Caldera ramps up security in server OS

OpenLinux Server 3.1 is the latest release of Caldera's server-optimized Linux distribution.
Written by Michael P. Deignan, Contributor

OpenLinux Server 3.1 is the latest release of Caldera's server-optimized Linux distribution. OpenLinux Server (OLS) 3.1 is a veritable "one-stop server shop" that includes just about every Internet server you might want to implement on a network, including the Apache Web server, the Squid proxy server, a DHCP service (dhcpd), and the Samba file and print sharing service. This release meets the needs of companies seeking a Web server platform, a file and print server solution, or a network infrastructure support platform (Sendmail, DNS, DHCP, and so on).

Under the hood
The distribution is based on the Linux 2.4.2 kernel. Kernel 2.4.2 provides advanced features such as support for the new IPv6 standard, which lets OLS interact with sophisticated Internet hardware. OLS 3.1 also supports multi-processor systems--up to 32 processors in one machine--for situations where more computing horsepower is required.

We installed OLS 3.1 on a Dell PowerEdge 1400 server with dual 1GHz Pentium III processors. Caldera's installation wizard (LIZARD) streamlines the installation process by letting you choose from several different preset configurations; you can also select either a GUI or text-based user interface. We opted to install all modules, including the KDE GUI.

Increased security
Mindful that Internet-connected systems are often subjected to attack from the outside, Caldera has taken significant steps to harden security in OLS 3.1. For example, to aid in preventing DoS (denial of service) attacks, Caldera has created its own server-side RPC (remote procedure call) library, which prevents hackers from disabling a Web site running on OLS. Dialup security is likewise tightened with a Caldera-specific PPP application and support libraries. Furthermore, at system startup the product launches only the system services it deems essential--additional system services to run at system startup must be enabled manually. For example, by default OLS runs SSH (secure shell) but enables neither the FTP server (ftpd) nor the Telnet server (telnetd).

Building upon its security-conscious approach, OLS includes firewall tools for preventing security breaches. To accomplish this, OLS uses a packet manipulation component called Netfilter, which works in conjunction with the iptables firewall module and NAT (Network Address Translation), effectively giving you the ability to determine, at the network packet level, exactly which traffic is processed by the server. (It will also work with older firewall utilities like ipchains and ipfwadm.) You configure Netfilter by choosing one of three default control levels: relaxed, cautious, or paranoid. OLS 3.1 also includes version 7.6 of TCP Wrapper, a module that lets you block specific network services by hostname, username, or IP address.
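As an added illustration of the TCP Wrapper access control mentioned above (this is not configuration shipped by Caldera, and the host name and network are constructed for the example), the usual defensive pattern is a deny-everything default in /etc/hosts.deny with narrow exceptions in /etc/hosts.allow, which is consulted first:

```text
# /etc/hosts.deny  (constructed example, not Caldera's defaults)
# Deny every wrapped service to every client unless hosts.allow says otherwise.
ALL: ALL

# /etc/hosts.allow  (constructed example)
# Allow SSH only from the administration subnet and from one named host.
sshd: 192.168.10.0/255.255.255.0, admin-ws.example.test
# Allow the Samba daemons only from the office LAN.
smbd, nmbd: 192.168.10.0/255.255.255.0
```

A daemon honors these files only if it was built against the libwrap library or is started through tcpd from inetd, so after editing them, verify from a client outside the allowed network that the connection is actually refused rather than assuming the rule took effect.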

Three useful intrusion detection tools come with the OLS 3.1 package. Tripwire lets you take a snapshot of a system's critical software executables and configuration files and later compare it with a snapshot of the current running system. The PortSentry module automatically monitors for port scans and unauthorized access attempts. And LogCheck digests large system log files and points out log entries that may indicate that a system has been compromised.
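The Tripwire workflow described above (snapshot the critical files, later compare against the running system) can be shown in a few dozen lines. The following is an added example in Python, not code from Caldera or from the Tripwire project; it builds a small constructed directory tree in a temporary directory, records a baseline of hashes, sizes and permission bits, alters the tree, and reports what changed. File names such as inetd.conf are illustrative only.

```python
"""Tripwire-style file integrity check: baseline snapshot, then compare."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256, mode and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            manifest[rel] = {
                "sha256": digest.hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
                "size": st.st_size,
            }
    return manifest


def compare(baseline, current):
    """Return added, removed and changed paths (sorted) between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake /etc tree, modify it, and diff the snapshots."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "init.d"))
        with open(os.path.join(root, "inetd.conf"), "w") as fh:
            fh.write("# constructed sample, only sshd enabled\n")
        with open(os.path.join(root, "init.d", "httpd"), "w") as fh:
            fh.write("#!/bin/sh\nexec /usr/sbin/httpd\n")
        with open(os.path.join(root, "motd"), "w") as fh:
            fh.write("Authorized use only.\n")
        baseline = snapshot(root)

        # Simulated drift after the baseline: edited config, changed permission
        # bits on a startup script, a new unexpected file, and a removed file.
        with open(os.path.join(root, "inetd.conf"), "a") as fh:
            fh.write("# an extra line appended later\n")
        os.chmod(os.path.join(root, "init.d", "httpd"), 0o755)
        with open(os.path.join(root, "unexpected.conf"), "w") as fh:
            fh.write("# nobody put this here on purpose\n")
        os.remove(os.path.join(root, "motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In real use the baseline manifest must be stored where the monitored host cannot silently rewrite it (read-only media or a separate host), and the comparison should run from a trusted copy of the checker; otherwise an intruder who can alter the files can also alter the record you compare them against.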
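LogCheck's job, as described above, is to digest a large log and surface only the entries worth a human's attention. The following added example in Python (not code from the LogCheck project or from Caldera) applies the same idea: lines matching "violation" patterns are always reported, lines matching known-noise patterns are dropped, and whatever remains is reported as unusual. The log lines are constructed for the example and the regular expressions are illustrative, not LogCheck's actual rule files.

```python
"""LogCheck-style digest of syslog lines: violations, noise, and the unusual remainder."""
import re

# Constructed sample log (syslog style); none of these hosts or events are real.
SAMPLE_LOG = """\
Oct 12 03:14:07 ols sshd[812]: Accepted publickey for admin from 10.0.0.5 port 40122 ssh2
Oct 12 03:15:21 ols sshd[815]: Failed password for root from 203.0.113.9 port 51234 ssh2
Oct 12 03:15:23 ols sshd[815]: Failed password for root from 203.0.113.9 port 51234 ssh2
Oct 12 03:15:25 ols sshd[815]: Failed password for root from 203.0.113.9 port 51234 ssh2
Oct 12 03:16:02 ols portsentry[420]: attackalert: TCP SYN scan from host: 203.0.113.9 to TCP port: 23
Oct 12 03:17:00 ols CROND[900]: (root) CMD (run-parts /etc/cron.hourly)
Oct 12 03:18:44 ols su[933]: pam_unix(su:session): session opened for user root by admin(uid=1000)
Oct 12 03:20:00 ols kernel: eth0: link up
Oct 12 03:21:10 ols inetd[1001]: ftp/tcp: server starting
"""

# Always report these (illustrative patterns; real rule sets are much longer).
VIOLATION_PATTERNS = [re.compile(p) for p in (
    r"Failed password",
    r"attackalert",
    r"session opened for user root",
)]

# Known routine noise that a reviewer does not need to see.
IGNORE_PATTERNS = [re.compile(p) for p in (
    r"CROND\[\d+\]: \(root\) CMD",
    r"sshd\[\d+\]: Accepted publickey",
    r"kernel: eth\d+: link up",
)]


def digest(text):
    """Split log lines into security violations and unusual (unexplained) events."""
    violations, unusual = [], []
    for line in text.splitlines():
        if any(p.search(line) for p in VIOLATION_PATTERNS):
            violations.append(line)
        elif not any(p.search(line) for p in IGNORE_PATTERNS):
            unusual.append(line)
    return {"violations": violations, "unusual": unusual}


def count_by_source(lines):
    """Count reported lines per originating IPv4 address so repeat offenders stand out."""
    counts = {}
    for line in lines:
        m = re.search(r"from (?:host: )?(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    report = digest(SAMPLE_LOG)
    print("Security violations:")
    for line in report["violations"]:
        print("  " + line)
    print("Unusual events:")
    for line in report["unusual"]:
        print("  " + line)
    print("By source:", count_by_source(report["violations"]))
```

The order of the two checks matters: the violation list is tested before the ignore list, so a noisy pattern can never hide an entry that also matches a violation pattern. The "unusual" bucket is what catches things nobody wrote a rule for, such as the FTP server starting on a host where the review notes it is disabled by default.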

File systems
OLS 3.1 also adds support for the Reiser file system, which offers better disk space utilization, with a maximum of 4.2 billion files. Reiser is a journaling file system, which means that critical update points are periodically logged, making quick work of file system recovery after an improper shutdown. By default, OLS still uses the ext2 file system, so if you want to use Reiser you'll need to create and format a file system specifically for its use.

Administration
System administrators will surely appreciate OLS's Webmin administration tool. This browser-based, SSL-enabled configuration interface lets you access and update virtually every aspect of OLS's configuration remotely, using any networked system that has a Web browser (including MS Windows clients). It features 48 administration modules classified into four categories: System, Server, Hardware, and miscellaneous. The System modules let you modify items such as startup parameters and NFS-exported file systems. The Server modules let you configure the system's server daemons, including the DHCP, DNS, Samba, and Web servers. The Hardware and miscellaneous categories let you modify parameters such as the network time, Linux RAID parameters, printers, and partitions on local disks; it even provides access to a command prompt for executing shell commands remotely.

Keeping a Linux system up to date with the latest patches and updates can be difficult. In particular, security vulnerabilities in the OS are routinely uncovered and patched, and application updates are released continually. Fortunately, OLS 3.1 includes a 6-month subscription to Caldera's Volution Online. Volution is a separate product that lets you manage Caldera Linux desktop systems remotely through an in-house Volution server. Volution Online provides a similar service for OLS 3.1, by employing intelligent analysis and decision-making to evaluate the potential impact of applying system patches prior to actual installation. This process helps ensure that other critical systems dependent on specific versions of other modules will not be adversely affected.

Bottom line
Caldera OLS 3.1 is an optimized, stable and secure Internet server distribution. OLS 3.1 offers the flexibility to perform with equal facility in an intranet setting as a file and Web server, or as an external Internet gateway offering Web and mail services. It features a solid selection of server daemons, supports many encryption tools and protocols, and includes the 2.4.2 kernel, making it well-suited for business environments using complex networking equipment. The de facto alternative to this Linux-based solution--Windows 2000 Server with IIS--is not only a more costly option, but also possibly a riskier one, considering current security issues surrounding IIS.
