Interview with Michael Rash, Security Architect and Author of "Linux Firewalls"
by Mirko Zorz - Monday, 12 November 2007.
Michael Rash is a security architect with Enterasys Networks, where he develops the Dragon intrusion and prevention system. He is a frequent contributor to open source projects and the creator of psad, fwknop, and fwsnort. Rash is an expert on firewalls, intrusion detection systems, passive OS fingerprinting, and the Snort rules language.

How did you gain interest in computer security?

In 1996 I started working for Digex, Inc., which at that time was a tier-1 ISP in Beltsville, MD. My initial role as a support technician had little to do with computer security, but less than a year later I moved into a group that was tasked with maintaining a set of nearly 100 Check Point firewalls and a few Cisco NetRanger systems for network IDS. This exposure to both the policy enforcement and network intrusion detection sides of computer security sparked a keen interest in the field, and because we were responsible for a large set of systems I also developed an interest in automation. At the time, I had decided to round out my academic pursuits as well and had entered graduate school in the Mathematics Department at the University of Maryland initially to pursue a Ph.D. in pure mathematics. However, my interest in computer security became strong enough (mostly because of the exposure to the field of intrusion detection) to compel me to change my degree path to applied mathematics with a concentration in computer security. I finished in 2000 with a Master's degree. There was nothing more intellectually humbling than attempting to do graduate level work in pure mathematics, and I'm grateful for having had the chance to try, but my heart is in applied aspects of computer security.

Which is your favorite Linux distribution? Which one do you consider to be the most secure?

These days I've become a fan of Ubuntu, and run it on my laptop and also my desktop at work. With the completeness of the Debian repository tree, I find that Ubuntu meets my software and hardware support requirements. Also, Ubuntu is not "service happy", and does not start a huge number of services by default that you might not need (or want) to run. At home, I have a Gentoo system, and a Fedora system as well.

When it comes to security, I view major Linux distributions as relatively similar; that is, they all provide security updates to interested users, many have installers can deploy a firewall, and some take the next step and provide the ability to deploy kernel-level security mechanisms (such as the Mandatory Access Control layer provided by SELinux). Even with all of these protections, it is best to think of security as a process (particularly as something that requires monitoring), and as such always needs to be applied regardless of the Linux distribution.

One area to pay special attention to is the kernel. Major Linux distributions have to compile the kernels they install with maximal hardware support because they need to be compatible with as many end systems as possible. This also extends to filesystems and other areas of the kernel that are not purely related to hardware support. Having a lot of extra compiled code around - especially code that is part of the kernel - is not good for security. In essence, Linux distributions have a built-in layer of unnecessary complexity when it comes to installing on a particular system. So, it is a good idea to recompile the kernel with a set of configuration options that are limited to the hardware and usage specifics where the OS will run, and this is an important step that applies to all major Linux distributions.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th