Red Hat Stresses Security, Rolls Out Certificate System
by Timothy Prickett Morgan
Commercial Linux distributor Red Hat will today complete its Netscape hat-trick, which instead of the expected three wins will only have two. Those are the re-commercialization and open sourcing of the former Netscape Directory Server, which was released in June as Red Hat Directory Server, and today's re-launch of the Netscape Certificate Management Server, which makes its debut at the LinuxWorld trade show as the Red Hat Certificate System.
According to Mike Ferris, director of identity and security solutions at Red Hat, Certificate System is the centerpiece of a brand new and more intense security strategy that the company is rolling out in conjunction with the software. This security initiative, dubbed "Security in a Networked World," aims to beef up security at a platform level, as all operating system vendors are focused on these days, but also to extend security and identity verification out into the networks that link end users, suppliers, partners, and customers into the back-end, middleware, and front-end systems that are running Red Hat Linux. Certificate System will be a key part of Red Hat's security strategy at all levels in the network.
At the core of Red Hat Enterprise Linux 4 and Red Hat's security strategy is, of course, the new Security Enhanced Linux (SE Linux) variant of the Linux 2.6 kernel. SE Linux is a hardened variant of Linux that has kernel tweaks and other mandatory access controls built into the kernel and into network services, which make Linux suitable for security-sensitive applications; the SE Linux specification and modifications were made by the open source community, IT vendors, and the National Security Agency. The access controls give every application and service only the minimum access to the Linux kernel and other Linux services that it needs to perform its function. There is a slight performance penalty when running in SE Linux mode, and Red Hat only allows customers to activate SE Linux if they buy a set of implementation services from Red Hat, because it is not simple and it has ramifications for how a network and its applications work.
While Red Hat, like other operating system vendors, has pursued various Common Criteria certifications for its implementation of Linux running on specific server iron, Ferris says that Red Hat will be looking beyond Common Criteria EAL security ratings to other areas. One prominent example is Homeland Security Presidential Directive 12, which is a directive from the White House to develop and implement a common identification standard for federal employees and contractors. Federal Information Processing Standard 201 (FIPS 201) was developed to meet this directive, and among other things it requires the integration of smart card technology and digital certificates to uniquely verify the identity of an employee or contractor as they move around government buildings and computer systems. The Department of Defense, just as an example, already has 4 million employees equipped with smart cards. Red Hat will be seeking to address as many of the FIPS 201 requirements as it can, says Ferris, and some of the features in Red Hat Enterprise Linux 4 already meet FIPS 201 specs.
Ferris also says that Red Hat Network, the company's system for provisioning, updating, and patching its Linux operating systems at commercial sites, is being tweaked so that it can provide rudimentary performance and security monitoring of the systems it is linked to. He was quick to point out that this is not an intrusion detection or prevention system, and he did not want to discuss the possibility that this might be Red Hat's next move (although it is a pretty obvious one). In fact, Sourcefire's Snort intrusion prevention system was mentioned as a product that could fill this gap in Red Hat's defenses. Acquiring Sourcefire or another competitor might make sense.
But the new Certificate System is clearly one of the cornerstones (along with SE Linux) of Red Hat's broader security strategy. For instance, Ferris says that Red Hat is working with the Mozilla Foundation to automate the detection of smart cards in systems that are equipped with the Firefox Web browser and the Thunderbird email client. The idea is to have Certificate System create and manage a unique digital certificate for each user and then only allow access to the appropriate Web and email files that the certificate says the user is authorized to see.
Rather than price Certificate System based on the server, Red Hat is being smart and pricing it based on the number of unique digital certificates that an organization generates and manages. The price is $6 per certificate per year, and customers have to buy them in blocks ahead of time, not individually, because Red Hat did not want to build a subscription system that tracks the deployment and usage of individual certificates. Moreover, customers have to set up their own trusted server to be the authority behind the digital certificates that they use; Red Hat has no plans to distribute digital certificates on behalf of clients through the Red Hat Network, although this is an interesting possibility that Ferris did not want to discuss. The Certificate System server to deploy the certificates is free, and presumably Red Hat will put the Certificate System out as an open source project, much as the commercial Directory Server is backed by the Fedora Directory Server project.
Certificate System runs on RHEL 3 and 4 in 32-bit mode and on Sun Microsystems's Solaris 9 on Sparc processors in either 32-bit or 64-bit mode. Presumably Red Hat will get Certificate System ported to HP-UX 11i (as Directory Server has already been for both PA-RISC and Itanium processors) as well as to Solaris 10 on X64 iron. Red Hat is undoubtedly working on 64-bit Linux versions of both Directory Server and Certificate System, but these have not been announced as yet. When Red Hat bought the Netscape products in September 2004 for $23.5 million, it promised to get them out the door in six to 12 months, and to its credit, it has done so. But the software has a few more ports that need to be done.
Directory Server and Certificate System have a decade-long history, and have been passed from company to company since Netscape threw in the towel in November 1998 and was acquired by America Online for $4.2 billion. As part of that deal, Sun Microsystems and AOL agreed to sell and support the Netscape server products, which included a Web server and various other pieces of middleware. Sun paid AOL $500 million for systems and services to run the Netscape products on its own site, and Sun bought $350 million in advertising, so the net Netscape money from Sun to AOL was $150 million. Sun and AOL sold the Netscape servers as part of their iPlanet partnership, which Sun absorbed in October 2001. Sun was able to get its hands on the Netscape software because AOL had started hemorrhaging in the wake of the dot-com bubble bursting. In January 2000, AOL paid $182 billion in stock to acquire Time Warner, and the Netscape software was the least of its worries, which is why that software never attained the market penetration that was possible. While Sun has used the Netscape servers as the basis of its Java Enterprise System middleware suite for Solaris, Linux, HP-UX, and Windows, AOL-Time Warner had retained the rights to Netscape Directory Server and Netscape Certificate Management Server.