Welcome to LinuxSecurity.com - the community's central source for information on Linux and open source security since 1996. Whether you’re a new visitor or a long-time community member, this article will provide you with insight into the mission behind our site, our history and the content we provide.

Who We Are & What We Provide

LinuxSecurity.com has served as the community's go-to resource for information on Linux and open source security for over two-and-a-half decades. We follow the latest open source security news, trends and advisories as they affect the community, and produce content that appeals to administrators, developers, home users, and security professionals. Having created a site that satisfies the needs of both IT professionals and those individuals seeking to learn more about security and Open Source, LinuxSecurity.com has grown to encompass not only this website but also two industry-leading email newsletters, Linux Security Week and Linux Advisory Watch, which represent yet another opportunity to help further the advocacy and adoption of Linux by users worldwide. Just recently both the LinuxSecurity site and newsletters underwent a major redesign. We now offer the ability to create a user profile and customize your advisories based on the distro(s) you use.

LinuxSecurity.com is owned and maintained by Guardian Digital. As a proud member of and contributor to the Linux community, Guardian Digital devotes the LinuxSecurity.com advertising revenues to covering the costs of maintaining the site to ensure access to LinuxSecurity.com will always be freely available to everyone.

Our History

LinuxSecurity.com was first launched in 1996 by a handful of Open Source enthusiasts and security experts who recognized a void in the availability of accurate and insightful news relating to open source security issues.
Led by Dave Wreski, who currently serves as chief executive officer of Guardian Digital, this group has grown into a global network of collaborators who devote their time to gathering and publicizing the latest security news, advisories and reports relevant to the Linux community. The LinuxSecurity.com editorial and web development staff also creates feature articles, commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth and adoption of Linux worldwide.

As Dave founded LinuxSecurity.com and established the site as the Linux community’s central resource for security news, updates and information, he was simultaneously contributing to the foundation of the Linux community at a time when it was just getting started with his work on the revolutionary Linux Security HOWTO, a comprehensive overview of the security issues that Linux system administrators face, which also covers general security philosophy and a number of specific examples of how to improve the security of a Linux system.

Dave reflects on the mission of LinuxSecurity.com: “I founded LinuxSecurity.com to serve as the authoritative voice of Linux and Open Source security news with content driven by the security needs expressed by this vibrant, up-and-coming community. Over two decades later, LinuxSecurity.com still strives to provide objective, helpful information and thought leadership content about security as it relates to the rapidly growing, revolutionary open-source product that Linux is.”

Let’s Get In Touch!

Community involvement is one of our core values, and we love to hear from LinuxSecurity community members. If you have a question, suggestion, or feedback, send us an email here:
Hi, and welcome back. Today in Hacks From Pax we're going to shift gears a little, step back for a higher level view and talk about the year in security from a Linux standpoint, both the good and the bad, and have a brief discussion of trends for the coming year.

The holidays are over, the New Year has begun, and Santa (or someone much more sinister) has brought a late present for our Windows-using colleagues in the form of a 0-day vulnerability exploiting a flaw in the WMF Windows media file format. Luckily we Linux users are mature enough not to gloat. Most of us, anyway.

The Good

It's much the same story as last year: Windows worms and viruses continually propagate, crossbreed, and multiply while Linux remains above the fray. Sober and the other "newsmaking" viruses all infect and attack Windows, while all Linux admins get out of it are a few hits to our Snort rulesets. Yes, there are worms attacking Linux, and Linux, like any other system, is certainly not immune. Linux is, however, more resistant. One reason is made clear when the internet is compared to a biosphere. Linux is a mutt. Every Linux distribution does things slightly differently, Linux runs on very varied hardware, and many Linux users compile their own software. Things just aren't as standardized in the Linux world, which is viewed as a flaw by many pundits, though it has many benefits when it comes to security. A Linux security flaw may only affect a certain distribution or application, and most distributions and applications lack the massive marketshare to provide enough sustenance for a worm to really get going. Meanwhile, the applications that do possess large marketshare, such as Apache, tend to be generally secure due to their source code availability. Windows, on the other hand, lacks this genetic diversity. One copy of Windows XP is exactly like the next, and the source is closed, so previously unknown flaws are discovered all the time.
Yes, Windows does have a greater marketshare, making it a bigger target, but I'd wager that if the marketshares of Windows and Linux were even, Windows would still have more vulnerabilities. In nature, populations that lack genetic diversity run the risk of being decimated by a virulent disease, and the internet is no different. There's a reason we use biological metaphors like "worm" and "virus" to describe malware. Linux also benefits by tending not to be a primary target for malware authors because they have such a juicy target in Windows. Of course, keeping systems patched has been and will remain key; luckily most Linux distributions available today tend to be very polished in this area, with tools such as apt-get, yum, and portage providing easy application and system upgrades.

The Bad and the Ugly

So much for the good. Looking to the future, things go from bad to beyond ugly. We Linux users should realize how good we have it right now and recognize that the current security situation will not remain so benevolent for us. In an environment of dumb worms and viruses targeted at the least common denominator, Linux is well prepared to hold fast and remain generally secure. However, sinister trends are developing now that may end this state of complacency and need to be addressed. Crime related to spam, spyware, and other online illegalities is said by some experts to have recently passed international drug trafficking in dollars earned, and malicious hacking that used to be performed for fun is now a big business. Websites once hacked only so the culprit could deface them and show off are now penetrated in order to steal customer data and engage in identity theft. Botnets of more than a million compromised hosts are not unknown, used to send spam, host child pornography, and perform distributed DoS attacks. An underground market for botnets has made the creation of viruses and trojans into a thriving business opportunity for the unscrupulous.
Extortion attempts threatening denial of service are becoming commonplace in the "gray markets" of internet pornography and online gambling, and this may lead to similar threats to more mainstream online businesses. Other schemes involving penetrating a system, encrypting important files and holding the decryption key hostage for payment have also occurred and may spread in the future.

The spread of targeted attacks is another major threat on the horizon. A major scandal in Israel this year involved targeted trojans sent to major corporations on behalf of their competitors for the purposes of industrial espionage. These targeted attacks make existing signature-based virus scanning technology worthless, since the software is specific to its target, and in the Israeli case firewalls and IDS systems were bypassed by sending the trojan disguised as marketing material on a CD-ROM. Targeted attacks like this expose the flaws in our existing signature-based security software, and show the need for a "default deny" philosophy and implementation of mandatory access control systems.

This growing professionalism among the ranks of the malicious hackers and malware authors is alarming and will affect Linux users as well as Windows users. As more people move off of a Windows platform deemed vulnerable to Linux, our juiciness as a target grows larger. Targeted attacks aimed at Linux are simply a matter of time, and as the profit potential for compromising Linux systems grows, so will the number of attackers focusing on the platform. Windows functions as our canary in the coal mine: the specific methods attackers will use to attack will change, but their motives will remain. The days of "hacker curiosity" and penetrating systems "for fun" are over. The new breed of attacker has more material goals in mind, and while a more secure platform can help deflect attacks, it may no longer help prevent Linux from being a target as it has in the past.
-- Pax Dickinson has over ten years of experience in systems administration and software development on a wide variety of hardware and software platforms. He is currently employed by Guardian Digital as a systems programmer where he develops and implements security solutions using EnGarde Secure Linux. His experience includes UNIX and Windows systems engineering and support at Prudential Insurance, Guardian Life Insurance, Philips Electronics and a wide variety of small business consulting roles.

Brittany Day
In this interview, Avi Fogel, CEO of Network-1, offers his perspective on the state of Internet security, his experience with Windows and security, and the advantages and disadvantages to Open Source security.

Recently I got an opportunity to speak with Avi Fogel, CEO of Network-1 Security Solutions, Inc., an industry-leading developer of distributed firewalls and other security products primarily for Windows platforms. I thought it would be interesting to speak with an established security expert that addresses Internet security from the Windows and closed-source perspective, and see what his views are on topics including Open Source, Linux, and the current state of security in general.

LinuxSecurity.com: Can you describe a bit about your background? How did you get involved with security? What did you do prior to becoming the CEO of Network-1?

Avi Fogel: Like many in the security industry, I grew up in a security conscious environment -- in Israel. I graduated from Technion, the Israeli Institute of Technology, with a degree in Electronic Engineering and served as technical officer in the Israeli Defense Forces. I have come to network security from computer networking, in which I've been involved since 1980. Prior to coming to Network-1, I was president, CEO and co-founder of CommHome Systems Corporation, a residential networking startup. I also held positions as vice president of global marketing at Digital Equipment Corporation - Network Products, executive vice president of global marketing with LANNET, Data Communications, Ltd., a LAN switch manufacturer, and president and CEO of LANNET America. When my startup company, CommHome Systems, was acquired by the investors of Network-1, I was brought aboard as President and CEO of Network-1.

LinuxSecurity.com: Can you give us a brief overview of the products and services you offer at Network-1? How does your packet filtering firewall differ from other firewalls?
Can you explain some of the basic concepts of packet filtering?

Avi Fogel: Our strategic products and the ones that give us the greatest market differentiation are distributed, host-resident firewalls for servers, enterprise-wide personal computers and workstations. These are CyberwallPLUS-SV (for servers) and CyberwallPLUS-WS (workstation), respectively. Presently, we address the Windows NT/2000 market, but do plan to expand into other platforms. In an unpublished report by one of the major market analysis firms they indicate that distributed host firewalls will become a $250M market by 2004. Network-1 believes that it has advantages in depth of security, especially in server environments, in performance and in management abilities vs. other players in this area. To round out our product offering and to offer protection for other platforms, we offer CyberwallPLUS-IP as a perimeter firewall and CyberwallPLUS-AP as an internetworking firewall for LANs. Although these too are for Windows NT/2000 servers, they offer protection for heterogeneous networks. To manage it all we provide CyberwallPLUS - Central and CyberwallPLUS - Remote, for remote monitoring and control of the distributed firewalls in a network.

LinuxSecurity.com: What do you see as the most significant trends or developments in computer security in the next few years?

Avi Fogel: The emergence of the distributed, host-resident firewall for open, e-business networks is making headway. Analysts are investing in researching the size of this market and industry pundits are writing about this area as the next generation of Firewalling technology. We recently announced an enterprise-wide sale of our workstation product, the WS edition, to BMC Software and have had an important subsequent one to a major government agency.
We are seeing similar enterprise-wide opportunities come up for Windows workstations and servers in many segments - government, industry, education and financial institutions. These are better able to secure all the various access points in the open environment presented by e-Business than the traditional packet-filtering router and perimeter firewall approach. They also scale upward in growing networked environments predictably, without the performance degradation you are likely to get from traditional approaches.

LinuxSecurity.com: What do you think of Linux as a viable platform for developing security products? Has Network-1 given any thoughts to developing security software for Linux?

Avi Fogel: While there are some differences in vulnerabilities between OS's and the availability of shareware to address these - Linux, like Windows and traditional Unix, suffers from the lack of granular Network Access Controls and built-in Intrusion Detection and Prevention capabilities and capabilities for extensive logging of network transactions. Network-1 sees Linux as a very important platform that we want to be able to address in the future as part of a full host-resident distributed firewalling solution.

LinuxSecurity.com: Do you think Linux has a place in the data center as a secure platform for commerce in the state that it's currently in?

Avi Fogel: Due to the greater availability of applications for Windows and Unix today, they may be better suited for these services today. I see Linux as a great candidate for a future capture of market-share on the desktop away from Microsoft. It is also a great tool environment for infrastructure software and hardware solutions - for appliances and for all-in-one SME solutions (Firewalling, VPN, management, VoIP, etc.). The investments of the big system vendors (IBM, Dell) and Sun Micro (with Cobalt) will make Linux a major contender in the data center, down the road.
LinuxSecurity.com: What are some of the biggest challenges you face when dealing with security?

Avi Fogel: It's an organic situation. The hackers represent everything from the genuinely intellectually curious to undisciplined script kiddies. The only constant is that their threats are constantly changing to overcome network defenses as they grow more numerous. The major problem with network security in general is the fact that it is still considered by many IT managers as a fringe issue - and is still in the category of black magic - a little understood phenomenon of IT systems and networks. The nature of network security is also about continuous discovery of new holes and bugs that pose security threats. Thus the general problem is that of a need for continuous education by the network security vendors to get high enough on the attention span of IT decision makers.

LinuxSecurity.com: What do you think can be done about denial of service and distributed denial of service attacks? What do you think is the most significant threat to the general Internet community today? What will it take to resolve these issues?

Avi Fogel: Enterprises need to step up and show due diligence in implementing sound security for their networks. If for no other reason -- to keep from getting sued when their sites are used as launch pads to bring down an eBay or Amazon. The threat will focus on the lowest common denominator -- those sites with high speed connections and limited or no protection will be hit first and most often. Diligence on the part of enterprise web site owners and even the home user with high speed connections is a good start for the overall security of the Internet. Adding egress filtering technology and mandating its use on hosts, firewalls and routers would prevent the use of machines as zombies of DDoS or Trojans.

LinuxSecurity.com: Can you make any comparisons between security of UNIX versus the security of Windows?
How much do you think the maturity of UNIX has an effect on its overall security?

Avi Fogel: UNIX and Linux have slightly better network address filtering capabilities than Windows, and Unix has better online help as it relates to network security. Unix and Linux also have more shareware tools to address some of the issues that host-resident firewalling addresses, such as logging tools. Generally, though, all OS's lack network access controls and intrusion detection capabilities.

LinuxSecurity.com: Do you believe the open source nature of Linux provides a superior vehicle to making security vulnerabilities easier to spot and fix?

Avi Fogel: Definitely yes. On the other hand, open source means easier to crack through well known bugs and deficiencies and a lot of free code that could itself be a tool made available by hackers. Users need to be aware of the latter threats and closely and timely monitor vulnerability notifications and carefully check the source of code they use.

LinuxSecurity.com: I'd like to thank you for your time today, and sure appreciate the opportunity to speak with you. We look forward to hearing of new developments on your work in the Linux security market!

Brittany Day
An interview with Marcus Ranum, CEO of NFR, on Intrusion Detection, Linux, and Security.

Recently I got an opportunity to speak with Marcus Ranum, Founder and Chief Technical Officer for Network Flight Recorder, developers of network intrusion detection products. He has specialized in Internet security since he built the first commercial firewall product in 1990. He has acted as chief architect and implementor of several other notable security systems including the TIS Firewall Toolkit, TIS Gauntlet firewall, whitehouse.gov, and the Firewalls FAQ. Marcus frequently lectures on Internet security issues, and is co-author of the "Web Site Security Sourcebook" with Avi Rubin and Dan Geer.

LinuxSecurity.com: How did you get started with security? What were some of the bigger challenges you faced as you tried to be one step ahead of your black-hat adversaries?

Marcus Ranum: I got started when I was working in sales support for Digital Equipment Corp, and my boss made me take over management of one of our corporate Internet gateways. It wasn't really a firewall, in those days, but over the course of a couple of years I evolved it into a pretty tough firewall which later became a commercial product (the DEC SEAL). My interest was always in building large-scale distributed systems and doing network management. Security was just something that snagged me, sucked me in, dragged me under, and has never let me go. To me the biggest challenge has always been keeping up with what the bad guys are doing while keeping my hands clean. There are a lot of security folks who play on both sides of the fence; their excuse is that they need to do that to learn what the enemy is doing. In reality, I think that's just a pose they adopt that lets them have the benefits of being a hacker without the downside of getting in trouble if they get caught.
I've tried all my career to be living proof that you can be a security professional without having a background as a "blackhat" or "gray hat" hacker, but it still boils my blood that I get 2 or 3 e-mails a week from hotmail.com addresses asking for hints on how to break through firewalls, etc. It's very disappointing, especially now that some conferences (SANS, Interop, etc.) are teaching "how to hack" classes and promoting hacking as something that's fun and cool.

LinuxSecurity.com: Can we start with having you explain what an intrusion detection system actually is, and a mention of the various types? What is the difference between misuse detection and anomaly detection? Host-based and network-based?

Marcus Ranum: An intrusion detection system is a security system designed to detect unauthorized accesses (or suspicious activity) within a system or a network. Host-based intrusion detection systems tend to focus on what's happening within the host itself. Network-based intrusion detection systems generally operate at an IP level, trying to infer attacks against the network from traffic and its contents. The host-based approach tends to focus on logs, application states, and kernel information for its data sources, while the network-based approach tends to focus on packets. Of course, there is always some crossover: some network-based systems look for host problems, and some host-based intrusion detection systems latch the bottom of the host's IP stack and look at packets. Anomaly detection and misuse detection are the two primary approaches for analyzing the data the intrusion detection system deals with. In the misuse detection approach, the intrusion detection system has a knowledge base of "signatures" that represent known attack patterns. The system matches events against the signature database as it sees them.
This is a very predictable approach - if your knowledge base is good, and your pattern matching ability is good, then you will reliably detect known problems. On the other hand, if you don't know what a particular attack looks like, you can't detect it. So misuse detection systems may miss a new attack; they're much like antiviral software in that regard. Just like antiviral programs, misuse detection systems are easy to deploy, and very effective. Anomaly detection systems are based on statistical analysis - they try to determine what looks "unusual" based on the types of events seen in the network beforehand. Anomaly detection approaches often emphasize training, neural networks, statistical margins of error, etc. This approach is less predictable than misuse detection, since it depends on learning what's going on - and the system makes "inferences" about the significance of events. One of the biggest problems with statistical methods is that they can tell you if something is "unusual" but they can't tell you what it means. That's left as an exercise for the user. For that reason alone, many network administrators find misuse detection to be more valuable: it tells you what things mean because it's got that knowledge base to compare against. In real life, most intrusion detection systems use both anomaly detection and misuse detection, since neither approach is perfect in itself - you can get pretty good coverage by trying a bit of everything. I've been predicting for a long time that eventually the host-based versus network-based paradigm will break down as well: there are some things that each type of system is especially good at, and an intrusion detection system designer would have to be a fool to ignore that.

LinuxSecurity.com: The phrase "defense in depth" describes a method of providing multiple layers of security to a system in an effort to reduce the risk of compromise should any one of those layers become subverted.
My experiences have been that many of those not familiar with this concept, or who have been deluded by marketspeak, think especially that an IDS is a panacea. Once it's implemented, it may be the case that a guy that previously worked in the tech support group is the one responsible for monitoring the GUI-based point-and-click front-end and calls someone when he thinks there's a problem. Can you explain what role an IDS should play in an organization?

Marcus Ranum: I hate the picture you portray: of an organization that is deluded by marketing and which doesn't take security seriously enough that their staff have the time and wherewithal to understand and pay attention to what's going on in the network. I know that there are a lot of sites out there like that, but it's awfully depressing to contemplate. Where would intrusion detection fit in an organization? Well, if they're concerned about security and want to do things right, they'll be monitoring traffic for unusual signs on the interior of their firewall, and on critical interior segments. Mission critical machines will also be running intrusion detection. Typically, all of the intrusion detection systems will report to a central console that is staffed by someone who can make the first approximation of what's significant and who will have the ability to call in the troops if something is clearly amiss. This means that the organization will have to have an incident response plan, a call tree for emergencies, and sufficient training to know whether or not a particular attack represents, as Captain Nemo says, "an accident or an incident."

LinuxSecurity.com: What are the hurdles that must currently be overcome with today's IDS boxes? What are some of the new features coming in the next revisions of IDS's?

Marcus Ranum: The main hurdles have to do with reducing the number of false positives (false alarms) while successfully handling greater and greater data rates.
Some of our customers are running sustained throughputs of 500+mb/sec - it's hard to collect that kind of traffic and examine it closely. So one of the new features I think most IDS will have is tight coupling between network-oriented traffic capture and host-based security analysis.

LinuxSecurity.com: How and why did you design the NFR operating system as a derivative of OpenBSD, the BSD distribution reportedly developed explicitly with security as a focus?

Marcus Ranum: We really wanted to move away from operating systems entirely, but it's difficult. To us the choice of OpenBSD was one of convenience - one of my staff has a good relationship with some key members of the OpenBSD team so we just naturally gravitated in that direction. But in today's world, you can't assume that things will stay the same: we use virtually none of OpenBSD in our appliance - only the bootstrap loader, some device drivers, and the kernel/file system. We wanted to be able to swap operating systems any time. We think we could replace the operating system in a matter of a month or so, if we had to.

LinuxSecurity.com: I understand you have a few sound reasons why your product doesn't run using Linux as a base. Can you explain why that is, and why you're only now revisiting Linux? Will we have IDS administrative console access soon on Linux?

Marcus Ranum: The main reason is that we don't really care about operating systems; since our product comes with its own operating system built into it, we're very happy in the operating system department. There's no reason to switch or support another operating system other than if we wanted to be trendy. Since our users have no access to operating system features, they can't tell if it's BSD or Linux or whatever - they shouldn't care. Of course, you always run into die-hards who are disgruntled when you're not supporting whatever it is they particularly like.
From our perspective, that's like complaining that your car's microcontrollers aren't running Linux. Who cares what they're running? We've got command line tools for accessing the IDA from a UNIX or Windows machine; they work fine under Linux. We keep exploring the idea of writing an X-Window based GUI, but our experience is that UNIX users are happy with command line, and Windows users are happy with GUI only. So we think things are pretty well covered in that department.

LinuxSecurity.com: What do you think about the concept of having the IDS box interact directly with the firewall, and provide the ability to block off the offending address as it's happening? Obviously this could cause a denial of service in and of itself, but is this type of proactive measure being worked on?

Marcus Ranum: That kind of thing has always made me nervous, but our customers ask for it all the time. I still believe that passive approaches are the only ones that are truly viable (interfacing with a router/firewall is "passive" while sending reset packets and network unreachables, etc., is "active"). The trend I believe we'll see in the future is centralizing of information into places where a human can react/manage the process as an intelligent participant. That's going to be an interesting and active area of research in the future, I predict.

LinuxSecurity.com: What do you think of the idea of incorporating the intrusion detection software directly into the network router, instead of a dedicated device for this purpose, such as NFR?

Marcus Ranum: I think it's a neat idea in principle but it doesn't and won't work very well in practice. The reasons are a little subtle, but let me explain a few of them: To do intrusion detection "right" at a network layer, you have to do TCP stream reassembly.
The fact that many of the commercial IDS out there don't do it now is an embarrassing little secret they'd like to keep, but it's really important since the bad guys know lots of ways around IDS that don't reassemble streams. But stream reassembly is hard (which is why some of the products out there don't do it) and it's also CPU and memory intensive. Router makers are extremely sensitive to things that are going to require extra RAM or a bigger CPU, so they've got a problem if you want to push IDS into that platform. My guess is that the IDS capabilities will be minimal (mostly for marketing purposes) or you'll see something that is really an IDS that also happens to know how to route - and it'll be a lot slower than a "real" router or switch. Let me give you an example: if you're trying to capture and reassemble an 80% saturated FDDI, you're looking at about 17,000 packets/sec - they won't all come in sequence so you're going to have to buffer packets. You can eat 100MB of RAM in no time at all and I don't see a lot of routers with that kind of spare real estate. Another problem with the idea of putting an IDS into a router or switch is log retention. IDS like to keep records of what they saw; hard disks are the only reliable way to do that. I don't see a lot of routers with ultra-wide SCSI disks in them. If I did, I'd be building IDS on them! :)

LinuxSecurity.com: I understand you no longer make the source code available to your product. Wouldn't it be possible to release the source code under an Academic Source License, as well as provide a binary-only commercial evaluation copy for those who are interested in purchasing it?

Marcus Ranum: We actually have (under limited circumstances) made source available for researchers in the community, gratis. The whole issue is painful for me because I come from an "open source" background (as a friend says, "I was 'open source' when 'open source' wasn't cool.") but I've had too much intellectual property ripped off.
There's already one product on the market that I believe is highly derivative of NFR - some chump's going to make a lot of money on that product, without so much as a "thank you" to the real innovators. I know a lot of people think I'm "anti open source" (which is silly, since I was posting source code before most of them had even heard of the Internet) but really I've had some nasty experiences with rip-offs that has soured me on the concept.There are a couple of guys who made tens of millions of dollars by ripping off the firewall toolkit (another of my 'open source' products) - after a while it gets irritating. Another problem I had with making source code available was that we had a lot of people who refused to read the README files, and ate a ton of our time with questions that we'd already expended considerable effort to answer. That made it hard for us to get work done! To top it off, people would ignore the README that explained that our commercial product was a whole different (and much more well-rounded!) solution, and they'd compare our source code "do it yourself" toolkit against our competitors' commercial offerings. I hate to say it, but being 'open source' hurt us really badly in a number of ways. So we're careful now. LinuxSecurity.com: I read your new column in the last issue of ;login, the USENIX and SAGE magazine, where you talked about how protocols and technologies are becoming more and more complex, yet seem to have increasingly less security, as a tradeoff for ease-of-use. Set-top boxes, xDSL, and cable modems are all adding to this fertile environment for attackers. What do you think our future is like? How can we design secure systems, yet make them easy enough for the uninitiated to use? Marcus Ranum: I don't think so. I think things are going to get infinitely worse before they get better (if they ever do) There's just too much shovelware out there. 
I saw a great example a few months ago: a web-cam that's a completely "hands off" appliance. Turns out it runs Linux inside, and a web server and a little FTP server. The web server has buffer overruns and the FTP server allows FTP bounce attacks. Of course the guys who built it were trying to make a camera, not a secure system, but I wonder how many of those are sitting out on people's DMZ networks... LinuxSecurity.com: It's been said that the only way we are going to resolve the distributeddenial of service is for upstream providers to perform source address IP spoof protection, as well as diligent, educated administrators to do their part in preventing their systems from becoming compromised. In the bandwidth consumption attacks such as smurf, it's often difficult to determine legitimate from illegitimate traffic. What role do you see intrusion detection systems playing in the prevention and reporting of on-going attacks? I believe that one of the important roles IDS will fill is by increasing the level of accountability on the Internet. We've already had customers catch hackers that were using their sites as jump-off points. Consistently, the hackers were surprised to find out that someone was watching who did what, and when. Well, it's unfortunate, but I think the days of anonymous Internet use are numbered. LinuxSecurity.com: Many of today's commercial firewall products include hooks to perform virus scanning, LDAP authentication and other "conveniences" that certainly seem to be more than a firewall should be responsible for. This ultimately resulted in a buffer overflow, of all things, on a firewall recently reported to bugtraq. Do you think these add-ons provide value-add to the consumer, or are an inexcusable attempt by the firewall vendors to create "the only security device you'll ever need"? What do you think the eventual polymorphism of firewalls will be in the next few years? Marcus Ranum: I think that was one of my old products. 
:( The hole was added after I'd left over managing the product, though. I tend to be extremely fussy about having anyone else's code on my products, for exactly that reason. I don't believe security can be built piecemeal through acquisition: it has to be consistently designed, by someone who is familiar with the system and who is interested in making the most secure product, not the most feature-rich. Firewalls are an interesting problem. There are some fundamental problems withthe entire firewall concept which, fortunately, the bad guys have not taken advantage. I believe that within the next few years, they will. Then I'm not sure what happens to the idea of firewalls. It bugs the hell out of me since I don't have a solution, either. It's one reason I got out of the firewall business back in '95 when I did. Marcus, I'd like to thank you for having this interview. We all very much look forward to seeing the projects you're working for the future, and hope to see you at the next computer security conference! . Marcus Ranum has been a leading voice in network security, focusing on intrusion detection systems and the challenges of monitoring complex digital threats. Marcus Ranum, Network Security, Intrusion Detection. . Brittany Day