Tresys Nails 'Hardened Security' With Brickwall & Upcoming Razor
Making Security Less Complicated
After releasing Brickwall Security Suite in January, open source security specialist Tresys Technology is forging ahead on a user symposium slated for March, plus work with IBM around Razor, its second commercial product for smoothing implementation of the SELinux "hardened security" now included in the Linux kernel.
The graphical user interface (GUI)-enabled Brickwall suite is available in a free "Standard" version, as well as commercial "Professional" and "Enterprise" editions, noted Frank Mayer, Tresys' CTO, during an interview with LinuxPlanet.
Essentially, the suite is intended to broaden adoption of SELinux by making it simpler for IT (information technology) professionals across enterprise and SMB (small to medium-sized business) environments to configure and customize the emerging security technology.
"SELinux locks everything down," Mayer told LinuxPlanet. "But Linux can be kind of complicated, right? And SELinux can get really complicated."
Newly added in the Linux 2.6 kernel, SELinux was initially developed by the National Security Agency (NSA) for use in high security government implementations. The technology uses a role-based permission system made up of "mandatory access controls" in an effort to provide fine-grained security.
"But SELinux contains tens of thousands of rules, written in assembly language. We make implementation easier by turning that spaghetti code into reference code," he said.
Aside from government agencies, financial services and health care providers are in particular need of Linux "hardening," he suggested, attributing this need to the current regulatory climate.
Most Linux distributions--including Red Hat, Debian, Gentoo, and Ubuntu, for example--are "properly supporting" SELinux, according to Mayer, who is also the author of the book "SELinux By Example."
"The only exception to this is [Novell's] SUSE Linux," Mayer said. Instead of SELinux, SUSE Linux supports a security technology known as AppArmor.
"Novell's fundamental argument was that SELinux is too complex. But we took the approach that, to be comprehensive, you still need to have the underlying infrastructure--and that ease of use will come," he elaborated.
Red Hat, on the other hand, began to support SELinux through Fedora Core in Red Hat Enterprise Linux (RHEL) 4. Red Hat is expected to add further support for SELinux in the upcoming RHEL 5.
In place of the NSA's single "strict" security policy, the Fedora/Red Hat implementation supports a "targeted" policy that locks down specific daemons--especially those that are mission-critical or particularly prone to attack--while allowing the rest of the system to run exactly as it would under standard DAC security.
In its first release, the Brickwall suite supports the SELinux implementation in RHEL 4. In future releases of Brickwall, though, Tresys plans to add support for both RHEL 5 and IPv6.
In the forthcoming Razor offering, on the other hand, Tresys will deliver SELinux protection specifically designed for IBM's DB2 database and WebSphere middleware environments.
"DB2 and WebSphere are both built on Java, in J2EE. That provides good security," Mayer told LinuxPlanet. Still, attackers might be able to attack file systems or subvert an Apache Web server if they can manage to break through a firewall, he contended.
"What we're doing, basically, is to build firewalls around the applications. There'll be sandboxes around each one of them," Mayer said.
IBM and Tresys haven't yet decided how to package Razor. "But it'll probably be delivered in software as a 'value-added' capability, for [IBM] customers running DB2 and WebSphere on RHEL," he said.
Although Brickwall represents the first commercial product from Tresys, the company was actually founded seven years ago by Mayer and Craig Sutherland. Sutherland is now Tresys' CEO. Mayer and Sutherland previously worked together at SAIC.
Beyond commercial products such as Brickwall and the future Razor, Tresys also sponsors a few open source projects, all related to SELinux. The projects include SELinux Reference Policy, Policy Management Server, and Certifiable Linux Integration Platform (CLIP).
Meanwhile, Tresys is also starting to work with outside OEMs around hardened security for embedded devices. "Let's say that you're building an avionics control system, and you want to enhance the security," Mayer said. Other types of appliances that might benefit include DNS servers and financial monitoring systems, he added.
Tresys plans to detail its open source projects and other activities around SELinux at its third annual Security Enhanced Linux Symposium, scheduled for March 12 to 16 in Baltimore.
Spearheaded by presentations from Tresys, IBM, Red Hat, and the NSA, the event will include two days of technical presentations and two days of optional tutorials. This year, Tresys has added an invitation-only developer track. "We're also trying harder to address users," Mayer told LinuxPlanet.
Available as a free download since January 16, the first release of Brickwall Standard Edition provides a GUI for local system management; standard RHEL targets; network security configuration extensions; optional SELinux Boolean management; and the ability to roll back security configurations to previous settings.
The Professional Edition of the suite--priced at US$249 per license--adds more targets beyond the standard RHEL targets, along with capabilities for modifying targets' file system access and creating new custom targets.
The Enterprise Edition of the product supports centralized management of multiple security systems across a network, the ability to apply security configurations to groups, and remote monitoring and management.
Tresys Brickwall Enterprise Edition is priced at US$4,999 for the first ten licenses and US$3,750 for each additional ten licenses.