX, NT. Parties: Customers, Suppliers, Distributors, Mobile Employees, Business Partners. Functions: Security Management, Certificate Authority, Firewall, Mission-Critical Servers, PC Security, Active Content, VPN, Single Sign-on, Backup Restore, Intrusion Detection, Security Auditing, E-Mail Filtering, Web Servers, Proxy-Server, Workload Management, Internet Access, PC Anti-Virus, Merchant Server]
Open Source Security Solutions*
•Core Network
–Single Sign On: OpenLDAP
–Authentication: MIT Kerberos, Heimdal
–Web Server: SSL + Apache
–File/Print Sharing: Samba, NFS
–Certificate Authority: CertCA
–Database: SSL + PostgreSQL, MySQL
–Hardware Encryption: OpenCryptoki
•Access Network
–VPN: IPSec
–Anti-virus: ClamAV
–Web browser: Firefox, Konqueror
–Email client: Evolution, Thunderbird, Mutt
–Communication: OpenSSH, OpenSSL
–Hardening: Bastille
–Data Integrity: Tripwire, AIDE
•Perimeter Network
–Intrusion Detection: Snort, LIDS
–Security Auditing: GNessus
–Email Filtering: SpamAssassin
–Firewall: IPTables
–Proxy: Squid
* hardly a comprehensive list
Open Source Linux Security Initiatives
•Security Certification*
–Common Criteria
–EAL2+ achieved*
–CAPP/EAL3+ achieved*
–CAPP/EAL4+ achieved*
–Working LSPP/EAL4+*
•Crypto*
–OpenCryptoki*
–HW crypto acceleration*
–FIPS 140-2**
•Trusted Computing*
–TCG's TPM/TSS Implementation*
•Networking Security**
–OpenSSL**
–OpenSSH
–IPSec**
•Base Security**
–LSM**
–Audit*
–Kerberos
–PKI
•Applications Security**
–Encrypted File System*
–Firewall
–Antivirus
–IDS**
–Security Scanners
–Position Independent Executables
–Exec Shield
•Mandatory Security**
–SELinux**
–MLS**
•Secure Configuration**
–Bastille**
•Vulnerability reduction/reporting**
•Secure Programming**
–BogoSec
•Verification Tools*
–Vali*
–Gokyo*
–UT tool**
* IBM Leading ** IBM Participating
Why should you trust Linux?
•Until 2003, many people believed that Linux would not be able to get CC certified
•Now, four years later, no other operating system has got more Common Criteria certificates than Linux®
–Two distributions (Novell SUSE and Red Hat)
–Two different kernel versions (2.4 and 2.6)
–Many different hardware platforms
•IBM® Pentium, XEON, and Opteron systems
•IBM pSeries®, iSeries™, and zSeries® systems
•HP Pentium, XEON, and Itanium systems
•SGI Itanium systems
–Two certifying agencies (BSI & NIAP)
–Assurance levels up to EAL4 augmented by ALC_FLR.3
LSPP Community
•A true open source effort - challenging
•IBM sponsors a weekly teleconference (open telecon)
–60+ participants from 14+ organizations on the invitation
•IBM, Red Hat, NSA, @sec, HP, TCS, Tresys, OSDL, and PSU + various individuals
–All development takes place on open mailing lists
•Development goes upstream and is collected in rawhide
–Fedora Rawhide provides daily builds
–Red Hat hosts test kernels for features pending kernel maintainer acceptance
•Real users provide feedback during development
•Schedule
–In Evaluation (09/05)
–Development Complete (03/07)
–Certification Complete (06/07)
Conclusion
•Linux has much to offer in terms of security
•Linux has a bright future ahead
•IBM is committed to elevating Linux as a secure operating system of choice in today’s eBusiness
•IBM can maximize the resiliency and security of Linux environments through the use of management tools
•IBM is committed to providing MLS & cross domain solutions on Linux