Security Expert Dave Wreski Discusses Open Source Security
Features editors have a seat with Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, to talk about how Guardian Digital is changing the face of IT security today. We are interviewing Dave Wreski, founder and CEO of Guardian Digital, Inc. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux. EnGarde is touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more. In contrast to most Linux distributions, which try to be everything to everyone, EnGarde is focused exclusively on being an extremely secure, powerfully functional, multi-purpose server. This dedicated focus is unique in the notoriously feature-oriented open-source community.

LS: Your company, Guardian Digital, has been featured on our site numerous times. You, personally, have also been so kind as to share your security expertise with our readers. Can you explain a bit about your company and the offerings you provide?

Dave Wreski: Guardian Digital is dedicated to providing enterprise and small business customers with inherently secure business-critical Internet solutions. We provide everything from web services to email to intrusion detection to VPN services to proxy caching all designed with security as the primary concern. Recognizing the fact that network security can no longer be an afterthought, our solutions provide embedded security at every level of design, providing the bulletproof security corporations need without sacrificing the functionality they desire.

LS: What is the problem with today's network security solutions as you see it? How does Guardian Digital solve these problems?

DW: A large part of the problem with effective network security is the complex architecture of applications. As technology evolves and the availability of features expand, proprietary and open source software solutions are inundated with often unnecessary features resulting in convoluted and hard to secure systems. We, on the other hand, provide hardened out-of-the-box solutions that integrate security and productivity features into a cohesive and easily maintainable system. We achieve this goal by focusing on user and system security in each application and by keeping unnecessary complexity to a minimum.

LS: I notice that you have chosen Linux as the basis of your system. Can you tell us why?

DW: We are strong believers in open source design model and are proud to be active members of the open source community. The innate benefits of the open source method form the foundation for each of our secure solutions. Open source software is transparent, and does not rely on obscuring the source code as a security measure. Our developers, in collaboration with the thousands of open source developers throughout the world, identify and patch vulnerabilities much quicker then closed source counterparts and as a result, we are able to consistently ensure the infallible security our solutions provide.

In addition, the availability of source code allows us to customize each of our solutions to fit the individual needs of our customers, providing the utmost reliability and security. For example, we have modified the basic Linux 2.4 kernel to incorporate OpenWall stack protection. Because of this, we are largely immune to many of the buffer overflow attacks that plague the largest Linux distributions.

LS: What, in your opinion, distinguishes EnGarde from other open-source solutions out there?

DW: There are several areas; I believe that set us apart from anyone else in the market. Our concentration on integrating embedded security, powerful functionality and simplified maintenance into each solution is an enormous differentiator for us. I believe strongly that EnGarde is, quite simply, the most secure Linux server platform available today. It would take considerable work for even the most experienced Linux administrator to render any other Linux distribution as securely functional as EnGarde is right out-of-the box, and that includes those that claim to be "secure"! This is a fundamental issue of design; where other distributions simply try adding a coating of security on top of an existing Linux platform and calling it a "secure solution", where EnGarde actually integrates engineered security into each business-specific solution.

In contrast to most Linux distributions, EnGarde is also quite minimalist. It does not claim to be anything more then an extremely secure hardened server. This makes it much easier to keep it secure. It also incorporates a myriad of security features that others have not really integrated or configured, even if they offer packages that theoretically allow it to be done, which usually involves a lot of work and expertise. These include memory protection, Mandatory Access Control, intrusion detection, exquisite logging, secure-by-default settings for all available services, a minimum of listening ports, and strict control of applications' permissions and user privileges, quick and reliable patching - EnGarde embodies all of these principles. Others may incorporate a few of these features as well, but we are the only ones I know of that have them all, and that includes the other so-called "hardened" Linux installations.

We're not impressed by the simple fact of packages existing for many of these things on other platforms because simply installing them without taking the time to fully integrate them, as we have, can often mean that you may be drawn into a false sense of confidence in your security. Many of these things do require some real expertise to use properly.

LS: Many people would say that there is a tradeoff between security and functionality. Can you comment on this?

DW: Unfortunately, that is a common misconception among users. While you can render an unpatched Windows machine secure by turning it off and locking it in your closet, it is not going to do anything for you. We design our products to encompass every possible security measures in order to minimize the security impact of added functionality. In fact, while EnGarde is most well-known as being a secure a server, it is also able to provide our customers with more then just security. Securely running all of the traditional web and email services, EnGarde is capable of doing it more smoothly and with greater functionality than would normally be available simply by downloading and installing the packages as they otherwise exist. This is especially true in our Secure Mail Suite, a modular extension to the EnGarde system. We can ironically combine greater functionality with greater security by focusing exclusively on services, as opposed to user-level applications, such as you might find on a workstation.

Moreover, you can have all the theoretical security and functionality in the universe; but if the system is too difficult to use, it doesn't matter. To busy IT professionals, there is often no real difference between very arcane functionality and no functionality at all. A well designed system should be intuitive; it should require the least possible knowledge and experience of the user, and above all, should consistently perform as it is expected to.

To back-up that theory, Guardian Digital solutions afford users ease of use and simplified administration. Utilizing a remotely accessible web interface, over a secure SSL channel, provides effortless administration and maintenance for all Guardian Digital solutions. The WebTool is something we are very proud of. We have worked very hard to make administering EnGarde exceptionally easy -- so easy, in fact, that it is one of the features that sets us apart.

LS: What are the advantages of offering a lightweight distribution?

By choosing a select set of packages, generally by best-of-breed, we can concentrate on integration. While other distributions may want to throw a lot of options at the user; it takes an enormous amount of work to make all of the components operate together properly. For example installing a random MTA (Mail Transport Agent), amavisd, and spam and virus checking programs into an existing system and get them all working together smoothly is a very difficult and time consuming task.

EnGarde alleviates situations like these, by handling application integration behind the scenes, meaning everything is configured to work seamlessly together. Many of our customers tell us that this is one of the greatest things about EnGarde. They are not interested in having a lot of 'choice' so much as they are interested in efficiency, functionality, and quick, easy access. You can take an EnGarde install CD to a new computer and have a hardened web server running in twenty minutes.

LS: You've emphasized that EnGarde is very secure. Can you tell us specifically what technologies you use to keep EnGarde servers secure?

DW: EnGarde is engineered to be secure, that is, robust security features are available at every level of design. Of course, we use secure services, such as SSL-tunneled IMAP and POP for mail. But the platform itself is also hardened.

Besides the kernel memory protection I talked about before, we also watch over the important system files with Tripwire and Snort, two industry-standard open source intrusion detection tools. For further security, we have also weaved LIDS (Linux Intrusion Detection System) into EnGarde. LIDS is not really intrusion detection, by the way; tripwire provides host-level intrusion detection for EnGarde. LIDS provides Mandatory Access Control, which means that the power of the 'root' user is contained by roles. Even if someone manages to get root access to your server, there is little they can do unless they know the password to unlock LIDS. They cannot otherwise touch your system files, configuration, or auditing. Like Tripwire, this application is not included hoping administrators knows how to implement it; configuration is taken care of for you and EnGarde employs it from the first install, which is a definite contrast to all other distributions.

For additional security, we have developed a very sophisticated graphical auditing and reporting system accessible to the web administration interface. This module reports system activity for both for events on the server itself and other the network. Incorporating pre-configured mrtg, administrators can monitor network traffic patterns for suspicious or potentially malicious activity. Graphical reports are sent to administrators providing the resources they need to ensure system effectiveness, pinpoint potential issues, and identify unlawful use. The refined auditing system will also automatically log suspicious user activities, and automatically alert the administrator as soon as these events occur.

LS: Patching is a major concern in security circles. In this age of zero-day attacks, how do you keep your systems patched?

DW: The past has shown that our products tend to need fewer patches than most of our competitors due to the hardened security of EnGarde. However, no one is completely immune to every attack and when we do need to implement a security patch for an open- source package; we are often amongst the first to do so.

To make patch-management as simple as possible, we have developed a sophisticated patch-management system, Guardian Digital Secure Network (GDSN). Using this single web interface, an administrator can easily patch their EnGarde system with a simple click of the mouse. GDSN keeps track of dependencies for you, which also solves one of the biggest hassles of system maintenance today.

LS: What are some developments Guardian Digital has recently released?

DW: A few months back, we released the very first open source intrusion detection and prevention system. It was a very successful release and in the short amount of time it has been available it has proven to be a critical security tool and a product organizations really needed. We also recently released the next-generation of our secure email system, Secure Mail Suite. Through months of planning and development, we have created the most complete email system of its kind. It's very powerful, has an intuitive interface, and of course, secure.

LS: What does the future hold for Guardian Digital?

DW: The future is very bright. We are consistently working with our customers and the open source community to continue to develop the most technologically advanced security and productivity applications and customer-friendly service offerings that will further protect corporate networks from the ever-changing barrage of Internet security attacks.

LS: Dave, thank you so much for your time. We wish you and your company the best of luck!

For more information, please visit

Only registered users can write comments.
Please login or register.

Powered by AkoComment!