In this interview, Avi Fogel, CEO of Network-1, offers his perspective on the state of Internet security, his experience with Windows and security, and the advantages and disadvantages to Open Source security.

Recently I got an opportunity to speak with Avi Fogel, CEO of Network-1 Security Solutions, Inc., an industry-leading developer of distributed firewalls and other security products primarily for Windows platforms. I thought it would be interesting to speak with an established security expert that addresses Internet security from the Windows and closed-source perspective, and see what his views are on topics including Open Source, Linux, and the current state of security in general.

LinuxSecurity.com: Can you describe a bit about your background? How did you get involved with security? What did you do prior to becoming the CEO of Network-1?

Avi Fogel: Like many in the security industry, I grew up in a security-conscious environment -- in Israel. I graduated from Technion, the Israeli Institute of Technology, with a degree in Electronic Engineering and served as technical officer in the Israeli Defense Forces. I have come to network security from computer networking in which I've been involved since 1980. Prior to coming to Network-1, I was president, CEO and co-founder of CommHome Systems Corporation, a residential networking startup. I also held positions as vice president of global marketing at Digital Equipment Corporation - Network Products, executive vice president of global marketing with LANNET, Data Communications, Ltd., a LAN switch manufacturer, and president and CEO of LANNET America. When my startup company, CommHome Systems, was acquired by the investors of Network-1, I was brought aboard as President and CEO of Network-1.

LinuxSecurity.com: Can you give us a brief overview of the products and services you offer at Network-1? How does your packet filtering firewall differ from other firewalls?
Can you explain some of the basic concepts of packet filtering?

Avi Fogel: Our strategic products and the ones that give us the greatest market differentiation are distributed, host-resident firewalls for servers, enterprise-wide personal computers and workstations. These are CyberwallPLUS-SV (for servers) and CyberwallPLUS-WS (workstation), respectively. Presently, we address the Windows NT/2000 market, but do plan to expand into other platforms. In an unpublished report by one of the major market analysis firms, they indicate that distributed host firewalls will become a $250M market by 2004. Network-1 believes that it has advantages in depth of security, especially in server environments, in performance and in management abilities vs. other players in this area. To round out our product offering and to offer protection for other platforms, we offer CyberwallPLUS-IP as a perimeter firewall and CyberwallPLUS-AP as an internetworking firewall for LANs. Although these too are for Windows NT/2000 servers, they offer protection for heterogeneous networks. To manage it all we provide CyberwallPLUS - Central and CyberwallPLUS - Remote, for remote monitoring and control of the distributed firewalls in a network.

LinuxSecurity.com: What do you see as the most significant trends or developments in computer security in the next few years?

Avi Fogel: The emergence of the distributed, host-resident firewall for open, e-business networks is making headway. Analysts are investing in researching the size of this market and industry pundits are writing about this area as the next generation of Firewalling technology. We recently announced an enterprise-wide sale of our workstation product, the WS edition, to BMC Software and have had an important subsequent one to a major government agency.
We are seeing similar enterprise-wide opportunities come up for Windows workstations and servers in many segments - government, industry, education and financial institutions. These are better able to secure all the various access points in the open environment presented by e-Business than the traditional packet-filtering router and perimeter firewall approach. They also scale upward in growing networked environments predictably without the performance degradation you are likely to get from traditional approaches.

LinuxSecurity.com: What do you think of Linux as a viable platform for developing security products? Has Network-1 given any thoughts to developing security software for Linux?

Avi Fogel: While there are some differences in vulnerabilities between OS's and the availability of shareware to address these - Linux, like Windows and traditional Unix, suffers from the lack of granular Network Access Controls and built-in Intrusion Detection and Prevention capabilities and capabilities for extensive logging of network transactions. Network-1 sees Linux as a very important platform that we want to be able to address in the future as part of a full host-resident distributed firewalling solution.

LinuxSecurity.com: Do you think Linux has a place in the data center as a secure platform for commerce in the state that it's currently in?

Avi Fogel: Due to the greater availability of applications for Windows and Unix today they may be better suited for these services today. I see Linux as a great candidate for a future capture of market-share on the desktop away from Microsoft. It is also a great tool environment for infrastructure software and hardware solutions - for appliances and for all-in-one SME solutions (Firewalling, VPN, management, VoIP, etc.). The investments of the big system vendors (IBM, Dell) and Sun Micro (with Cobalt) will make Linux a major contender in the data center, down the road.

LinuxSecurity.com: What are some of the biggest challenges you face when dealing with security?

Avi Fogel: It's an organic situation. The hackers represent everything from the genuinely intellectually curious to undisciplined script kiddies. The only constant is that their threats are constantly changing to overcome network defenses as they grow more numerous. The major problem with network security in general is the fact that it is still considered by many IT managers as a fringe issue - and is still in the category of black magic - a little-understood phenomenon of IT systems and networks. The nature of network security is also about continuous discovery of new holes and bugs that pose security threats. Thus the general problem is that of a need for continuous education by the network security vendors to get high enough on the attention span of IT decision makers.

LinuxSecurity.com: What do you think can be done about denial of service and distributed denial of service attacks? What do you think is the most significant threat to the general Internet community today? What will it take to resolve these issues?

Avi Fogel: Enterprises need to step up and show due diligence in implementing sound security for their networks. If for no other reason -- to keep from getting sued when their sites are used as launch pads to bring down an eBay or Amazon. The threat will focus on the lowest common denominator -- those sites with high speed connections and limited or no protection will be hit first and most often. Diligence on the part of enterprise web site owners and even the home user with high speed connections is a good start for the overall security of the Internet. Adding egress filtering technology and mandating its use on hosts, firewalls and routers would prevent the use of machines as zombies of DDoS or Trojans.

LinuxSecurity.com: Can you make any comparisons between security of UNIX versus the security of Windows?
How much do you think the maturity of UNIX has an effect on its overall security?

Avi Fogel: UNIX and Linux have slightly better network address filtering capabilities than Windows, and Unix has better online help as it relates to network security. Unix and Linux also have more shareware tools to address some of the issues that host-resident firewalling addresses, such as logging tools. Generally though all OS's lack network access controls and intrusion detection capabilities.

LinuxSecurity.com: Do you believe the open source nature of Linux provides a superior vehicle to making security vulnerabilities easier to spot and fix?

Avi Fogel: Definitely yes. On the other hand open source means easier to crack through well known bugs and deficiencies and a lot of free code that could itself be a tool made available by hackers. Users need to be aware of the latter threats and closely and timely monitor vulnerability notifications and carefully check the source of code they use.

LinuxSecurity.com: I'd like to thank you for your time today, and sure appreciate the opportunity to speak with you. We look forward to hearing of new developments on your work in the Linux security market!

Brittany Day

In this interview, two principals from Secure Computing, Inc. offer their thoughts on the state of Linux and security, its place in the data center as a secure platform for business, and their work with the National Security Agency to create a Type Enforced version of Linux.

Recently I had a conversation with Carr Biggerstaff, Senior Vice President of Marketing, and Thomas Haigh, Vice President and Chief Technologist for Secure Computing, Inc. about their work with Linux and security. Carr has worked as the senior IT executive for both services and manufacturing companies, a consulting manager with Arthur Andersen, the senior technical marketing manager for emerging technologies in the Enterprise Server Group at Intel and the vice president of a sales and marketing agency. Thomas is responsible for the development of product evolution strategies and technology roadmaps across the company's product divisions. Prior to his current position, Haigh was Vice President and Director of Research at Secure, where he focused on developing acquisition plans, and planning and implementing contract and independent research and development programs.

LinuxSecurity.com: Would you give us a brief overview and background of Secure Computing?

Tom Haigh: We started out as an R&D center at Honeywell in the mid-80s. At that time we were focused on operating systems security and database systems security doing research for the Dept of Defense and the Air Force. Our main contract was to develop an A1 level operating system for the NSA. There was a series of contracts culminating in a system that was actually fielded, a multi-level guard called the Secure Network Server. It was to be placed between two networks of differing classification levels and filtered the traffic between them. And it was on this series of contracts that we developed the type enforcement. Because we had been working on a secure network guard, it was natural to go build a firewall.
So we took that same technology that we developed on that contract and rolled it forward into our Sidewinder firewall. The type enforcement is there; the strong mail filtering is there. We went public in 1989, and in 1995 acquired four companies. We refocused ourselves on e-business opportunities. The mission of our company is to be recognized as the leading provider of safe-secure extranets for e-business.

LinuxSecurity.com: And your firewall is a primary piece of that?

Tom Haigh: I think it would be overstating to say that it is the primary piece. Basically the products we have are great components for this. SafeWord has grown into an access management product. It does authentication and authorization. So it controls what each user is authorized to do on the system or through the firewall. Then it does the audit as well so you can hold each user accountable. In the old days a firewall was all you needed. You let email in and outsiders out and let insiders do anything they want. As we move more toward e-business, now we are letting an awful lot of outsiders in as well. All your partners are coming in. You have to know who your partners are, and when they're on the inside. That's when access management becomes crucial.

Carr Biggerstaff: It's a lot more than access management. Because in e-business in particular, those customers and suppliers are being granted access to business applications that are traditionally internal applications. And so the trick now is not just to provide firewall functionality which keeps unknown and untrusted people out or VPN type of gateway capability which lets people in and have an encrypted protected session but more importantly to escort them, if you will, to the few applications that they are allowed to use. If I'm a supplier of yours I may be able to come in and check my inventory levels, etc, for replenishment, but I shouldn't be able to go all over your manufacturing system, for example.
So that's the access management piece of it that becomes so important, particularly important in the business-to-business segment of the market, which is the market segment that is expanding so dramatically, and where the revenue dollars are being generated. As opposed to the consumer-to-business dot-com stock.

LinuxSecurity.com: Do you view Linux as being a viable platform for developing security products?

Carr Biggerstaff: Linux is not only very important for us, but we've been doing work on the Linux platform for some time now. The only other comment I'd make is the thing that people need to remember about Linux is that it represents not only a platform in the traditional computing space, but also for embedded systems.

LinuxSecurity.com: What are the most important topics or issues in your industry, and why?

Carr Biggerstaff: The most important topic that we have to deal with today is the full disclosure of issues surrounding security today. I talk to people and Tom talks to people all the time from the commercial and government sector and nobody talks about their security problems. Nobody shares the information as to how it happened, what happened, etc, and in fact if they say anything at all they tend to whitewash it. They do so for a couple of different reasons. One is the obvious - they don't want to talk about their dirty laundry. Two is that they don't want law enforcement activity in many cases. Three they don't want insurance issues. But, as I said earlier, that is going to change. It needs to change because we have an education issue in the industry. If we don't better understand as vendors of security solutions, if we don't better understand what is going wrong, we can't provide the product. Another issue that weighs heavily, at least for me, is that as security vendors, the security industry itself doesn't do a good job of disclosing all the vulnerabilities. There is, for example, a perception, which our market fuels, that a firewall is it.
The reality is that very few people understand that a firewall in front of a web server, which is arguably coming with a de-facto, ubiquitous access method for e-commerce and e-business and everything else, it's a web server. Very few people will sit down and tell a customer "No, you don't understand, if you put a firewall in front of a web server, and you open up a port in that firewall to let http traffic through, then you run the risk of that web server being compromised." And it happens all the time. You can't successfully screen out the malicious code in the http connection. So there needs to be a little more honesty on the part of everybody in order to fix what I think is going to be a growing problem. Just because of the law of large numbers effect, as we go from letting a few hundred people into our systems across the public Internet to letting thousands of people into our system, the odds say the probabilities are there that we are going to have more and more breaches, whether they are insider breaches or from unknown intruders, and the only way we are going to scale our solutions to solve these problems is to have more honesty in the industry. And that will come if customers and suppliers, vendors like ourselves, begin to mature a little bit and recognize that like every other business solution we've had to deploy over the past 25 years. So we'll get better at telling each other what we need to know, but that's a key issue.

LinuxSecurity.com: You've touched on the SideWinder firewall. Would you like to talk a bit further about it, and explain your Type Enforcement Technology?

Tom Haigh: Absolutely. The SideWinder firewall is an application layer gateway. At this point it's actually become a hybrid. We give users the ability to enforce security at the application layer, not just at the IP layer. The Type Enforcement Technology is one of the really important features in there.
There is a paper published this past week that is available now on our Type Enforcement Technology. We've made a number of modifications to the operating system kernel and wherever access is enforced, we have to add hooks to Type Enforcement access control. So basically rather than go checking the Unix ACLs, the NT ACLs, you've got to go check the type enforcement Domain Definition Tables, Type Enforcement Tables for now. What the type enforcement does is compartmentalize the applications that run above the operating system. So each application runs in its own compartment. Think about the hold of a ship - if one compartment is compromised, the ship doesn't go down, the damage is contained to one space. And with type enforcement the same thing happens. We build walls between the application and walls between the operating system itself. So if a hostile user or more likely these days malicious code gets in, causes a compromise in one subsystem, that compromise can't spill over into other subsystems. It's very very powerful. If a user manages to mount an HTTP overrun attack, or a stack overrun attack of any sort, they can't use that to break out of the application they're in and get down into the operating system to gain root access to take over the entire system. We've absolutely eliminated that. And what's really powerful about that is that the last collated data I've seen for 1998, CERT documented 13 major firewall attacks, 9 of them were stack-overrun attacks. So with this mechanism we're eliminating a very high percentage of the firewall attacks. That in itself is important. That's a huge discriminator.

LinuxSecurity.com: Recently it was announced that Secure Computing has been awarded a sole source contract by the National Security Agency to develop a Secure Linux operating system. What is the status of this project? What applications will it be suitable for? Will the changes be released to the open source community?

Tom Haigh: The work we are doing with NSA is to implement Type Enforcement in Linux. We are in development on this right now, and we expect to deliver it this summer. The objective here is to release all of this to the open source community, and for us, that's crucial because we of course would really like to make SideWinder available on Linux as well as the BSD version we have today. As Carr said, with embedded Linux beginning to appear, and the growth of firewall appliances there's a real nice match there. Since NSA has not authorized us to make the code public yet, we have to keep it on the shelf for right now. We see Linux with Type Enforcement as suitable for a broad range of applications. Certainly for a firewall, but once we have a version we can distribute, then we would like to get SafeWord running on that as well. And beyond that, we've implemented some prototype e-commerce suites in a Type Enforce environment as well. Basically taking Netscape Enterprise server and protecting it with Type Enforcement. Then putting some of the back office and supporting services around it. So we see this ultimately as being suitable for a wide variety of e-business applications. PC Week had their 'PC Hack' where they had a Linux server, but with Type Enforcement technology on it, it wouldn't have been broken into. Because of NSA's restrictions on the code, I can only describe the changes in fairly general terms. Basically, we have to modify each kernel entry point by adding a hook to make a Type Enforcement check. Then we have to modify a small number of modules to make the checks. We estimate that there are changes to less than 5% of the base Linux code. There are actually two technical teams working on this project, our team and a team at NSA. The two teams have worked together for over six years now, adding security mechanisms like Type Enforcement to a number of experimental operating systems, most notably Mach.
The NSA team began their work last fall, before we signed the contract with NSA, so they developed the majority of the code. All in all, it has been a good partnership, a win for us, a win for the government, and once NSA approves release of the code, a win for the Linux community.

LinuxSecurity.com: How do you expect the marketplace to change over the next two to three years?

Carr Biggerstaff: I'll tell you, and as you'll hear from both of us, the biggest deployment trend in the industry today worldwide is e-business, or business-to-business. When you look at revenues generated in e-business systems, they all track amazingly identically. The trends are all focused on doing e-business because there are very tangible benefits to them. What's interesting about that model is that if you take yourself out two to three years, and you think about what an e-business system really is, where I've got customers and suppliers that have a protected, private communications link into my back office system, such as manufacturing, accounting, inventory, whatever, and they are being granted access just as if they were an employee of my company, when you think about that model, and you overlay something like Forrester says over the next couple of years the average number of discrete e-business links (customer to supplier, or supplier to customer) is going to be something like 700. You think about that, you've got hundreds of people, if not thousands, that are going to be operating in each other's systems as if they were employees. From a security point of view, what we always think of are insiders. We think there's somebody who's already inside, who has been granted the rights and privileges to be in our proprietary information systems and 99.9% are normal people who are going to do normal things, but there's always a bad apple.
If you go and look at the FBI statistics and reports that they've put out annually, and what private industry reports are put out, the biggest risk from our data security point of view for years has been the insider.

LinuxSecurity.com: And it's probably one of the least recognized threats, too.

Carr Biggerstaff: It's because we've weaned ourselves from it over the past decade. When Tom and I got into this business, it was host terminal computing and we didn't really have Internet to speak of. Back when Tom was hardening operating systems for Honeywell and before that, our concern was the insider because we never let outsiders into our system. And then along comes client-server computing, and in particular the Internet, then bang! People are being granted access whether they are remote employees from home or from a hotel room, EDI-connected partners, little by little they are being granted access. And now that trend is growing exponentially. You used to just let remote access for employees and a few partners through an EDI or proprietary EDI solutions. We're now talking about letting larger and larger numbers of customers and suppliers in across the public Internet to do business in our arguably most valuable asset today in any business. So that's an issue for us. And we've been worrying about that now for about 18 years as a company. We started back in the days of guarding against the insider and we've survived and lived through the different changes in security, but that's never left our mind. We continue to architect solutions that are designed to protect against the insider as much as the outsider. And I think that's the biggest single trend we'll see in the security segment of the industry besides the obvious, which is more people using more systems means more security breaches. We will continue to see more and more reports of systems that have been breached. As people become desensitized, the reporting will become better.
Today not a lot of people report breaches, but over the next three years people will become more forthcoming about being breached, what happened, and getting help to solve the problem. We'll have more information, you'll see more information, you'll see more security problems surface. That said, the biggest issue that people will have to deal with would be insider-oriented issues because they will have a bunch of "insiders" in their system. And it's going to be real tough to deal with them unless they intelligently manage that access, and I think that's the key thing that we see coming.

LinuxSecurity.com: How do you think your industry will change in the future? What new products can we look forward to seeing from your company?

Carr Biggerstaff: What you will see from our company pretty quickly is the ability to provide the next layer of access management and protection. Today we stop everything at the perimeter, at the boundary of the business, at the extranet, for example. But as we talk more about the insider situation and the proliferation of "insiders" it's going to become important to protect the individual hosts themselves from access. We're in the process of putting together a product that we'll be announcing the next quarter. I'll let Tom address the other points - those are the key points from my perspective. I think the biggest - it may seem simple to state it this way, but probably the biggest issues that our industry and information technology industry is going to face more than anything else is going to deal with scale. The fact that more and more users are going to be connected to your systems than ever before, and you're going to be connected to more and more people's different systems than ever before by a variety of different devices. It introduces a level of complexity and sophistication that we've never dealt with. It's always been pretty easy. First it was host terminal within our own business, then it was client-server within our own business.
Then we added the Internet. And now we're talking about people getting to you by phone, PDA, and they can get in your systems, looking at your data, making decisions in your software, by buying things, selling things, whatever. And that's going to introduce an opportunity for all of us in the industry to either put-up or shut-up. When it comes to providing the applications and capabilities to provide a healthy environment. That's going to be the ultimate challenge for all the companies. A single-point solution isn't going to do it. You can't just put a firewall on the edge of the network. If you go and look at Gartner and Forrester and all those guys you're going to begin to see a trend as they move away from the firewall as being essential but not enough. They're talking now about access management and access control. The challenge is letting the right people in to do precisely what they're allowed to do, no more, no less. And that's a huge shift that's going to be a challenge for us all. We've been looking at this for at least two years.

Tom Haigh: To elaborate on what Carr had to say... It's not just the number of users; it's the kinds of things they're doing as well. When everyone was doing email and accessing static web pages, security policies were pretty simple. We didn't think they were, but in retrospect they were pretty simple. So now we've got a whole lot more users. Some of them are true employees of the enterprise, and others are partners of various flavors, and each of them needs to do certain things to get their jobs accomplished. But then there are other things that they shouldn't be able to do. So the problem is not just one of one dimension - we've got growth in multiple dimensions. A combinatoric explosion of possibilities that have to be controlled. And so the ability to manage this security fabric on a point-by-point basis just isn't going to cut it anymore. Customers are going to have to think holistically. How do they secure the enterprise?
And we have to start giving them the tools they need to do that. It has to be an integrated set of tools.

LinuxSecurity.com: Can you describe SafeWord and SmartFilter in a bit more detail? Are there plans to port these to run on Linux?

Tom Haigh: Both of these already do in fact run on Linux. SmartFilter is a web-filtering product that runs as a plug-in to standard proxy servers. It controls where people inside the enterprise can go and surf on the Internet. So what we do is, we've got a service where we categorize sites on the Internet into one of 27 categories. Things like sports, entertainment, sites with sexual content, job search sites, sites with violent content, that sort of thing. The enterprise can enable and disable these categories on a 24x7 basis. Corporate bandwidth is precious, particularly during working hours, so this product gives the ability to keep this bandwidth available during working hours. Another reason for this software is to provide a non-hostile work environment. Some clown downloading images from playboy.com, this becomes an uncomfortable work environment. The latest Computer Security Institute and FBI survey they do every year shows 79% of companies identify improper use of the Internet being a major problem for them.

LinuxSecurity.com: So does the corporation have the ability to add specific URLs to the list? Or is it updated weekly, or?

Tom Haigh: Both are possible. The enterprise can add URLs to the list of prescribed sites. We've got about a half a million sites on there now. Customers can also send us other sites to check out, and we do that. It turns out that 80% of Internet accesses go to a relatively small number of sites, so we've got pretty good coverage.

LinuxSecurity.com: The opponents of products such as yours say there are an infinite amount of illicit sites, and it may be better off going the other way around, excluding everything and including a select few that people are interested in going to.
You don't find that in your experience?

Tom Haigh: The problem with that is there are going to be the specific sites that individuals have to get to in order to do their job. It's much more of a maintenance hassle. This eliminates that maintenance hassle for them. Our product has a couple of notable features. One, it runs on the server, not on the desktop, so it's not something that an individual user can go in and reconfigure to get rid of the restriction. The other thing about it is that it can be configured in a 'hard deny' mode and there are also some softer modes. One way to do this is to configure SmartFilter so that it runs very slowly when a user attempts to access a non-work related site. Another is to configure SmartFilter to coach a user, suggesting to him that the selected URL may not be work related and asking the user to confirm that he wants to go to the site.

LinuxSecurity.com: Is there work being done on developing intelligence in that it can detect specific keywords or things of that nature? Or even keywords in the URL itself?

Tom Haigh: We've got some automated tools to help us with the classification service. But we have not put those into the system to do filtering in real-time. The reason is that it is easier to do a fast lookup, so it's better to use those tools in the background to populate the categories than to try to do this in real-time. SafeWord is a much more complex product. It does user authentication and authorization. So SafeWord maintains a user database and in that database you talk about what authentication methods the user uses; it could be a fixed password, or it can be a dynamic password, such as one-time password-generating tokens. We have our own, and we also support other people's tokens. Also associated with that is the ability to assign specific access rules to that user on a specific system.
So when you authenticate, you authenticate to a firewall or to a web server, or to a database server, and what we can do is download specific access rules for that user or we can simply download a 'role' or a 'group' for that user and then use that as an index into access rules that are already hosted on that system, which is my preferred way to do it. So we bind a user to a role, or set of roles that state that "This user is authorized to play these roles" and then the web server or the firewall has its group ACLs and it simply maps the role to a group that states that this user is a reseller, for example, which controls which web pages to allow him access to. SafeWord also has audit capabilities.

What's really interesting is what's going on behind the scenes. We have the ability to replicate the user database on multiple copies of the SafeWord server. So that means if one SafeWord server dies, the others keep going - the enterprise keeps going and people can still authenticate. Pushing behind that, we have the ability to have multiple clusters of replicated servers, so we could have a cluster of three servers in California handling authentication for the California users, and a cluster of servers in London handling authentication for the European users, and these are all fully replicated. We have the ability to proxy authentication requests among the clusters. So, if I ordinarily work here in Minnesota, use the SafeWord servers in California for authentication, and I go to London or anywhere in Europe, when I do my authentication it goes to the servers in London, but those automatically point it back to the California servers. So this gives us reliability and scalability that we need. Our largest customer is a financial institution that has 400,000 SafeWord users authenticating 400 billion dollars of transactions per day!
We recently released SafeWord Plus, which adds support for public key-based authentication as well as very easy user enrollment and something we call a virtual smartcard. The virtual smartcard provides smart card functions and strength of security without having to install smartcard readers on everyone's desktop. SafeWord Plus is a new product, and will be available on Linux in a future release.

LinuxSecurity.com: Are you currently working on any other security products for the Linux market?

Tom Haigh: Not right now. We currently have two of our four products running on Linux now. The plan is to move the other products to Linux as opportunity presents itself.

LinuxSecurity.com: Do you think Linux has a place in the data center as a secure platform for commerce in the state that it's currently in?

Tom Haigh: Yeah, I do, and I think that with the enhancements that are going on in the Linux community, it will become even more attractive. So yes, I think there's definitely a place for it in the data center. I think a lot of security vendors are going to be moving to Linux for their security products. Certainly we are, and there are already vendors that have implemented their products on Linux. There are some firewall appliances that run on Linux now. I think there will be growth in this area. The growth in Linux security products will parallel the growth of the Linux server market in general. As more and more Linux servers are used in the data centers, it's going to have to be secured, and security means a number of different things. A lot of times people say "secure web server", and people think it supports SSL. There's a lot more to a secure web server than that in our opinion. The SSL is the first piece. The next piece is good forms of authentication, something more than passwords. Once you've got the secure authentication, you've got the secure communications; you've got to worry about authorization inside the system.
How do you control what users do, how do you control what code might end up there. How do you control whether someone can install a CGI script, and what it does. Being able to host stuff for two competitors on the same server and keep them from hacking each other is a good canonical example that I think Linux with Type Enforcement can do. When Carr talked about when all the outsiders become insiders, being allowed legitimate access through the firewall into the corporation, it's not just the users themselves, it's the code of theirs that might also be permitted access. Such programs are JavaScript, Visual Basic, and all the other horrible things. You have to ask how you are going to control that. This is another great use for Type Enforcement.

LinuxSecurity.com: Thank you all for your time, and we sure appreciate the opportunity to speak with you. We look forward to hearing of new developments on the port of Type Enforcement to Linux in the future!

Brittany Day