Packt Publishing Community, Experience, Distilled

Why Do We Need Specialist Security Distros?


Many popular distributions, community-oriented and otherwise, take security very seriously. They have dedicated security teams that go over individual packages before they're rolled into a final release. To make sure you don't have any loose ends, these distributions and many other individual Open Source projects also publish an endless stream of security advisories and updates. Add to this security mechanisms like SELinux, AppArmor, and the upcoming TOMOYO Linux and SMACK, and you know they mean business. So what room does this leave for specialist security distros?

I talk with Ryan Berens of Guardian Digital, makers of EnGarde Linux, to understand their role in the Linux distribution space. EnGarde is distributed in two flavors, one of which can be had gratis. EnGarde is what you'd call a minimalist distribution that you'd install on your server to run critical services. It's also popular for WebTool, its one-stop remote administration tool.

Mayank Sharma: Why do we need a specialist security distro? Why is this better than the 'adding security apps to an existing distro on the server' approach?

Guardian Digital: These platforms exist to fulfill a significant need in the market. Many users want a hardened platform because locking down a system can be both difficult and time-consuming. The challenge of creating a secure foundation requires a holistic view over all system resources, not only at default settings, but as configurations need to change. Hardened platforms, designed and built with security from the ground up, create a much more streamlined, integrated system that ensures a system can stay secure. Bloated distros can be very insecure by default and overcoming that initial state won't be as effective as building security in from the ground up to ensure that tools all work together to minimize access to and control over resources. Simply adding a couple of applications doesn't mean they necessarily 'play' well with other apps or the OS in order to perform as securely as needed.

MS: What is involved in packaging a secure distro? Is there more to it than just packaging firewall and network monitoring apps?

GD: So much more. As I said in the previous answer, a strong focus is on integration and default security. There are processes that could be left open to abuse, that would otherwise get overlooked. One simple example is that EnGarde sets the ls command to have the least privilege, and doesn't allow write access to /bin/ls. Ubuntu, for example, allows write access to the command ls by default. If a user isn't aware of this, it could be a hole in their system that can be compromised. The point is that adding apps that provide some kind of security process doesn't by any means address the internal security of the platform and how it interacts with other processes and applications. Sure they help, but using them, and using them securely, are two different things. How does the system treat passwords? What tools does it use for ordinary, "non-security" apps? How does it integrate them? Does it use best practices for secure remote access? So on and so on...

MS: What are the main differences between the free Community and the commercial Enterprise releases?

GD: Our free community platform is really more of a "bleeding edge" platform. It is a great way for users to set up a secure server and incorporate new and secure functionality, but it isn't always in the kind of stable development that is demanded for a corporate environment. Also, EnGarde Professional comes with our portfolio of secure, business-critical applications: SMS (Secure Mail Suite) for routing and securing email from spam and viruses for tens of thousands of users; SurfSecure, our web enforcement filter for corporate networks; and so on. These applications aren't available for the community (and most of the time, they wouldn't need to be, not at that level of scalability). And lastly, there is the service and support for all users. All implementations of EnGarde Professional are fully supported by our dedicated staff of security specialists, with service options for Installation, Remote Monitoring, custom development and much more.

MS: Who would be the Community Edition's primary users? Can I use it as a secure desktop OS?

GD: The primary users for our Community Edition are really administrators interested in providing a secure server foundation. EnGarde Community (as well as EnGarde Professional) is solely engineered for server operations. This is not a desktop OS for running spreadsheets or playing music - this is about secure, usable functionality for your servers. Even though the corporate version is recommended, there have been numerous examples where EnGarde Community was implemented in a small office environment.

MS: What package management does EnGarde have? Do you maintain your own repository of software?

GD: We utilize RPM and yes, we do maintain our own repository. The platform is engineered from the ground up, and this means that we choose secure packages, and then integrate and develop them expressly with security in mind.

MS: Thank you for your time, Ryan, and wish you luck for the future.



Mayank Sharma is a contributing editor at SourceForge, Inc's Linux.com. He also contributes a monthly column for Packt Publishing, and teaches courses on open source topics at the Indian Institute of Technology, Delhi. Mayank has contributed several articles to the IBM developerWorks technical library and hosts the Linux Security community space.




© Packt Publishing Ltd 2008
