Security


Ok, so my title is a little misleading, there’s not any rivalry between the different areas of Novell and SUSE, other than the usual desire to see your business unit succeed just a little more “betterly” than the other units do. It’s all about friendly competition.

What’s Red vs. Green?

What I’m referring to (with Red vs. Green) is the necessary dividing line between the traditional Novell business units like Workgroup (Netware, Open Enterprise Server, Groupwise etc.) which I think of as “Red”, and the newer and Open Source-centric business unit called Open Platform Solutions (SLES, SLED, SLERT, SLEPOS etc.), which I think of as “Green”. (Get it? SUSE Green, like the Gecko?)

I have come up with the analogy and strategy of Red vs. Green as a way of helping partners, customers and the casual passerby understand that depending on which Novell/SUSE products they have, they will likely benefit most from a particular set of products and growth options.

“I See Red”

My experience has been that if a customer is “Red”, they’re almost always firmly ensconced in and using the Novell services throughout the enterprise, with some confusion as to how and why they might make use of Linux. The first order of business is to determine how much they know about Linux in general, and in particular Novell’s use of SUSE Linux Enterprise in its product lines. After hundreds of these discussions, we can get everyone on the same page with a little discussion, some Q&A and a handy whiteboard in short order.

How Does This Work?

For example, in a conversation with faux customer Air America, I find they have a long-standing Netware infrastructure for File and Print, do a little clustering for Groupwise and use iPrint for printing, with all account management taking place through an Identity Management setup and eDirectory. They have Windows workstations that make full use of the Netware Client and its services. I’d already lean toward a “Red” strategy with them, but they might be toying with the idea of going “over to Linux”, so I go a little further.

The questions I ask them are very simple and straightforward:

  • Do you have any data on NSS volumes?
  • Do you use any of the advanced features of NSS?
  • Do you have Novell Clustering Services or Business Continuity Clustering set up?
  • Do you have a very large number of printers?
  • Do your people have Novell Client software on their computers for access to the network?

A “yes” answer to any of these questions points to the Open Enterprise Server (with Version 2, OES = Linux base, Novell’s standard services converted to run great on Linux layered on top). Novell has spent a lot of time and effort to make it as effortless as possible to have this type of organization migrate up to OES, there is a very complete and clear path for this customer to begin to use Linux-based Novell services with the least disruption possible and often at a considerable cost-savings.

I will try if possible to help them see where “Green” might fit in, either for hosting Groupwise or other services, such as Mono (Dot Net compatible server), Virtualization (Xen) or any of a host of other possibilities. Usually this type of customer will stay “Red” and for good reason.

“It’s Easy Being Green”

On the other side of this equation, I will find customers who don’t have a lick of “Red” in their environment, and these are usually standard UNIX shops on the server side, usually either a Solaris or AIX flavor, some HP-UX, but they’ll be using mostly Windows on the client side. Usually if they say “No” to my “Got any Novell products or Netware around?”, they will go “Green” easily.

The discussion with this client is much easier: they’re a classic “Green” customer, and all the services and tools they are used to using have an analog (equivalent) in the SUSE Linux Enterprise Server/Desktop product line. Once I determine they have no Netware products in the organization, we don’t even talk about “Red vs. Green”; it’s not relevant. They can even run eDirectory and Zenworks Linux Management on SLES, no “Red” needed.

I additionally will probe to see if they have any Terminal Server or Citrix/Ericom deployed for application security and updateability. If they do, it makes the Linux Desktop play much more likely, especially if they make use of TS/Citrix as a desktop solution. How compelling is $50 or less a seat for the presentation OS on the desktop versus $239 or so for the oddly-shaped box o’ Vista?

Got any changes or suggestions to this whole Red vs. Green thing? I’m constantly getting feedback and changing it, let me know and I’ll credit you and update it.

Enjoy,

RossB

Starting off our new series called Vendor Spotlight is a company that I think is doing some very cool things, ThinFusion Inc. The interview was conducted by phone and included Brandon and Rick Vancleeve.

What is ThinFusion?

ThinFusion is the combination of a Linux OS platform running in a thin client environment, while providing access to the majority of Windows-based applications. ThinFusion uses either a thin client OS local, paired to a session on a ThinFusion server, or alternatively allows the use of cross-platform client software to provide secure and very speedy access to the ThinFusion Server session literally from anywhere.

ThinFusion provides a single access point to all the Linux and Windows applications that a user needs. The administrative interface allows for simple drag and drop granting and revoking, in realtime, of access to applications on a group or individual level.

What applications can I run on ThinFusion?

This part is easy…
Since it accesses a Windows Terminal Server for Windows apps you can go to Microsoft’s site and find every supported program out there. You don’t have to go through a giant bug list of “quirks” when running Windows apps in a Linux shell. If it runs in a Terminal Server environment, it runs on ThinFusion.

On the Linux side, since you are in essence just accessing a Linux Desktop you can run all your Linux applications.

Who is ThinFusion Inc?

ThinFusion Inc. is a small company in the mountains of Montana that has developed ThinFusion to meet the needs of K-12 Schools, Higher Ed, and Small to Medium Businesses. ThinFusion’s mission statement: Access your classroom from anyplace anytime.

What is a typical customer for ThinFusion?

The typical customer would be a school or business that has a need to control access to applications, reduce administrative and technical support costs and increase the quality of service for its users while maintaining the necessary security and controls.

What is a sample use case of ThinFusion?

A school district with a Laptop lab is an excellent use case for ThinFusion. Typically in this environment the Laptops would be running Windows with most applications installed locally. Often the students are issued the laptops and are responsible for physical security and transport, often including off school property and for all purposes becoming the students main machine for home and school. Such an environment has multiple risks and costs associated with it, including re-imaging regularly due to misconfigurations, virus and spy-ware issues and either malicious or inadvertent deletions and changes to the software.

Particularly if the laptops are issued to and kept by the students, the risk of virus infection or inadvertent misconfiguration crops up; the possibility of infection and transport of viruses and spyware becomes a virtual certainty, with some school environments literally being taken down for periods of time by such infections.

ThinFusion in this environment would remove most or all of the issues discussed. Two choices are possible:

1. Install a very slim Desktop Linux with NX Client software on the student laptop, all application access requires dialup or better Internet access to the ThinFusion Server, thus all applications are run in a very secure and less virus-prone environment.
2. Install Windows or keep the current Desktop OS, adding lockdown software and the NX Client software, requiring dialup or better Internet access to the ThinFusion Server etc.

Both of the above examples allow students and staff to securely access their school network just as if they were sitting at a desk in class, from anywhere/anytime. It extends the learning environment beyond the walls of the school, and it allows for collaboration beyond the bus bell. This is the mode that we see businesses transitioning to at record pace, as we see more and more workers using home offices and accessing data through secure remote scenarios.

This environment is effective for students and teachers, with teachers mostly falling into the category of #2, as they have the most need to run 3rd party applications that are typically Windows-based.

What are the support options?

A ThinFusion subscription comes with a full support, training and installation package. Higher levels of support packages are available.

What should you not use ThinFusion for?

ThinFusion is not a great solution for high end multimedia, neither for creation nor viewing. A class of 50 users running a very graphically oriented courseware would be fairly choppy.

How do I learn more about ThinFusion?
Please visit their website (www.thinfusion.com), to experience demonstrations, tutorials, case studies and more. You can also reach them by phone at 1-800-432-0346.

==========

If you can think of an example of a vendor that is going something you can really appreciate and is good for the community, put a comment in or email me: rbrunson[at]novell.com

Enjoy,

RossB

Laura over at the awesome VirtualHosting.com blog has 12 great tips for pre-hacking your own machine.

Your wifi is encrypted and a trial version of McAfee came with that new HP the kid at Best Buy sold you, so no need to worry about computer security, right? Unfortunately, security is a whole lot more complex than your average computer user might imagine.

There are literally hundreds of ways that malware and hackers can compromise your system security, most of which you’ve never heard of. Thankfully, however, there are a number of online tools available which will help you identify (and sometimes fix) the vulnerabilities in your system. In this article we’ve selected 12 basic tests you can run on your machine to identify its weaknesses.

More from the article.

Most IT shops would agree… stolen laptops are a security risk. To combat this problem, many organizations are turning to hard disk encryption as a way to prevent loss of sensitive information. Apparently the US Federal government has even mandated that disk encryption be used on laptops with sensitive data.

SUSE Linux Enterprise Desktop 10 includes some support for disk encryption natively – look here for more info. But if that does not fit your needs; or perhaps you’re looking for a cross-platform solution; or something that does “whole disk encryption”….

At least one commercial offering is also available: WinMagic, purveyor of hard disk encryption, recently announced that their product SecureDoc will be supporting hard disk encryption on Novell’s SUSE Linux Enterprise Desktop – their first official support of Linux (traditionally, they’ve been a Windows only vendor). The product is expected to be generally available by September 2007.

According to their press announcement

“In recognition of the increased demand for Linux, WinMagic has developed an end-point encryption solution which will make it simple for Linux users to protect data at rest no matter where it may reside,” said Thi Nguyen-Huu, CEO of WinMagic Inc. “In developing and testing SecureDoc for the Linux environment, WinMagic’s main focus was to provide the marketplace with an encryption product that will not yield on performance, functionality, or ease of use,” Nguyen-Huu continued. “Our support for Linux is yet another sign of WinMagic’s dedication to open system standards and to furthering those standards for the data encryption market place.”

(Updated) Found another commercial offering for Linux hard disk encryption… CheckPoint’s Pointsec Hard Drive Encryption. Supports SUSE and Red Hat.

(Updated, Oct 9) Here’s a non-commercial “free” product for entire hard disk encryption… TrueCrypt. Although it does not do “whole disk encryption” it does do partition-level encryption. According to the website it supports openSUSE and Ubuntu.

What’s been your experience with hard drive encryption thus far?? Any other vendors in this space you might be aware of?

While investigating spyware and virus blocking options for Open Source customers, I discovered the Untangle product, from untangle.com. Untangle’s Open Source Network Gateway is a combination of OSS projects, custom Untangle scanning engines and lots of enhancements to the interfaces to the products. While a commercial company, they have an OSS version available to download and evaluate, and if you want a throat to choke, there is the Professional option, which includes support, directory support, policy management etc.

Untangle is intended to be a lower or no-cost alternative to SonicWALL and/or Watchguard, and looking at the product and site, they have attracted quite a community of users and developers, so keep an eye on them, maybe they’ll get bought by someone with deep pockets and really take off.

Untangle includes the following products:

  • Virus/Spyware Blockers – ClamAV and Global Hauri
  • Web Filter –  Untangle scanning engine + URLBlacklist.com
  • Protocol Control – Untangle scanning engine + Layer 7 Netfilters
  • SPAM Blocker – Customized SpamAssassin with additional rules
  • Phish Blocker – ClamAV + phish signature databases
  • Intrusion Detection – Untangle scanning engine + Snort signatures
  • Attack Blocker – Proprietary Untangle DDOS and DOS application
  • Firewall – Proprietary Untangle rules-based firewall application
  • Remote Access Portal – Local LDAP and tun/tap servers + rules and SSL
  • OpenVPN – OpenVPN + tools to configure access
  • Custom Reports – Various OSS and Untangle custom components
  • Router – Uses OSS router code and Untangle enhancements

You can download a copy of the Untangle OSS version without any registration or delay, or you can visit the Untangle site, the Untangle Wiki or their Forums for more information. Also check out their pre-configured VMWare appliance; modesty and being a XEN guy prohibits me from just linking to it, but it’s hard to miss it on the Wiki site.

I’m running it now in a VM to see how well it works for my purposes, let me know if you try this product, and your experiences.

Enjoy,

RossB

A customer asked me how they might be able to restrict the use of certain apps to only certain networks. For example, say you want to allow SSH access only from a management network (192.168.2.0), but not from the general user network (192.168.1.0). How is this done in SUSE Linux Enterprise Server? In short, use a TCP Wrapper, which is configured in the /etc/hosts.allow and /etc/hosts.deny files. You can simply use any text editor, such as vi, to edit them…

The best documentation of the answer I found was here at Puschitz.com. Thanks go to Werner Puschitz for the insight!

If you know of other helpful sites or documentation on this topic, please post a comment so we can all benefit.

(Update 8/31/07) Some additional suggestions I received. Thanks Edward Clay and Peter Albrecht.

(Response #1) You could do this with iptables or The YaST firewall app.

I found the following example on the following website.

http://www.cyberciti.biz/faq/restrict-ssh-access-use-iptable/

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP

 

(Response #2) To use TCPwrapper for this, the application must be built with TCPwrapper support. There are some daemons listed at the top of /etc/hosts.allow which do support TCPwrapper.

If the application does not support TCPwrapper, I see two options:

1) Use iptables rules for limiting access. For an introduction to packet filters, have a look at our course 3075: SLES 10 Security.

2) If the server is connected to the respective network (192.168.2.0 in your example), you can configure sshd to listen only to that interface. The directive is ListenAddress in /etc/ssh/sshd_config. Several other applications also provide such a configuration.
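As an added example (not from the original post or either response), the script below expresses the question's policy, SSH only from the management network 192.168.2.0/24 and not from the user network 192.168.1.0/24, in the three layers the thread names: TCP wrappers (the original answer), iptables (Response #1) and sshd's ListenAddress (Response #2). The functions only emit configuration text or an allow/deny verdict, so the policy can be reviewed and dry-run before anything is copied into /etc. The server's own management address and the subset of hosts_access(5) patterns emulated are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or its responses. Restrict sshd to
# the management network 192.168.2.0/24 using TCP wrappers, iptables and
# sshd's ListenAddress. Nothing here touches the live system.

MGMT_PREFIX="192.168.2."     # hosts_access(5) prefix form: trailing dot = whole /24
MGMT_CIDR="192.168.2.0/24"
MGMT_IF_ADDR="192.168.2.5"   # assumed address of this server on the management network

# Contents for /etc/hosts.allow and /etc/hosts.deny. tcpd consults hosts.allow
# first and a match there wins; hosts.deny is only checked when nothing matched.
hosts_allow_text() { printf 'sshd: %s\n' "$MGMT_PREFIX"; }
hosts_deny_text()  { printf 'sshd: ALL\n'; }

# Match one client-list pattern against a client IP. Only the forms this policy
# uses are emulated: ALL, a trailing-dot network prefix, or an exact address.
_match_client() {   # $1 = pattern, $2 = client ip
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Does any "daemon: clients" line on stdin match this daemon and client?
_file_matches() {   # $1 = daemon, $2 = client ip, stdin = hosts.allow/deny text
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        daemon=$(printf '%s' "${line%%:*}" | tr -d ' ')
        [ "$daemon" = "$1" ] || [ "$daemon" = ALL ] || continue
        for c in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            _match_client "$c" "$2" && return 0
        done
    done
    return 1
}

# Emulate tcpd's decision for sshd and one client address: prints allow|deny.
wrapper_verdict() {   # $1 = client ip
    if hosts_allow_text | _file_matches sshd "$1"; then echo allow
    elif hosts_deny_text | _file_matches sshd "$1"; then echo deny
    else echo allow   # matched in neither file: tcpd grants access
    fi
}

# iptables layer. Order matters: the ACCEPT for the management network must
# come before the catch-all DROP for port 22.
iptables_rules() {
    printf 'iptables -A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$MGMT_CIDR"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# sshd layer: bind only to the management interface (Response #2, option 2).
# After editing /etc/ssh/sshd_config, validate with `sshd -t` and restart sshd.
sshd_listen_directive() { printf 'ListenAddress %s\n' "$MGMT_IF_ADDR"; }

# Dry run when executed directly: verdicts for one host on each network.
for ip in 192.168.2.10 192.168.1.10; do
    printf '%s -> %s\n' "$ip" "$(wrapper_verdict "$ip")"
done
```

The trailing dot in `192.168.2.` is what makes the wrapper pattern a network prefix; without it the pattern would only ever match a host literally named `192.168.2`, and `192.168.20.10` must not match either, which the dry run exercises. Whichever layer is chosen, test from a host on the user network after the change, since a wrapper rule silently does nothing for a daemon not built with libwrap.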

Overview

We know, thanks to Forrester Research’s recent surveys, that over 50% of IT organizations currently use virtualization or are running pilot programs with it. What we should know more about is both the security benefits of virtualization and the best practices for securing those virtual servers.

Note: In this article a Virtualization Server (VS) is the machine that Virtual Machines (VM) are virtualized on. A VM can be anything that runs in a virtual container, desktop, server, appliances etc.

Security Benefits of Virtualization

The security benefits of running VSes are many, including:

  • Isolation – Running an OS in a VM helps secure it from other apps; you can have each application in its own OS container, which keeps bad things that happen to an individual VM from spreading to others
  • Rollback – Experienced sysadmins know how important it is to be able to roll back changes that don’t work; getting the system to a previous stable state is paramount for production machines, and VMs are much easier to roll back, being software only
  • Abstraction – The VMs have limited access to the physical hardware, the drivers are easier to manage and there is less chance of physical issues with the VMs than with an OS that runs directly on the hardware
  • Portability – The ease with which you can take the running VM and either migrate it to a new VS or get that VM up and running on another server can make the difference for disaster recovery. With the ability to virtualize the OS and data, it’s much easier to swap out to replacement machines, making patch testing and upgrading much easier too
  • Deployment – Deploying instances of individual servers is 10x easier with VM technologies; physical machine deployments are much more dependent on the physical hardware. Individual machine and OS security settings on the VS are important, and the ability to surround the VMs with appropriate security from the VS (such as using AppArmor to wrap a VM, allowing only a set number of functions) is also important to the security of each VM instance

Security Drawbacks of Virtualization

The chief security drawback of Virtualization is anything that could affect the functioning of the VS, which includes any applications, services or activities that might negatively affect the VS’s ability to provide services to and properly host its VMs. You would not believe the things we have seen running on VS hardware, everything from BitTorrent to MP3 Shoutcast Radio Stations to very intensive file and print sharing.

It’s important to pare down the VS’s processes to the bare minimum: remove or disable all daemons that don’t need to be running, using chkconfig or the YaST Runlevel Editor. The typical VS might have up to 100 running daemons in runlevels 3 and 5, most of which are not necessary. Running the VS in runlevel 3 (no X started by default) will save a number of MB of RAM and decrease the load on the CPU from graphical tasks.
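The audit described above, as an added example that is not from the original article: it parses `chkconfig --list` style output, lists what would start in runlevels 3 and 5, emits the `chkconfig NAME off` commands for everything not on a small allowlist, and reads the default runlevel out of /etc/inittab so a VS still booting into 5 gets flagged. Both inputs are constructed samples, and the allowlist (sshd, xend, ntp) is an assumption for a Xen host; on a real VS pipe in the live `chkconfig --list` output and /etc/inittab instead.

```shell
#!/bin/sh
# Added example, not from the original article. Audit the daemons a SLES 10
# virtualization server would start in runlevels 3 and 5 and emit the
# chkconfig commands that would switch off everything not on an allowlist.
# The two inputs below are constructed samples, not captured from a real host.

SAMPLE_CHKCONFIG_LIST='
sshd        0:off  1:off  2:on   3:on   4:off  5:on   6:off
xend        0:off  1:off  2:off  3:on   4:off  5:on   6:off
cups        0:off  1:off  2:on   3:on   4:off  5:on   6:off
postfix     0:off  1:off  2:off  3:on   4:off  5:on   6:off
xdm         0:off  1:off  2:off  3:off  4:off  5:on   6:off
ntp         0:off  1:off  2:on   3:on   4:off  5:on   6:off
'
SAMPLE_INITTAB='
# The default runlevel is defined here
id:5:initdefault:
'
KEEP="sshd xend ntp"   # assumed minimal set a Xen VS really needs

# Names of services that are on in runlevel 3 or 5. stdin = chkconfig --list output.
services_on() {
    awk '/[ \t]3:on/ || /[ \t]5:on/ { print $1 }'
}

# One `chkconfig NAME off` line per enabled service that is not in KEEP.
disable_commands() {
    services_on | while IFS= read -r svc; do
        keep=0
        for k in $KEEP; do
            if [ "$k" = "$svc" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then
            printf 'chkconfig %s off\n' "$svc"
        fi
    done
}

# Default runlevel from /etc/inittab text on stdin; the article recommends 3 (no X).
default_runlevel() {
    sed -n 's/^id:\([0-9]\):initdefault:.*/\1/p'
}

# Dry run when executed directly: show what would change, touch nothing.
printf '%s' "$SAMPLE_CHKCONFIG_LIST" | disable_commands
rl=$(printf '%s' "$SAMPLE_INITTAB" | default_runlevel)
[ "$rl" = 3 ] || printf 'default runlevel is %s; set id:3:initdefault: in /etc/inittab\n' "$rl"
```

Review the emitted commands before running them as root; `xend` is kept here because stopping it would take the VMs down with it, and the allowlist is exactly the list to argue about on a given VS.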

Wrapup

SearchServerVirtualization has a set of articles (some of which “inspired” this article) by Anil Desai which are excellent and right to the point in helping you secure your VSes and VMs. In particular, his tip articles “Virtualization Security Benefits” and “Improving VM Security” are both good overviews and contain valuable drill-down explanations to help you secure your VS/VM environments.

Enjoy,

RossB
