Locking up Linux

By
13 October 2000 03:00 PM
Tags: linux, security, operating system, dos, hole, attack, kernel

Last summer, Linux backers at several companies had some explaining to do after hundreds of DNS servers running Version 5 of Red Hat Inc.'s Red Hat Linux operating system were compromised by hackers launching buffer overflow attacks. Taking advantage of a known vulnerability, mischief makers took charge of those servers, which maintain databases of domain names and their corresponding IP addresses.

Although it was quickly determined that these servers were open to attack because Linux had been installed using default settings (something Red Hat advises against), the incident served to reinforce the impression held by many top IT managers that, because its source code is open and readily available, Linux is not as secure as closed-source operating systems.

Although enterprise support for Linux is growing, such concerns about security could delay use of the operating system for business-critical applications. After all, a security breach could mean the loss of millions of dollars in transactions and, more important, compromise the confidence of customers and partners. While concerned that hackers can poke around Linux source code freely, many IT managers unfamiliar with the operating system say they also worry about being able to find knowledgeable security managers.

However, security experts and IT managers with Linux experience say that, despite incidents such as last summer's DNS (Domain Name System) assault, Linux is no more prone to incursion than a proprietary operating system. In fact, rather than making Linux more vulnerable, they say that the open-source nature of the operating system makes it stronger because it enforces a rigorous peer review process. That means that, even if breaches do occur, patches are readily and freely available, and fixes arrive sooner.

In addition, many large ISVs are beginning to migrate their commercial security products to Linux. As a result, experts say, IT managers moving to Linux should be able to protect themselves from security vulnerabilities by taking such basic steps as training security managers, using the right tools, and keeping up-to-date on the latest security advisories and releases.

"Some people see it as a trade-off when it comes to Linux," said Jimmy Alderson, an analyst with Atlanta-based Meta Security Group Inc. "Because it's open source, it's easier to find places to break in. But on the other hand, it's that much easier to fix. You can come up with a fix or count on thousands of other programmers to come up with one."

Closing the holes

As far as Ron Bialkowski is concerned, there is no trade-off. The vice president of franchise computing in the hotel division of Cendant Corp., in Parsippany, N.J., scoffs at the idea that Linux is unsafe because of its open-source roots.

"The key to using Linux is making sure that you close the holes before people find them," Bialkowski said. "Peer review of the operating system means those holes are caught that much faster."

Bialkowski and his security managers work closely with their Linux vendor, Caldera Systems Inc., and the open-source community by reporting holes when they find them and working on fixes. They also make suggestions to Caldera, of Orem, Utah, on security capabilities they'd like to see in future releases of its software.

"People pore over the code, and it's really a matter of looking good in front of your friends," Alderson said. "Because vulnerabilities are easier to find, that means simple ones aren't going to pop up someplace. When you post something, you've really got several thousands of pairs of eyes judging you."

The eyes have it

Peer review in the open-source world comes down to a matter of pride. When a programmer posts a fix on a popular Linux development site, such as Transmeta Corp.'s www.kernel.org, his or her colleagues examine the changes and often offer their own opinions, or even challenges.

"We were more confident with Linux because it was open source," said Damon Covey, project technical lead at Cendant. "As a result, Linux is virtually virus-free. There are so many people looking at the code that we feel it is just as secure as any proprietary operating system."

Cendant began booking Linux into eight hotel chains, including Ramada and Days Inn, to run its property management system two years ago. Cendant franchises running the Front Clerk hotel management package from Hotel Software Systems Ltd. are equipped with servers running Caldera's OpenLinux Version 1.1. Users access the applications from Windows 95 desktops running a terminal emulation program. The hotel management software runs each hotel's operations and integrates with Cendant's mainframe-based central reservations system.

Cendant cannot afford security breaches to its central reservations system. That's why Bialkowski likes having access to Linux's source code. Covey and Senior Project Manager Jeff Daniels were able to customize the operating system's kernel by removing certain networking components that they didn't need. By doing so, they reduced their vulnerability to outside attacks, Covey said.

Moving target

Experts say that the ability to make changes to the kernel is a strong security selling point when it comes to Linux. By customizing the operating system, security managers can make it that much more difficult to attack their networks. Experts warn users never to load the default installation to run mission-critical applications because default installations are often designed to provide ease of use rather than security.

"Before you put an operating system into production, you have to at least close down the known holes," said Patrick McBride, an analyst with Meta Security Group. "If you can take it one step further by actually making changes to the kernel, you're that much more secure."

Savvy Linux users such as Chris Dos recommend tailoring separately configured servers to fulfill different tasks. Dos, the corporate administrator at KB Holdings Inc.'s KBkids.com site, in Denver, said that if, for example, a company wants a Linux DNS server, it should begin by uninstalling the Web server components and any other software that is not required for DNS management. That way, if a security hole is found in the Web daemon, hackers will not be able to exploit the vulnerability on the DNS server.

Other Linux experts are taking it a step further by rewriting portions of the kernel to enhance security. Matthew Marsh is president of Paktronix Systems LLC, an Omaha, Neb., company that provides Linux-based network security products. Marsh uses his own version of the operating system, which he created by making adjustments to the kernel.

Ongoing assessment and monitoring are also critical to securing Linux. Rather than trying to monitor Linux servers differently from servers running closed-source software, Dos said that good security managers take the same precautions with all servers. He regularly performs port scans for all of his operating systems and applies updated patches.
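Both pieces of advice above, Dos's single-purpose servers with nothing installed beyond what the role needs and his routine port checks, come down to one question: is this host listening on anything its role does not require? The following POSIX shell audit is an added example, not code from the article or from any of the companies it describes. It parses the output of `ss -lntu` and compares it against a per-role allowlist. The role allowlists (DNS needs UDP/TCP 53 plus SSH for administration; web needs 80, 443 and SSH) and the sample `ss` listing are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that a host's role does not justify.
# Real usage:   audit_listeners dns "$(ss -Hlntu)"
# (-H drops the header; on an older box use `ss -lntu | tail -n +2`.)

# Allowlisted "proto:port" pairs per server role. These are assumptions for
# the example; adjust to what the role actually needs.
role_allowlist() {
    case "$1" in
        dns) printf '%s\n' udp:53 tcp:53 tcp:22 ;;
        web) printf '%s\n' tcp:80 tcp:443 tcp:22 ;;
        *)   return 1 ;;
    esac
}

# Read `ss -lntu` lines on stdin, emit one "proto:port" per listening socket.
# ss columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
# The port is whatever follows the last ':' so "0.0.0.0:53", "[::]:53" and
# "*:53" all yield 53.
parse_listeners() {
    awk '{ n = split($5, a, ":"); print $1 ":" a[n] }' | sort -u
}

# audit_listeners ROLE SS_OUTPUT
# Returns 0 when every listener is allowlisted; otherwise prints the
# unexpected "proto:port" entries, one per line, and returns 1.
# Returns 2 for an unknown role.
audit_listeners() {
    role=$1
    listing=$2
    allowed=$(role_allowlist "$role") || { echo "unknown role: $role" >&2; return 2; }
    unexpected=$(printf '%s\n' "$listing" | parse_listeners | while read -r l; do
        if ! printf '%s\n' "$allowed" | grep -qxF "$l"; then
            printf '%s\n' "$l"
        fi
    done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Constructed sample of `ss -Hlntu` output for a DNS host that still has a
# web server and a local MTA running.
SAMPLE_SS='udp   UNCONN 0 0      0.0.0.0:53    0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:53    0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:80    0.0.0.0:*
tcp   LISTEN 0 5      127.0.0.1:25  0.0.0.0:*'

# Stand-alone run: reports tcp:25 and tcp:80 as unexpected on a dns host.
audit_listeners dns "$SAMPLE_SS" || echo "unexpected listeners found on dns host"
```

Anything the audit prints is a daemon to remove or disable, not merely to firewall: a package that is not installed cannot be exploited when its next hole is published. Run it from cron and diff the result against the last run, and it doubles as the "am I still clean" check Dos describes; the listing also gives you the expected results to compare against an external port scan of the same host. The column layout assumed here is that of `ss`; `netstat -lntu` puts the local address in a different column, so the `awk` field would need adjusting.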

"All you have to do is make sure your security is up-to-date," Dos said. "Whether it's [Windows] NT or Linux or Solaris or NetWare, there are always going to be holes found in every operating system. The best practice is to remain on top of it."

Dos purchases his Linux servers from Penguin Computing Inc., of San Francisco. One of the reasons he said he decided to buy from Penguin is the company's willingness to customize products to meet his security requirements. Dos also works with the vendor to improve the security and reliability of Penguin products by suggesting changes and improvements that can be made to the operating system.

Dos uses a version of GNU/Linux running on 20 Penguin servers for a number of purposes throughout his company. He will not reveal what version or distribution he is using, nor will he say what he is using the operating system for. The reason? Security through obscurity.

"If a hacker can identify which operating system you're using, they can narrow down the field of the tools they can use on your systems," Dos said. "For the most part, it doesn't matter what distribution of Linux I'm using because most of the distributions are very concerned about security. What matters is that I'm using the most recent one."

Keeping quiet about which version of Linux you're running can be an important first level of defense, Paktronix's Marsh said, because each distribution of Linux is slightly different. A spreadsheet running on SuSE Inc.'s Linux will look the same as a spreadsheet running on Caldera's OpenLinux, but the versions would invite different plans of attack because of variations in the kernels. Contrast that to a commercial operating system, such as NT, Marsh said. If a hacker were to find a buffer overflow in a version of Office 2000, any machine running the software would be exposed, since it runs the same on every machine.

"When it comes to security, something as little as a variation in the kernel can be the difference between a safe network and one that is knocked out," he said. "But it's wise to secure all of your operating systems the same way. A virus can't do too much, whether it's NT or Linux, if the server is properly administered."

Of course, keeping a determined would-be intruder from breaking into an enterprise network is difficult, no matter what the operating system. Marsh said some of the most popular attacks on Linux systems include buffer overflow attacks, denial-of-service attacks and war dialer scans. These are often random attacks launched using automated tools that jump from system to system looking for holes. And, Marsh is quick to point out, they are also some of the most popular attacks used on proprietary operating systems.

"That hackers will try to attack Linux first because they can look at the source code is the biggest pile of fear, uncertainty and doubt," he said. "Do you think no one will attack you because they can't see the source code?"
