
Users at LinuxWorld talk up security

Apr 10, 2006

Regulatory burdens and intellectual property issues also get an airing.


BOSTON – In conference sessions and hallway discussions at LinuxWorld Expo last week, open source users swapped strategies for hardening Linux servers and building open source applications that can repel hackers, stand up to regulators and survive the scrutiny of intellectual-property lawyers.

One company betting the server farm on open source is AthenaHealth, a company in Watertown, Mass., that processes insurance claims and manages information for small medical practices and large hospitals. The company has built a large extranet application based on Linux servers running Oracle, Apache Web Server and a modified version of the open source SugarCRM application.

“Open source doesn’t really increase our security risk; our risk is quite large for plenty of other reasons,” said AthenaHealth CTO Bob Gatewood, whose company stores 15 million medical records, as well as Social Security and credit card numbers for the patient data it manages.

Gatewood delivered a keynote speech at the conference, which drew about 8,000 attendees and 150 exhibitors.


“It doesn’t make a difference if your infrastructure is open source or not,” Gatewood said. “The security issues with proprietary software are pretty well publicized, but I don’t think in general there are any fewer security holes in open source stuff. . . . Keeping the network secure comes down to our testing process.”

When developers want to use a new open source module, the software is deployed in a test network where its behavior is studied, and it is put through security and quality-assurance testing. This process is in place to handle any open source legal and technical risks.

“This triggers a process where we take a look at the license and give it to our lawyers, and our release engineers take a look at the code to determine if it’s safe,” he said.

About the intellectual-property aspects of open source, Gatewood said, “we have to look at what [open source] we’re using. Our lawyers are very much interested in keeping track of what modules and licenses we use, whether it’s [General Public License] or something else.” Because AthenaHealth does not make major modifications to the open source software it uses, issues of violating open source licenses by tinkering with code are not much of a factor.

Predeployment technical testing of open source code is also an important process for Midwest Tool & Die in Fort Wayne, Ind. It uses Linux servers, Apache and SugarCRM to run its manufacturing and e-commerce systems.

“We test-bed everything,” said Craig Swanson, vice president of systems for the manufacturer. “I can duplicate my network now very easily with virtual machines,” in order to set up a full replica of the network for tests. “We have an open-door policy on installing anything you want in the test environment. But we’re rigid on documentation, and we’re rigid on testing and verifying what packages we can install on the final system.”

The company uses Fedora servers, the free, open source version of Red Hat Linux, to run its production environment and Web presence. As a precaution, Swanson uses the open source Mondo Archive tool to take snapshots of its production server images, and keeps backup configurations that can be brought online quickly in case of failures or system problems.

Swanson also uses Security Enhanced Linux (SE Linux), a set of Linux policies and access-control code that limits the ability of hackers to gain access to a server by exploiting weaknesses in the software running on top of the operating system.

“SE Linux has been terrific,” Swanson said. In addition to vetting code before deployment, SE Linux provides another level of assurance that the code won’t be exploited. “We deny everything and allow just what we want” into and out of the servers via SE Linux policies, he said.

Dominion Diagnostics, a Rhode Island company that provides online medical lab services, also uses SE Linux to secure its Web applications and data – which, like AthenaHealth, are scrutinized under such regulations as the Health Insurance Portability and Accountability Act.

“With SE Linux, if someone breaks and hacks the applications, fine,” said Joseph Morin, network operations manager for Dominion Diagnostics. “But they’re not getting anywhere; they can’t execute anything I don’t want them to,” because of the limitations SE Linux puts on how applications can use system memory, processors and configuration files.

All of Dominion’s Web-facing servers – which run Red Hat Linux – have SE Linux turned on, Morin said. While it is a useful tool, he added, configuration and management of policies is complex and arcane – SE Linux technology was developed by the National Security Agency, after all. “It’s complicated and very technical” to edit policies for how software runs under SE Linux, Morin said. But with security threats around Linux rising, Morin said it’s standard practice to use SE Linux, as well as other open source security enhancement tools such as Tripwire and Swatch, which create alerts when Linux servers are misused.
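To make the SE Linux and alerting points above concrete, here is an added example (not from the article or from any of the companies quoted) that parses AVC denial records of the kind the Red Hat audit log writes when a confined process such as httpd is refused an operation, and turns the denials worth paging on into Swatch-style alert lines. The log excerpt, process and type names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (not from any real system):
# a confined Apache domain (httpd_t) refused a shell execution and
# a config write, plus one record that is not an AVC message.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1144000000.101:201): avc:  denied  { execute } for  pid=2201 comm="httpd" name="sh" dev=sda1 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1144000000.102:202): avc:  denied  { write } for  pid=2201 comm="httpd" name="httpd.conf" dev=sda1 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=AVC msg=audit(1144000000.103:203): avc:  granted  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda1 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1144000000.101:201): arch=c000003e syscall=59 success=no exit=-13
"""

# Header of an AVC record; the trailing key=value fields are parsed separately.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other records."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    for key, val in KV_RE.findall(rec.pop("rest")):
        rec[key] = val.strip('"')
    return rec

def summarize_denials(log_text):
    """Count denials by (source domain, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        # The type is the third field of a user:role:type:level context.
        sdom = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(sdom, ttype, rec["tclass"], perm)] += 1
    return counts

def alerts(log_text, watched=("execute", "execmem", "write")):
    """Swatch-style alert lines for denials of permissions worth paging on."""
    return [f"{sdom} denied {perm} on {ttype} ({tclass}) x{n}"
            for (sdom, ttype, tclass, perm), n in sorted(summarize_denials(log_text).items())
            if perm in watched]
```

A denial here means the policy did its job; the alert is useful because a confined web server trying to run a shell or rewrite its own configuration is the signature of the application having been compromised, exactly the case Morin describes.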

“Windows and Linux both have different problems,” in terms of security, Morin said. “As Linux is more widespread, people are definitely targeting that.”