LJ Archive

EnGarde Secure Linux Professional 1.2

Jose Nazario

Issue #102, October 2002

Marketed as an office security product, EnGarde Secure Linux is a small office server distribution with a number of security features. These include a secure mail server, a secure web server supporting virtual hosts, a file server, DNS capabilities and a small office firewall.

With web administration capabilities and services for Microsoft client OSes, EnGarde offers a powerful setup in an easy-to-use box, and it accomplishes most of this using free software.

Installation and Setup

These days, one of the biggest things I look for with Linux distributions is how well they have solved the installation process. The installation of EnGarde was quite easy to accomplish. The text-based installer is much like the old Red Hat installations used to be. During the installation, you select what type of machine you would like to build (you can, of course, build combinations). You can choose from a firewall, a network intrusion detection system (using Snort), a database server (running MySQL), a secure mail (SMTP, POP, IMAP) server, a VPN appliance, a DNS server or a secure web server. The proper components and only the proper components are installed, meaning you have a trimmed-up system on the network installed with a reasonable set of defaults.

Configuration is done via the WebTool interface, though you can always access the system via the command line. X is not installed. After your initial reboot, you configure a few parameters on the host via a web browser, and then reboot again. From there you can configure various server parameters, including the certificates for your secure web or mail servers, firewall parameters, or the like.

The WebTool UI is also an easy-to-use system interface, allowing you to check on your system, control services and view system parameters. As an example, you can control access to the SSH dæmon via the UI, controlling the addresses, users and groups who can connect. System logs and backups also can be controlled from the WebTool interface.

Several server components that can be installed and managed using EnGarde Secure Linux are worth noting. One of the features of the secure e-mail server is SquirrelMail, a web-based e-mail solution. SquirrelMail can provide a well-sized workgroup or user base with a feature-rich and platform-independent e-mail solution that is managed on a secure platform. The WebTool UI can be used to configure the e-mail system, including the SSL enhanced POP3 and IMAP servers and the Postfix SMTP server.

An additional component is BIND 8.2.5 used as a DNS server. This can provide a rich set of DNS features, including split and dynamic DNS, all of which are configurable by the WebTool UI. Furthermore, the web server, along with virtual hosts and SSL certificates, is managed by the WebTool UI, giving users a powerful interface for a complete server. Lastly, the UI can be used to configure the firewall and port redirection rules, but at this time this feature isn't as mature as it could be.

Security in the Core

As part of the default installation, EnGarde installs a number of components that many administrators wind up installing later. The first is the OpenWall patch, which provides a non-executable stack. This works well to prevent a number of the common buffer-overflow exploits typically seen, but it doesn't stop exploits such as heap exploits, format string attacks or configuration problems.

Secondly, the Tripwire host-based intrusion detection system is installed in the base installation. Tripwire builds a database and monitors files for changes, keeping track of several characteristics for each file. This method goes well beyond the MD5 sums and dates monitored by the RPM tool in verify mode, and it provides a rigorous monitor of your host's filesystem.

Lastly, the LIDS access control system is installed with the default kernel. You can also boot a standard kernel lacking the LIDS system, should you need to. LIDS provides a way to minimize the impact any attacker could cause.

Best practices are also in play, as you would expect. Connections via FTP are disabled by default, Telnet is not installed, and SSH connections are controlled via private key authentication. The UI generates and downloads a private SSH key that you can then use with your SSH client to connect to the EnGarde server.

Updates Are Easy

Commercial Guardian Digital customers are allowed to use the Guardian Digital Secure Network to keep their system current. As new packages are released you can install them via the UI, making it easy to stay up-to-date with the patches as they're released.

One concern I typically have with an automatic update system is lost configurations or the use of a new one. As an example, OpenSSH moved from /etc/sshd_config to /etc/ssh/sshd_config as its dæmon configuration file. During an update it's not clear if the configuration file is being respected or not, so when something breaks you're left to fix it via the CLI. This can, of course, break the UI interaction and spiral downward quickly if you're not careful. Still, Guardian seems to have managed this pretty well; I was able to update my OpenSSH installation using this mechanism without any errors or loss of connectivity.

Appearances Aren't Everything

When I initially began to poke around the system, I was startled to find software with somewhat vintage version numbers. This includes the OpenSSH package and the 2.2.19 kernel.

To more thoroughly understand the reasons for this, as well as ensure that Guardian Digital knew what they were doing, I spoke with a company representative during the course of this evaluation. We had a productive conversation and many of my concerns were addressed.

Guardian Digital chose to use the 2.2 kernel series due to the company's concerns about the stability and security of the 2.4 kernels. The 2.4 kernel series was less mature during the development and engineering of EnGarde Secure Linux. As such, the Engineering team decided to go with proven technology, a wise move for a security product. Key features and fixes were back-ported.

Furthermore, the OpenWall kernel patch, which provides privacy enhancements and a non-executable stack, is production quality only for the 2.2 kernel series. So choosing security and stability over being cutting edge, EnGarde ships with a 2.2.19 kernel.

Similarly, the choice of having OpenSSH remain at version 2.3 was based on the principle of “if it isn't broken, don't fix it”. Again, this is a wise move for a security product or any core infrastructure product. Although features and enhancements have been integrated, there was no need to upgrade to a newer version until the recent remote hole was detected in OpenSSH. At that time, EnGarde quickly issued an OpenSSH 3.3p1 package and introduced the privsep capability in their version of OpenSSH.

All of these concerns were addressed in this conversation with a Guardian Digital representative. I agree with their choices to pick known security concerns and fixes over unknowns in both security and stability.

Room for Improvement

During the course of my testing EnGarde, I found several areas for improvement. Although some of these areas are addressed by other products or may not be appropriate for the nature of EnGarde Secure Linux 1.2, their inclusion would strengthen an otherwise leading-edge product.

An ability to modify the Tripwire database settings, such as where to store it and an improved UI for reports, would be nice. While the UI does do text reports, slogging through pages of flat text with no highlighting or coloration makes it difficult to spot changes. A different, write-once storage location for the database greatly would improve the security of the system as well.

Similarly, a configuration tool for the LIDS system also would be a wise addition. LIDS can be powerful, but the ability to change it requires a fairly in-depth understanding of capabilities. A simple UI to grant or revoke such capabilities would be useful for the the EnGarde system, much like the one IRIX offers. It wouldn't have to be complex, but enough to ensure that the LIDS features were being used in a manner consistent for the site.

Password management on EnGarde also could be improved. Several of the suggestions for passwords, useful for the mail server, for example, are rather weak and easily guessable. The integration of a password suggestion tool, one that does much stronger suggestions, would have been a welcome finding.

The firewall services are based on ipchains, which is a stateless firewall tool. This means it cannot understand connections, only flags on a per-packet basis, something that the 2.4 firewall package Netfilter can do. The addition of a tool such as SPF, which can add this capability to ipchains, would make their firewall more robust.

Lastly, a small office most certainly could use a robust web proxy service. The firewall configuration tool can allow you to use the built-in ipchains application assistants, but they're no equal to a solid proxy.

Some of these concerns cannot be addressed in the corporate product that EnGarde is aiming to be. However, some of them only can enhance what is shaping up to be a class leader.

Conclusions

Guardian Digital is making great strides with their EnGarde Secure Linux Professional distribution. With the 1.2 release of their product, they demonstrate how well a Linux solution can fit into a Windows-based organization. Furthermore, their solution is easy to set up and use, meaning you can secure your network without having to become an expert at everything. A recommended product.

Product Info/Good/Bad

email: jose@monkey.org

Jose Nazario is a Biochemistry graduate student nearing the completion of his PhD. Side projects include Linux and other UNIX variants, software and security-related matters and hobbies outside his office, including fly-fishing and photography.

LJ Archive