IBM Linux Security Direction & Activities
Doc Shankar IBM Linux Technology Center dshankar@us.ibm.com
Agenda
• Linux Security Options
• Linux Security – What’s now?
• Linux Security – What’s new?
• Tivoli Security Management Solutions
• Conclusions
9/18/2006 Doc Shankar 2
Linux Security Options
LSM VPN Nessus DAC Bastille Open SSL Password TrouSerS Smart Card MLS LIDS PAM Token Open LDAP Hook Verification Trusted Computing PKI H/W Crypto MAC openCryptoki Kerberos Certificate noexec stack CAPP/EAL4+ PIE AppArmor eCryptfs Hardening Snort TCP Wrapper Tripwire iptables IPsec ClamAV RSBAC Astaro
IPSEC Physical Access Open SSH/SSL SELinux
Open Source Security Solutions*
* not a comprehensive list
Access Network
• VPN: IPSec, FreeSWAN
• Anti-virus: FreeAV, OpenAntivirus
• Web Browser: Mozilla, Konqueror
• Email client: Evolution, Pine
• Communication: OpenSSH, OpenSSL
• Hardening: Bastille
• Data Integrity: Tripwire, Shred
Core Network
• Single Sign On, Authentication: OpenLDAP, MIT Kerberos, Heimdal
• Web Server: SSL + Apache
• File/Print Sharing: Samba, NFS
• Certificate Authority: OpenCA
• Database: SSL + PostgreSQL, MySQL
• Hardware Encryption: OpenCryptoki
Perimeter Network
• Intrusion Detection: Snort, LIDS
• Security Auditing: Nessus, Saint
• E-mail Filtering: SpamAssassin
• Firewall: IPTables
• Proxy: Squid
Linux Security – What’s now?
• Base Security Features (PAM, Permission bits, ACLs, SELinux, AppArmor)
• Network Security Features (iptables, OpenSSL, OpenSSH, IPSec, Labeled IPSec)
• Achieved CAPP/EAL4+ certification
• LSM hooks in 2.6 kernel (BSD Secure Levels, BSD Jail, TPE, DigSig)
• SELinux in 2.6 kernel (Type Enforcement, Confinement, Targeted Policy)
• AppArmor
• Trusted Computing (TPM driver in 2.6 kernel, TSS & TPM-tools open sourced)
• Lots of good free security software
– Snort, ClamAV, OpenSSH, OpenSSL, Tripwire, AIDE, nmap, GnuPG, and many more
• Lots of good paid (commercial) software
– Tivoli, CA, Symantec
• Main distributions concerned and handling security well
– Red Hat, Novell SUSE, Mandriva, etc.
• Secure distributions exist
– Trustix, Astaro, Openwall
Linux Security – What’s new?
• SELinux Adoption
– Targeted policy default in RHEL4
– Policy Development Methodology/Tools - Virgil
– Performance
– Across all eServer
• AppArmor
– Available in SLE9 SP3
• MLS/Linux
• LSPP Compliance
• Vulnerability Mitigation
• Audit Capability
• OpenSSL FIPS 140-2 Level 1
• EAL5 (Mandriva)
• zSeries HW Instructions
• OSDL Initiatives
– DCL
– CGL
– DTL
• Trusted Computing
– Infrastructure Open Sourced
– OpenTC
• Encrypted File System
Linux Security Initiatives
• Security Certification*
– – – – – – – – – Common Criteria EAL2+ achieved* CAPP/EAL3+ achieved* CAPP/EAL4+ achieved* Working LSPP/EAL4+* OpenCryptoki* HW crypto acceleration* FIPS 140-2** TCG's TPM/TSS Implementation* OpenSSL** OpenSSH IPSec** LSM** Audit* Kerberos PKI
•
Applications Security**
– – – – – – –
•
Crypto*
Encrypted File System* Firewall Antivirus IDS** Security Scanners Position Independent Executables Exec Shield SELinux** MLS** Bastille**
• • • • •
Mandatory Security**
– – –
• •
Trusted Computing*
– – –
Secure Configuration** Vulnerability reduction/reporting** Secure Programming**
– BogoSec
Networking Security**
•
Base Security**
– – – –
Verification Tools*
– – –
Vali* Gokyo* UT tool**
* IBM Leading
** IBM Participating
Linux and Common Criteria
• Until 2003, many people believed that Linux would not be able to get CC certified
• Now, three years later, no other operating system has got more Common Criteria certificates than Linux®
– Two distributions (Novell SUSE and Red Hat)
– Two different kernel versions (2.4 and 2.6)
– Many different hardware platforms
  • IBM® Pentium, XEON, and Opteron systems
  • IBM pSeries®, iSeries™, and zSeries® systems
  • HP Pentium, XEON, and Itanium systems
  • SGI Itanium systems
– Two certifying agencies (BSI & NIAP)
– Assurance levels up to EAL4 augmented by ALC_FLR.3
Tivoli Security Management Solutions
• Tivoli Access Manager for eBusiness
– Block unauthorized access, SSO
• Tivoli Access Manager for Operating Systems
– Centralized policy, centralized audit, heterogeneous environments
• Tivoli Identity Manager
– Centralized & automated point to create & manage new accounts & passwords
• Tivoli Federated Identity Manager
– Partner with external organizations, share data & web services with 3rd parties
• Tivoli Directory Server
– LDAP, store white pages, authentication & personalization information
• Tivoli Directory Integrator
– Synchronize information among many IT systems & departments
• Tivoli Compliance Manager
– Enforce security policy, optimize server configurations
Conclusion
• Linux has much to offer in terms of security
• Linux has a bright future ahead
• IBM is committed to elevating Linux as a secure operating system of choice in today’s eBusiness
• IBM can maximize the resiliency and security of Linux environments through the use of management tools