Is Linux secure enough?

Although proponents argue that Linux is at least as secure—and perhaps more secure—than Unix, Microsoft Corp.'s Windows NT or Novell Corp.'s NetWare, there is still concern at many federal agencies about the operating system's safety.

The idea that Linux is more vulnerable than other systems, however, "is absolutely a misconception," said Terry Bollinger, principal information systems engineer for Mitre Corp., a think tank that performs federally funded research.

"But because the genesis of Linux comes out of the hacker community — hacker in the good sense, where there's this international global effort to develop a source code that is fully open, fully visible to everyone—that immediately brings up all sorts of concerns and worries about what that means. Can people break in? Can people plan Trojan horses? It's almost a reflex action."

Reflex or not, concerns about security have kept many agencies at bay, especially the Defense Department. Incidentally, the efforts of an agency famous for its suspicious nature may eventually help the rest of government put aside its fears. This spring, the National Security Agency released a prototype of a security- enhanced Linux system and released it to the public.

The prototype boosts Linux with new, stronger protections against tampering and bypassing application security mechanisms and with greater limits on the damage that can be caused by malicious or flawed applications. Among the new features are much-needed access controls at the user level and within the software itself.

The fact that NSA is sharing the source code and technical documentation ensures benefits for industry and government, a spokesperson for NSA said. Some agencies, including a number of DOD service elements and their contractors, have expressed interest in using security- enhanced Linux. Commercial operating system providers are also looking at the prototype for ideas about how they can enhance their products.

"This is a big step toward enabling a really strong security infrastructure, and many organizations have never had such a thing, even with proprietary systems," said Michael Tiemann, chief technology officer for Red Hat Inc. "I would argue that security-enhanced Linux is taking Linux to a level that is comparable to what runs on IBM [Corp.] mainframes."

Still, the prototype has a long way to go before it reaches the status of a full-fledged security solution.

"We feel that this level of interest is appropriate [because] the current offering is a prototype that is complete and stable enough for testing and small pilot efforts," the NSA spokesperson said. "Additional work is needed to make it ready for widespread operational use."