Saturday, April 16, 2011

Linux Advanced Security For Noobs

If you are developing an operating system, what are some of the features you would include? Obviously you would want stability, easy-to-use features, and tools that the average user can use to make their experience easier. What about security? Typically the average user doesn’t worry too much about security. What if you’re not the average user? What if you want to go above and beyond the features that a “Windows” based operating system gives you? What if you want to run some kind of server? If you want to go above and beyond what Windows can offer you, Linux may be your answer. Linux offers many enhanced security features, including Security Enhanced Linux (SELinux), chroot jails, and iptables.
           
SELinux was created by the National Security Agency and released to the open source development community on December 22nd, 2000. It was created as a set of patches to the Linux kernel that incorporate a strong, flexible mandatory access control architecture into the major subsystems of the kernel. This work was not intended as a complete security solution; it is an example of how mandatory access controls, which can confine the actions of any process, including an administrator’s process, can be added to a system.
           
SELinux works by placing hooks at strategic points within the core kernel where security decisions are required. These hooks allow SELinux to request extended access control decisions, which are usually made between a process and an object for a specific permission. These mechanisms provide flexible support for a wide range of security policies and make it possible to configure the system to meet a wide range of security requirements. You can use SELinux to completely lock down a system, which comes in very handy if you happen to be running a server of some sort. The default action is to deny: if no specific policy rule exists to allow an access, that access is denied. The policy rules can be changed not only from the terminal but also from the GUI. SELinux Booleans enable customization of the SELinux policy; for example, a Boolean controls whether the Apache web server may run CGI scripts. Overall SELinux provides extremely valuable security features that allow the advanced user to almost completely lock down their system.
            
Another advanced security feature in the Linux world is iptables. iptables is a command line program for configuring a packet filtering rule set: with it you can list the contents of the rule set and add, remove, or modify rules in the packet filter. What does this mean? Let’s delve a little deeper and see what we can find. In Fedora, firewall rules are only active if the iptables service is running. A packet filtering firewall inspects each data packet that passes through it, and the rules it applies are completely customizable through the iptables front-end utility. iptables controls the powerful Netfilter subsystem in the kernel, which provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management.
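Here is a rule set of the kind the paragraph describes, as an added example that is not from the original post: a stateful filter for the host plus NAT masquerading for an internal LAN. The interface names eth0/eth1 and the network 192.168.1.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Stateful packet filtering plus IP masquerading with iptables.
# Assumed placeholders (not from the original post): interface names and LAN.
WAN=eth0                 # interface facing the Internet
LAN=eth1                 # interface facing the internal network
LAN_NET=192.168.1.0/24   # internal network that is masqueraded

# gen_rules prints the commands instead of running them, so the rule set can
# be reviewed before it is applied (and checked without root).
gen_rules() {
    cat <<EOF
# start from an empty table, then deny everything not explicitly allowed
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# stateful filtering: loopback and replies to connections we already track
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# new connections: SSH only from the LAN, HTTP from anywhere
iptables -A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# log (rate limited) what falls through to the DROP policy
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
# NAT / IP masquerading: LAN hosts may reach the Internet, replies come back
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# apply_rules executes the generated commands; needs root and the iptables
# service running.
apply_rules() {
    gen_rules | sh -e
}
```

On Fedora of that era, `service iptables save` writes the running rules to /etc/sysconfig/iptables so they are restored whenever the iptables service starts.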
         
In UNIX and Linux based operating systems there is also a method of security called a chroot jail. A chroot jail presents a dramatically restricted view of the file system to an application, and usually far fewer system privileges. This is intended to limit the damage should the application go awry or be subverted by a malicious program.

The chroot system call changes the root directory of the current process and all of its child processes to the given path, which is nearly always some restricted subdirectory below the real root of the file system. Basically this means that part of the file system is sectioned off for a particular user, which is particularly useful for the security of shared hosting accounts. Of course, like any other layer of defense, the chroot jail is not impenetrable, and there are certain things you want to keep in mind when using this practice. You should always run the jail as a non-root user: escaping a chroot jail is possible, but it is not easy and requires root permission, so running the jailed process as a non-root user makes the jail as secure as we know how to make it. You should make sure that the permissions are set correctly. The jail should hold as little as possible, since this limits what can be compromised should a vulnerability be discovered. Following these rules while using a chroot jail can dramatically improve the security of your system.
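The three rules above (non-root, correct permissions, hold as little as possible) put into a script, as an added example that is not from the original post. The jail directory, the account name jailuser and the program to jail are assumed placeholders.

```shell
#!/bin/sh
# Build and populate a minimal chroot jail, then run a program inside it as an
# unprivileged user. Added example, not from the original post; the jail path,
# the account name "jailuser" and the program are placeholders.

# build_jail <jail_dir> <program>
# Copies only the program and the shared libraries ldd reports for it, so the
# jailed process sees nothing else of the host file system.
build_jail() {
    jail=$1
    prog=$2
    mkdir -p "$jail/bin" "$jail/etc" "$jail/lib"
    cp -L "$prog" "$jail/bin/"
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths.
    for lib in $(ldd "$prog" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
    # Nothing in the jail may be writable by the jailed user; in production the
    # tree is also chowned to root so the user cannot replace the binaries.
    chmod -R go-w "$jail"
}

# check_jail <jail_dir>
# Prints the number of world-writable or setuid/setgid files in the jail;
# a jail that holds as little as possible reports 0.
check_jail() {
    find "$1" \( -perm -0002 -o -perm -4000 -o -perm -2000 \) | wc -l
}

# run_jailed <jail_dir> <program>
# Enters the jail and drops to the unprivileged account before starting the
# program (calling chroot needs root; the program then runs as jailuser).
run_jailed() {
    chroot --userspec=jailuser:jailuser "$1" "$2"
}
```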
         
The last advanced security tool in the Linux world that I will talk about today is a powerful open source super-server daemon called xinetd. xinetd features access control mechanisms such as TCP Wrapper ACLs, extensive logging capabilities, and the ability to make services available based on time. It can set up specific services to bind to specific IPs, which lets you provide different services to internal clients than to external clients. Basically xinetd performs the same function as inetd: it starts the programs that provide Internet services. There are two groups of services in xinetd’s configuration file. Services in the first group are called multi-threaded, and they require the forking of a new server process for each new connection request. The second group includes services for which the service daemon itself is responsible for handling all new connection requests; these services are called single-threaded. xinetd takes advantage of the idea of a super server to provide features such as access control and logging.
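A service definition that uses the xinetd features just described (binding to one IP, internal clients only, time-of-day access, logging, and the multi-threaded versus single-threaded choice via `wait`), as an added example that is not from the original post. The service name, addresses, hours and server path passed in the test are assumed placeholders.

```shell
#!/bin/sh
# Writes an xinetd service file (normally placed under /etc/xinetd.d/).
# Added example; every value passed in is a placeholder, not from the post.

# write_xinetd_service <file> <name> <port> <bind_ip> <allowed_net> <hours> <server>
write_xinetd_service() {
    cat > "$1" <<EOF
service $2
{
    disable         = no
    type            = UNLISTED
    port            = $3
    socket_type     = stream
    protocol        = tcp
    # wait = no: xinetd forks a new server per connection (the post's
    # "multi-threaded" group). wait = yes hands the listening socket to a
    # single-threaded daemon that accepts all connections itself.
    wait            = no
    # never run the service as root
    user            = nobody
    server          = $7
    # bind on the internal interface only, so external clients never see it
    bind            = $4
    # built-in access control: only this network, only during these hours
    only_from       = $5
    access_times    = $6
    # limits so one client cannot exhaust the service
    instances       = 10
    per_source      = 2
    # extensive logging through syslog
    log_type        = SYSLOG daemon info
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST
}
EOF
}
```

xinetd also honours /etc/hosts.allow and /etc/hosts.deny (the TCP Wrapper ACLs the post mentions) in addition to only_from and no_access in the service file.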
            
So we have learned that if you are an advanced user and want to run a server, Linux has many advanced security options which can protect your system from unauthorized access. SELinux can provide mandatory access controls. iptables and Netfilter can filter packets, enable firewalls, and enable IP masquerading. A chroot jail can section off part of the file system for a particular user. Finally, xinetd is a super-server daemon that features access control lists such as TCP Wrapper ACLs, extensive logging capabilities, and the ability to make services available based on time. Linux offers many more advanced security features, at least in this author’s opinion, than Windows does.
