Start-up banks on hack-proof Linux

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-959319.html?tag=fd_top

By Stephen Shankland 
Staff Writer, CNET News.com
September 24, 2002, 6:15 PM PT

Start-up Guardian Digital has launched an effort to sell a version of
Linux that's less vulnerable to attack, a niche the company hopes will
gain it a foothold in the market for the Unix-like operating system.

The Allendale, N.J.-based start-up released its EnGarde Secure
Professional product Tuesday, a version of Linux that comes with
management tools and server software designed to thwart attacks. The
product costs $549, plus $219 per year for a mandatory software update
service.

Linux, like the Unix operating system on which it's based and other
operating systems, has had its share of security problems, but often
the problems come with higher-level software such as the SNMP service
for letting administrators manage servers or the Apache program for
sending Web pages to browsers. Guardian Digital aims to stomp out many
of those problems by what software is used, testing it with the other
software and in some cases writing new programs, said Chief Executive
Dave Wreski.

For example, the company wrote management software that substitutes
for SNMP. It's not as vulnerable to attack, Wreski said, though widely
used management software such as IBM's Tivoli can't control it.

"It's a viable niche for a select group of customers," said Giga
Information Group analyst Stacey Quandt of Guardian Digital's product.  
But it's not easy to find a place at the Linux table where revenue is
sparse and Red Hat dominates.

Competition is plentiful. Red Hat is billing better security as one
advantage of its Advanced Server edition. The Cyberspace Security and
Policy Research Institute, a technology think tank at George
Washington University, is pushing for Linux to be certified under the
Common Criteria, a standard that must be met before the United States
and other countries can use products for sensitive government
applications. Hewlett-Packard is working on its own Secure Linux
version.

Perhaps the most direct competitor is WireX, which sells a secure
Linux version called Immunix. WireX has sales partnerships with HP and
Dell Computer.

Those sales partnerships are crucial, Quandt said. "It's not going to
be successful unless they have a relationship and alliance with a
hardware vendor," Quandt said.

Guardian Digital is "working with large hardware companies" on
partnerships, Wreski said, but declined to say which companies. His
company also is working on partnerships with software companies to
have EnGarde used as the foundation for specific tasks such as
screening out viruses and unwanted spam e-mail.

Guardian Digital has a start, though. The 20-person company is
profitable, in part because of consulting services it sells. Its
EnGarde customers include Sony, Hong Kong University, AT&T New Zealand
and Piedmont Natural Gas.

Because of the cooperative nature of the open-source community, the
company doesn't have to start from scratch. Building a secure
operating system from the ground up would have been an "insurmountable
task," Wreski said, but Guardian Digital can pluck the best of what it
finds.

For example, the company, like SuSE, MandrakeSoft and other Linux
companies, opted to use the Red Hat Package Manager, which makes it
easier to install or uninstall software. Guardian also used the
network configuration utility supplied by the noncommercial Debian
version of Linux.

Staying on top of all the software updates produced by the open-source
community is a challenge, Wreski acknowledges. "How do we do what Red
Hat does with 600 people? That's a significant challenge for us," he
said. But Wreski is convinced Guardian Digital's security specialty
will ensure the company a place.

"We use much of the same code as Red Hat," Wreski said, adding that
Guardian Digital has "gone through and configured them to work as
securely as possible."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.