by Mandy Andress

Secure IT with Linux

analysis
Jan 24, 2002 | 4 mins

A wealth of new tools offers more security options than ever, from intrusion detection to vulnerability scans

With Linux now a staple in so many IT shops, it is not surprising that Linux-based security tools are becoming so plentiful. An administrator can now deploy any number of tools, ranging from network and host intrusion detection and “sticky honey pots” to wireless access-point detection, vulnerability assessment, and packet generation.

Therein lies the problem. The sheer number of available solutions on the market can be overwhelming, even to Linux veterans. And although most Linux distributions provide a good sampling of out-of-the-box security tools, not all of them are easy to understand or configure.

Popular tools such as Snort (a network intrusion-detection system), Nmap (a port scanner), and FreeS/WAN (an IPsec VPN implementation for Linux), which have all set standards for strong performance and low prices, are good places to start.

Another addition to the cadre of Linux security tools is SNARE (System iNtrusion Analysis and Reporting Environment), a host-based IDS (intrusion-detection system) that audits system calls from a kernel module and is packaged so that it can be plugged in to an enterprise environment with little effort. (Network-based IDSes, such as Snort, have been available for some time.) Saint Jude, still under development, also works at the kernel level, but instead of monitoring system calls it watches privilege transitions and alerts administrators when an abnormal transition occurs.

The LaBrea application offers an even more proactive defense against malicious attacks. Created in response to the Code Red attacks, LaBrea is best described as a “sticky honey pot” that keeps attackers at bay by rendering their systems unusable, or at least slowing communications to a crawl.

LaBrea works by taking over unused IP addresses on the network: when ARP requests for an address go unanswered, LaBrea answers them itself and presents a virtual host at that address. It then responds to connection attempts, fooling the infected machine into thinking it has found another target to infect. In reality the target is a virtual address that LaBrea owns and that is attached to no physical system. LaBrea completes the TCP handshake but never acknowledges the data the attacker sends, so the attacking machine keeps retransmitting and waits until its TCP session times out; every connection held this way is one the worm or scanner is not using against a real host. In this way, LaBrea can dramatically blunt malicious connection attempts.
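The exchange described above, modeled in Python as an added example for this article (it is not LaBrea's own code). The model answers ARP for addresses in a pool that no real host claims, completes the TCP handshake, and then either goes silent, so the peer retransmits until its stack gives up, or, in the zero-window variant that LaBrea documents as its persist mode, acknowledges a few bytes and advertises a zero receive window so the peer sits in window probing indefinitely. The ARP-request threshold and the window sizes are illustrative assumptions, and the addresses are constructed.

```python
"""Model of a LaBrea-style tarpit: claim unused addresses by answering ARP,
complete the TCP handshake, then starve the connection.  Added illustration,
not LaBrea's code; the ARP threshold and window sizes are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ArpRequest:
    sender_ip: str
    target_ip: str


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str            # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" data
    seq: int = 0
    ack: int = 0
    window: int = 65535
    payload_len: int = 0


@dataclass
class HeldConn:
    ack: int              # next sequence number we claim to expect
    win: int              # bytes we still pretend we can accept


ConnKey = Tuple[str, int, str, int]


class Tarpit:
    """persist=False: answer the SYN, then stay silent so the attacker
    retransmits until its TCP stack times out.
    persist=True: accept a few bytes, then ACK every segment with a zero
    window, so the peer keeps sending one-byte window probes forever."""

    def __init__(self, pool, claim_after: int = 3, persist: bool = True):
        self.pool: Set[str] = set(pool)      # addresses we are allowed to claim
        self.claim_after = claim_after       # unanswered ARPs before we answer (assumed)
        self.persist = persist
        self.arp_counts: Dict[str, int] = {}
        self.captured: Set[str] = set()
        self.held: Dict[ConnKey, HeldConn] = {}

    def on_arp(self, req: ArpRequest) -> Optional[str]:
        """Return the address we now answer for, or None."""
        if req.target_ip not in self.pool:
            return None
        n = self.arp_counts.get(req.target_ip, 0) + 1
        self.arp_counts[req.target_ip] = n
        if n < self.claim_after:
            return None                      # a real host may still answer
        self.captured.add(req.target_ip)
        return req.target_ip

    def on_tcp(self, seg: TcpSegment) -> Optional[TcpSegment]:
        """Return the segment the tarpit sends back, or None for silence."""
        if seg.dst_ip not in self.captured:
            return None
        key: ConnKey = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)

        def reply(flags: str, ack: int, window: int) -> TcpSegment:
            # Our own ISN is fixed at 0 for simplicity.
            return TcpSegment(seg.dst_ip, seg.src_ip, seg.dst_port, seg.src_port,
                              flags, seq=0, ack=ack, window=window)

        if seg.flags == "S":
            # Complete the handshake: the scanner now believes it found a host.
            win = 10 if self.persist else 65535
            self.held[key] = HeldConn(ack=seg.seq + 1, win=win)
            return reply("SA", seg.seq + 1, win)
        conn = self.held.get(key)
        if conn is None or not self.persist:
            return None                      # silence: let the peer retransmit
        # Persist mode: acknowledge only what fit in the tiny window, then
        # advertise zero.  Later window probes get the same ACK back.
        conn.ack += min(seg.payload_len, conn.win)
        conn.win = 0
        return reply("A", conn.ack, 0)
```

The cost to the defender is one ACK per window probe; the cost to the attacker is a thread that never returns, which is why the persist variant scales better against a worm than simply ignoring the session.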

Another innovative tool, Bastille Linux, offers relief to administrators looking to harden their Linux servers. Bastille Linux automates the hardening process, securing the server on the basis of settings and configurations established by the user. The solution currently supports Red Hat and Mandrake Linux systems.

For many organizations, the security of WLANs (wireless LANs) is a top priority. The SLAN (Secure LAN) solution can help by enabling server and client authentication, data privacy, and data integrity using per-session and per-user short-life keys, which provide much of the functionality lacking in the current 802.11 standard. Essentially, SLAN works similarly to a VPN but without the complexity or cost.

Other enterprises are concerned about tracking down rogue access points that have been installed on their WLANs in violation of company policy. The 802.11b Network Discovery Tools package is a scanner for Linux systems with WaveLAN/Orinoco wireless cards (Lucent’s chipset) that identifies wireless access points. When combined with a GPS (global positioning system) receiver, the scanner can even log the physical coordinates at which each access point was heard.
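What such a scanner does with each frame it captures, shown here as an added Python example that is not code from the 802.11b Network Discovery Tools package: parse a raw 802.11 beacon frame for its BSSID, SSID and channel, compare the result against an inventory of authorized access points, and log the GPS fix along with any rogue. It assumes frames arrive with a bare 802.11 header (no Prism or radiotap capture header in front of it); the inventory, frames and coordinates are constructed for the example.

```python
"""Parse 802.11 beacon frames and flag access points missing from an authorized
inventory, recording a GPS fix per sighting.  Added example, not the discovery
package's code.  Assumes a bare 802.11 header (no Prism/radiotap prefix)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MGMT_TYPE = 0          # frame-control type 0 = management
BEACON_SUBTYPE = 8     # management subtype 8 = beacon
TAG_SSID = 0
TAG_DS_PARAMS = 3      # DS Parameter Set carries the channel number


@dataclass
class Beacon:
    bssid: str
    ssid: str
    channel: Optional[int]


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> Optional[Beacon]:
    """Return BSSID/SSID/channel from a beacon, or None if the frame is not a
    beacon or is too short.  A truncated tag ends parsing instead of misreading."""
    if len(frame) < 36:                        # 24-byte header + 12 fixed bytes
        return None
    fc0 = frame[0]                             # bits 2-3 type, bits 4-7 subtype
    if (fc0 >> 2) & 0x3 != MGMT_TYPE or (fc0 >> 4) & 0xF != BEACON_SUBTYPE:
        return None
    bssid = _mac(frame[16:22])                 # addr3 is the BSSID in a beacon
    ssid, channel = "", None
    pos = 36                                   # tagged parameters start here
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            channel = value[0]
        pos += 2 + length
    return Beacon(bssid, ssid, channel)


def build_beacon(bssid: bytes, ssid: str, channel: int) -> bytes:
    """Construct a minimal beacon frame (test input only, not a captured frame)."""
    header = struct.pack("<BBH6s6s6sH", 0x80, 0x00, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, interval, capabilities
    tags = (bytes([TAG_SSID, len(ssid)]) + ssid.encode()
            + bytes([TAG_DS_PARAMS, 1, channel]))
    return header + fixed + tags


class RogueDetector:
    """authorized maps BSSID -> SSID of every sanctioned access point."""

    def __init__(self, authorized: Dict[str, str]):
        self.authorized = authorized
        self.corp_ssids = set(authorized.values())
        self.sightings: List[Tuple[Beacon, Tuple[float, float]]] = []

    def observe(self, frame: bytes, gps: Tuple[float, float]) -> Optional[str]:
        """Return an alert line for a rogue, None for a known AP or non-beacon."""
        b = parse_beacon(frame)
        if b is None or self.authorized.get(b.bssid) == b.ssid:
            return None
        self.sightings.append((b, gps))
        if b.bssid in self.authorized:
            reason = f"SSID changed from {self.authorized[b.bssid]!r}"
        elif b.ssid in self.corp_ssids:
            reason = "evil twin: corporate SSID on an unknown BSSID"
        else:
            reason = "unknown access point"
        return (f"ROGUE {b.bssid} ssid={b.ssid!r} ch={b.channel} "
                f"at {gps[0]:.5f},{gps[1]:.5f}: {reason}")
```

Distinguishing an unknown SSID from a corporate SSID on an unknown BSSID matters in practice: the former is usually an employee's unauthorized AP, the latter an attacker impersonating yours.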

Finally, companies flabbergasted by the wealth of available tools may want to consider Trinux, an entire Linux distribution that boots off a floppy disk or CD-ROM and can download packages from an HTTP or FTP server. The Trinux distribution boasts a package list that includes the latest versions of many network security tools, including tools for port scanning, packet sniffing, and OS fingerprinting. Enterprises without abundant Linux expertise may find the Trinux solution particularly appealing: After all, why bother downloading and installing individual packages when you can find everything in one place?

As the Linux movement continues to gather momentum, expect to see more and more enterprise-grade security tools emerge. Most solutions lack a centralized support organization or formalized development and release schedule, but longtime Linux users are already accustomed to those drawbacks. Perhaps surprisingly, many of the tools on the market today are just as effective as their commercial counterparts.