RealTime IT News

Red Hat Strengthens Security

Not content to rest on its laurels, Linux leader Red Hat is advancing its security arsenal with a number of enhancements and certifications.

Red Hat Certificate System (RHCS) will be updated this year with support for smartcards and automated log-ins on Red Hat, as well as other platforms including Windows servers, desktop and Internet Explorer.

RHCS, which evolved from technologies acquired from Netscape in 2004, handles the deployment and maintenance of user identities via a Public Key Infrastructure (PKI).

Mike Ferris, director of security solutions at Red Hat, said that RHCS is not yet fully open sourced, though that is Red Hat's long term intention.

The Red Hat Directory Server, another piece of technology Red Hat snapped up from Netscape, is available under open source licenses at this point.

Red Hat Directory Server and its community counterpart Fedora Directory Server compete with OpenLDAP. Ferris noted that Red Hat continues to ship both OpenLDAP and Directory Server with Red Hat Enterprise Linux.

"We acknowledge and encourage the use of either OpenLDAP or Red Hat Directory Server," Ferris told internetnews.com. "We will continue to ship OpenLDAP as part of the underlying enterprise Linux platform, as we do have customers that are using that."

"But when we start talking about scalability and deeper integration with things like certificate system, our focus is on building out the Red Hat Directory Server and likewise the community Fedora Directory Server as part of that."

Red Hat Enterprise Linux 4 (RHEL) is also now certified for Controlled Access Protection Profile compliance as part of the Common Criteria for Information Security Evaluation (CAPP/EAL4+). Red Hat continues to pursue EAL4 certification with HP.

Version 5 of Red Hat Enterprise Linux is already in evaluation for EAL4, though it isn't set to be released until later this year.

Ferris commented that RHEL 4's EAL 4 certification does open some opportunities that may have been limited before, but he stressed that it's not just a "numbers game."

"It's core to people having confidence, inside and outside of the government sector, that we've gone through the certification; the technology, the process and everything involved meets those requirements," Ferris said. "It certainly does help."

One of the key security components of RHEL 4 is Security-Enhanced Linux, or SELinux. SELinux imposes mandatory access control policies that only allow users and applications the privileges they need to complete their tasks.

Red Hat first tested SELinux in Fedora Core 2 and included it with RHEL 4 when it was originally released last year.

The upcoming RHEL 5 is set to further improve SELinux and expand its default security footprint.

"Today, any customer that deploys RHEL 4 and takes the default install is getting the protection as part of the platform," Ferris explained. "Out of the box, without having to make any modification, there are approximately 15 applications that are being protected as part of the platform."

"One of the things we're doing for Enterprise Linux 5 is essentially locking down all of the system space," Ferris added. "We will be including the necessary policies and protections so that any application running in an RHEL 5 environment will be as protected at a systems level as it can be with default targeted SELinux policies."
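Under the targeted policy Ferris describes, only the confined applications run in their own SELinux domains; everything else runs as `unconfined_t` with no mandatory access control applied. As an added example (not from the article or from Red Hat), the following script parses `ps -eZ` style output and reports which processes are confined and which are not, so an administrator can see what the default policy actually covers on a given host. The process listing is constructed sample data, not a capture from a real system.

```python
import re

# Constructed sample of `ps -eZ` output (not captured from a real host).
# The first column is the SELinux context: user:role:type.
SAMPLE_PS_EZ = """\
LABEL                              PID TTY          TIME CMD
system_u:system_r:init_t             1 ?        00:00:01 init
system_u:system_r:httpd_t         1204 ?        00:00:03 httpd
system_u:system_r:named_t         1310 ?        00:00:00 named
system_u:system_r:sshd_t          1402 ?        00:00:00 sshd
system_u:system_r:unconfined_t    1500 ?        00:00:00 myapp
root:system_r:unconfined_t        2100 pts/0    00:00:00 bash
"""

# label, pid, tty, time, command
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$")

UNCONFINED_TYPE = "unconfined_t"  # the catch-all domain of the targeted policy


def parse_contexts(text):
    """Return a list of (pid, command, selinux_type) from ps -eZ output."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        match = LINE_RE.match(line)
        if not match:
            continue
        label, pid, cmd = match.groups()
        fields = label.split(":")
        if len(fields) < 3:  # not a well-formed user:role:type context
            continue
        rows.append((int(pid), cmd.strip(), fields[2]))
    return rows


def confinement_report(text):
    """Split processes into those in a dedicated domain and those unconfined."""
    confined = {}
    unconfined = []
    for _pid, cmd, selinux_type in parse_contexts(text):
        if selinux_type == UNCONFINED_TYPE:
            unconfined.append(cmd)
        else:
            confined[cmd] = selinux_type
    return confined, unconfined


if __name__ == "__main__":
    confined, unconfined = confinement_report(SAMPLE_PS_EZ)
    for cmd, domain in sorted(confined.items()):
        print(f"confined   {cmd:<10} {domain}")
    for cmd in unconfined:
        print(f"UNCONFINED {cmd}")
```

On a live host, replace the sample with the real output of `ps -eZ`; a network-facing service appearing in the unconfined list is exactly the gap the expanded RHEL 5 policies are meant to close.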

SELinux competes with Novell's AppArmor, which also uses the Linux Security Modules (LSM) framework to provide security hooks for certain Linux kernel objects. Ferris argued that though the two products are similar in some respects, SELinux provides a deeper and broader platform.

Simplicity and broad adoption are the two driving factors behind Red Hat's security initiatives, according to Ferris.

He explained that regardless of how a user obtains RHEL, they get a default level of protection right from the start.

"The moment you connect you've got your firewall turned on, you're using default targeted policies as part of a network facing application and you have at a minimum a discretionary access control system that is there protecting you," Ferris said.