Debating the relative levels of security in Linux and Windows is a favorite parlor game among open-source advocates, software executives and security experts. Each side bolsters its argument with numbers showing that there are more vulnerabilities in the other operating system or that their favorite OS has this or that security certification. But, just as in baseball, you can manipulate statistics to prove any point.
What cannot be argued, however, is that the number of attacks against all operating systems is rising at an alarming rate and showing no signs of slowing. What's also painfully clear is that most enterprise IT staffs are overwhelmed by the sheer number of attacks, intrusion attempts and worms, not to mention the vulnerabilities that they must patch.
All of this has given rise to the movement toward proactive security technologies such as intrusion prevention. Most of this has been limited to the Windows environment, but on Monday Immunix Inc. is releasing its Application Firewalling Suite, a host intrusion prevention solution for the Linux 2.6 kernel. The new offering is the first of its kind for the 2.6 kernel and represents a re-launch of sorts for Immunix.
Until recently, the company had concentrated on selling its own hardened Linux distribution. But that market never panned out the way company executives had hoped, and in January, the company hired a new CEO, Cheryl Traverse, a software industry veteran. Immunix is now focusing on selling security solutions for the Linux community.
The Application Firewalling Suite works in much the same way as sandboxing does, in that it contains applications and limits the actions they are permitted to take. This is done through the use of the company's proprietary SubDomain access control technology, which uses privilege confinement to prevent attackers from using malicious programs on the protected server or even using trusted applications in unintended ways.
The SubDomain technology allows users to access the applications they need and perform a prescribed set of tasks, but anything outside of the explicitly allowed activity is prevented. This could allow enterprises to set up mail and Web servers on the same machine without worrying that an attacker who compromised one server would also get control of the other.
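To make the confinement model described above concrete, here is an added toy example (written for this article, not Immunix's code): each program gets a profile listing the only paths and permissions it may use, and anything else is denied and logged. The profile format, program names and paths are constructed illustrations, not SubDomain's real policy syntax.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed per-application profiles: path glob -> allowed permissions
# (r = read, w = write, x = execute). fnmatch's "*" also matches "/",
# so "/var/www/*" covers the whole subtree.
PROFILES = {
    "/usr/sbin/httpd": {            # the Web server
        "/usr/sbin/httpd": "x",
        "/etc/httpd/*": "r",
        "/var/www/*": "r",
        "/var/log/httpd/*": "w",
    },
    "/usr/sbin/sendmail": {         # the mail server on the same host
        "/usr/sbin/sendmail": "x",
        "/etc/mail/*": "r",
        "/var/spool/mail/*": "rw",
        "/var/log/maillog": "w",
    },
}

@dataclass
class ConfinementMonitor:
    denials: list = field(default_factory=list)

    def check(self, program: str, path: str, perm: str) -> bool:
        """Return True if `program` may perform `perm` on `path`.

        Programs without a profile run unconfined (allowed). A confined
        program is default-deny: only an explicitly listed path pattern
        that grants this permission passes. Every denial is recorded so
        an operator can see what the process was trying to do."""
        profile = PROFILES.get(program)
        if profile is None:
            return True
        for pattern, perms in profile.items():
            if fnmatch.fnmatchcase(path, pattern) and perm in perms:
                return True
        self.denials.append((program, path, perm))
        return False

def compromised_web_server_scenario() -> list:
    """Constructed scenario: an attacker controlling httpd tries to read
    the mail spool and overwrite the Web root. Returns the denial log."""
    mon = ConfinementMonitor()
    mon.check("/usr/sbin/httpd", "/var/www/index.html", "r")   # normal, allowed
    mon.check("/usr/sbin/httpd", "/var/spool/mail/root", "r")  # denied
    mon.check("/usr/sbin/httpd", "/var/www/index.html", "w")   # denied
    return mon.denials
```

Because the denial log names the program, the path and the requested permission, it distinguishes a misconfigured profile from an actual abuse attempt.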
Immunix officials said that despite the solution's clear focus on security, the developers also had a mandate to ensure that the Application Firewalling Suite worked with legacy applications and existing security systems.
“The worst kind of security is the stuff that's never used because it's too hard,” said Crispin Cowan, chief technology officer and co-founder of Immunix, based in Portland, Ore., and one of the more respected Linux security authorities in the industry. “This lets you get access and do what you're supposed to do, but nothing else.”
Cowan said the company decided to go with the application firewalling approach after looking at and rejecting the way existing host IPS systems used system-call interception to halt malicious application behavior.
“System call interposition is a pain in the [neck],” Cowan said. “It doesn't give you enough information. All it tells you is that some weird-sounding process tried to do something bad and was stopped. We tell you what the process was doing.”