
Author Topic: Is TCLs Cloud Mode computing really secure ?  (Read 16873 times)

Offline Pats

  • Sr. Member
  • ****
  • Posts: 322
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #15 on: November 29, 2009, 11:58:06 PM »
Thanks guys !
The whole exercise for this thread is to get good feedback from TCL experts to know what can be done to port our current setup (RHLinux) on TCL - since from the very first day of installing TCL we loved it ! :)
The whole concept of TCL is very new and interesting from the users POView. We are really excited abt TCL...

Our current setup is something like this:
1) A gateway server connected to the internet via a cable with only must needed services enabled. It has only Admin a/c ( no users at all ). It also acts as pass-thru mail service. It is simply a Celeron with 128MB RAM.
This m/c in turn is then connected to the LAN thru another intranet server (INServer).
2) This 2nd INServer has most of our needed services like File/Print server, WebProxy, mail, DNS, DHCP etc with proper authentication needed. It is a powerful P4-2.2GHz with 4GB RAM. It has 2 NWCards - one connected to GWServer and other to local LAN m/c.
3) All local users must login with a proper login/pw to access any net service thru this INServer.
4) Since most common users are comfortable with WinOS - so provision is given for Win as well as Linux m/c.
We want to retain our INServer and local LAN as it is - and just want to configure the GWServer with TCL. :)
That's why I wanted to have you experts' feedback on security aspects - which you guys have responded positively . Thanks really !

Quote
As for security, cloud mode is pretty good if your intent is to do some banking or other sensitive operations, stay on only as long as needed, and then reboot.
No the GWServer will be always on !

Quote
One saying I heard is that practicing security is more important than patching for security.  Ideally, both should occur.
I agree - I remember a story going like this ( FoxNews ): - Clinton e-signs the first digital bill with a smart card using his dog Buddys name as the password -
It speaks volumes abt practicing security , when the world's then most powerful man knew nothing abt the digital security. So what abt a common user ! :)

Quote
Also if you are concerned about security you should disable icmp request responses and uptime detection.
Yah , possible ! Thanks !
Quote
If you want enterprise-level Linux, you need something which is branded and -- most importantly -- supported as such. That means SLED and RHEL ...
...
FWIW, I'm currently using Scientific on my "new" laptop and also my desktop and am quite happy with it even though it's not bleeding edge (it's well-patched, though, with SL's security patches coming <= 48 hours after RH's).
....
The very things that make things easier for users -- things like "sudo su" and cheatcodes --  are also things that make it easier for others to affect your system.
....
The "tightest" default install I've encountered is NetBSD's which requires the admin/user to even start SSH (OpenBSD's default is to start SSH unless the user says no at install).
Important points to note from my side !

Quote
Whose project is this anyway?
Quote
"I need or want it to behave like this so the developers should implement this ASAP."
Not at all ! I would definitely like the TCL Team to concentrate on their intended goal - to be portable and modular - !
But since TCL is evolving as a competitive contender in the new Linux horizon - my demands ( read requests -if the term pleases all ) are just my wishful thinking to make TCL more robust and secure !
Actually I foresee TCL as a good case for Embedded Technology in future ! :)

I really thank all of you for this healthy discussion abt TCLs security aspects !

~ Pats

Offline althalus

  • Sr. Member
  • ****
  • Posts: 351
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #16 on: November 30, 2009, 04:01:35 PM »
Ipse dixit. Linux enjoys security through obscurity.
In user space, sure. I'm not sure I'd agree with you if we were to talk about running Linux as a server. A properly configured linux box is rock solid. Even the latest root exploit discovered in Linux is only a risk on most distros IF you install WINE, which brings us to...
Quote
it also doesn't help that most users -- server or workstation -- exercise little restraint, common sense, or caution when using them.
The biggest security hole in any IT system - The users.
Quote
Also, there's this madness affecting most distros to use the most recently released version of any software rather than patch only for bugs and/or security; most "testing" has nothing to do with auditing/testing and more to do with making sure something doesn't repeatedly segfault or cause issues with other packages.
In counterpoint to that, many other packages are far out of date - Ever tried installing FreeRadius from a Ubuntu or RHEL repo? You'll get version 1.x - So outdated it's a security risk in itself, and technically no longer supported. So it goes two ways - Too up to date, and not up to date enough. I find the repo is great for desktop use, but for servers the only "right" way to do things is install the version recommended by the software maintainers, which usually means build from source.

Offline lucky13

  • Jr. Member
  • **
  • Posts: 76
    • my mostly linux-related blog
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #17 on: November 30, 2009, 07:53:24 PM »
@althalus: This is devolving from the topic. I disagree with your dismissive attitude about "user space" (workstations/desktops?), especially since you agreed with my position that the user is the weakest link in security. That's the whole problem with "converting" the least savvy and most susceptible of Windows users to Linux: if they can't manage one learning curve, how do you expect them to manage a second (steeper) one? Then developers dumb things down so that Windows refugees can run everything as root just like they did in Windows. It's freaking stupid. People who can't safely run Windows shouldn't even be allowed near computers, period. And the same applies to servers. Poorly run/configured Linux servers aren't inherently more secure than Windows servers.

I'm not surprised your argument is also founded on a specious point that basically boils down to comparing apples to oranges -- "a properly configured" Linux box versus an improperly configured Windows box. Let's compare apples to apples and oranges to oranges. A properly configured computer -- whether workstation or server -- is going to be more secure regardless of operating system (everything else held constant). And any safely configured computer *used* in a safe manner is going to be more secure than one used without any restraint.

What do you mean by "far out of date"? Software has no expiration date, it doesn't go bad just because developers have newer versions. Enterprise distros' packages *are* patched for known and potential vulnerabilities, to fix bugs, and to add the occasional legitimate feature missing from earlier releases. Is my new laptop's kernel (2.6.18-164.6.1) "far out of date" by your reckoning? I see at least 164 reasons to believe it isn't. The highest release number isn't necessarily the most secure and I've seen way too many cases where it turns out to be the least secure ever. Look at the security feeds on the right side of my blog and note how many enterprise distro (SLED, RHEL, CentOS, etc.) packages get security updates and then look at all the security activity required for the bleeding edge distros. I haven't graphed it in a while, but I did a few years ago to illustrate why certain bleeding edge distros had no place in a production/enterprise environment. There's a price to pay for living on the bleeding edge, and that price is at the expense of security and stability.

Windows updates its OS every few years and most old binaries will still run on new releases. Most Linux distros change things around more drastically and more frequently. I once joked that that's the biggest reason fragmentation is less an issue in Linux than Windows: most Linux users install and reinstall so frequently that their file systems don't have time to frag.

Offline tclfan

  • Sr. Member
  • ****
  • Posts: 286
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #18 on: December 01, 2009, 11:38:35 AM »
This is a fascinating and productive thread and lots of quite valuable information and opinions have surfaced.
I would like to ask the following to levelset certain facts to compose a larger picture:
1. Since no servers are running unless installed, it should be secure? Specifically, if we run just browser, then firewall is not needed and does not add any value, is this correct?
2. Comparing to e.g. Puppy, which runs all as root (which is unacceptable except as rescue disk), how much security TC gains by running as user tc, although with no password and sudo not requiring password either?
No question it is much more secure, just would like your opinion please...
3. Can security attack alter the core system (Kernel and tcz's installed) or just the user persistent files, such as configs, when running from e.g. usb or frugal?
4. If TC is installed in a VM under host OS (e.g. Windows), can keyloggers type trojans infecting Windows intercept key strokes in the TCL VM? This possibility is not TC specific, of course...
4. What security features and configs are necessary to make TC an enterprise ready? Not speaking of support process, of course...

Your opinions would be greatly appreciated...

Offline combo3

  • Full Member
  • ***
  • Posts: 148
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #19 on: December 01, 2009, 04:37:46 PM »
Quote
This is a fascinating and productive thread and lots of quite valuable information and opinions have surfaced.
I would like to ask the following to levelset certain facts to compose a larger picture:
1. Since no servers are running unless installed, it should be secure? Specifically, if we run just browser, then firewall is not needed and does not add any value, is this correct?
Secure only if you are running off a live cd, have absolutely no attached storage devices, and avoid web pages that require passwords or personal information. Otherwise, no.

IOW, doing your personal banking at a wifi hotspot is not a good idea.

Running without a firewall exposes all open ports to the web. A properly configured firewall blocks out unfiltered traffic and exposes only the ports you want open. However, web browsers, by their very design, provide a portal into your machine. Typing a URL into your address bar and hitting enter sends a request to download data onto your pc. What that data contains is anybody's guess. It could be benign text, pretty pictures, a virus, or a trojan that opens up additional ports on your machine.

A text-only browser, or one running without java, javascript, etc., enabled is probably immune to attack. But there's still the risk of passing it on to other devices on your network.

Quote
2. Comparing to e.g. Puppy, which runs all as root (which is unacceptable except as rescue disk), how much security TC gains by running as user tc, although with no password and sudo not requiring password either?
No question it is much more secure, just would like your opinion please...

Without additional hardening, TC is just as vulnerable.

Quote
3. Can security attack alter the core system (Kernel and tcz's installed) or just the user persistent files, such as configs, when running from e.g. usb or frugal?

Altering the core system directly would present an extreme challenge, especially if you're running from a cd. But once someone gains unrestricted access to your machine they can alter data on any device mounted with r/w privileges.

Quote
4. What security features and configs are necessary to make TC an enterprise ready? Not speaking of support process, of course...

I honestly wouldn't recommend TC for enterprise use.

Offline Pats

  • Sr. Member
  • ****
  • Posts: 322
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #20 on: December 02, 2009, 08:39:37 AM »
Quote
Ever tried installing FreeRadius from a Ubuntu or RHEL repo? You'll get version 1.x - So outdated it's a security risk in itself, and technically no longer supported. So it goes two ways - Too up to date, and not up to date enough.
Better educate oneself in Linux Security and deploy all the possible tools at hand to strengthen the network !

Quote
I disagree with your dismissive attitude about "user space" (workstations/desktops?), especially since you agreed with my position that the user is the weakest link in security. That's the whole problem with "converting" the least savvy and most susceptible of Windows users to Linux: if they can't manage one learning curve, how do you expect them to manage a second (steeper) one?
lucky13, I think you are very practical in your approach to the real Q of OS security - from the very POView of the general user , who are the real user of any system in real life. What is the use of the security gadgets from the best manufacturer in the world - if the on-ground user/guards are NOT equipped with the RealTime use/maintenance know-how ?

Quote
<People who can't safely run Windows shouldn't even be allowed near computers, period.>
Impractical - isnt it ? :)

Quote
<I'm not surprised your argument is also founded on a specious point that basically boils down to comparing apples to oranges -- "a properly configured" Linux box versus an improperly configured Windows box.>
Sorry to disagree - but real Q is -practical- approach to the possible secure environment handed-over to the real user, what development policy can be designed for security is the job of product developer - not user !
So whether -apples or oranges- both are equally imp from the consumer (user) angle. Of course the current topic is abt TCLs Cloud Mode !

Quote
<What do you mean by "far out of date"? Software has no expiration date, it doesn't go bad just because developers have newer versions. Enterprise distros' packages *are* patched for known and potential vulnerabilities, >
I think , you are contradicting your own view - it has expired in the current time - thats why developer issues new patches (read - contents) to be acceptable in product life cycle.

Quote
<I haven't graphed it in a while, but I did a few years ago to illustrate why certain bleeding edge distros had no place in a production/enterprise environment. >
Why ? Only because -the distro- has the potentiality for more bugs/vulnerability to collapse in BEdge enviro ? That is possible with even the NASA BEdge brand new capsule !

Quote
<Most Linux distros change things around more drastically and more frequently.>
Thats the real problem with Linux from the users POView ! It is very difficult for a normal user to keep pace with the UNIX fundas - even the directory structure changes with some distros. ;)

Quote
<2. Comparing to e.g. Puppy, which runs all as root (which is unacceptable except as rescue disk), how much security TC gains by running as user tc, although with no password and sudo not requiring password either?
>
These distros are just - Try and Use - if satisfied develop it further by adding your own requirements and modules - something exciting - but as said above with a sharp learning curve - cause the whole concept changes for a old user of Linux.

Quote
<4. If TC is installed in a VM under host OS (e.g. Windows), can keyloggers type trojans infecting Windows intercept key strokes in the TCL VM? This possibility is not TC specific, of course>
I think - every type attack is possible in Windoze system - it is a very old and widely used distros - so majority know how to exploit the weak links there. How many Linux users know - how to grant users rights or make a file executable or even install a new software in Linux ?
How many actually know the - tar or bzip usage - etc ?

Quote
<Secure only if you are running off a live cd, have absolutely no attached storage devices, and avoid web pages that require passwords or personal information. Otherwise, no.
>
In short - offline use ! But is it of any significance , specially in the age of Google and Tweeter and always-On-line generation ?

Quote
<Typing a URL into your address bar and hitting enter sends a request to download data onto your pc. What that data contains is anybody's guess. It could be benign text, pretty pictures, a virus, or a trojan that opens up additional ports on your machine.
...
Without additional hardening, TC is just as vulnerable.
...
I honestly wouldn't recommend TC for enterprise use.>
Interesting and important points ! What TCL Team thinks abt your last point ? :)

By the way - has TCL any future plan of "Enterprising" TCL on the lines of RHL or DEBIAN ?


~ Pats



Offline tclfan

  • Sr. Member
  • ****
  • Posts: 286
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #21 on: December 02, 2009, 08:58:50 AM »
Thank you combo3 for detailed reply. Pardon my digging deeper into this, but I would like to better understand the scope of exposure and particularly in relation to the above points from technical perspective, not user browsing habits:
1. If there are no servers running as it is in basic TC, there should be no open ports, therefore what is the added value of the firewall?
If new ports are open in the course of internet browser activity such as trojans, then firewall would not play any role here and would not reduce the security exposure.  Is this correct?
2. TC appears to be significantly more hardened comparing to e.g. Puppy, which runs all as root, since it runs as user.  Why is TC just as vulnerable?
3. You cannot modify a CD, but the question is running from usb or frugal. If it is possible for someone to break in remotely to a running TC, overcoming the above points 1 and 2, is it feasible to modify the frugal or usb installation of the system in addition to user data?
4. What would be the most critical features missing that would bring TC closer to enterprise?
Thanks for your and others' patience, but this topic is quite important...

Offline althalus

  • Sr. Member
  • ****
  • Posts: 351
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #22 on: December 02, 2009, 04:24:01 PM »
Quote
1. If there are no servers running as it is in basic TC, there should be no open ports, therefore what is the added value of the firewall?
If new ports are open in the course of internet browser activity such as trojans, then firewall would not play any role here and would not reduce the security exposure.  Is this correct?
A properly configured firewall will stop anything outside from accessing the ports opened by those trojans.
A properly configured firewall will stop most of those trojans sending any information OUT of your network, as well.
Quote
2. TC appears to be significantly more hardened comparing to e.g. Puppy, which runs all as root, since it runs as user.  Why is TC just as vulnerable?
By default, the tc user has no password, and can use sudo without a password. It's not quite root access, but it's close enough. Simple enough, just fix the sudoers file, add a password to TC, and add /etc/sudoers and /etc/shadow to your backups. Or you could even remaster TC with your modified sudoers and shadow files.
Quote
3. You cannot modify a CD, but the question is running from usb or frugal. If it is possible for someone to break in remotely to a running TC, overcoming the above points 1 and 2, is it feasible to modify the frugal or usb installation of the system in addition to user data?
Technically yes, if a hacker manages to get disk access to your machine, they could alter system files. But if you think about the concepts TC is built around, cleaning up such an attack would be simple - Reboot without backing up, or after ensuring that all files listed in /opt/.filetool.list are clean. After the reboot, anything the attacker injected into your system is gone. Obviously one would still do a full system audit to make SURE that the only things there are what should be there.
Quote
4. What would be the most critical features missing that would bring TC closer to enterprise?
Thanks for your and others' patience, but this topic is quite important...
As far as I'm concerned, TC already has everything it needs to make a rock solid, dependable server. I'm testing it for use as a virtual OS for serving small to medium sized websites at the moment. For a virtual server with lower amounts of RAM, TC+cherokee far outperforms ubuntu+apache OR ubuntu+lighttpd. In the repo, TC already has firewall tools, TC already has openssh, TC already has common web servers and an NFS server. DNS in the form of DNSMasq OR Bind.

Security-wise, SELinux might be the only enterprise tool it's missing. There are other tools that might be necessary which either are not currently part of TC, or use different varieties to what I have:
* Monitoring (like Nagios and Munin)
* Management (like Webmin or something more centralised)
* Apps specific to your site, which depending on licensing, you could even package and contribute yourself, easing the path for the next business considering using TC.
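
The checks described in Reply #22 above, as an added example that is not part of any post in this thread: a POSIX shell audit for passwordless sudo rules, empty password fields, and whether /etc/sudoers and /etc/shadow are covered by the backup list. The function names, the sample file contents and the one-path-per-line list format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Tiny Core project.
# All file contents written by demo() are constructed samples.

# Print sudoers rules that grant sudo without a password (comment lines skipped).
nopasswd_rules() {
    awk '!/^[ \t]*#/ && /NOPASSWD[ \t]*:/' "$1"
}

# Print accounts whose shadow password field is empty (no password needed).
empty_password_users() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Print each required path that the backup list does not cover.
# Assumption: one path per line, with or without a leading "/";
# a listed directory covers everything beneath it.
missing_from_backup() {
    list=$1; shift
    for p in "$@"; do
        awk -v want="${p#/}" '
            { sub(/^\//, ""); sub(/\/$/, "") }
            $0 != "" && ($0 == want || index(want, $0 "/") == 1) { found = 1 }
            END { exit !found }' "$list" || echo "$p"
    done
}

# Run all three checks: audit SUDOERS SHADOW BACKUP_LIST
# Prints one line per finding; prints nothing when the files are clean.
audit() {
    nopasswd_rules "$1"       | sed 's/^/passwordless sudo rule: /'
    empty_password_users "$2" | sed 's/^/empty password field: /'
    missing_from_backup "$3" /etc/sudoers /etc/shadow |
        sed 's/^/not covered by backup list: /'
}

# Demonstration on constructed files: first the state the reply describes,
# then the same files after the fix it recommends.
demo() {
    d=$(mktemp -d)

    printf '%s\n' 'root ALL=(ALL) ALL' 'tc ALL=NOPASSWD: ALL' > "$d/sudoers"
    printf '%s\n' 'root:*:14578:0:99999:7:::' 'tc::14578:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'opt' 'home' > "$d/filetool"
    echo "== before =="
    audit "$d/sudoers" "$d/shadow" "$d/filetool"

    printf '%s\n' 'root ALL=(ALL) ALL' 'tc ALL=(ALL) ALL' > "$d/sudoers"
    printf '%s\n' 'root:*:14578:0:99999:7:::' \
        'tc:$6$CONSTRUCTED$HASH:14578:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'opt' 'home' 'etc/sudoers' 'etc/shadow' > "$d/filetool"
    echo "== after =="
    audit "$d/sudoers" "$d/shadow" "$d/filetool"

    rm -rf "$d"
}

demo
```

On a live system the three arguments would be /etc/sudoers, /etc/shadow and the backup list named in the reply; reading /etc/shadow needs root.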

Offline combo3

  • Full Member
  • ***
  • Posts: 148
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #23 on: December 02, 2009, 04:27:18 PM »
Quote
... I would like to better understand the scope of exposure and particularly in relation to the above points from technical perspective, not user browsing habits:

Just one quick point:

I know it's tempting to gloss over user habits, but as lucky13 mentioned in a previous post, they offer the greatest avenue of attack.

Kevin Mitnick's "The Art of Deception" provides an enlightening read on how social engineering can be used to circumvent even the most technologically secure systems.

Quote
1. If there are no servers running as it is in basic TC, there should be no open ports, therefore what is the added value of the firewall?

You might not be running Apache, MySQL, or PHP, but what about X11? or Xorg? or CUPS? or Samba? or NFS?

TC_Terminal_Server (netboot) runs TFTP and DHCP services.

Edna media server runs on Python.

All of them are servers with known vulnerabilities.

Even font libraries can be exploited.

Quote
If new ports are open in the course of internet browser activity such as trojans, then firewall would not play any role here and would not reduce the security exposure.  Is this correct?

Firewalls are there to mitigate exposure. Nothing is foolproof, but why take unnecessary risks?

Quote
2. TC appears to be significantly more hardened comparing to e.g. Puppy, which runs all as root, since it runs as user.  Why is TC just as vulnerable?

The only real difference is that TC requires you to issue an additional command before becoming root user.

From a security standpoint, it's the equivalent of arguing that a house with locked doors and a key under the mat presents a greater break-in challenge than one where the doors are left wide open.

Quote
3. You cannot modify a CD, but the question is running from usb or frugal. If it is possible for someone to break in remotely to a running TC, overcoming the above points 1 and 2, is it feasible to modify the frugal or usb installation of the system in addition to user data?

Theoretically, anything is possible. In practice, however, most compromised systems are either raided for personal info or turned into spam relays and/or warez/crackz/. servers.

Quote
4. What would be the most critical features missing that would bring TC closer to enterprise?
Technical issues aside, the main reasons I would cite against using TC in a corporate setting are that it is still relatively new, has a small development team, no tech support, depends on voluntary contributions (i.e. small repo), low uptake, and an unproven track record. For home use I think it's great... but I wouldn't use it for my company's web store.

Offline bmarkus

  • Administrator
  • Hero Member
  • *****
  • Posts: 7183
    • My Community Forum
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #24 on: December 02, 2009, 04:29:07 PM »

Quote
4. What would be the most critical features missing that would bring TC closer to enterprise?


Centralised management. Just one of the many others.
Béla
Ham Radio callsign: HA5DI

"Amateur Radio: The First Technology-Based Social Network."

Offline tclfan

  • Sr. Member
  • ****
  • Posts: 286
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #25 on: December 02, 2009, 04:52:48 PM »
Althalus, Combo3, Bmarkus - Thanks very much for the elaborate insight. This thread is the best assessment on security I have read in a while! It looks to me that many pieces needed to harden TC security are available. It is just a matter of putting them together. Once I get some time I will try to integrate these pieces. I know there are bits and pieces of info on configuring these scattered around...

Offline Pats

  • Sr. Member
  • ****
  • Posts: 322
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #26 on: December 02, 2009, 11:42:48 PM »
I found these readings very interesting and in detail. Interested newbies can have a look at it:

http://www.linuxsecurity.com/

Security Features: What Does Windows 7 Have That Linux Doesn't have...

http://www.linuxsecurity.com/content/view/150685/86/&ei=6z4XS9CvLoGg6gPI_83JDw&sa=X&oi=nshc&resnum=1&ct=result&cd=1&ved=0CA0QzgQoAA&usg=AFQjCNHKRZs0SkTuM2uLh8KqSaMqTgh7ZQ

http://tldp.org/HOWTO/html_single/Security-HOWTO/

Hope this helps someone !

~ Pats

Offline 4-stroke

  • Jr. Member
  • **
  • Posts: 72
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #27 on: December 02, 2009, 11:58:59 PM »
And ShieldsUP!

I always forget the address...

Edit: Link removed! I didn't realize it was a commercial site.
« Last Edit: December 03, 2009, 12:19:22 AM by 4-stroke »
A learning experience is one of those things that say, "You know that thing you just did? Don't do that." - Douglas Adams

Offline roberts

  • Retired Admins
  • Hero Member
  • *****
  • Posts: 7361
  • Founder Emeritus
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #28 on: December 03, 2009, 01:50:29 PM »
Quickly perusing this thread, I did not see mention of the secure boot code.
With that you can set both root and default user passwords.

Tiny Core does not auto mount drives, therefore Tiny Core does not auto run foreign applications, i.e., pendrive insertion attack.

The use of sudo is quite common with Linux distributions and is not as careless or reckless as running as user root. It is common sense that most Linux distributions go through the work required to offer user access and not just root.
10+ Years Contributing to Linux Open Source Projects.

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11044
Re: Is TCLs Cloud Mode computing really secure ?
« Reply #29 on: December 04, 2009, 02:50:27 PM »
What wasn't yet mentioned about running as root are the accidents. If a browser runs as root, it can crash the system completely. Of course, without a sudo password, it can do it intentionally, but when running as root, accidents can be much more severe.

I wouldn't give Flash root privileges; would you?
The only barriers that can stop you are the ones you create yourself.