November 23, 2005

Test drive: EnGarde Secure Linux

Author: Irfan Habib

EnGarde Secure Linux is a server-based distribution developed with security in mind. It comes with a minimal set of services so that the server is not unnecessarily exposed, and no superfluous software -- including no X Window-based window manager. Even compilers, such as GCC, are not included. Yet EnGarde enables you to run any sort of Web presence, from a simple mail server to a complete e-commerce site.

EnGarde's hardware requirements are modest. The developers recommend a system with at least a Pentium class processor, with 32MB of RAM or greater, a hard drive of 2GB, and one PCI network interface card.

Since EnGarde is made for servers, it comes with just a simple command-line installer, which asks for a little information from the admin -- except when it comes to setting up the network -- and mostly does hardware detection by itself. EnGarde does not detect exotic hardware devices such as high-end graphics cards or any peripheral devices not common on servers. It just detects essential hardware for servers, such as network interfaces, SCSI peripherals, and RAID controllers.

A common complaint with previous EnGarde versions was that it did not allow an admin to partition the drives manually. This feature has been added to the latest version, while the old automatic partitioning option has been retained.

After the partitioning section, the administrator can select the packages he wants to install. EnGarde comes with MySQL 5.0.13, Apache HTTPD 2.0.55, and Postfix MTA SMTP server 2.5.5.

To manage EnGarde after it has been installed you can use either of two interfaces: one is the shell, and the other is a secure, user-friendly Web-based administration utility called the Guardian Digital WebTool (GD WebTool). With this tool you can administer a server from any platform with a browser and control every aspect of the system. That offers great potential for servers' physical security. It enables you to administer a server without having physical access to it, so you can lock the server in a secure place and manage it from any network-connected device. Remote access to the distribution is limited to SSH and the WebTool.

The GD WebTool is always running on its own dedicated Web server, which allows connections only via SSL and can be accessed on port 1023. When you enter the main screen, you see a page with a menubar on top. The second menu item, called Service, is the most important one. This menu contains links to pages where the admin can control all the services EnGarde can host. You can view general server configurations, configure the DNS server, manage email services, and configure SMTP and POP/IMAP servers. You can also set up an FTP server, manage SSH, and manage the Web server, all from the browser.

Through the System menu, you can access a variety of security-related settings, backup, and maintenance functions, such as specifying the machines that can connect to the server, or which machines can access the GD WebTool. Through this menu you can also navigate to the firewall configuration page. Configuring the EnGarde Firewall through the GD WebTool is a snap: you can configure global firewall settings, shut down and restart the firewall, add trusted and untrusted interfaces, enable or disable the firewall modules that allow services such as FTP and PPTP to pass through the firewall, set up port forwarding rules, and set blacklists of hosts and networks from which to block access. From here you can access the Guardian Digital Secure Network page, which allows organizations to manage the software configuration of the EnGarde installations within their domain. It includes access to software updates, technical support, and security information alerts.

In the System Backup section the admin can create and restore backups and view the changes since the last backup was made. Nearly everything can be backed up, from user home directories and Web server files to DNS configurations. You just specify what is to be backed up, at what frequency, and what to exclude from the backup.

If you want to restore from a backup, you can see a list of available backups with the dates they were made, and of what type they are. Select one and click Restore Backup. After restoring a backup, you'll see a report of what was restored and what was changed in the system.

One feature I would like to see in this section is the SELinux configuration. EnGarde ships with SELinux, but the user is not provided with a user-friendly interface to compile SELinux policies.

Through the Auditing menu you can access the system logs, including PHP, mail, Apache, and MySQL logs. Finally, this section also lets you generate, schedule, and view Tripwire reports.

The GD WebTool is innovative and well-designed and lets you get productive quickly. I would like to see other distributions adopt such a tool, as it allows transparent access to the system from any platform for which a Web browser has been developed.

Conclusion

Guardian Digital's EnGarde Secure Linux is a well-rounded server distribution that pays attention to even the smallest details. Anyone considering establishing a secure server or Web presence should consider it, as it offers tight security, and everything you need to configure a server out of the box is built into it.

The EnGarde Community Edition is licensed under the GPL and free to download. Guardian Digital offers three different "Media Kits," which amount to support plans. The Basic Media Kit, which is priced at $299, offers the following perks: a downloadable ISO link, an annual subscription to the Guardian Digital Secure Network Update Module, access to online installation and configuration guides, and 15-day email incident support dealing with basic installation and configuration only.

The $729 Standard Edition Media Kit brings the user a source and binary CD-ROM of EnGarde, an annual subscription to Guardian Digital Secure Network Update Module, printed and online installation and configuration guides, and 60-day phone, email, and Web support. Support requests can deal only with basic installation and configuration.

The $1,629 Corporate Media Kit brings the most perks to the user, including all of the above and one year of priority phone, email, and Web support, where support requests can deal with anything.
