Enterprise Linux Log:

Security

Aug 5 2009   5:33PM GMT

Researchers boot one million Linux kernels as virtual machines



Posted by: admin
Linux kernel, Virtualization, botnets, HPC, Sandia, Thunderbird supercomputing cluster, Security

In a feat of Linux strength, computer scientists at Sandia National Laboratories in Livermore, Calif., announced that they had run more than a million Linux kernels as virtual machines. Previously, researchers had only been able to run up to 20,000 kernels concurrently. The scientists used virtual machine (VM) technology and its Thunderbird supercomputing cluster for the demonstration.

The aim of the project is to model malicious botnets, which are often difficult to analyze because they are geographically spread all over the world, explains Sandia’s Ron Minnich. The more kernels that can be run at once, said Minnich, the more effective cyber security professionals can be in combating the global botnet problem. “Eventually, we would like to be able to emulate the computer network of a small nation, or even one as large as the United States, in order to virtualize and monitor a cyber attack,” he said.

Running a high volume of VMs on one supercomputer — at a similar scale as a botnet — would allow researchers to see how botnets work and explore ways to stop them in their tracks. “We can get control at a level we never had before,” said Minnich.

Oct 29 2008   8:31PM GMT

Centrify streamlines administrator tasks in mixed environments



Posted by: Caroline Hunter
Security, Microsoft Windows, Linux, HP, authentication, Enterprise applications for Linux, Data center physical infrastructure, Administration, interoperability and integration

On Oct. 21, Mountain View, Calif.-based Centrify Corp. added DirectAuthorize to its suite of products for integrating Active Directory into mixed Linux and Windows environments. DirectAuthorize streamlines user access rights management so that administrators no longer have to configure rights separately on Windows servers and then on non-Windows servers. By consolidating information in a centralized location, DirectAuthorize eliminates redundant rework.

DirectAuthorize arrives as the third member of a line of products created to ease the task of managing mixed environments with Active Directory. The other two products, DirectControl and DirectAudit, perform centralized authentication and auditing.  

“Typically we serve customers who are looking to introduce Linux, Hewlett-Packard, AIX, or Unix into their environments, and also often VMware,” Centrify CEO Tom Kemp said. “In terms of access rights and password management, that ends up being a lot of sticky notes next to your screen.” DirectAuthorize replaces non-Windows systems’ authorization infrastructure with that of Active Directory, which allows admins to move all user authorization information to a central location and to manage it from that location.


Oct 28 2008   7:33PM GMT

SE-Postgres tightens SQL security



Posted by: Caroline Hunter
Security, Linux, PostGreSQL, DataManagement, Administration, interoperability and integration

This post was contributed by Joshua Kramer. For more information about Kramer, go to the EnterpriseLinuxLog About the Editors page.

In the theater of IT operations, security has moved to center stage. Attacks have become more complex, and legislative bodies have passed laws that require data protection. In just the past year, Nevada and Massachusetts introduced legislation requiring that consumer data be protected. 

In 2006, Oracle introduced its Audit Vault, which purported to restrict access to data even from database management administrators. This kind of tool is extremely valuable in the fight against those trying to steal personal information.

In early 2009, another player will offer a similar — and perhaps more secure — way to restrict data access. As part of its yearly feature update, the PostgreSQL group plans to implement a module called SE-Postgres in the database core. This module inherits security rules and contexts from the SELinux rule set of the host OS to control access to tables, individual rows of data and even individual columns. Currently SE-Postgres is available as a patch to the Postgres 8.3 database (for those who don’t mind compiling source code).

This inheritance of rules applies to all facets of SELinux and therefore gives you power beyond simply restricting access by role. When SE-Postgres is configured properly, a client’s SELinux context is propagated to all data it touches. For example, rows inserted by a subject with SystemHigh privileges will carry the Secret label. A query submitted by a subject with user_t privileges will not return rows that have such a label. For the most part, referential integrity is preserved; a table join will fail if one of the objects required in a table is disallowed by SELinux context. There are a few minor exceptions, but those will be closed as the project progresses.
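To make the label propagation described above concrete, here is a small Python model of the behaviour (an added illustration, not SE-Postgres code): rows inherit the label of the subject that inserts them, a SELECT returns only rows whose label the client’s context dominates, and a join is refused when one of the tables involved is itself off-limits. The level ordering, table and subject names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sensitivity ordering for this model, not SE-Postgres's policy.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2}

@dataclass(frozen=True)
class Label:
    """MLS label: a sensitivity level plus a set of compartments."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Read access: level at least as high, superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)

@dataclass
class Table:
    name: str
    label: Label                              # label of the table object
    rows: list = field(default_factory=list)  # (row label, row dict) pairs

class Subject:
    def __init__(self, context, label):       # a client in a security context
        self.context, self.label = context, label

    def insert(self, table, row):
        # Propagation: the new row inherits the inserting subject's label.
        table.rows.append((self.label, row))

    def select(self, table):
        # The table object must be readable from this context, and rows
        # whose label the subject does not dominate are filtered out.
        if not self.label.dominates(table.label):
            raise PermissionError(f"{self.context}: {table.name} denied")
        return [row for lbl, row in table.rows if self.label.dominates(lbl)]

    def join(self, left, right, key):
        # Fails outright if either table object is disallowed; otherwise
        # only rows visible to this subject in both tables are paired.
        lrows, rrows = self.select(left), self.select(right)
        return [{**a, **b} for a in lrows for b in rrows if a[key] == b[key]]

def demo():
    """Replays the post's scenario and returns what each subject can see."""
    secret, unclass = Label("Secret"), Label("Unclassified")
    patients, visits = Table("patients", unclass), Table("visits", unclass)
    audit = Table("audit", secret)            # whole table is Secret-only
    system_high = Subject("SystemHigh", secret)
    user_t = Subject("user_t", unclass)
    user_t.insert(patients, {"id": 1, "name": "public record"})
    system_high.insert(patients, {"id": 2, "name": "classified record"})
    user_t.insert(visits, {"id": 1, "when": "2008-10-01"})
    system_high.insert(audit, {"id": 2, "note": "sensitive"})
    out = {
        "user_t_sees": [r["name"] for r in user_t.select(patients)],
        "system_high_sees": [r["name"] for r in system_high.select(patients)],
        "user_t_join_rows": len(user_t.join(patients, visits, "id")),
    }
    try:                                      # join touching a denied table
        user_t.join(patients, audit, "id")
        out["user_t_audit_join"] = "allowed"
    except PermissionError:
        out["user_t_audit_join"] = "denied"
    return out
```

Running demo() shows user_t seeing only the unclassified row, SystemHigh seeing both, and the join against the Secret-labelled table being refused for user_t.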


Oct 24 2008   7:19PM GMT

Whirlwind Tech Tour explores remote administration tools



Posted by: Caroline Hunter
disaster recovery, Security, Linux, Enterprise applications for Linux, Administration, interoperability and integration

This week, SearchEnterpriseLinux.com launched its Whirlwind Tech Tour, a new site feature in which we ask Linux professionals a weekly question and post their answers side by side. This week we asked about remote server administration. Done correctly, remote server administration enables companies to distribute resources and prepare for disaster recovery. It also requires a strong toolset to perform these roles well.  

Which tool is best for remote server administration in a Linux environment, and why?

Jay Lyman, an open source analyst at Boulder, Colo.-based 451 Group, recommends the GPL-licensed Virtual Network Computing (VNC) system for its user-friendly graphical interface. This tool works with Open Secure Shell (OpenSSH) to perform tunneling, a method to establish secure connections between local and remote networks. OpenSSH itself received several mentions in our IT pros’ responses.

As Kristian Erik Hermansen noted, the tool does more than tunnel. Hermansen’s description of OpenSSH’s capabilities: It can “forward graphical applications to remote machines, create a series of tunnels, redirect traffic over a SOCKS proxy, and perform way too many other features to mention.”  

Serge Wroclawski expected SSH to be at the top of respondents’ lists but suggested they trade it in for more automated remote administration tools. He advises managing remote server configuration with tools such as bcfg2 and Puppet. 

“Remote server management is a multidimensional problem, and managing the Linux OS is only a part of it,” said Ideas International Inc. CEO Tony Iams. Iams outlined several considerations in approaching this problem, but concluded that “perhaps the most important factor in choosing a remote Linux management tool…is to make sure it integrates smoothly into the dominant management tools and procedures that are already in place.”

Do you have a question you’d like to see asked and answered? Email it to editor at searchenterpriselinux.com. To see the complete responses from our IT pros, go to the feature main page.



Oct 7 2008   3:53PM GMT

Trusted Computer Solutions shores up security methods with CounterStorm



Posted by: Caroline Hunter
Security, Linux, compliance, Enterprise applications for Linux

As threats become less predictable and more targeted, security technologies have shored up their methods and devised additional precautions to secure company systems. With its acquisition of CounterStorm, a government-run security software company, Trusted Computer Solutions (TCS) has done just that. CounterStorm adds to TCS’ existing security protection process built into TCS’ Security Blanket. Security Blanket hardens and creates a baseline for a system, and CounterStorm acts as a vigilant guard to maintain these measures.

“Ten years ago, most attacks were random,” said Ed Hammersla, the chief operating officer at TCS. “Now we are seeing attackers who have a focused knowledge of their victims. CounterStorm acts as a last line of defense in an environment in which more serious, targeted attacks … have become prevalent.”

Security Blanket first runs a security compliance profile on a system, automatically brings it into compliance with specified security standards and monitors the system for possible breaches.

CounterStorm strengthens the lockdown process with yet another measure: anomaly-based targeted threat prevention that observes a system’s typical behavior, scans for deviations and isolates and attacks these anomalies. With this approach to abnormalities, CounterStorm makes server scanning and issue resolution easier for admins. “It is much easier and less costly to fix 100 servers than it is to fix 1,000,” said Hammersla.

With the acquisition, TCS expands further into commercial applications for its security tools. Hammersla said that while government and the private sector have different security needs, an unsecured system can result in damage to either. “Government and commercial software security administrators have different concerns,” Hammersla said, “but face the same consequences.”

“Hospitals, for example, are not particularly anxious about their networks being infiltrated by China, but the government certainly is,” Hammersla said. “However, over time, I think that we will see more and more of the commercial and government compliancy standards merging.”


Sep 16 2008   7:06PM GMT

Sourcefire strengthens virtualization security with RNA



Posted by: Caroline Hunter
Security, Linux, Virtualization, VMware, Hardware issues

As attacks upon software systems become more sophisticated, it is crucial to adapt security measures to emerging threats. Virtualization is presently one of the most exciting technologies in the enterprise, but also among the most vulnerable.

At VMworld, Sourcefire, the security company that brought Snort to the market, has introduced a new product offering through its Sourcefire 3D. Most important, the release improves Real-time Network Awareness (RNA), a feature able to monitor both hardware and virtual environments.

First, RNA enables administrators to tailor the software to their compliance and policy requirements; the VM Detection feature combats the problem of VM sprawl by detecting all virtual machines and making them visible.

RNA is now supported by VMware’s support services, Technology Alliance Partner (TAP) program and VMsafe. VMsafe includes an application program interface (API), which enables other security applications to monitor for and catch intrusions that RNA cannot see.

RNA saves enterprise resources by identifying threats as they occur by continuously collecting information about virtual machine activity at the surface level of a virtual environment. Other security tools collect such data only during the day, allowing intruders greater opportunity to inflict harm on the system.


Sep 2 2008   2:19PM GMT

SELinux now enabled in AppArmor’s openSUSE



Posted by: Caroline Hunter
Security, Linux, Enterprise applications for Linux, Administration, interoperability and integration, Open source applications, SELinux, Interviews

On Friday, Aug. 22, openSUSE announced that its newest version, 11.1, will support Security Enhanced Linux, or SELinux. Novell’s security tools, AppArmor and SELinux, have traditionally been considered intense rivals. In this interview, openSUSE’s Andreas Jaeger, Roman Drahtmüller and Matthias Eckermann discuss openSUSE’s support of SELinux.

OpenSUSE now has basic enablement with SELinux. That’s great for SELinux users now, but will openSUSE be able to integrate new patches for SELinux?

Andreas Jaeger: openSUSE is developed with a community approach; we are proud to have opened the openSUSE build service to the community, with the option to develop and package open source software cross-distribution.

As SELinux is a cross-distribution effort, we encourage members of the SELinux community to participate in the openSUSE build service: to develop, test-drive and integrate new user land patches and tools into openSUSE and other distributions using our cross-distribution service. This way, all distributions running with SELinux enabled in the Linux kernel will benefit.

Is support of SELinux indicative of a larger industry trend toward interoperability?

Roman Drahtmüller: Novell observes a tendency in the industry to increase the security value of a system by introducing additional controls beyond the scope of the application. This means the application is exposed to these controls but cannot change them.

In moving from AppArmor to SELinux, does a company sacrifice compliance benefits?

Drahtmüller: AppArmor profiles for application containment and confinement are comparatively easy to manage throughout an infrastructure. Creating them is a distinct, low-pain checkmark item. The same applies to evaluating log messages that record possible violation attempts against protected system services.

For customers, the transition to SELinux may need a change in thinking and architecture, but also allows for the definition of a complete policy in a system. It helps to disallow actions that are not subject to a defined policy. There are environments that require such a functionality — regardless of the cost associated with it — for compliance reasons.

We anticipate that customers with these requirements will aim for a SUSE Linux Enterprise operating system, as it targets the special needs of customers working in compliance-bound environments.

Security tools have created a tradeoff between capability (SELinux) and usability (AppArmor). Is Novell’s approach to this tradeoff changing with its basic enablement of SELinux?

Matthias Eckermann: As in earlier releases of our product, openSUSE 11.1 reflects our belief in the value of additional security mechanisms in the operating system. The benefit of such mechanisms is maximized if the configuration and administration is as transparent, straightforward and as easy as possible for administrators.

Security needs that aim toward mandatory access control, mandatory integrity control or even multi-level security require a suitable architecture. With the basic SELinux enablement, we will allow our partners and customers to use such an architecture to implement solutions that fulfill their specific needs.

Nevertheless, we want our users to be able to choose their own priorities between administrative effort and functional benefit.

What do you think? Leave a comment below or contact chunter@techtarget.com.



Aug 27 2008   8:21PM GMT

Red Hat tight-lipped on breach, but risk appears small



Posted by: Pam Derringer
Security, Linux, DataCenter, authentication, Red Hat, Open source applications, TechTarget Blogs

Red Hat Inc. has declined to provide additional details on last week’s security breach on some Fedora servers that were illegally accessed. Although Red Hat said it did not believe that the package-signing key used to gain access to Fedora operating systems was compromised, the Raleigh, N.C.-based company issued a new Fedora signing key as a precaution. Fedora is Red Hat’s free operating system where innovations are introduced and tested before they are incorporated into production-ready Red Hat Enterprise Linux (RHEL).

Related to the Fedora intrusion, Red Hat also announced a breach into a few Open Secure Shell (SSH) security encryption packages for some versions of RHEL 4 and RHEL 5 that are not under the umbrella of a Red Hat network management system. As a precaution, Red Hat issued an updated version of the affected RHEL Open SSH security packages.

No big deal? 
Reaction to the breach is muted at best.

Joe Clabby, a principal at Falmouth, Maine-based Clabby Analytics, said that a new signing key install “could be a real hassle” for a large install base without an automated deployment system, but he didn’t think it was a huge problem. “It’s good they found it and made it public so people can fix it and life goes on,” he said.

Charles King, a principal analyst at Hayward, Calif.-based Pund-IT Inc., agreed.

A security breach is “always disquieting,” he noted, but this one is probably of lesser impact, because most data centers do not run Red Hat exclusively. In one sense, the breach could be viewed as an indicator of Red Hat’s growing success. Hackers generally target only commercially successful distros, King said.

Well-known tech blogger Jason Perlow said that the breach is “standard stuff” that will be remedied quickly because the entire open source community will become engaged in developing a remedy, versus a breach with a proprietary vendor, which could take months to solve the problem.

I suspect that most large Red Hat installs run RHEL rather than Fedora, thus reducing the probable risk to businesses. Nevertheless, as an admittedly impatient journalist wired to ask questions and expect answers, Red Hat’s failure to be more forthcoming about the extent of the breach and the potential impact is disappointing. Users aren’t well served by a limited statement and a wall of silence.


Aug 14 2008   6:07PM GMT

Cisco router too costly? Vyatta wants to help



Posted by: Pam Derringer
Networking, Security, TechTarget Blogs, Hardware issues, Open source applications

Vyatta Inc., the startup with attitude vying to take on the mighty Cisco Systems Inc., is seeking to expand its toehold in the networking market with the introduction of a larger router and security networking appliance — and at a fraction of the cost of comparable Cisco gear.

The Belmont, Calif., company, which describes its customers as smarter and better looking than those of its giant competitor in its press releases, debuted its 2501 appliance last week at LinuxWorld Conference & Expo. The 2501 has nearly twice the horsepower (1.8 GHz versus 1 GHz) and more expansion slots than its 514 predecessor, which was introduced last March.

Although Cisco has overwhelming market share, Vyatta’s pitch is its eye-popping price advantage (it’s about a tenth of Cisco’s cost). In addition, the functionality of Vyatta’s router is in software, which is easy to upgrade, versus Cisco’s proprietary hardware boxes, which can only be upgraded via replacement.

Rob Whiteley, the principal analyst at Forrester Research Inc. in Cambridge, Mass., said the new router is better and more powerful than its predecessor and would enable Vyatta to go after more than the low-hanging fruit of small companies and branch offices.

The 2501, in contrast, has the additional processing power and throughput required for medium to large networks and could function as a link to a wide area network (WAN) or a security appliance.

Vyatta will never be large enough to meet all of most companies’ needs, Whiteley said. But the growing acceptance of open source products and the current budget-shrinking economy should help Vyatta’s cause, he said. Ultimately, Vyatta’s success will depend on its ability to offer additional services along with its routers, he said.


Aug 14 2008   1:53PM GMT

Surveillance tools beat hidden malware at its own game



Posted by: Caroline Hunter
Security, Linux, DataCenter, Systems Management, Administration, interoperability and integration

Just as surveillance tools have flourished in the physical world because they can monitor systems in hiding – think nanny cam – such seemingly invisible monitoring systems have flourished in the digital domain.

Rootkits, a form of malware designed to take control of a system without the authorization or knowledge of an administrator, can wreak havoc on a system and compromise everything it does by infecting code, nestling within it and becoming the malevolent phantom of an OS.

If security plays second fiddle to other system administration duties, your system may be just as much at risk as if you didn’t monitor it at all. But a new crop of rootkit detection tools is designed to detect these malware breaches and, in some cases, beat malware at its own game.

Products such as F-Secure Blacklight and OSSEC help protect system information from being used against you by making it inaccessible to nonadministrators. Unlike traditional antivirus scanners, these tools examine the system at a deep level to detect active rootkits and root them out. Tools like Blacklight also tout themselves as user-friendly and nontechnical.

The new security tool ProcL goes a step further by hiding information about which version of software a system uses. As a result, malware attempting to gain system access cannot tell whether the system has software from 2008 or 1988 and will likely move on to an easier target.

For more on ProcL, see the Scanit website. And to check out an advanced security “hiding” tactic involving virtualization, click here.