In this interview, two principals from Secure Computing, Inc. offer their thoughts on the state of Linux and security, its place in the data center as a secure platform for business, and their work with the National Security Agency to create a Type Enforced version of Linux.

Recently I had a conversation with Carr Biggerstaff, Senior Vice President of Marketing, and Thomas Haigh, Vice President and Chief Technologist for Secure Computing, Inc., about their work with Linux and security.

Carr has worked as the senior IT executive for both services and manufacturing companies, a consulting manager with Arthur Andersen, the senior technical marketing manager for emerging technologies in the Enterprise Server Group at Intel, and the vice president of a sales and marketing agency.

Thomas is responsible for the development of product evolution strategies and technology roadmaps across the company's product divisions. Prior to his current position, Haigh was Vice President and Director of Research at Secure, where he focused on developing acquisition plans, and planning and implementing contract and independent research and development programs.

LinuxSecurity.com: Would you give us a brief overview and background of Secure Computing?

Tom Haigh: We started out as an R&D center at Honeywell in the mid-80s. At that time we were focused on operating systems security and database systems security, doing research for the Dept of Defense and the Air Force. Our main contract was to develop an A1 level operating system for the NSA. There was a series of contracts culminating in a system that was actually fielded, a multi-level guard called the Secure Network Server. It was to be placed between two networks of differing classification levels and filtered the traffic between them. And it was on this series of contracts that we developed the type enforcement. Because we had been working on a secure network guard, it was natural to go build a firewall. So we took that same technology that we developed on that contract and rolled it forward into our Sidewinder firewall. The type enforcement is there; the strong mail filtering is there.

We went public in 1989, and in 1995 acquired four companies. We refocused ourselves on e-business opportunities. The mission of our company is to be recognized as the leading provider of safe-secure extranets for e-business.

LinuxSecurity.com: And your firewall is a primary piece of that?

Tom Haigh: I think it would be overstating to say that it is the primary piece. Basically the products we have are great components for this. SafeWord has grown into an access management product. It does authentication and authorization. So it controls what each user is authorized to do on the system or through the firewall. Then it does the audit as well so you can hold each user accountable. In the old days a firewall was all you needed. You let email in and outsiders out and let insiders do anything they want. As we move more toward e-business, now we are letting an awful lot of outsiders in as well. All your partners are coming in. You have to know who your partners are, and when they're on the inside. That's when access management becomes crucial.

Carr Biggerstaff: It's a lot more than access management. Because in e-business in particular, those customers and suppliers are being granted access to business applications that are traditionally internal applications. And so the trick now is not just to provide firewall functionality which keeps unknown and untrusted people out, or VPN type of gateway capability which lets people in and have an encrypted protected session, but more importantly to escort them, if you will, to the few applications that they are allowed to use. If I'm a supplier of yours I may be able to come in and check my inventory levels, etc, for replenishment, but I shouldn't be able to go all over your manufacturing system, for example. So that's the access management piece of it that becomes so important, particularly important in the business-to-business segment of the market, which is the market segment that is expanding so dramatically, and where the revenue dollars are being generated. As opposed to the consumer-to-business dot-com stock.

LinuxSecurity.com: Do you view Linux as being a viable platform for developing security products?

Carr Biggerstaff: Linux is not only very important for us, but we've been doing work on the Linux platform for some time now. The only other comment I'd make is the thing that people need to remember about Linux is that it represents not only a platform in the traditional computing space, but also for embedded systems.

LinuxSecurity.com: What are the most important topics or issues in your industry, and why?

Carr Biggerstaff: The most important topic that we have to deal with today is the full disclosure of issues surrounding security today. I talk to people and Tom talks to people all the time from the commercial and government sector and nobody talks about their security problems. Nobody shares the information as to how it happened, what happened, etc, and in fact if they say anything at all they tend to whitewash it. They do so for a couple of different reasons. One is the obvious - they don't want to talk about their dirty laundry. Two is that they don't want law enforcement activity in many cases. Three, they don't want insurance issues. But, as I said earlier, that is going to change. It needs to change because we have an education issue in the industry. If we don't better understand as vendors of security solutions, if we don't better understand what is going wrong, we can't provide the product. Another issue that weighs heavily, at least for me, is that as security vendors, the security industry itself doesn't do a good job of disclosing all the vulnerabilities. There is, for example, a perception, which our market fuels, that a firewall is it. The reality is that very few people understand that a firewall in front of a web server, which is arguably becoming the de-facto, ubiquitous access method for e-commerce and e-business and everything else, it's a web server. Very few people will sit down and tell a customer "No, you don't understand, if you put a firewall in front of a web server, and you open up a port in that firewall to let http traffic through, then you run the risk of that web server being compromised." And it happens all the time. You can't successfully screen out the malicious code in the http connection. So there needs to be a little more honesty on the part of everybody in order to fix what I think is going to be a growing problem.

Just because of the law of large numbers effect, as we go from letting a few hundred people into our systems across the public Internet to letting thousands of people into our system, the odds say the probabilities are there that we are going to have more and more breaches, whether they are insider breaches or from unknown intruders, and the only way we are going to scale our solutions to solve these problems is to have more honesty in the industry. And that will come if customers and suppliers, vendors like ourselves, begin to mature a little bit and recognize that, like every other business solution we've had to deploy over the past 25 years. So we'll get better at telling each other what we need to know, but that's a key issue.

LinuxSecurity.com: You've touched on the SideWinder firewall. Would you like to talk a bit further about it, and explain your Type Enforcement Technology?

Tom Haigh: Absolutely. The SideWinder firewall is an application layer gateway. At this point it's actually become a hybrid. We give users the ability to enforce security at the application layer, not just at the IP layer. The Type Enforcement Technology is one of the really important features in there. There is a paper published this past week that is available now on our Type Enforcement Technology. We've made a number of modifications to the operating system kernel, and wherever access is enforced, we have to add hooks to Type Enforcement access control. So basically rather than go checking the Unix ACLs, the NT ACLs, you've got to go check the type enforcement Domain Definition Tables, Type Enforcement Tables for now. What the type enforcement does is compartmentalize the applications that run above the operating system. So each application runs in its own compartment. Think about the hold of a ship - if one compartment is compromised, the ship doesn't go down, the damage is contained to one space.

And with type enforcement the same thing happens. We build walls between the application and walls between the operating system itself. So if a hostile user or more likely these days malicious code gets in, causes a compromise in one subsystem, that compromise can't spill over into other subsystems. It's very very powerful. If a user manages to mount an HTTP overrun attack, or a stack overrun attack of any sort, they can't use that to break out of the application they're in and get down into the operating system to gain root access to take over the entire system. We've absolutely eliminated that. And what's really powerful about that is that the last collated data I've seen for 1998, CERT documented 13 major firewall attacks, 9 of them were stack-overrun attacks. So with this mechanism we're eliminating a very high percentage of the firewall attacks. That in itself is important. That's a huge discriminator.

LinuxSecurity.com: Recently it was announced that Secure Computing has been awarded a sole source contract by the National Security Agency to develop a Secure Linux operating system. What is the status of this project? What applications will it be suitable for? Will the changes be released to the open source community?

Tom Haigh: The work we are doing with NSA is to implement Type Enforcement in Linux. We are in development on this right now, and we expect to deliver it this summer. The objective here is to release all of this to the open source community, and for us, that's crucial because we of course would really like to make SideWinder available on Linux as well as the BSD version we have today. As Carr said, with embedded Linux beginning to appear, and the growth of firewall appliances there's a real nice match there. Since NSA has not authorized us to make the code public yet, we have to keep it on the shelf for right now.

We see Linux with Type Enforcement as suitable for a broad range of applications. Certainly for a firewall, but once we have a version we can distribute, then we would like to get SafeWord running on that as well. And beyond that, we've implemented some prototype e-commerce suites in a Type Enforcement environment as well. Basically taking Netscape Enterprise server and protecting it with Type Enforcement. Then putting some of the back office and supporting services around it. So we see this ultimately as being suitable for a wide variety of e-business applications. PC Week had their 'PC Hack' where they had a Linux server, but with Type Enforcement technology on it, it wouldn't have been broken into.

Because of NSA's restrictions on the code, I can only describe the changes in fairly general terms. Basically, we have to modify each kernel entry point by adding a hook to make a Type Enforcement check. Then we have to modify a small number of modules to make the checks. We estimate that there are changes to less than 5% of the base Linux code.

There are actually two technical teams working on this project, our team and a team at NSA. The two teams have worked together for over six years now, adding security mechanisms like Type Enforcement to a number of experimental operating systems, most notably Mach. The NSA team began their work last fall, before we signed the contract with NSA, so they developed the majority of the code. All in all, it has been a good partnership, a win for us, a win for the government, and once NSA approves release of the code, a win for the Linux community.
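The compartmentalization Tom describes above (each application confined to its own domain, with a hook at every kernel entry point consulting a Domain Definition Table in addition to the ordinary Unix check) can be modelled in a few lines. This is a constructed Python illustration written for this page, not Secure Computing's or NSA's code; the domain and type names, the sample files and the DDT contents are all assumptions.

```python
"""Toy model of Type Enforcement (TE) as described in the interview.

Every process carries a domain label, every file carries a type label, and
a Domain Definition Table (DDT) says which operations a domain may perform
on each type.  The modelled kernel entry point runs the classic Unix check
AND the TE check; the TE check has no root bypass, so a process that gains
uid 0 inside its compartment is still walled in.  Constructed example."""
from dataclasses import dataclass

# Assumed policy for the example; not a real SideWinder or NSA DDT.
DDT = {
    # domain       : {type: permitted operations}
    "httpd_d": {"web_content_t": {"read"}, "web_log_t": {"append"}},
    "smtpd_d": {"mail_spool_t": {"read", "write"}, "mail_log_t": {"append"}},
    "admin_d": {"web_content_t": {"read", "write"},
                "mail_spool_t": {"read", "write"},
                "system_config_t": {"read", "write"},
                "web_log_t": {"read"}},
}

@dataclass
class Process:
    pid: int
    uid: int
    domain: str      # TE domain, fixed at exec time; not changeable by the process

@dataclass
class File:
    path: str
    owner_uid: int
    mode: int        # Unix permission bits
    te_type: str     # TE type label

def dac_allows(proc, f, op):
    """Discretionary (Unix) check: uid 0 always wins, owner uses the
    'user' bits, everyone else the 'other' bits."""
    if proc.uid == 0:
        return True
    bits = (f.mode >> 6) & 0o7 if proc.uid == f.owner_uid else f.mode & 0o7
    need = {"read": 0o4, "write": 0o2, "append": 0o2}[op]
    return bits & need == need

def te_allows(proc, f, op):
    """The hook added at each kernel entry point: a mandatory DDT lookup.
    There is deliberately no uid-0 shortcut; only the domain decides."""
    return op in DDT.get(proc.domain, {}).get(f.te_type, set())

def kernel_open(proc, f, op):
    """Modelled syscall entry point: the request must pass both checks."""
    return dac_allows(proc, f, op) and te_allows(proc, f, op)

# Constructed sample objects (paths and uids are invented for the example).
WEB_PAGE   = File("/var/www/index.html", 0, 0o644, "web_content_t")
WEB_LOG    = File("/var/log/httpd/access_log", 80, 0o600, "web_log_t")
MAIL_SPOOL = File("/var/mail/spool", 0, 0o600, "mail_spool_t")
SYS_CONF   = File("/etc/securityd.conf", 0, 0o600, "system_config_t")
SAMPLE_FILES = [WEB_PAGE, WEB_LOG, MAIL_SPOOL, SYS_CONF]

HTTPD        = Process(101, 80, "httpd_d")
HTTPD_ROOTED = Process(101, 0, "httpd_d")   # same compartment after an assumed uid-0 escalation
ADMIN        = Process(7, 0, "admin_d")

def reachable(proc, checker):
    """Every (path, op) pair the process could get past `checker`.  Comparing
    dac_allows with kernel_open shows how much a compromise is contained."""
    return {(f.path, op) for f in SAMPLE_FILES
            for op in ("read", "write", "append") if checker(proc, f, op)}

if __name__ == "__main__":
    print("rooted httpd, DAC only :", sorted(reachable(HTTPD_ROOTED, dac_allows)))
    print("rooted httpd, DAC + TE :", sorted(reachable(HTTPD_ROOTED, kernel_open)))
```

Under DAC alone the rooted web server can touch every sample file; with the TE hook in place it is still limited to reading web content and appending to its own log.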

LinuxSecurity.com: How do you expect the marketplace to change over the next two to three years?

Carr Biggerstaff: I'll tell you, and as you'll hear from both of us, the biggest deployment trend in the industry today worldwide is e-business, or business-to-business. When you look at revenues generated in e-business systems, they all track amazingly identically. The trends are all focused on doing e-business because there are very tangible benefits to them. What's interesting about that model is that if you take yourself out two to three years, and you think about what an e-business system really is, where I've got customers and suppliers that have a protected, private communications link into my back office system, such as manufacturing, accounting, inventory, whatever, and they are being granted access just as if they were an employee of my company, when you think about that model, and you overlay something like Forrester says over the next couple of years the average number of discrete e-business links (customer to supplier, or supplier to customer) is going to be something like 700. You think about that, you've got hundreds of people, if not thousands, that are going to be operating in each other's systems as if they were employees. From a security point of view, what we always think of are insiders. We think there's somebody who's already inside, who has been granted the rights and privileges to be in our proprietary information systems and 99.9% are normal people who are going to do normal things, but there's always a bad apple. If you go and look at the FBI statistics and reports that they've put out annually, and what private industry reports are put out, the biggest risk from our data security point of view for years has been the insider.

LinuxSecurity.com: And it's probably one of the least recognized threats, too.

Carr Biggerstaff: It's because we've weaned ourselves from it over the past decade. When Tom and I got into this business, it was host terminal computing and we didn't really have Internet to speak of. Back when Tom was hardening operating systems for Honeywell and before that, our concern was the insider because we never let outsiders into our system. And then along comes client-server computing, and in particular the Internet, then bang! People are being granted access, whether they are remote employees from home or from a hotel room, EDI-connected partners; little by little they are being granted access. And now that trend is growing exponentially. You used to just let remote access for employees and a few partners through an EDI or proprietary EDI solutions. We're now talking about letting larger and larger numbers of customers and suppliers in across the public Internet to do business in our arguably most valuable asset today in any business. So that's an issue for us. And we've been worrying about that now for about 18 years as a company. We started back in the days of guarding against the insider and we've survived and lived through the different changes in security, but that's never left our mind. We continue to architect solutions that are designed to protect against the insider as much as the outsider. And I think that's the biggest single trend we'll see in the security segment of the industry besides the obvious, which is more people using more systems means more security breaches. We will continue to see more and more reports of systems that have been breached. As people become desensitized, the reporting will become better. Today not a lot of people report breaches, but over the next three years people will become more forthcoming about being breached, what happened, and getting help to solve the problem. We'll have more information, you'll see more information, you'll see more security problems surface.

That said, the biggest issue that people will have to deal with would be insider oriented issues because they will have a bunch of "insiders" in their system. And it's going to be real tough to deal with them unless they intelligently manage that access, and I think that's the key thing that we see coming.

LinuxSecurity.com: How do you think your industry will change in the future? What new products can we look forward to seeing from your company?

Carr Biggerstaff: What you will see from our company pretty quickly is the ability to provide the next layer of access management and protection. Today we stop everything at the perimeter, at the boundary of the business, at the extranet, for example. But as we talk more about the insider situation and the proliferation of "insiders" it's going to become important to protect the individual hosts themselves from access. We're in the process of putting together a product that we'll be announcing the next quarter. I'll let Tom address the other points - those are the key points from my perspective. I think the biggest - it may seem simple to state it this way, but probably the biggest issue that our industry and the information technology industry is going to face more than anything else is going to deal with scale. The fact that more and more users are going to be connected to your systems than ever before, and you're going to be connected to more and more people's different systems than ever before by a variety of different devices. It introduces a level of complexity and sophistication that we've never dealt with. It's always been pretty easy. First it was host terminal within our own business, then it was client-server within our own business. Then we added the Internet. And now we're talking about people getting to you by phone, PDA, and they can get in your systems, looking at your data, making decisions in your software, by buying things, selling things, whatever. And that's going to introduce an opportunity for all of us in the industry to either put up or shut up when it comes to providing the applications and capabilities to provide a healthy environment. That's going to be the ultimate challenge for all the companies. A single-point solution isn't going to do it. You can't just put a firewall on the edge of the network.

If you go and look at Gartner and Forrester and all those guys you're going to begin to see a trend as they move away from the firewall as being essential but not enough. They're talking now about access management and access control. The challenge is letting the right people in to do precisely what they're allowed to do, no more, no less. And that's a huge shift that's going to be a challenge for us all. We've been looking at this for at least two years.

Tom Haigh: To elaborate on what Carr had to say... It's not just the number of users; it's the kinds of things they're doing as well. When everyone was doing email and accessing static web pages, security policies were pretty simple. We didn't think they were, but in retrospect they were pretty simple. So now we've got a whole lot more users. Some of them are true employees of the enterprise, and others are partners of various flavors, and each of them needs to do certain things to get their jobs accomplished. But then there are other things that they shouldn't be able to do. So the problem is not just one of one dimension - we've got growth in multiple dimensions. A combinatoric explosion of possibilities that have to be controlled. And so the ability to manage this security fabric on a point-by-point basis just isn't going to cut it anymore. Customers are going to have to think holistically. How do they secure the enterprise? And we have to start giving them the tools they need to do that. It has to be an integrated set of tools.

LinuxSecurity.com: Can you describe SafeWord and SmartFilter in a bit more detail? Are there plans to port these to run on Linux?

Tom Haigh: Both of these already do in fact run on Linux. SmartFilter is a web-filtering product that runs as a plug-in to standard proxy servers. It controls where people inside the enterprise can go and surf on the Internet. So what we do is, we've got a service where we categorize sites on the Internet into one of 27 categories. Things like sports, entertainment, sites with sexual content, job search sites, sites with violent content, that sort of thing. The enterprise can enable and disable these categories on a 24x7 basis. Corporate bandwidth is precious, particularly during working hours, so this product gives the ability to keep this bandwidth available during working hours. Another reason for this software is to provide a non-hostile work environment. Some clown downloading images from playboy.com, this becomes an uncomfortable work environment. The latest Computer Security Institute and FBI survey they do every year shows 79% of companies identify improper use of the Internet being a major problem for them.

LinuxSecurity.com: So does the corporation have the ability to add specific URLs to the list? Or is it updated weekly, or?

Tom Haigh: Both are possible. The enterprise can add URLs to the list of prescribed sites. We've got about a half a million sites on there now. Customers can also send us other sites to check out, and we do that. It turns out that 80% of Internet accesses go to a relatively small number of sites, so we've got pretty good coverage.

LinuxSecurity.com: The opponents of products such as yours say there are an infinite amount of illicit sites, and it may be better off going the other way around, excluding everything and including a select few that people are interested in going to. You don't find that in your experience?

Tom Haigh: The problem with that is there are going to be the specific sites that individuals have to get to in order to do their job. It's much more of a maintenance hassle. This eliminates that maintenance hassle for them. Our product has a couple of notable features. One, it runs on the server, not on the desktop, so it's not something that an individual user can go in and reconfigure to get rid of the restriction. The other thing about it is that it can be configured in a 'hard deny' mode and there are also some softer modes.

One way to do this is to configure SmartFilter so that it runs very slowly when a user attempts to access a non-work related site. Another is to configure SmartFilter to coach a user, suggesting to him that the selected URL may not be work related and asking the user to confirm that he wants to go to the site.

LinuxSecurity.com: Is there work being done on developing intelligence in that it can detect specific keywords or things of that nature? Or even keywords in the URL itself?

Tom Haigh: We've got some automated tools to help us with the classification service. But we have not put those into the system to do filtering in real-time. The reason is that it is easier to do a fast lookup, so it's better to use those tools in the background to populate the categories than to try to do this in real-time.

SafeWord is a much more complex product. It does user authentication and authorization. So SafeWord maintains a user database, and in that database you talk about what authentication methods the user uses; it could be a fixed password, or it can be a dynamic password, such as one-time password-generating tokens. We have our own, and we also support other people's tokens. Also associated with that is the ability to assign specific access rules to that user on a specific system. So when you authenticate, you authenticate to a firewall or to a web server, or to a database server, and what we can do is download specific access rules for that user, or we can simply download a 'role' or a 'group' for that user and then use that as an index into access rules that are already hosted on that system, which is my preferred way to do it. So we bind a user to a role, or set of roles, that state that "This user is authorized to play these roles" and then the web server or the firewall has its group ACLs and it simply maps the role to a group that states that this user is a reseller, for example, which controls which web pages to allow him access to. SafeWord also has audit capabilities. What's really interesting is what's going on behind the scenes. We have the ability to replicate the user database on multiple copies of the SafeWord server. So that means if one SafeWord server dies, the others keep going - the enterprise keeps going and people can still authenticate. Pushing behind that, we have the ability to have multiple clusters of replicated servers, so we could have a cluster of three servers in California handling authentication for the California users, and a cluster of servers in London handling authentication for the European users, and these are all fully replicated.

We have the ability to proxy authentication requests among the clusters. So, if I ordinarily work here in Minnesota and use the SafeWord servers in California for authentication, and I go to London or anywhere in Europe, when I do my authentication it goes to the servers in London, but those automatically point it back to the California servers. So this gives us the reliability and scalability that we need. Our largest customer is a financial institution that has 400,000 SafeWord users authenticating 400 billion dollars of transactions per day! We recently released SafeWord Plus, which adds support for public key-based authentication as well as very easy user enrollment and something we call a virtual smartcard. The virtual smartcard provides smart card functions and strength of security without having to install smartcard readers on everyone's desktop. SafeWord Plus is a new product, and will be available on Linux in a future release.

LinuxSecurity.com: Are you currently working on any other security products for the Linux market?

Tom Haigh: Not right now. We currently have two of our four products running on Linux now. The plan is to move the other products to Linux as opportunity presents itself.

LinuxSecurity.com: Do you think Linux has a place in the data center as a secure platform for commerce in the state that it's currently in?

Tom Haigh: Yeah, I do, and I think that with the enhancements that are going on in the Linux community, it will become even more attractive. So yes, I think there's definitely a place for it in the data center. I think a lot of security vendors are going to be moving to Linux for their security products. Certainly we are, and there are already vendors that have implemented their products on Linux. There are some firewall appliances that run on Linux now. I think there will be growth in this area. The growth in Linux security products will parallel the growth of the Linux server market in general. As more and more Linux servers are used in the data centers, it's going to have to be secured, and security means a number of different things. A lot of times people say "secure web server", and people think it supports SSL. There's a lot more to a secure web server than that in our opinion. The SSL is the first piece. The next piece is good forms of authentication, something more than passwords. Once you've got the secure authentication, you've got the secure communications; you've got to worry about authorization inside the system. How do you control what users do, how do you control what code might end up there. How do you control whether someone can install a CGI script, and what it does. Being able to host stuff for two competitors on the same server and keep them from hacking each other is a good canonical example that I think Linux with Type Enforcement can do. When Carr talked about when all the outsiders become insiders, being allowed legitimate access through the firewall into the corporation, it's not just the users themselves, it's the code of theirs that might also be permitted access. Such programs are JavaScript, Visual Basic, and all the other horrible things. You have to ask how you are going to control that. This is another great use for Type Enforcement.

LinuxSecurity.com: Thank you all for your time, and we sure appreciate the opportunity to speak with you. We look forward to hearing of new developments on the port of Type Enforcement to Linux in the future!