Guarding Your Systems With Guardian Digital
Constructing The Fortress
The recent release of EnGarde Secure Linux Community Edition reminds us that there are all sorts of Linux flavors out there for the enterprise to sample. From the heavy-duty clustering distros to the sleek one-purpose versions of Linux, there is quite possibly a distribution for any specific task you might want to tackle as an administrator. EnGarde Secure Linux, designed to be a massively secure Linux platform, definitely falls towards the more specialized end of the distribution spectrum. Its makers at Guardian Digital have consistently maintained their focus on this purpose for the product, and so far, the results are coming along nicely. But how did their idea of a single-purpose distribution take root?
"Early on, we received a call from one of our colleagues at a customer's location implementing a Windows server for their public Web services," said Dave Wreski, CEO of Guardian Digital. "Their trouble was that they hadn't taken the necessary precautions to protect themselves against the security vulnerabilities at the time. The server was hacked just thirty minutes after it was installed. The consultant for the company informed the customer, and they both chose to bring in Guardian Digital immediately," Wreski said.
Guardian Digital was started in early 1999 as an Internet security and services company. It focused on finding out what kind of problems companies were having regarding security and then addressing those problems using existing products. Sometimes products were customized to meet a client's specific requirement. "Today we remain committed to solving business problems using open source with specific focus on security and ease of management. The Internet is evolving rapidly and new methods to manage security risks must evolve just as rapidly," he said.
Many of the company's 500 customers were small businesses with very tight budgets and no IT staff. Business owners were concerned about strangers reading their email and defacing their web sites, and about falling victim to the same types of attacks that took down Yahoo! and Amazon. The security improvements [over standard distribution packages] in Guardian Digital's products not only reduce the risk of cracker attacks, but also the financial risk and business downtime. The software's ease-of-management techniques also reduce support costs, provide a consistent configuration every time and enable businesses with limited staff and experience to manage their Internet presence.
The Linux Security HOWTO and Guardian's Founders
You may have recognized the name of Dave Wreski if you've ever looked at the Linux Security HOWTO. Some of you may also know of him as the senior architect for UPS Worldwide, where he designed the security for the company's data centers and partner communications with internal UPS systems. He also managed and directed the UPS security staff and oversaw Internet Systems security policy for the company. Wreski's associate, Peter O'Hara, joined Guardian Digital in May 1999 with more than 20 years of diverse expertise in project management and enterprise software development in financial and telecommunication markets. O'Hara was the System Developer for the International Trading Markets at Merrill Lynch. He also served as System Developer for the Fixed Income Derivatives Trading Desk at Kidder Peabody on Wall Street and at the Navy Systems Engineering Center at AT&T Bell Labs, in Whippany, NJ.
The rest of the Guardian Digital team is a mix of experienced Linux and security experts and seasoned industry professionals, many of whom have been involved with Linux since its inception. Guardian Digital also runs LinuxSecurity.com, the authoritative Internet source for information on Linux and open source security. They are a major Packetstorm mirror, covering information on new software exploits and the latest hacker tools.
The company's flagship product, EnGarde Secure Linux, is engineered from the ground up to provide security and ease of management. "We have certainly benefitted from work done by both Red Hat and Debian, including package management from Red Hat and some of the networking from the Debian project," said Wreski. He continued, "Everything we do is open source. We analyzed the best the open source community had to offer when we made our decision and concluded that starting with a blank hard disk was the best way to achieve a secure foundation, instead of 'bolting on' security as an afterthought. We also understand the importance of maintaining compatibility with existing Linux software. EnGarde uses the RPM data format."
The customer can choose between two editions of the EnGarde product. The Community edition of EnGarde was designed to support features suitable for students, security enthusiasts, and those wishing to evaluate the level of security and ease of management available in the Enterprise products. Its development is driven not only by requests from the community, but also by its continued participation. The Community edition is a dynamic, rapidly-evolving product that exhibits the best-of-breed applications currently under development within the EnGarde system. The Enterprise products provide support for advanced hardware, a more sophisticated upgrade path, features suitable for the corporate data center environment and support for other enterprise applications. EnGarde Secure Linux customers running the Enterprise edition have installed top-tier software from third-party vendors including IBM, Network Associates, Oracle, Veritas and so on, without difficulty.
Support And Security Remain the Focus
Support is always dependent on what the customer feels is necessary. All Guardian Digital products include an annual subscription to the Guardian Digital Secure Network, which is a complete Internet software delivery system designed to distribute software and services directly to the customer's server.
All too often customers have the impression that their business is too small to be of concern to an attacker, or they would rather try to secure some other Linux instead of starting with an integrated system that's engineered to be secure. You may recall the opening example of the Windows server that was hacked thirty minutes after it was installed. Wreski pointed out that methods are available to improve the security of off-the-shelf Linux distributions, but the process is often time-consuming, prone to error, inconsistent, and dependent on the specific skills of the person configuring the system. By engineering applications to be secure, instead of 'bolting on' the security, customers can better focus on their core business.
"To date we are not aware of a single server that has been compromised. In fact, we have many servers that are directly Internet-facing, without being protected by any type of firewalling. The sophisticated levels of access control, replacing 'legacy' applications with more secure alternatives, auditing and reporting, as well as threat mitigation should an attack succeed, allows our customers to sleep well at night," Wreski commented. "Security is about defense, in depth. Every customer's requirements are different and Guardian Digital is constantly working with customers both prior to the sale and afterwards to develop contingency plans for their particular environment. This may include building a replica datacenter, better enforcing corporate security policies and assisting them with deploying intrusion detection," he said.
Some Guardian Digital customers had very strict security and support requirements. NY Spinal Care used EnGarde and several other enterprise products to address the HIPAA health care requirements recently imposed by the U.S. government. They were able to communicate securely between their branch offices and mobile users, including by using email encryption. Implex Corp. (a large orthopedics company) used EnGarde, along with other products, to secure their entire Internet infrastructure. They had stringent FDA requirements that included user data and privacy concerns. Guardian Digital provided network monitoring and intrusion detection services, as well as email and firewalling functions. Case studies can be found on the Guardian Digital web site at http://www.guardiandigital.com/company/casestudies/.
Adding To The Fortress
"We have upgraded every component of the system. This is a major new release, and certainly represents the best Community Edition to date," Wreski said. In summary, the improvements in this release include:
Guardian Digital continues to develop products that address small business as well as multinational enterprise security and application requirements. Their most recently launched companion product, Secure Mail Suite, provides secure remote access, antivirus and antispam protection, group collaboration tools and WebMail, and integrates easily into existing mail systems. Their complete line of products and services can be seen at http://www.guardiandigital.com/.
Rob Reilly (aka: "Dr. Torque") is a professional writer and senior technology consultant, whose work includes Linux, business systems integration, innovation training and occasional hot rodding excursions. He frequently writes and speaks about these and other topics. He has 17 years' experience in the high technology, manufacturing and utilities industries. He is always 'on-the-lookout' for stories and projects that focus on Linux, business and the cutting edge. Send him a note or visit his web site at http://home.cfl.rr.com/rreilly.