
Commentary: Addition of IPsec locks down 2.6 kernel

Expert adviser Kenneth Milberg comments on the security upgrades in the 2.6 Linux kernel, in particular the addition of IPsec.

Enterprise administrators need not fear that 2.6 kernel developers have compromised security in exchange for enterprise benchmarks. While vulnerabilities may be found -- for example, a serious flaw was recently discovered in the mremap memory management features in 2.4 and 2.6 -- the open source community reacts and patches quickly. I haven't seen security compromises in Linux, and I don't expect to see them.

Linux gets stronger with every kernel upgrade. And performance, reliability and security improvements lead every kernel wish list. Security, in fact, is at the top of most -- and 2.6 won't disappoint, as many of the strong features of Linux 2.4 have been improved in 2.6.

IPsec puts Linux on security par with Unix

The addition of IPsec (IP Security) support is the most important improvement in 2.6's overall security outlook. Support for this protocol (IPv4 and IPv6) brings Linux on a par with Unix. IPsec provides security for the transmission of sensitive information over unprotected networks, like the Internet.

Using cryptographic security, IPsec acts at the network layer, protecting and authenticating IP packets among participating IPsec devices (such as routers, servers and so forth). The critical element is that, because security is at the protocol level, your applications do not have to be explicitly aware of it. It works at a much lower level than SSL and other tunneling-type protocols. Supported in-kernel cryptographic algorithms include SHA (Secure Hash Algorithm) and DES (Data Encryption Standard).

IPsec not only offers encryption, but authentication as well. It provides the ability to authenticate the remote partner, making it a secure version of IP. IPsec supports AH (Authentication Header) for this purpose, though the customer can decide not to configure it.
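As an added illustration (not code from the original article or from the kernel), the following Python shows what AH authentication actually covers: the immutable parts of the IP header plus the AH and payload, keyed with HMAC-SHA1-96. Addresses, SPI and key are constructed test values; the packet is transport-mode IPv4 without options.

```python
import hmac
import hashlib
import struct
import ipaddress

IPPROTO_AH = 51   # IPv4 protocol number for the Authentication Header
ICV_LEN = 12      # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits

def _zero_mutable(ip_hdr):
    """Zero IPv4 fields that routers may change in transit (TOS, flags and
    fragment offset, TTL, header checksum) so AH covers only immutable parts."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def _icv(key, ip_hdr, ah_fixed, payload):
    # The AH's own ICV field is treated as zero while the MAC is computed.
    covered = _zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, spi, seq, payload, next_hdr=17):
    """Transport-mode IPv4 packet: IP header, AH, then a UDP (17) payload.
    The IP checksum is left zero here; it is mutable and not authenticated."""
    ah_len = 12 + ICV_LEN
    total = 20 + ah_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64,
                         IPPROTO_AH, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # AH fixed part: next header, length in 32-bit words minus 2, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(key, packet):
    """Return True only if the packet's AH ICV matches under this key."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl != 20 or len(packet) < ihl + 12 or packet[9] != IPPROTO_AH:
        return False
    ip_hdr = packet[:ihl]
    ah_fixed = packet[ihl:ihl + 12]
    ah_len = (ah_fixed[1] + 2) * 4
    icv = packet[ihl + 12:ihl + ah_len]
    payload = packet[ihl + ah_len:]
    expected = _icv(key, ip_hdr, ah_fixed, payload)
    return hmac.compare_digest(icv, expected)   # constant-time compare
```

A decremented TTL still verifies, while any change to the addresses, the AH or the payload, or a different key, fails the check.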

What's really important is that IPsec is designed for interoperability, which means that any compliant device can exchange certificates with products from multiple vendors that support this, whether they are Cisco routers (3Com, Bay and Ascend all have supported devices), HP9000 Unix systems (Sun Microsystems and IBM also have supported products) or Linux servers.

Even Microsoft supports IPsec, in Windows 2000 and XP. Those implementations are based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.

Before you say, "Hey, wait a sec! I'm already using IPsec and Linux, even though I don't have the 2.6 kernel," hang on a minute. While you may in fact be using some form of IPsec, it is not tied to the kernel, and the methods of its integration have known issues.

The most popular method of adding IPsec to 2.4 is FreeS/WAN (available for Linux kernel 2.2 and higher), which was the first major implementation of IPsec for Linux. It is an add-on that had not been merged with the mainline kernel. Some of the reasons for this were political in nature, though many folks were concerned with the quality of the code. People who know will tell you that it does not integrate too well with the Linux kernel.

The importance of putting IPsec in the kernel cannot be overstated. Without kernel support, Linux would have continued to be perhaps the only enterprise-wide platform that could not do IPsec out of the box -- a definite shortfall. Not only will it increase the overall reliability and performance of the product, but it also adds to the overall perception that Linux is truly an enterprise-ready platform for the future.

Netfilter tweaks for the better

Netfilter, a packet filter, is one of the best security features in 2.4. Some deficiencies were addressed in 2.6, including improvements to bridging firewall code where bridged packets can now be seen by Netfilter.

Netfilter/iptables was a major advancement to the 2.4 kernel's filtering code. The addition let administrators establish and configure packet-filtering rules. Now, you might say, "What's so great about Netfilter?" Essentially, it is a rewrite of other packet-filtering systems that Linux has had for quite some time.

Linux has had packet-filtering capabilities since 1994, starting with ipfw. Ipfwadm was in the kernel until the late 1990s, when ipchains was introduced in the 2.2 kernel. But ipfwadm and ipchains were simple tools that did not really meet complex corporate network needs.

Both lacked OS support for NAT (Network Address Translation) and protocols like Real Audio. What Netfilter did, then, was provide a raw framework for packet manipulation as packets moved through the kernel. With 2.4, that framework had support for packet filtering and IP masquerading. It also provided improved support for load-balancing requests for servers behind the corporate firewall. Additionally, it gave administrators a choice of either stateless or stateful capabilities and provided support for NAT.

Some other issues with 2.4 included problems with code replication, dynamic rule sets and solutions for API to GUI. (In his document, The future of Linux packet filtering targeted for kernel 2.6, Harald Welte discusses specific areas to be addressed.)

Other features lock down 2.6

There are other security features that bolster the 2.6 kernel as an enterprise-ready technology. One area is POSIX Access Control List support. Though some versions of Linux have ACL-type systems in place, Linux 2.6 has actual kernel support out of the box for POSIX ACLs.

With this feature, the corporate world can now feel more comfortable with overall host security, in the sense that they can define ACLs similarly to how they do so on their Unix servers. This is very important to managers who need to really tighten overall file-system and directory security within their hosts.
