Coming Next Year: The First 'Trusted' Linux OS
Red Hat, with help from IBM and Trusted Computer Solutions, said Tuesday that it plans to put its Red Hat Enterprise Linux operating system through the National Information Assurance Partnership's Common Criteria evaluation program in a move to create the first "trusted" Linux operating system. When the next iteration of Red Hat Enterprise Linux, version 5, is released in late 2006, it's expected to have a rating of Evaluation Assurance Level 4, or EAL4, and to achieve "trusted" status by including the security capabilities of three protection profiles: labeled security, controlled access, and role-based access control.
"The big thing here is that it makes Red Hat Enterprise Linux 5 the only other trusted operating system in the world, beyond Trusted Solaris," says Ed Hammersla, chief operating officer of Trusted Computer Solutions, a provider of security software and services. "It's a big milestone in the maturity of Linux."
A trusted operating system is valuable for government agencies and businesses because it allows system administrators to deliver different levels of security on the same system. For example, an intelligence agency can manage access to secret and top-secret data on a single system, even if users have different security clearance levels. This is useful in the business world as well, as companies seek to provide access to different types of information to different users, whether they're employees, customers, or business partners.
The trusted version of Red Hat Enterprise Linux will build upon the Security Enhanced Linux, or SELinux, guidelines the NSA developed to make the operating system more secure. The Linux community in 2003 included SELinux's mandatory access control capabilities in version 2.6 of the kernel, upon which Red Hat built version 4 of its Red Hat Enterprise Linux.
Red Hat rival Novell has taken a different route to security with its SuSE Linux operating system. SuSE Linux Enterprise Server 9 has since February held an EAL4+ certification and was likewise built around the 2.6 Linux kernel. Novell, however, hasn't been as vocal an advocate for SELinux, saying the technology's features are too complicated for users to fully implement. Instead of pursuing a trusted operating system, Novell's strategy has been to encourage the combination of multiple layers of security beyond the operating system.
Novell in May acquired Immunix Inc. and its AppArmor software, saying at the time that, while EAL certification is a reflection of the operating system's access controls and password protections, AppArmor is used to build a shield around applications operating in the Linux environment that prevents them from being co-opted by viruses, worms, and other malware into doing things they shouldn't. Using application containment technology, AppArmor is designed to keep applications from "masquerading," or using ill-gotten permissions to do malicious things.
The main problem with trusted systems has been their cost. The most common trusted operating system to date has been Trusted Solaris, which is more expensive than a normal Unix operating system and in the past ran only on more expensive RISC-based servers. Trusted Linux, by contrast, would be open source and run on less expensive x86-based servers. "That's a huge driver for customers as they try to find ways to take these trusted applications to commodity hardware," says Paul Smith, Red Hat's VP of government sales operations. The greatest expense would be for support services, particularly for government agencies that require their service providers to hire pricey consultants with high levels of security clearance.
In fact, trusted Linux stands apart from other trusted operating systems developed over time because it won't raise operating-system licensing or hardware costs. Red Hat is able to provide improved security functions to the operating system without adding to the cost because Red Hat didn't have to invest significantly in trusted Linux R&D. Instead, Red Hat contributed about 20% of the new code to improve the operating system's security while IBM and the open-source community did the rest. "With that collaboration, we can produce a better, faster, cheaper model," Smith says. "This will open up trusted Linux to more mainstream customers in more industries, including health care and financial services, anywhere an organization has multiple layers of users needing access to different types of data."
The work to qualify Red Hat Enterprise Linux as a trusted operating system will be done in October on IBM x86-based eServers at an Austin, Texas, lab run by Atsec Information Security Corp., an independent consulting company. Red Hat Enterprise Linux 5 will be evaluated on IBM xSeries, pSeries, zSeries, and BladeCenter servers. The government's formal recognition of EAL4 status will take place sometime over the next 15 months.
Although trusted Linux will formally debut with Red Hat Enterprise Linux version 5, more-industrious users will by the end of next month be able to access a portion of the enhanced security capabilities through Red Hat's Fedora project, a Linux code repository run by the open-source community.
Trusted Computer Solutions partnered with Red Hat in order to avoid having to create its own secure distribution of Linux. "Red Hat also embraced SELinux more than another provider of Linux," Hammersla says. Trusted Computer Solutions plans to port all of its products to run on Linux by the time Red Hat Enterprise Linux 5 is ready next year.
"This makes a trusted operating system essentially mainstream, which is something the NSA has wanted for a while," Hammersla says, noting that the NSA in 1998 published a paper entitled "The Inevitability Of Failure: The Flawed Assumption Of Security In Modern Computing Environments," which called for the development of secure mainstream operating systems.