LinuxWorld Focus Turns to Security

Updated: Red Hat and HP are giving the battle against vulnerabilities top billing at this week's show.

Looking to counter Microsoft Corp.'s claims of security superiority, open-source software vendors are giving the battle against vulnerabilities top billing at this week's LinuxWorld Conference & Expo in San Francisco.

Red Hat Inc., of Raleigh, N.C., will announce an initiative dubbed Security in a Networked World, designed to address security issues across an enterprise network environment.

Hewlett-Packard Co., meanwhile, will announce its HP Virus Throttle for Linux. Virus Throttle spots viral behavior and thwarts virus attacks in real time without the need for specific signatures, according to officials of the Palo Alto, Calif., company. The new versions will work with RHEL (Red Hat Enterprise Linux) and Novell Inc.'s SuSE Linux distributions, among others, and are expected to be priced at around $79 a server, Efrain Rovira, HP's worldwide director of Linux marketing in Houston, told eWEEK.

An anomaly-based technology, Virus Throttle identifies unwanted behavior on a given network and then chokes off traffic generated by the anomaly, which could be a virus, worm or other kind of attack. This prevents the malicious traffic from reaching end-user machines.


HP will also use the LinuxWorld show to announce that its Integrity NonStop servers now support 200 of the most popular open-source technologies, including Java, the Apache Web server, the Zope application server, the Jabber enterprise instant messaging platform and the Samba file server, Rovira said.

The move follows the broad hints dropped by Martin Fink, HP's vice president of Linux and NonStop, at the Red Hat Summit earlier this year that the company was considering porting Linux to its NonStop fault-tolerant server line.

"Customers have been asking us to do this for some time now because they are integrating an environment that has NonStop servers with industry standard servers. They will now be able to do that," Rovira said. HP plans to add support for an additional 300 technologies by the end of the year, he said.

The Red Hat initiative, meanwhile, comprises several pieces, most notably an enhanced security response capability. Although details of the response effort are still being finalized, Red Hat looks to be moving in the direction of adding more responsibilities and capabilities to its existing Red Hat Security Response Team. The team is responsible for responding to reports of vulnerabilities in Red Hat software and working to produce patches and workarounds.

Microsoft, of Redmond, Wash., has had its own Security Response Center, which performs similar tasks and also works with researchers and customers on security issues, up and running for several years.

The Red Hat plan includes a key piece of technology, the Netscape Certificate Management System, that Red Hat acquired from America Online Inc.'s Netscape Security Solutions division in September. Red Hat also has been developing a smart-card technology and will be discussing at LinuxWorld how the technology applies to application security and user authentication and how it is being integrated into key pieces of the company's open-source software.

The initiative would not be Red Hat-centric and would involve others in the open-source community and their partners. "We will be talking more about partnerships in and around the community to make open-source security much more well known and to address much of the FUD [fear, uncertainty and doubt] being spread about open source security," said Mike Ferris, Red Hat's director of product marketing.

A recent report by The SANS Institute, of Bethesda, Md., found that RHEL subscribers are less susceptible to network security holes than users of other platforms. Of the top 20 Internet security vulnerabilities identified in the report, just two affected RHEL subscribers, and patches for those have already been issued.

"Security has always been part of the open-source development model, and Linux itself was created in the age of the Internet and so open-source software is a technology and process that has security at its core," Ferris said.

"This is a platform around a concept of security in the enterprise environment. The proliferation of network devices and the increase in connection points, like self-service Web portals for customers, are all creating areas where entry in a network environment must be protected, must be secure," he said.

"The goal certainly is to build security into that from the start so that it is a proactive rather than reactive, inclusive set of technologies, processes and procedures and content that surrounds us from the start," Ferris said.

The security plays by Linux vendors are in part designed to address ongoing claims by Microsoft, which maintains that research shows open-source software such as Linux is far less secure than Windows and other proprietary software products.

Still, an increasing number of enterprise customers, such as mFormation Technologies Inc., of Edison, N.J., a provider of mobile device management software, are looking for help developing an open-source strategy that also addresses their security needs and concerns.

"HP supported us with the port of our carrier-grade mobile device management software platform to Linux, which we were able to do quickly. Once the port was completed, we used the HP Solution Center in Houston for benchmarking and high-availability tests to prove the scalability and reliability of our solution," said Upal Basu, mFormation's co-founder and vice president.
