First page Back Continue Last page Overview Graphics
Why?
Linux is used more and more in network appliances, routers and other critical systems.
Critical systems like these often cannot be upgraded and rebooted instantly when new security hole and fix is found.
Plain vanilla Linux kernel and system is very vulnerable compared to specialized router operating systems because of the basic Unix kernel security features.
Linux kernel has no encryption support for securing communications or data in plain vanilla kernel (at least yet)
Thus there is a need for hardened Linux kernel and security enhancements
Notes:
- Demanding users and environments:
- Nokia Networks has for example stated that their future All-IP network infrastructure will be based on Linux.
- Operators are all ready using Linux to build for example wireless networks (Radionet, Jippii Group) and replace VPN gateways and in general doing multi-purpose gateways
- 24/7:
- imagine upgrading a router or network appliance and something goes wrong, imagine this particular device is middle of nowhere and you're responsible for it
- major changes like upgrading kernel or routing services are not done lightly (or at least should not be done so)
- Linux has problems like other versions of *nix:
- all powerful root account: if you got root, you can do anything, be anyone, go anywhere and leave no traces at all (The NTFS example)
- thus a malicious user/intruder with root access can cause very much damage in very short time
- access control and integrity check for files and processes is just basic test of which user you are, what are the file access rights, there's no logging who has been the last one accessing file.
- often a network appliance based on Linux has shell and a lot of utilities that may be used in a malicious way => control to these must be limited