A look at how you can ensure that your Linux enterprise servers are always secure and robust. Open Source doesn’t have to mean complex management of highly customised systems.

Don’t leave the gate open: secure Linux

People often wrongly think that Open Source software like Linux is inherently insecure because:

  • Its openness gives miscreants such as malicious hackers an easy way in
  • It is so highly customisable that there is no standardisation
  • There are no best practice standards for secure architectures and systems management

The truth is that with the right security measures in place, Linux is more secure than any operating system or software solution. The National Security Agency (NSA) even publishes guidelines on securing Linux, which it regards as one of the most secure operating systems.

It’s a case of not locking all the windows and then leaving the front door open. And there is a maturing approach to security management supported by enterprise ready systems management tools.

Don’t Leave the Gate Open: Essential Advice for Securing Your Linux Server Environments

What does securing Linux include?

  • Designing and configuring Linux builds with security front of mind
  • Evolving and maintaining optimal security configuration
  • Applying support patches and security updates promptly
  • Monitoring and reporting on security configuration variances
  • Tightening networking and user access
  • Defining and following appropriate systems management methodologies
  • Using centralised management and authentication services
  • Using logging and auditing to deliver quality assurance and standards compliance, e.g. ISO 27001 and PCI DSS
  • Reviewing policies and procedures at regular intervals
  • Selecting systems management tools like Puppet and Satellite Server for core build configuration management and deployment, Centrify for user authentication and Nagios for monitoring

Make security your default option

Mike Curtis, Executive Director – Service Delivery Director at Linux consulting firm LinuxIT, says: “Linux has all the attributes to make it an extremely secure operating system. The problem is that because there has been little access to best practice architectures and systems management, Linux is rarely designed and configured to be ‘secure by default’”.

When you add to that the inevitable configuration variances that arise as Linux is deployed by different teams, at different times and for various purposes across the data centre, implementing and maintaining the appropriate security measures becomes incredibly complex. At best this results in operational inefficiencies, but more often than not it also leaves organisations vulnerable. That is risky, particularly in today’s IT infrastructures, which often reside on widely distributed networks that are commonly linked to the internet, providing intruders with readily available entry points to corporate systems and data.

How is ‘Linux security by default’ achieved?

The key is standardisation: a way of ensuring that security standards are consistently applied in the design, deployment and maintenance of Linux, so that Linux is configured with security in mind and that security is continually improved and maintained against a backdrop of ever-evolving threats.

There are three fundamental facets to achieving this standardisation:

  • A Standard Operating Environment (SOE) – Core Linux builds that ensure it is designed and configured against standards that include ‘security by default’.
  • A Standard Operating Environment Management Platform (SOEMP) – Systems management tools that maintain quality assurance through consistent and efficient deployment and maintenance of Linux.
  • Best practice systems management processes – Establishing proper governance through policy, process and associated tools to efficiently manage the security of existing and future builds.

Standard Operating Environment (SOE)

An SOE is a carefully defined core build specification. The goal of the Linux core build is to help organisations develop a repeatable process for implementing secure and optimised Linux system builds across their diverse hardware platforms, business applications and workloads.

The core build is designed specifically for each system architecture so that all required security configuration is performed automatically in order to integrate the system into an existing IT infrastructure, for example its authentication services.

The configuration is then dynamically modified for specific hardware profiles and network and security services depending on what and where the system is. A core build essentially allows systems to be deployed rapidly and consistently in a secure manner.

Mike Curtis says: “The core build is designed to eliminate unnecessary software packages and services, thereby reducing vulnerabilities and exposure to risk.”

Standard Operating Environment Management Platform (SOEMP)

An SOEMP is a set of different technologies such as Red Hat’s Satellite Server and Puppet that gives system administrators the power to easily automate repetitive tasks and quickly deploy and proactively manage the SOE and its security.

It is used to drive operational efficiencies and maintain security standards by reducing configuration variances.

Specifically, these tools enable systems administrators to:

  • Manage and efficiently deploy the SOE core builds from a centralised management platform.
  • Deploy errata and configuration changes to core build installations.
  • Simulate configuration changes to the core builds before enforcing them.
  • Enforce the deployed desired state automatically, correcting any configuration variances.
  • Report on the differences between actual and desired states, and on any changes made while enforcing the desired state.
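The simulate / enforce / report cycle listed above, and the ‘security by default’ baseline that the SOE core build is meant to carry, can be shown with a small desired-state enforcer. The script below is an added example written for this article; it is not LinuxIT’s, Puppet’s or Satellite Server’s code. It treats a handful of sshd_config-style directives as the desired state (a hypothetical baseline, not a recommendation from the page), reports drift between a file and that baseline, can simulate the correction without touching the file (the equivalent of a Puppet no-op run), and otherwise enforces it. The sample configuration it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article or from Puppet/Satellite.
# A minimal desired-state enforcer for a key/value config file, illustrating
# the SOEMP operations named in the text: simulate, enforce, report.

# Hypothetical security baseline in "key value" form; a real core build would
# carry its own, much longer, list.
DESIRED_STATE='PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4'

# Write a constructed sample config that drifts from the baseline in three
# places (two wrong values, one missing directive). Not from a real system.
write_sample_config() {
  cat > "$1" <<'EOF'
# Constructed sample sshd_config fragment
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
EOF
}

# Report: print one "key current desired" line per directive that differs
# from the baseline. A directive that is not set at all is reported as
# "<absent>". Commented-out lines (#Key) are ignored because $1 != key.
report_drift() {
  cfg="$1"
  printf '%s\n' "$DESIRED_STATE" | while read -r key want; do
    have=$(awk -v k="$key" '$1==k {print $2; exit}' "$cfg")
    [ -z "$have" ] && have="<absent>"
    [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$have" "$want"
  done
}

# Enforce: bring the file to the desired state, one drifting directive at a
# time, and print each change made. With noop=1 only print what would change
# and leave the file untouched (simulate mode).
enforce_state() {
  cfg="$1"; noop="${2:-0}"
  drift=$(report_drift "$cfg")        # snapshot first, then modify
  printf '%s\n' "$drift" | while read -r key have want; do
    [ -z "$key" ] && continue          # empty report: nothing to do
    if [ "$noop" = 1 ]; then
      echo "noop: would set $key $have -> $want"
      continue
    fi
    if [ "$have" = "<absent>" ]; then
      printf '%s %s\n' "$key" "$want" >> "$cfg"
    else
      # rewrite the live directive in place, leaving comments as they are
      awk -v k="$key" -v v="$want" '$1==k {$0=k" "v} {print}' "$cfg" \
        > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
    echo "set $key $have -> $want"
  done
}

# Demo: build the sample, report, simulate, enforce, report again.
demo() {
  tmp=$(mktemp)
  write_sample_config "$tmp"
  echo "== drift report (key current desired) =="; report_drift "$tmp"
  echo "== simulate =="; enforce_state "$tmp" 1
  echo "== enforce =="; enforce_state "$tmp" 0
  echo "== drift after enforce (empty means compliant) =="; report_drift "$tmp"
  rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh enforce.sh demo`. The point of the design is the same one the SOEMP list makes: the baseline lives in one place, the report is produced from the same comparison that drives enforcement, and simulate mode lets an administrator see the variances a change would correct before any file on the estate is touched.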

An SOEMP significantly reduces the cost of maintaining a core build’s security, quality assurance, deployment and maintenance cycle.

Best practice systems management processes

In order to maintain the security of your Linux systems, security management must form a key component of a holistic Linux systems management methodology such as FCAPS.

Security management of the Linux estate is concerned with:

  • Maintenance of optimal security configuration within each of the core builds
  • User identity management
  • User activity monitoring
  • Security alarm and event reporting
  • Data privacy
  • Audit trail management
  • Virus and malware management
  • Denial of service management

Alongside the SOEMP, technologies like Centrify provide an organised approach to identity and access management that results in stronger security, improved compliance and reduced operational costs. Centrify can help you manage and enforce fine-grained control over user access and privileges on Linux systems, eliminating the security risks associated with too many users having root permissions.

Getting ‘best practice’ advice and assistance

LinuxIT helps organisations across all industry verticals, from SMBs to global blue chips, to apply Linux security best practices so as to mitigate risk and drive operational efficiencies. “By integrating best practice Linux architectures and security management methodologies with enterprise tools such as Red Hat’s Satellite Server, Puppet, Centrify and Nagios, LinuxIT delivers instant and repeatable value to any Linux estate,” says Mike Curtis. “But don’t just take our word for it, let us prove it with an unobtrusive assessment of your current configurations and practices that will at least deliver real peace of mind and very likely knowledge and best practices that will strengthen your security and keep it that way.”

Find out more – download our eGuide: Top Tips for Preserving Choice – A Fundamental Component of Any Linux Strategy now!