The NSA's ultra-secure Linux technology evolves for the enterprise

LinuxWorld panel discusses the evolution and challenges of Security Enhanced Linux

Boston - Linux and open-source developers are working to make Linux security tools developed by the National Security Agency more accessible and usable by regular system administrators and application developers.

Software developers and users discussed how Security Enhanced Linux (SE Linux) is evolving, and the benefits - and potential pitfalls - it could introduce when deployed in an enterprise data center. This discussion took place in a panel on SE Linux at the LinuxWorld Expo this week.

SE Linux is not a Linux distribution, such as SuSE or Red Hat, but is instead a set of modifications to the Linux kernel that limit the access that applications have to memory, processors, operating system configuration files and other critical components of a server or PC operating system. SE Linux uses mandatory access controls to limit applications' access only to the minimal amount of resources they need to run. The idea is to prevent hackers from taking over or breaking into a server by exploiting openings in poorly designed code, or by squeezing through small holes in well-designed software.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Boston - Linux and open-source developers are working to make Linux security tools developed by the National Security Agency more accessible and usable by regular system administrators and application developers.

Software developers and users discussed how Security Enhanced Linux (SE Linux) is evolving, and the benefits - and potential pitfalls - it could introduce when deployed in an enterprise data center. This discussion took place in a panel on SE Linux at the LinuxWorld Expo this week.

SE Linux is not a Linux distribution, such as SuSE or Red Hat, but is instead a set of modifications to the Linux kernel that limit the access that applications have to memory, processors, operating system configuration files and other critical components of a server or PC operating system. SE Linux uses mandatory access controls to limit applications' access only to the minimal amount of resources they need to run. The idea is to prevent hackers from taking over or breaking into a server by exploiting openings in poorly designed code, or by squeezing through small holes in well-designed software.

Introduced in 2000 by the NSA, SE Linux "only covered a small subset of the overall [Linux] system," said Stephen Smalley, a research scientist for the NSA. "SE Linux policy has since been expanded to cover more of the system. A year ago we had fairly immature support and a monolithic policy. Today we have support for modular policy, enabling third-party application developers to create policies [for SE Linux] and package them with their applications."

A major step in making SE Linux easier to use has been the development of the SE Linux Reference Policy, an open-source project for creating tools that make it easier to create and apply SE Linux policies to software.

Smalley says other developments the NSA is working on for SE Linux are ways to apply the technology to desktop Linux systems, as well as to multiple virtualized Linux systems running on top of a single hardware platform.

The U.K. Central Government is testing SE Linux with its infrastructure of Linux and IBM WebSphere servers. The goal is to secure the Web services architecture for its municipal-service Web sites and public-facing applications.

"We wanted to enforce policies which say that application servers can only talk to the end points that they're authorized to talk to," said Mark Hocking, technical architect for the U.K. Cabinet Office's e-Government Unit. Such mandatory access controls have been used for a long time in government operating systems and highly customized systems, he said.

The U.K.'s e-Government Unit wanted to apply SE Linux protection to a range of Java 2 Enterprise Edition (J2EE) applications it uses with minimal changes to the WebSphere servers it has up and running. So far, the group's beta tests have been successful, Hocking says.

"We're not saying it will have 100% [security] assurance, but it seems to be working quite well. We believe we can apply SE Linux to commercial off-the-shelf products to give us a higher level of assurance than what we would have had without it."