RESEARCH TRIANGLE PARK, N.C. - Red Hat is prepping an upgrade of Linux that lets system managers significantly tighten the security of their networks, as well as more easily install and configure the operating system.
Code-named Pinstripe and referred to in prerelease Red Hat documentation as Linux 7.0, the new version supports features that users in corporate environments have long sought. They include several easy-to-use desktop interfaces and a hardened Linux kernel that makes the operating system more stable. The upgrade is scheduled to ship by year-end.
"Pinstripe offers better support for recent hardware, a more secure base install, integration of many popular packages, and better features for mass deployment," says Alan Shutko, software engineer for In-Touch Management Systems, a paging software maker in Melville, N.Y.
"This should make it easier to deploy Linux and fit it into a company's architecture," he adds.
Three of the most important features of Red Hat Linux 7.0 are its use of the latest unreleased Linux kernel, 2.4; inclusion of more complete security features, such as a secure remote access program and Secure Sockets Layer (SSL); and a new installation program that is tailored to the Linux experience level of the user. Linus Torvalds, the creator of Linux, expects the 2.4 kernel to be available by the end of September.
"The 2.2 [Linux] kernel was a great kernel. However, it was lacking in hardware and file system support," says Jesse Noller, an enterprise engineer for a business software company in Massachusetts, adding, "general TCP/IP problems plagued it in the enterprise."
"Linux 2.4 [employed in Red Hat Linux 7.0] uses a new threading model that lets people who need speed and stability tap into the kernel and get a lightning-fast Linux server on an eight-processor Intel box that can serve up a few million pages for a fraction of the cost of Windows NT," Noller says.
Red Hat confirms that Linux 7.0 will also have symmetrical multiprocessing support for up to eight server processors, although the company declined to discuss the upgrade details in depth.
Noller says that enhancing Lightweight Directory Access Protocol (LDAP) authentication functionality and adding SSL are also a boon for corporate networks. With LDAP and SSL exploited, "people in an enterprise environment can have multitudes of machines governed with a singular policy [model]," Noller adds. "This is an excellent step for Linux in the way of enterprise-grade security support."
Other Linux users, many of whom will gather this week for the LinuxWorld Conference & Expo in San Jose, agree.
"Network managers need better tools to centrally administer network information, such as user IDs and passwords," says Bill McCarty, associate professor of IT at Azusa Pacific University in Azusa, Calif. "The Network Information Service [NIS] was too insecure to serve this function." NIS is a service that provides information that has to be known to all machines on the network.
McCarty has at least one concern, however.
"Unless LDAP is specially configured, it currently transfers passwords across networks in clear text, which is unacceptable," he says.
Red Hat says it solved this problem by disabling LDAP; during installation it can be correctly enabled by experienced administrators.
Two other security technologies, OpenSSH and OpenSSL, which were formerly available separately because of U.S. export laws on encryption, will be included in Linux 7.0.
OpenSSH replaces Telnet, which is a utility Noller believes is problematic. "Telnet is one of the most insecure protocols on the planet," he says. "Anything is better. Why not use strong encryption [such as OpenSSH]?"
Another customer echoes that assessment.
"Secure logons are important to us," says Josip Loncaric, senior staff scientist at NASA Langley Research Center in Hampton, Va. "Remote logins require OpenSSH because otherwise important information, [such as] passwords, could be compromised. Remote users need to access our systems without this risk."
Red Hat has also improved the installation and configuration program for Linux 7.0. The firm added different installation methods for inexperienced to expert system administrators, changed the manner in which security options, such as Kerberos or LDAP, are installed, and separated workstation from server installations.
This change is significant to at least one user who understands the skill levels of people installing Linux.
The user, who asked not to be identified, says any operating system that is shipping with services turned on runs the risk of unnecessary services being used by hackers to break in. Red Hat has disabled several security options that could cause problems for inexperienced installers.
Red Hat also improved its automated Kickstart installation utility with the addition of new commands and the ability to partition previously unused disk space.
"We insert a Kickstart diskette into a new machine with a blank, unpartitioned disk, turn it on and in 10 to 15 minutes have a fully configured system," says NASA's Loncaric. "Kickstart partitions the disk, then installs from a remote file server over the network, customizes a few things, [such as] IP address and host name, installs [the Linux boot loader], then reboots the system."
Contact Senior Editor Deni Connor
