|[Home] [Credit Search] [Category Browser] [Staff Roll Call]||The LINUX.COM Article Archive|
|Originally Published: Friday, 20 April 2001||Author: IRC Staff|
|Published to: interact_articles_irc_recap/IRC Recap||Page: 1/1 - [Printable]|
Guardian Digital Presents EnGarde Secure Linux
The other day, some of the creators of EnGarde Linux talked to us about their new secure linux distribution. For those of you who either missed the event or just want to reread what happened, the link below will take you to the log of the event.
|Page 1 of 1|
Guardian Digital Presents EnGarde Secure Linux<davew> Hello everyone. I'm Dave. I'm a Guardian Digital engineer. I've got a few Q & A style blurbs that hopefully should explain a bit about our EnGarde Secure Linux.
* CodeWarrior sits down
<davew> EnGarde is a secure distribution of Linux engineered from the ground-up to provide organizations with the level of security required to create a corporate Web presence or even conduct e-business on the Web. It can be used as a Web, DNS, e-mail, database, e-commerce, and general Internet server where security is a primary concern.
<davew> We released the second in the 1.0.1 series. The version we released today runs on older machines, including i386, i486 and pentiums. Previous we released a version specifically compiled to take advantage of Pentium Pro and above processors.
<davew> EnGarde uses RPM for its packaging format, both to take advantage of the wealth of existing packages that are available, as well as the ability to sign packages.
<davew> - what are its features?
<davew> EnGarde Finestra features integrated intrusion detection using the Linux Intrusion Detection System, Web-manageable Tripwire, tools from many Open Source security projects including Openwall, snort network intrusion detection system, and extensive host security improvements. EnGarde Secure Linux strives to be the most secure, yet functional, Linux distribution to date.
<davew> - why did we design it?
<davew> Often times our corporate customers are interested in a secure foundation for constructing their Web site, may not have an experienced Linux or security staff, and were looking for a robust and secure platform for presenting their corporate information to the world.
<davew> Guardian Digital was already a security consulting and Linux security engineering company, and we felt a Linux distribution designed from the ground-up would provide that foundation our customers were looking for.
<davew> - what is LIDS?
<davew> The Linux Intrusion Detection System implements an additional level of access control above and beyond what is normally included with the Linux kernel.
<davew> This Mandatory Access Control mechanism prevents at a kernel level users (including root) from accessing resources they have not explicitly been given permission to access.
<davew> This means that, for example, even the root user can't mount or unmount drives unless it has been granted by a trusted administrator.
<davew> Should the system be compromised, a malicious user with root privileges would have a much more difficult time of wreaking havoc on the system.
<davew> - how do I use the intrusion detection?
<davew> The host-based intrusion detection included with LIDS is pre-configured for your system.
<davew> Experienced Linux users can tweak the level of notification, control the level of access to system resources, as well as numerous other system parameters.
<davew> The network-based intrusion detection utilizing snort provides a commercial-quality system that can monitor network activity for not only the host on which it runs, but also entire networks.
<davew> Snort produces easy-to-read reports that can be used to alert an administrator to potential network probes and intrusions. Now used by thousands of people, snort is surely to become the de facto Open Source NIDS of the future.
<davew> - how do you set up a secure web server using it?
<davew> Using the Web-based management system, creating an SSL-enabled Web server, DNS server, or e-mail server for even thousands of domains is really a matter of navigating with your Web browser, entering in the appropriate information, and clicking "Submit".
<davew> Ryan is our WebTool designer. He would love to hear any comments you may have about its design, ideas for future versions, etc.
<davew> - Who is Guardian Digital?
<davew> Guardian Digital is the first complete Open Source security company.
* Mallory == Ryan
<davew> We are dedicated to the intelligent growth of Open Source security solutions for Linux.
<davew> Founded in early 1999, Guardian Digital has already developed a number of completely Open Source security projects, including EnGarde Secure Linux.
<davew> Guardian Digital provides support, development, and services for our EnGarde Secure Linux, network security scanning, and security design.
<dlewis> We will now open the floor to questions.
<Mallory> That's too bad because I was willing to answer.
<davew> heh s/not/now/g
<markbach> ok, i'll start out with a question...I'm a sysadmin, i know how to compile apache/ssl, setup BIND, secure my server, etc. Why should I use EnGarde over say, Debian
<Mallory> Good question, I'll let Dave talk then chime in with my own comments.
<davew> If you use debian, you don't even have to compile apache/ssl. It's not about whether or not you can compile something. It's about how apache and ssl integrate with your other applications, and the access control surrounding its implemention...
<Mallory> Exactly, and with EnGarde you get the power of the WebTool which is a "tool" that "even your mom can use".
<Mallory> You can do everything in one place, including generation of keys/certificates/CSRs.
<davew> It nearly eliminates the necessity to read through tons of "Securing Apache" documentation, because the WebTool manages it all for you, and makes sure it's correct every time.
<markbach> ok, fair enough, looks like you guys have a good product
<davew> Well, don't take our word for it. Give it a shot :)
<ZeeblebroX> how does this webtool work? i mean if the config specs for apache, or whatever package change?
<Mallory> Well it's written in perl so it's pattern matching abilities are above any other.
<Mallory> You can drop in an existing config and start off with that, which makes migrating web sites rather easy.
<bdthomas> Here are some screenshots: http://www.engardelinux.org/preview.html
<Mallory> If you want to change something like ServerAdmin, or an Option (CGIs/SSI), you just click on the site you want to edit and change it.
<ZeeblebroX> i hope it is something that works, noty like redhat's linuxconf(which i used as teh uber swiss knife when i installed RH first time)
<Mallory> Of course we encourage that as much of the functions be done through the WebTool as possible, since it does its own error checking, etc.
<Mallory> It's the same in concept (a systems adminsitration tool).
<davew> We believe we've found the right balance between command abstraction and functionality.
<bdthomas> You can always SSH if you must have the command line.
<Mallory> And when you do decide to SSH, you can create your SSH1 RSA keys in the WebTool. :)
<xeno42> is there anything 'special' about the apache package you use? ie. if you wanted to compile your own apache with your own extensions/patches/whatever, would that upset things?
<davew> That's another point in and of itself. It can generate and manage the SSH keys for you, control access, and monitor it as well.
<Mallory> It would not upset anything assuming everything is installed in the same places. If not, you'll need to tweak a config file or two by hand.
<Mallory> We include php and mod_perl.
<Mallory> (with mod_ssl, of course, and all the other "standard" apache modules)
<xeno42> did you start with another distribution as a 'base' for your own?
<davew> We took pieces from many different distributions, but it is entirely from scratch.
<davew> There were too many pieces of 'old cruft' from other distributions that prevented us from achieving the goals we set out to do.
<davew> We took PAM and RPM from Red Hat, configuration and network ideas from Debian, FHS compliance, etc...
<xeno42> so who would feel most comfortable using your distribution? what's it closest too? redhat?
<davew> Yes, probably Red Hat. Now that Debian has PAM, and people have created cross-distro package management programs, it's tough to say.
<ZeeblebroX> do you plan to add new modules to webtool?
<Mallory> Well from the package management perspective, probably Red Hat since it's RPM based. We took a lot of stuff from Debian too, suck as their networking setup.
<Mallory> ZeeblebroX: Yes, I have a few going in my head but would love to hear ideas.
<bdthomas> With the webtool everyone should feel comfortable, even Windows users. :)
<Mallory> Ideas and contributions are always more then welcome.
<ZeeblebroX> Mallory a module to install tar.gzs would be nice
<Mallory> That actually crossed my mind, but since the "default" EnGarde ships without compilers it would not do that much good.
<ZeeblebroX> Mallory ohh
<Mallory> But I was looking at some of those programs (as seen on freshmeat) that will track a "make install" into a package.
<Mallory> We do have a devel tree, along with instructions... getting URL
<ZeeblebroX> so for new packages, you either have to get a redhat or mandrake package?
<dlewis> I have sort of a "universal" question...
<Mallory> Yes, or build the package on another machine.
<Mallory> But not everybody has that luxury. :)
<dlewis> What are some features that you believe Engarde Linux will implement in the future that will make the distribution more "secure"?
<davew> That certainly is a wide question. Improved access control (smartcards/kerberos..), ssh2, further development of the mandatory access control,
<davew> complete key management, web-based management of filesystem access control...
<Mallory> My own personal todo list has apt+rpm on it, along with some "
<Mallory> very cool" crypto stuff
<davew> further development of the network intrusion detection system and integration with the WebTool...
<Mallory> And kernel work.
<ZeeblebroX> hm, iwas looking at the engarde rpms, what is tex doing there?
<Mallory> I'm actually working on some of that stuff right now ;)
<Mallory> In the devel tree?
<Mallory> It's a buildrequrement for some package... we thought it had been taken out but it turned out it wasnt :)
<Mallory> I want to say LILO, but I'm not 100%.
<Mallory> Back to future stuff, I'd like to see some sort of IPSec integration too.
<ZeeblebroX> what MTAs does the webtool support? like configuing sendmail/postfix/exim....or does it have to be done manually?
<Mallory> FreeS/WAN is the road we'll probably take.
<Mallory> Postfix configuration is all done through the WebTool.
<Mallory> You can manipulate alias and the 'virtusertable'.
<ZeeblebroX> good, i like postfix:]
<xeno42> Does EnGarde include some mechanism for keeping it's packages up to date automatically?
<Mallory> We abstract them into "mail domains", with "postmaster" (the @domain.com "default" catch-all address)
<ZeeblebroX> what about qmail?
<Mallory> xeno42: I'm going to defer to Dave re: your question.
<davew> Yes, and regarding postfix, we're working on webtool support for spam control, Paul Vixie's spam techniques, and more.
<Mallory> ZeeblebroX: Not at the moment, but you can install it as you wish and configure it by hand, of course.
<davew> qmail has an undesireable license. Plus, Venema has been highly regarded for decades, and we trust his motives.
<markbach> I've got another one...how easy is it to manage multiple users/domains/virtual hosts with Engarde? You keep plugging this webtool, but let's say I've got a really complex setup, like i want to generate some weird keys for a SSL site...is webtool going to do that for me, or am I going to end up having to do it myself?
<ZeeblebroX> well, the one time i installed qmail on a dialup, it was horrible..:)
<Mallory> Well one "future feature" is a nice "one click" feature that will do everything, from DNS to Mail to WWW.
<Mallory> Creating ssl keys/certs by hand is kinda a pain, and you have to remember crypti commands such as "openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem"
* ZeeblebroX shudders at what'll hapen underneath the "once click" setup
<markbach> i know :)
<Mallory> With the WebTool, you just type in all the information and the keys are automatically created and protected by LIDS so you can't even _see_ then when logged in.
<Mallory> ZeeblebroX: heh, yeah, the main reason it's not in right now is because it has to be well thought out or it'll take a half hour to run.
<Mallory> And the plus is that everything is it's own "object", so they work in a modular fashion totally independent of each other.
<Mallory> So if your BIND setup is broken, you can still get mail, of course. ;)
<davew> Another one of the features worth mentioning is our GD Update. This is a feature integrated into the WebTool that provides point-and-click access to security and system updates.
<davew> It can be configured to send an administrator an email when a security vulnerabiity has been found and patched, and after acknowledgement, will automatically update the system, add new features, and more.
<markbach> A secure server is a terrific idea, but the fact remains that most of the portscan i see are from rooted desktop boxes (mostly in dorms, but that's nother story). Any plans to create a user friendly, secure, workstation geared distribution?
<davew> markbach: No. No plans. Securing a workstation is quite a different story. A secure workstation contradicts the entire secure paradigm. Using something like ipchains to block incoming access is probably the best approach.
<Mallory> Yes, and there is nothing from stopping you from making all the "workstation" packages (Xfree, etc) work with EnGarde. If you ever do, send me a HOWTO and I'll put it up someplace ;)
<davew> markbach: once you have apache (or any other public service for that matter) running on your desktop, it's no longer a workstation....
<Mallory> It's not really recommended because like Dave said, it's a whole other can of worms.
<markbach> ok, just a suggestion :)
<davew> hehe, we take security a bit personally sometimes, I guess :)
<xeno42> How does EnGarde compare with say, Smoothwall?
<davew> Also, in the coming weeks, we should have a 2.4 kernel ready for public testing. It currently has all the userspace support for it.
<Mallory> Smoothwall is much more lightweight, and is meant to more of a firewall-like system.
<davew> xeno42: smoothwall is for more of a dial-up user rather than an organization or enterprise solution. Also, it is more of a firewall with internal remote administration capabilities.
<Mallory> EnGarde is intended to be more of an enterprise solution.
<Mallory> wow, buzzword collision. :)
<xeno42> are there plans to give EnGarde tools to let you use it as an effective firewall?
<Mallory> Those tools are already there. ;)
<techroam> xeno42: if it comes with binary iptables, you're okay ;-)
<xeno42> well, web managed tools I should say :-)
<davew> Yes, we include ipchains for the current version, and there are internal development efforts going on for a front end for firewall and proxy services.
<Mallory> It includes ipchains for masquerading/firealling, snort for NIDS, and Tripwire for HIDS>
<Mallory> There is a Tripwire module for the WebTool which can walk you through everything except the initial configuration/passphrase selection.
<davew> The proxy stuff is really awesome. It's by far the most powerful implementation available, and will be ready by the next release.
<Mallory> You can view reports, change it's cron entry, change the email addy that reports go to, and selectively update the database.
<techroam> davew: powerful by what specification?
<Mallory> snort works out of the box, all you need to do is plug in your ip/netmask.
<ZeeblebroX> will the webtol work with other distros,say RH/mdk?
<Mallory> Probably not, but it may.
<bdthomas> Also, the WebTool provides the ability to view log files, running processes, and system statistics.
<davew> techroam: the level of access control it provides using the web-based management, smut protection, ...
<Mallory> A lot of the paths and stuff are hardcoded (it's not very modular within itself).
<techroam> davew: k
<Mallory> But again, if somebody wanted to make it work, they could knock themselves out.
<ZeeblebroX> Mallory ok
<Mallory> Oh, it's also much more FHS compliant then something like RH 6.2.
<Mallory> ie, the initscripts strucure (/etc/rc.d/init.d vs. /etc/init.d)
<dlewis> Are there any final questions from ANYONE?
<dlewis> If not.
<dlewis> then we hear at Linux.Com would like to thank Dave, Ryan and Ben for joining us here.
<xeno42> sounds like a great distribution
<davew> Okay, thank you all. Please visit us at http://www.engardelinux.org and we'd love to hear from you.
<markbach> thanks, guys
<dlewis> This has been a GREAT Live! event.
<Mallory> Yeah, feel free to hop on our mailing lists and ask away if you should have any questions later.
* Mallory puts on his beard and tie dye shirt and goes back to the kernel patches...
<dlewis> I urge for ALL of you to do so...
<bdthomas> Also, don't forget to visit us at LinuxSecurity.com :)
<dlewis> LinuxSecurity.com is the GREATEST resource in Linux Security....
<dlewis> The article for this event will be up soon.
|Page 1 of 1|