Sunday, June 1, 2008

Review: EnGarde Secure Linux

There are hundreds of Linux distributions targeting a diverse set of users. While quite a number of these Linux distributions - especially the mainstream ones - position themselves as a universal solution to all your Linux expectations, some of them take a specialist role of one form or another, catering to a specific set of Linux users.

One such specialized Linux distribution, targeted specifically at servers, is EnGarde Secure Linux. As the name indicates, this Linux distribution lays stress on the security aspect, because servers should be secure out of the box. And EnGarde Secure Linux goes the extra mile and pulls out all the stops to make sure the server is indeed secure. More on that later.

EnGarde Secure Linux is released by its parent company Guardian Digital in two forms - one is the Community edition, which is available for free download, and the other is the commercial Professional edition. The Community edition of EnGarde is full featured, secure and built entirely from open source, and it contains many of the capabilities of the Professional edition. Guardian Digital claims they have over 500 corporate clients across USA, Canada and the rest of the world who use EnGarde Secure Linux.

I decided to install the Community edition of EnGarde Secure Linux on my machine and take it for a spin.

One of the unique aspects of EnGarde Secure Linux is that it ships with only those packages that are absolutely necessary to function as a server. So you won't find software such as an X Window server or other desktop utilities which are expected in any normal Linux distribution. But EnGarde ships with the necessary databases, web server, mail server and DNS server, and you can configure EnGarde to function as any of those or all of them.

Installation of EnGarde Secure Linux
Installation of EnGarde Secure Linux is a trouble-free affair and is carried out via its text-based installer. If you are just interested in trying it out, that is also possible, because the ISO also functions as a LiveCD and you can try out all the features that EnGarde has to offer without installing it on your hard disk.

Basically, these are the steps I had to go through in installing EnGarde on my machine.

Fig: Booting from the CD-ROM


Fig: Decide on the partitioning scheme.

  • Change root and webTool password - this is applicable only if you are using EnGarde as a LiveCD.
  • Decide on whether you want DHCP or static networking
  • Choose between running EnGarde in installation or LiveCD mode - Here I chose Installation mode as I wanted to install it on my machine.
  • Choose the language - English is default.
  • Decide on the partitioning of your hard disk. Here there are two choices. One is the automatic one, where the installer will create the necessary partitions (usually /, /var and /home). The other option is manual, where you can partition your hard disk as per your requirement. But either way, it is not possible to dual boot between OSes if you are installing EnGarde on your machine, as it wipes out your whole disk. So back up your data before you proceed with your installation - you have been warned. I chose the automatic partition option here.
  • Decide on the type of hard disk - whether IDE or SCSI.
  • Choose the packages - The packages are broadly classified into 6 sections namely Databases, DNS, Firewall, Mail services, Network Intrusion Detection and Web services. I selected all the packages and pressed OK and the installer started copying all the files to the hard disk.
  • Next I had to configure the network card and provide information such as the IP address, netmask, the default gateway and the network address.
  • Then it prompted me to provide a fully qualified domain name for my machine.
  • Lastly I had to enter the IP address of the primary and secondary name server.
That was it. EnGarde Secure Linux was now fully installed on my machine.

By default around 220 packages are bundled with EnGarde, and using the versatile webTool you can also install an additional 300 or so packages, all of them cherry-picked for use at the server end. EnGarde is available for i686 and x86 64-bit architectures and uses RPM packages managed by apt-get.

Security aspects of EnGarde Secure Linux
EnGarde implements security by following a number of rules.
  1. It locks down the box at the host level through a number of features such as TCP wrappers, globally restricted user rights and SELinux policies running in enforcing mode.
  2. At the network level, EnGarde ships with a plethora of network tools which allow a system administrator to analyse the security level of his machine and take preventive measures. EnGarde ships with a unique webTool through which you can do any and all system administration tasks from a remote location including rebooting or shutting down the server. This means that after installation, you can safely place the server in a locked room and not worry about its physical security.
  3. Up to date security patches of software are released on a regular basis (more like every month) enabling system administrators to plug any security holes in the server software they run. This is automated to a certain level via the Guardian Digital Secure Network (GSDN). And you are prompted to register and create a GSDN account (for free) - it is not an option.
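
The host-level controls in item 1 can be checked from configuration text. The sketch below is an added example, not EnGarde's or Guardian Digital's code: it reads SELinux config text and evaluates a simplified subset of TCP wrappers rules (daemon and client lists with ALL, exact names, network prefixes and domain suffixes only; no EXCEPT or netmasks). The function names and sample files are constructed for illustration.

```python
# Added example: audit two host-level controls from configuration text.
# Sample files at the bottom are constructed, not taken from an EnGarde system.

def selinux_mode(config_text):
    """Return the SELINUX= value from /etc/selinux/config-style text, or None."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return None

def _rules(text):
    """Yield (daemons, clients) lists from hosts.allow / hosts.deny text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            daemons, clients = line.split(":")[:2]
            yield daemons.replace(",", " ").split(), clients.replace(",", " ").split()

def _client_matches(pattern, client):
    if pattern == "ALL" or pattern == client:
        return True
    if pattern.endswith("."):        # network prefix, e.g. "192.168.1."
        return client.startswith(pattern)
    if pattern.startswith("."):      # domain suffix, e.g. ".example.com"
        return client.endswith(pattern)
    return False

def _file_matches(text, daemon, client):
    return any((daemon in d or "ALL" in d) and any(_client_matches(p, client) for p in c)
               for d, c in _rules(text))

def wrappers_decision(allow_text, deny_text, daemon, client):
    """hosts_access order: a hosts.allow match grants, then a hosts.deny match
    refuses, and a client matching neither file is granted access."""
    if _file_matches(allow_text, daemon, client):
        return "allow"
    if _file_matches(deny_text, daemon, client):
        return "deny"
    return "allow"

# Constructed sample configuration
SELINUX_CONFIG = "# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n"
HOSTS_ALLOW = "sshd: 192.168.1.\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    print(selinux_mode(SELINUX_CONFIG))
    print(wrappers_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", "203.0.113.9"))
```

The last rule in `wrappers_decision` is the one to watch when auditing: with an empty hosts.deny, a client that matches nothing in hosts.allow is still let in, so a default-deny posture depends on the `ALL: ALL` line being present.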
WebTool in EnGarde Secure Linux
At the end of installation, you are notified that the most preferred way of administering the Linux box is via a web browser using the address https://:1023/.

I initially typed the address but missed the 's' in 'https' and was flummoxed but later figured out my mistake and correctly typed the address. That is right, the web tool is accessed via secure http (using SSL).

You log in to the webTool using two different passwords depending on whether you are using EnGarde as a LiveCD or if you have installed it on a machine.

For LiveCD :
The login name is 'admin' and the password is the root password you set while booting the EnGarde Linux CD.

When Installed :
The login name is 'admin' and the password is "lock&%box". And the first time you log into the admin section, you are confronted with an initial configuration screen.

Here the first thing you are prompted to do is register for a GSDN account which is free. EnGarde Secure Linux makes use of the GSDN account to provide up to date automated security fixes to your server. Then specify (or rather change) the root and webTool password, specify the NTP servers as well as your geographic location and lastly fine tune the services you would require to run on your remote server.

Fig: WebTool main page

The web interface can be viewed in three languages at present namely English, Spanish and Italian with work going on to support more languages.

WebTool is the pivot with which you can effectively administer the system remotely from within a web browser.

I was really amazed at the things you can achieve from within the web tool. For instance, you can manage users, manage database servers, manage the web server (Apache), implement DNS, view all the security logs updated in real time, manage mail servers, enable and disable system level services, enable and configure firewall, even run most of the security tools such as Snort bundled with EnGarde and view their output in the web browser. In short the web tool is a one stop shop for troubleshooting and managing your server from a remote location. A very powerful interface indeed.

I can already see the possibilities where choosing EnGarde Secure Linux at the server end could circumvent some hardware limitations. Here is a scenario - say you are interested in hosting a website on a VPS (Virtual Private Server) account. Nowadays, it is possible to get a VPS account for as low as $7/month. While the price is equivalent to any shared hosting price, there is a catch, which is that, at that low price, the memory (RAM) allocated to your virtual machine is not more than 64MB and the % of CPU cycles allocated is also limited. You can't possibly run cPanel or Plesk in this account as they require at least 256 MB of memory to be allocated to your server to function efficiently. Since the webTool is integrated with EnGarde Secure Linux and does not utilize much memory, EnGarde turns out to be a viable alternative solution to an automated server, not to speak of the importance it gives to security and performance.

To sum up, I found EnGarde Secure Linux to be a unique blend of a robust Linux server topped up with loads of security features coupled with a very powerful webTool which aids in administering the server remotely, all from within a web browser.
