
How safe is linux???



Many of the programs included in Linux distros have programming errors that lead to things like privilege escalation, whereby a common user tricks a program into thinking it has more privileges than it does, says Guardian Digital CEO Dave Wreski.

It is not enough for an operating system to be low cost, reliable and capable of handling mission-critical applications. At some point in every OS's cycle of life, the question comes down to security and safety.

Ever since the entry of Linux into mainstream business computing, security gurus have been trying to measure its vulnerability to security breaches and attacks. They have even gone so far as to count the number of security alerts issued by Linux distributors to see how the numbers compare with those issued by Microsoft (Nasdaq: MSFT) for Windows servers.

A definitive answer has eluded the experts, but that has not prevented them from taking sides in what usually devolves into a religious war over open-source versus closed-source operating systems.

Still, the crucial question plagues companies considering whether to go the open-source route: Is Linux a safe, secure operating system that you can bet your business on? And if it does have flaws, where are they?

Tale of the Tape

It is unfair to compare the number of exploits of a Linux distribution like Red Hat (Nasdaq: RHAT) to Windows Server 2003 to determine whether Linux is safer than Windows, says Jan Hichert, CEO of Astaro, a Linux security solution developer. For one thing, there are more services running on a Linux distribution, Hichert told NewsFactor. But at the same time, attacks on Windows usually draw more attention, so it may seem like Windows is inherently less secure.

Because Linux is open source, and its code is under constant public scrutiny by thousands of developers -- some specifically looking to detect security vulnerabilities -- the argument can be made that it is a more secure operating system and network environment, K.S. (Doc) Shankar, Linux security lead at IBM's (NYSE: IBM) Linux Technology Center, told NewsFactor. "The community's record in making patches available quickly is unsurpassed," Shankar said.

"The number of exploits [is] lower with open-source software, as is the response time until the exploits get fixed," Hichert agreed.

But any operating system can be secured, Steve Hunt, analyst at Forrester Research, told NewsFactor. "Linux and Windows are susceptible to the same types of attacks, but the exact same attack that compromises a Windows system will not work on a Linux system," Hunt noted.

Daemon Seed

Historically, most Unix-like systems, including Linux, have been exploited using insecure daemons like Sendmail, Telnet, FTP, and Samba, Shankar said. Daemons are designed to share information. If a hacker asks a daemon the right question, it will give an answer that can be used to do something malicious.

"It is difficult to predict which [daemons] could be exploited in the future," Shankar said.

Sendmail, in particular, is notorious for its security holes. "Sendmail has a security history that makes it somewhat vulnerable to attacks," Dave Wreski, CEO of Guardian Digital, a Linux distributor, told NewsFactor. Guardian Digital's EnGarde distro, for example, uses Postfix -- a more secure version of Sendmail -- and SSH, an encrypted version of Telnet. Qmail is another mail transport agent that can be substituted for Sendmail.

Information leaks, unauthorized access, and buffer overflows are problem areas for Linux, Wreski said. Information leaks occur when the system reveals information to users that they should not have, such as what other users are doing on the system. Unauthorized access means users are browsing secure files or system processes and sending or receiving e-mail without authentication.

Buffer overflows occur when internal memory space allocated for a specific piece of data is exceeded with malicious content, which can abort a program and leave it vulnerable.

Additionally, many of the programs included in Linux distros have programming errors that lead to things like privilege escalation, whereby a common user tricks a program into thinking it has more privileges than it does, Wreski said.

Specialized Distros

Distributors constantly are working on ways to improve the security of out-of-box Linux distributions, Shankar pointed out. Niche distributions focused on security include EnGarde Secure Linux from Guardian Digital, which provides multi-layered access control, a ready-to-build intrusion detection device, and a network gateway firewall. The distro also prevents Trojan Horse attacks and limits exposure to buffer overflows.

By and large, however, primary Linux distributions are roughly equal, Shankar said, because they all work off the same code base. There is always a trade-off in security, Wreski said. "Off-the-shelf Linux distros try to appeal to the largest mass audience possible." These distributors cannot add tighter security measures because they may adversely impact some part of their audience, he explained.

Keeping It Simple

Linux networks can be more insecure than Windows or Macintosh networks for the simple reason that the management and configuration of Linux is more complex. "A firewall is only as good as its administrators," Hichert said. "This is why people are running into security issues." Programs such as Astaro Security Linux make it easier to configure Linux networks by providing a GUI interface in place of a command line.

Any network is vulnerable, however, if administrators do not take the time to do the simple things right. According to Shankar, organizations can make their Linux deployments more secure the same way they do for any operating system -- by making security a priority, creating a security design for the entire environment, setting policy to implement that design, and then rigorously, constantly adhering to that policy.

If an organization uses a complementary, reasonable set of security measures in concert, it could conceivably live happily ever after -- even with an insecure operating system, Hunt said. "The reason most companies turn to Linux as an operating platform is generally not a question of security."

