How do open source enterprises handle security?

Security may be one of the biggest challenges facing the open source enterprise.

When I say enterprise, of course, I mean enterprise -- hundreds of servers, thousands of desktops, and truly heterogeneous environments.

Because of Microsoft's desktop dominance, it has made important early moves. (And let's not get into how much more secure Linux is than Windows. Patches even in the Linux world are no longer questions of if but when and how.)

Virtualization, an important facility for security because it lets you test patches without buying extra machines, is being moved into Microsoft's operating system, starting with Virtual Server 2005 and then moving on to Longhorn. EMC's VMWare may be a more powerful product (and it's out now) but it, too, is closed source, and the only desktop version requires Windows.

Microsoft's quick response to demands for better patch management resulted in Software Update Services (SUS), which gives enterprises back control of the patch process by putting patches on a server that can be tested and staged as an enterprise sees fit. Even if there were an equivalent open source product, it might not scale, and which license would it be under -- CDDL, BSD, GPL, or something else entirely? Most of Microsoft's enterprise customers won't care to find out, and will be quite glad they don't have to.

The big story out of Microsoft for five years now is that it has been evolving into what IBM was, an all-embracing enterprise-level solution provider -- in other words, Big Iron. There is no better case study for that proposition than the area of security.

IBM understands all this. That's why it bought Corio. That's why it has a virtualization engine for its servers. But if we're depending on IBM for enterprise level capabilities, have we really gained that much in moving from Windows?

While open source too can run Big Iron, it's tough for most developers to create truly scaled solutions quickly, in the absence of a business model. And when it comes to security, that can be fatal.

So here's a question for you open source shops out there, the bigger the better. How are you handling things like scanning, patching, and management of vulnerabilities? How do the open source tools in these areas match up against what Windows is delivering, and Microsoft is promising?

Inquiring enterprises want to know.

Talkback

9 comments
  • Thought-provoking point

    [i]But if we're depending on IBM for enterprise level capabilities, have we really gained that much in moving from Windows?[/i]

    IBM is also a company that is oriented around satisfying specific customers, namely the enterprises that buy IBM products. That speaks to the notion that proprietary companies have an advantage over the "scratching an itch" model that motivates most open source. In one model, the goal is to satisfy other people; in the other model, it is to satisfy the people who are donating code.

    Which is more likely to satisfy real world customers? I think companies, and that means companies are critical to the success of open source, however much its proponents would like to believe otherwise.
    John Carroll
    • The difference

      The difference in this case is that the companies must remain on a level playing field, because they have to show one another the resulting code, risk forks, etc.

      IBM has accepted reduced power in the marketplace as it has moved off the 360 operating system to Linux. Remember it had a multi-decade anti-trust drama of its own. The first IBM anti-trust agreement was, I believe, in 1956.
      DanaBlankenhorn
  • Some things that I have observed being done in Open Source development.

    This article presents some interesting questions regarding enterprise computing. Some of the questions have easy answers (via companies like SGI, IBM and HP); others get more complicated. Some of this is just observations based upon what clients were doing and what has evolved since that time.

    [i]Virtualization, an important facility for security because it lets you test patches without buying extra machines, is being moved into Microsoft's operating system, starting with Virtual Server 2005 and then moving on to Longhorn. EMC's VMWare may be a more powerful product (and it's out now) but it, too is closed source, and the only desktop version requires Windows.[/i]

    Regarding virtualization, this was done some years ago. You can create virtual systems (at least with Linux; I have not checked the work being done via BSD), though I am not sure of per processor virtualization (as done by IBM, HP, etc.). One effort for virtualization is Xen (http://www.cl.cam.ac.uk/Research/SRG/netos/xen/) and further work can be found at: http://www.osdl.org/cgi-bin/osdl_development_wiki.pl?Virtualization
    No comment on the current state of this, but there is work being done there.

    [i]Microsoft's quick response to demands for better patch management resulted in Software Update Services (SUS), which gives enterprises back control of the patch process by putting patches on a server that can be tested and staged as an enterprise sees fit. Even if there were an equivalent open source product, it might not scale, and which license would it be under -- CDDL, BSD, GPL, or something else entirely? Most of Microsoft's enterprise customers won't care to find out, and will be quite glad they don't have to.[/i]

    Patch and change management has been around for a while; one example of a tool for this is cfengine (http://www.cfengine.org/), which is also documented on Infrastructures.org (http://www.infrastructures.org/) along with version control and change management among other topics.

    [i]So here's a question for you open source shops out there, the bigger the better. How are you handling things like scanning, patching, and management of vulnerabilities? How do the open source tools in these areas match up against what Windows is delivering, and Microsoft is promising?[/i]

    Some of this really depends on how much of the system is automated (say via Nagios (http://www.nagios.org/) and cfengine (http://www.cfengine.org/), as through Naginator (http://madstop.com/naginator/), which automates the process of network management and patch management). This is just one example of projects that contribute to enterprise level tasks done in Open Source.

    This does not mean that you should jump to Open Source tools in the enterprise, just that work has already been done there if you take the time to do the research.

    As to security, this gets tougher. To make something secure, you have to either leave services off or turn them off (as with OpenBSD (http://www.openbsd.org/)). An alternative is to use hardened systems in your enterprise (not really user friendly), such as employing MAC (Mandatory Access Controls), RBAC (Role Based Access Controls) and TE (Type Enforcement), which came out of the NSA SELinux project (now integrated into both Linux 2.6 and FreeBSD 5.x).

    Another thing that enterprises tend to need is intrusion detection (distributed, not just on a few hosts). This gets into telecommunications (networks) and how things are reported (say by using Nagios, OpenNMS (http://www.openNMS.org) or some other network management tool). These are just a few things that are going on.

    This commentary should not be taken as grounds to use any given product or methodology, though following Best Practices is a good thing to do (most enterprise jocks know about these). Best to do your homework and find what works for you and your enterprise.
    B.O.F.H.
    • Outstanding!

      Great links, and great thoughts. Thanks so much, on behalf of everyone here.
      DanaBlankenhorn
  • Answer:Mostly without help from the same vendors

    How do open source [i]deploying[/i] enterprises handle security?

    With a large enough enterprise, as in [i]hundreds of servers, thousands of desktops, and truly heterogeneous environments[/i], major savings can be gained from avoiding the per seat licensing required by the vendors mentioned in Dana's article.

    This is why major deployments such as Munich have gone with Debian, and why a lot of large educational deployments have adopted Redhat clones such as Whitebox and Centos. It is cheaper for these large enterprises to develop in house or tender for the design of the deployment. There are plenty of open sourced alternatives to the products Dana mentions that can be adapted to the particular deployment.

    However, some of the products mentioned by Dana can be very suitable for medium to largish scale deployments.

    that there are three distinct tasks in both managing and securing ANY enterprise IT.

    A) System Deployment : Designing, configuring and deploying a combination of services, servers and networks.

    B) System Management : Keeping the systems up to date and managing resources, users, devices etc.

    C) Incident Handling : Monitoring, troubleshooting, tracking down problems to source, recovery.

    System Deployment with Linux can require a lot of skills, but it is a job that can be outsourced.
    For a little extra effort on the part of those implementing the deployment, and with tools such as Webmin, the resulting Linux combination need not be difficult to manage on a day to day basis.

    See "System Deployment Vs System Management"
    http://www.linuxjournal.com/comment/reply/8114/15651

    Also read "Linux on the Desktop at work and worth it"
    http://techrepublic.com.com/5208-6230-0.html?forumID=5&threadID=165827&start=0
    The above link describes an actual deployment history for a smaller scale setup, but the security handling techniques can be scaled into the thousands and applied to servers.

    [i]In comparison to Win98, Win2k and XP, keeping the Linux desktops up to date is a breeze. We maintain a read-only NFS'ed public directory that, after testing, we drop RPM packages into. A cron job on each desktop inspects the directory for new files and then runs yum and updates the system. We stagger the start times to prevent overloading the network or file server. In most cases, the update takes place entirely transparent to the user.[/i]

    One of the better solutions mentioned in "Linux on the Desktop at work and worth it" is the ability to reduce/eliminate desktop downtime by dual booting desktops as a LTSP X-terminal while performing forensic examinations and recloning.

    As for managing hundreds of servers and services, my advice is the same for those managing one server : Take the services offline and do a backup before major changes, allowing enough time to do a restore -- The best system administration takes place after work hours and overnight.
    David Mohring
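The staged update scheme quoted in the comment above (tested RPMs dropped into a read-only NFS share, a per-desktop cron job that installs whatever is new, staggered start times so the file server is not hit all at once) as an added POSIX shell example. This is not code from the original post, from the quoted TechRepublic article, or from any of the projects named; the mount point, state file, stagger window and the `rpm -K` signature check are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not from the original post: a per-desktop update agent in the
# style described above. Assumed layout (hypothetical): tested RPMs are dropped
# into a read-only NFS mount at $REPO_DIR; $STATE_FILE records what this host has
# already installed; each host waits a deterministic slot inside $MAX_STAGGER
# seconds before touching the file server. The signature check via `rpm -K` is
# an added safeguard, not something the quoted post describes.
# Run from cron as: staged-update.sh run   (DRY_RUN=1 echoes yum instead).

REPO_DIR="${REPO_DIR:-/mnt/updates}"                       # assumed NFS mount
STATE_FILE="${STATE_FILE:-/var/lib/staged-update/seen}"    # assumed local path
MAX_STAGGER="${MAX_STAGGER:-1800}"                         # seconds (30 min)
VERIFY_CMD="${VERIFY_CMD:-rpm -K}"                         # override in tests

# Deterministic delay in [0, MAX_STAGGER) derived from the hostname, so the
# same desktop always lands in the same slot and the schedule is auditable.
stagger_delay() {
    host="${1:-$(hostname 2>/dev/null || echo localhost)}"
    sum=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
    echo $(( sum % MAX_STAGGER ))
}

# Print the names of RPMs in $1 that are not yet listed in state file $2.
# Only regular files ending in .rpm count; anything else in the share is ignored.
new_rpms() {
    repo="$1"; state="$2"
    [ -f "$state" ] || : > "$state"
    for f in "$repo"/*.rpm; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        grep -qxF "$name" "$state" || echo "$name"
    done
}

# Append package names to the state file so they are not installed twice.
mark_seen() {
    state="$1"; shift
    for name in "$@"; do echo "$name" >> "$state"; done
}

# Signature/digest check on one package file; the exit status is the verdict.
verify_rpm() {
    $VERIFY_CMD "$1" >/dev/null 2>&1
}

# One agent run: find new packages, drop any that fail verification (they stay
# unrecorded so an admin sees them flagged again next run), wait for this
# host's slot, then install the rest with yum and record them.
run_update() {
    pkgs=$(new_rpms "$REPO_DIR" "$STATE_FILE")
    [ -n "$pkgs" ] || { echo "no new packages"; return 0; }
    approved=""
    for p in $pkgs; do
        if verify_rpm "$REPO_DIR/$p"; then
            approved="$approved $p"
        else
            echo "rejected (verification failed): $p" >&2
        fi
    done
    set -- $approved
    [ "$#" -gt 0 ] || { echo "nothing approved"; return 0; }
    delay=$(stagger_delay)
    paths=""
    for p in "$@"; do paths="$paths $REPO_DIR/$p"; done
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run after ${delay}s: yum -y localinstall$paths"
    else
        sleep "$delay"
        yum -y localinstall $paths || return 1
    fi
    mark_seen "$STATE_FILE" "$@"
}

if [ "${1:-}" = "run" ]; then
    run_update
fi
```

Two design points worth noting: the per-host delay is a hash of the hostname rather than a random sleep, so a given desktop always updates in the same window and log timestamps can be checked against the schedule; and a package that fails verification is never written to the state file, so it keeps surfacing on every run until someone removes it from the share or fixes it.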
  • Answer: Do the opposite of what Microsoft does.

    And you can't go wrong.
    Xunil_Sierutuf
  • VMWare Supports LINUX Host Operating Systems

    I've been using Gentoo LINUX (currently 2005.0) as my primary desktop operating system and just wanted to point out that VMWare Workstation is fully supported on LINUX host operating systems. The following is a list of the LINUX host operating systems that the latest revision of their product, version 5.0, officially supports:

    * Mandrake Linux 10 - stock 2.6.3-7
    * Mandrake Linux 9.0 - stock 2.4.19
    * RHEL AS/ES/WS 4.0 - stock 2.6.9-5, 64-bit
    * RHEL AS/ES/WS 3.0 - stock 2.4.21, update 2.4.21-15.EL, 64-bit
    * Red Hat Enterprise Linux 2.1 - stock 2.4.9-e3
    * Red Hat Linux Advanced Server 2.1 - stock 2.4.9-e3
    * Red Hat Linux 9.0 - stock 2.4.20-8, upgrade 2.4.20-20.9
    * Red Hat Linux 8.0 - stock 2.4.18
    * Red Hat Linux 7.3 - stock 2.4.18
    * Red Hat Linux 7.2 - stock 2.4.7-10, upgrade 2.4.9-7, upgrade 2.4.9-13, upgrade 2.4.9-21, upgrade 2.4.9-31
    * SUSE Linux 9.1 - stock 2.6.4-52
    * SUSE Linux 9.0 - stock 2.4.21-99
    * SUSE Linux Enterprise Server 9.0 - 32-bit, 64-bit, SP1 (listed versions also supported with no service pack)
    * SUSE Linux Enterprise Server 8 - stock 2.4.19, 64-bit
    * SUSE Linux 8.2 - stock 2.4.20
    * SUSE Linux 8.1 - stock 2.4.19
    * SUSE Linux 8.0 - stock 2.4.18
    * SUSE Linux Enterprise Server 7 - stock 2.4.7 and patch 2
    * SUSE Linux 7.3 - stock 2.4.10

    While it isn't officially supported on Gentoo LINUX, VMWare works just fine. I've been a happy user of the product for a couple of years now. Unfortunately there are a few products that I use in my daily work that don't have FOSS alternatives, so VMWare gives me the Windows environment I need to get my job done.
    derek.berube9
  • human protocol first

    Security may be one of the biggest challenges facing the open source enterprise.

    When I say enterprise, of course, I mean enterprise — hundreds of servers, thousands of desktops, and truly heterogenous environments.

    Because of Microsoft’s desktop dominance it has made important early moves. (And let’s not get into how much more secure Linux is than Windows. Patches even in the Linux world are no longer questions of if but when and how.)

    First off, it's the people in charge of these environments and the understanding they have of the security appliances and applications being used today. Laziness and ego are the biggest holes in systems. Secure is secure by example.

    So here’s a question for you open source shops out there, the bigger the better. How are you handling things like scanning, patching, and management of vulnerabilities? How do the open source tools in these areas match up against what Windows is delivering, and Microsoft is promising?

    Microsoft has never lived up to its promises yet. Open source is doing what it has always done: thousands of people testing the code and sending bug reports, patching and making it a stronger product. It's up to "someone" to run and maintain the applications. Open source can't do as much as it could for closed source products; the source is not accessible. Even more to the point, Big Iron ensures security through its claims. When it fails, who still pays the price? Security should not be certified by the Big Iron software giants who market the product. It should be certified by open system security standards.
    xstep
  • You may wish to check out...

    Trustifier. It is proprietary, but value laden. It ramps up security on any Linux system, does not interfere with any running open source app, and is suitable for enterprises.
    praetorpal9