Open-sourcing program code is not a security panacea, as some would have enterprises believe. The basic tenets of information security apply as much to Linux as they do to proprietary operating systems: a system is only as safe as its secure development and proper implementation make it.
The same applies in reverse. Closing the drapes on source code alone doesn't make it secure.
Attendees at the recently concluded LinuxWorld conference heard the pros and cons of using open source for perimeter defense mechanisms such as access control, authentication, secure remote access, content security, traffic encryption, and monitoring and alerting.
The conclusion: open-source security is not a myth, and it does have many advantages over proprietary systems, like Windows and many versions of Unix. But there are drawbacks that must be considered when outlining a company's Linux strategy.
Jan Hichert, a devotee of Linux security for five years and, since 2000, the CEO of German Internet security firm Astaro Corp., recommends that enterprises focus on issues like code reliability, ease of use and update, and whether an open-source product takes an all-in-one approach before concentrating on features, price, performance and security.
He also warns enterprises not to fall into the trap of bringing Linux in-house to secure the perimeter solely on the basis of its being free and readily available. While that may be true on the surface, there are staffing and development issues to consider over a two- to three-year period that could drain an IT budget, if Linux expertise does not already exist.
"It's no longer a total cost of ownership issue, but a total cost of acquisition issue," he said.
In comparing Linux with proprietary systems, Hichert points out that Linux products can handle access control, authentication, remote access and traffic encryption. The only area where Linux falls short is content security: while many open-source content-scanning products are available, most rely on a commercial virus-scanning engine to be effective.
Linux does top traditional operating systems in reliability, he said. Open-source code is shared, so vulnerabilities are quickly and constantly identified and fixes are rapidly made available. There is very little security by obscurity with open source, something most in the community despise about Microsoft.
However, Linux does come up shy against proprietary systems in crucial areas like ease of use and ease of update, Hichert said. Commercial vendor research-and-development engineers are paid handsomely to develop attractive interfaces that are user-friendly and which update seamlessly. Open-source programmers, on the other hand, are less likely to write a nice GUI (graphical user interface) in their spare time.
Features, in other words, are customer-driven in traditional operating systems, while in open source they are techie-driven, Hichert said. As for price and performance, traditional systems are expensive, and with performance comes additional expense. Open source, meanwhile, is free (though, again, enterprises must consider training and staffing costs) and performance is usually optimal.
Hichert also cautions that, though Linux code is there for all to see and nurture, "eyes that look do not always see." Vulnerabilities do creep into Linux. The high complexity of the code often prevents in-depth audits. Also, code "hotspots" are reviewed frequently while the rest of the code is not, and that can be a problem, Hichert said.
Noted bug finder David Litchfield of Next Generation Security agrees.
"Information is like guns. When it's in the hands of bad people, they can do harm," Litchfield said. "But if they are in the hands of good guys, like cops, then they can be used to prevent crime."
FEEDBACK: Is Linux more secure than a proprietary operating system? Send your thoughts to News Editor Michael S. Mimoso.