Linux vendors stepping up their focus on security

Customers should expect to see enhanced, easier-to-use security tools from leading Linux distributors in the coming months as vendors focus on making the platform tough enough to support even the most critical business applications.

Gone are the days of having to bolt on Linux security features through patches to the kernel. The Linux 2.6 kernel includes the hooks necessary to integrate security directly into Linux distributions without modifying the kernel itself.

That means users should see offerings that fit right into their Linux environments, analysts and industry experts say. It's a reflection of the maturing of the Linux operating system and a growing focus on security by vendors such as Novell and Red Hat.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Customers should expect to see enhanced, easier-to-use security tools from leading Linux distributors in the coming months as vendors focus on making the platform tough enough to support even the most critical business applications.

Gone are the days of having to bolt on Linux security features through patches to the kernel. The Linux 2.6 kernel includes the hooks necessary to integrate security directly into Linux distributions without modifying the kernel itself.

That means users should see offerings that fit right into their Linux environments, analysts and industry experts say. It's a reflection of the maturing of the Linux operating system and a growing focus on security by vendors such as Novell and Red Hat.

While Novell is working at integrating its longstanding security tools, such as identity management, into its SuSE Linux distribution, users can expect to see Red Hat build out offerings on top of technology it acquired from Netscape, including a directory server and a certificate management system.

"The key focus moving forward is to make sure we build security into every component, every process, every bit of what we're doing," says Mike Ferris, director of security solutions at Red Hat. "When we think about security, it's really about making it ubiquitous."

As an example, Novell and Red Hat now build application security into their Linux offerings. Application security technology limits access to operating systems and protects applications and operating systems from internal and external threats such as malicious code and viruses. The idea is to protect data on Linux from application vulnerabilities without having to resort to emergency patching.

Red Hat includes Security Enhanced Linux (SELinux) in Red Hat Enterprise Linux 4. SELinux is a National Security Agency-backed project that enables users to set detailed access controls to protect operating systems from threats.

Novell offers AppArmor, access control software it acquired from Immunix last May. Novell has offered AppArmor as a stand-alone product since the fall,but last week the company announced it was integrating AppArmor into its SuSE Linux distribution. The company also kicked off an open source project built on key components of the AppArmor code.

Developers can go to www.opensuse.org/apparmor and have full access to the source code, says Charlie Ungashick, director of product marketing for Linux at Novell. "That way, we will garner community involvement to review, test and develop the technology."

Analysts say the move is a good one for Novell, whose biggest challenge is to raise awareness of the AppArmor technology. Novell executives say AppArmor is a simpler approach to application security than SELinux. Some analysts agree, noting that today most SELinux deployments are in the government sector.

"Novell AppArmor is less complicated to implement than SELinux," says Stacey Quandt, research director of security solutions and services at the Aberdeen Group. "The challenge for Novell is not technology but marketing. By creating an open source project around AppArmor, it may be of more interest to developers and increase the mind share and use of the technology."