Click here to close now.


Linux Containers Authors: XebiaLabs Blog, Elizabeth White, Jayaram Krishnaswamy, AppDynamics Blog, Wayne Ariola

Related Topics: Linux Containers

Linux Containers: Article

Securing a Tightly Integrated OS

Protect your system with a layered approach

As the state of the art in operating systems (OS) continues to advance, an unnerving trend has emerged: vulnerabilities in tightly integrated operating systems. How do you address this? With an effective combination of educated staff, proper procedures, and technology.

Rather than being a collection of separate utilities and daemons, the modern OS is moving toward a highly integrated system with numerous dependencies. As a result, the core of the OS is more easily exposed to a broader range of vulnerabilities. While Linux still largely a collection of separate components, Microsoft Windows is at the forefront of this design principle and, in fact, is moving to an even more tightly integrated system. The risks can become significant. Whenever a vulnerability is found in one of the core components of a tightly integrated OS, interdependent components are vulnerable as a result. Developing an appropriate approach to protecting systems with tightly integrated OSs is the key to maintaining a secure and safe network environment.

The rationale for a tightly integrated operating system is sound - reduced development costs and effort, a reduction in portability issues, and fewer components to break. The flip side is unprecedented exposure to vulnerabilities. In the past, when a single system component had a vulnerability the impact was isolated to that single component. However, due to the dependencies introduced by extensive integration, that one component may now impact multiple applications. It is this chain of dependencies that presents enormous risk.

A Practical Approach to Isolating the Exposures

A number of approaches exist for isolating - or at least reducing - your exposure in cases such as these. For the purposes of this article, the assumption is that it is impossible to catch every security flaw during development and that organizations will need to take measures to protect themselves until patches or upgrades are available that solve the security flaw.

The simplest approach to dealing with exploits aimed at integrated OSs is to turn off any services not required or restrict access to those services via network firewalls or network intrusion prevention systems (IPSs). Turning off a service entirely is rarely a practical option for Web servers or file servers. In the specific case of a Web server, doing so would certainly solve the problem, but then you wouldn't have a Web server!

A layered approach consisting of the following primary components is the most practical solution:

  1. Education of your network and system administrators
  2. A baseline of the current state of your network
  3. Proper configuration of the host operating system, including current patches and service packs
  4. Proper configuration of the network service being hosted
  5. A generic network firewall to allow only specific traffic in and out
  6. An IPS to cover the bases left open by the network firewall
  7. An on-board firewall for each device (IPtables in Linux, TCP Filters in Windows)
  8. In the case of a Linux system, a chrooted environment for each available network service, and optionally physical separation from the internal network
Having an educated and security-conscious staff is the most important of these options. The ability to recognize, understand, and correct a potential security exposure or configuration error is much more valuable than any technology solution. Your staff is truly the first line of defense.

Knowledge is power! Knowing your current exposures and configuration issues should be on your short list, regardless of how far into this process you may go. Rectifying the issues found should be the immediate next step - directly followed by another baseline to once again ascertain any new issues. Automated vulnerability management tools can help make this process straightforward and manageable.

Current shipping distributions of Linux as well as current shipping versions of Windows still contain many services that are not useful or appropriate for a device that will host publicly accessible network services. You should identify and disable these services before the device is ever connected to any network. Linux is able to fully function with far fewer resources than Windows, and you should take advantage of this. If the first step (i.e., a well-educated staff) was successful, your administrators will be able to identify which services to safely disable.

The network service itself, for example a Web server, should also be properly configured. No prepackaged examples or documents should be present anywhere within the document root, nor should any of this data be accessible by anyone over the network. For example, many exploits exist that rely upon these stock examples being installed in a default installation of the Microsoft IIS Web server.

Every network that is to be interconnected with any other network should have a firewall at the gateway. The firewall should be configured to only allow specific traffic both into and out of the network. Nearly every firewall controls inbound traffic, but few are configured to also control outbound traffic. For example, should an internal system ever be infected with a worm (as has happened both with Linux and Windows), the outbound controls will hopefully limit the impact and propagation of the worm.

An intrusion prevention system (IPS) is a great tool to fill in the cracks that a firewall leaves open. As most firewalls do not normally perform any type of content inspection (or very limited if they do), the allowed traffic is by no means assured to be free of malicious content or exploits. This is where an IPS really shines - the ability to inspect all traffic for attacks. Most IPS products also allow the traffic to be blocked, hence the prevention in intrusion prevention system. The value of an IPS is often discounted or misunderstood, yet for those in the know, an IPS represents a 24/7 partner that never stops preventing the malicious traffic from entering your network.

An on-board firewall is a critical component that will shield your organization from the inevitable configuration error. By restricting which types of network traffic may be passed into and out of each endpoint, you greatly reduce your exposure. Windows and Linux have this capability. Most Linux distributions use this out of the box; however, Windows must be configured after the fact to leverage this capability, although Service Pack 2 for Windows XP will change that.

Chrooted environments are an extremely effective means to isolate processes on a Linux system. Linux has native support for chrooted environments and most distributions ship with tools out of the box that will allow you to do this for nearly any network service (or any process for that matter!). Unfortunately, Windows has no good way to implement a chrooted environment. A somewhat feasible option for Windows includes running VMware, but the resources required are often too much, making this impractical. The primary benefit of a chrooted environment is the logical separation: if a process or application is exploited, the damage is limited to the chrooted environment, significantly reducing the impact to the rest of the system. How-to's exist for popular Linux network services and a quick search on Google will find those.


The rate of exploit attempts and network worms is rising and will continue to rise. The attack vectors are continually increasing in their sophistication, and attacks are becoming much more difficult to prevent or even contain. Both Linux and Windows can be made insecure in a network environment - and both can also be made secure enough to be safe. Regardless of your chosen platform, the most important tool available to you is an effective combination of your staff, proper procedures, and technology.

More Stories By Brad Doctor

Brad Doctor, CISSP, is StillSecure's director of security research. He has been involved in IT security for more than 10 years. Prior to StillSecure, Brad consulted for such companies as Apple Computer, Phoenix Technologies,
and the Monster Board, fulfilling network and host-based security needs. In addition to traditional IT security, Brad also worked with Quova, Inc., as the director of research.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@ThingsExpo Stories
Internet of Things (IoT) will be a hybrid ecosystem of diverse devices and sensors collaborating with operational and enterprise systems to create the next big application. In their session at @ThingsExpo, Bramh Gupta, founder and CEO of, and Fred Yatzeck, principal architect leading product development at, discussed how choosing the right middleware and integration strategy from the get-go will enable IoT solution developers to adapt and grow with the industry, while at the same time reduce Time to Market (TTM) by using plug and play capabilities offered by a robust IoT ...
Today’s connected world is moving from devices towards things, what this means is that by using increasingly low cost sensors embedded in devices we can create many new use cases. These span across use cases in cities, vehicles, home, offices, factories, retail environments, worksites, health, logistics, and health. These use cases rely on ubiquitous connectivity and generate massive amounts of data at scale. These technologies enable new business opportunities, ways to optimize and automate, along with new ways to engage with users.
The buzz continues for cloud, data analytics and the Internet of Things (IoT) and their collective impact across all industries. But a new conversation is emerging - how do companies use industry disruption and technology enablers to lead in markets undergoing change, uncertainty and ambiguity? Organizations of all sizes need to evolve and transform, often under massive pressure, as industry lines blur and merge and traditional business models are assaulted and turned upside down. In this new data-driven world, marketplaces reign supreme while interoperability, APIs and applications deliver un...
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data shows "less than 10 percent of IoT developers are making enough to support a reasonably sized team....
“In the past year we've seen a lot of stabilization of WebRTC. You can now use it in production with a far greater degree of certainty. A lot of the real developments in the past year have been in things like the data channel, which will enable a whole new type of application," explained Peter Dunkley, Technical Director at Acision, in this interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes about through a Communications Platform as a Service which allows for messaging, screen sharing, video...
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
There are so many tools and techniques for data analytics that even for a data scientist the choices, possible systems, and even the types of data can be daunting. In his session at @ThingsExpo, Chris Harrold, Global CTO for Big Data Solutions for EMC Corporation, will show how to perform a simple, but meaningful analysis of social sentiment data using freely available tools that take only minutes to download and install. Participants will get the download information, scripts, and complete end-to-end walkthrough of the analysis from start to finish. Participants will also be given the pract...
The IoT market is on track to hit $7.1 trillion in 2020. The reality is that only a handful of companies are ready for this massive demand. There are a lot of barriers, paint points, traps, and hidden roadblocks. How can we deal with these issues and challenges? The paradigm has changed. Old-style ad-hoc trial-and-error ways will certainly lead you to the dead end. What is mandatory is an overarching and adaptive approach to effectively handle the rapid changes and exponential growth.
Mobile messaging has been a popular communication channel for more than 20 years. Finnish engineer Matti Makkonen invented the idea for SMS (Short Message Service) in 1984, making his vision a reality on December 3, 1992 by sending the first message ("Happy Christmas") from a PC to a cell phone. Since then, the technology has evolved immensely, from both a technology standpoint, and in our everyday uses for it. Originally used for person-to-person (P2P) communication, i.e., Sally sends a text message to Betty – mobile messaging now offers tremendous value to businesses for customer and empl...
Can call centers hang up the phones for good? Intuitive Solutions did. WebRTC enabled this contact center provider to eliminate antiquated telephony and desktop phone infrastructure with a pure web-based solution, allowing them to expand beyond brick-and-mortar confines to a home-based agent model. It also ensured scalability and better service for customers, including MUY! Companies, one of the country's largest franchise restaurant companies with 232 Pizza Hut locations. This is one example of WebRTC adoption today, but the potential is limitless when powered by IoT.
You have your devices and your data, but what about the rest of your Internet of Things story? Two popular classes of technologies that nicely handle the Big Data analytics for Internet of Things are Apache Hadoop and NoSQL. Hadoop is designed for parallelizing analytical work across many servers and is ideal for the massive data volumes you create with IoT devices. NoSQL databases such as Apache HBase are ideal for storing and retrieving IoT data as “time series data.”
Clearly the way forward is to move to cloud be it bare metal, VMs or containers. One aspect of the current public clouds that is slowing this cloud migration is cloud lock-in. Every cloud vendor is trying to make it very difficult to move out once a customer has chosen their cloud. In his session at 17th Cloud Expo, Naveen Nimmu, CEO of Clouber, Inc., will advocate that making the inter-cloud migration as simple as changing airlines would help the entire industry to quickly adopt the cloud without worrying about any lock-in fears. In fact by having standard APIs for IaaS would help PaaS expl...
NHK, Japan Broadcasting, will feature the upcoming @ThingsExpo Silicon Valley in a special 'Internet of Things' and smart technology documentary that will be filmed on the expo floor between November 3 to 5, 2015, in Santa Clara. NHK is the sole public TV network in Japan equivalent to the BBC in the UK and the largest in Asia with many award-winning science and technology programs. Japanese TV is producing a documentary about IoT and Smart technology and will be covering @ThingsExpo Silicon Valley. The program, to be aired during the peak viewership season of the year, will have a major impac...
SYS-CON Events announced today that ProfitBricks, the provider of painless cloud infrastructure, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. ProfitBricks is the IaaS provider that offers a painless cloud experience for all IT users, with no learning curve. ProfitBricks boasts flexible cloud servers and networking, an integrated Data Center Designer tool for visual control over the cloud and the best price/performance value available. ProfitBricks was named one of the coolest Clo...
Organizations already struggle with the simple collection of data resulting from the proliferation of IoT, lacking the right infrastructure to manage it. They can't only rely on the cloud to collect and utilize this data because many applications still require dedicated infrastructure for security, redundancy, performance, etc. In his session at 17th Cloud Expo, Emil Sayegh, CEO of Codero Hosting, will discuss how in order to resolve the inherent issues, companies need to combine dedicated and cloud solutions through hybrid hosting – a sustainable solution for the data required to manage I...
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Bradley Holt, Developer Advocate at IBM Cloud Data Services, will demonstrate techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user experience, both offline and online. The focus of this talk will be on IBM Cloudant, Apa...
WebRTC is about the data channel as much as about video and audio conferencing. However, basically all commercial WebRTC applications have been built with a focus on audio and video. The handling of “data” has been limited to text chat and file download – all other data sharing seems to end with screensharing. What is holding back a more intensive use of peer-to-peer data? In her session at @ThingsExpo, Dr Silvia Pfeiffer, WebRTC Applications Team Lead at National ICT Australia, will look at different existing uses of peer-to-peer data sharing and how it can become useful in a live session to...
As a company adopts a DevOps approach to software development, what are key things that both the Dev and Ops side of the business must keep in mind to ensure effective continuous delivery? In his session at DevOps Summit, Mark Hydar, Head of DevOps, Ericsson TV Platforms, will share best practices and provide helpful tips for Ops teams to adopt an open line of communication with the development side of the house to ensure success between the two sides.
SYS-CON Events announced today that IBM Cloud Data Services has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IBM Cloud Data Services offers a portfolio of integrated, best-of-breed cloud data services for developers focused on mobile computing and analytics use cases.