SUSE Linux Enterprise Server 11
Superior Application Security
Software flaws in applications that are exposed via the Internet can allow attackers to compromise systems that host critical data. Perimeter security only solves part of the problem, and firewalls do little to protect against the growing number of threats that originate from within company walls.
As a result, IT organizations regularly patch their servers to protect against the latest threats; however, this reactive security strategy still leaves businesses dangerously exposed. With experienced hackers becoming faster at exploiting security vulnerabilities, IT organizations often have little or no time to download, test and apply security patches to their systems.
Application Security with AppArmor
The most effective solution to protect you from external AND internal threats is to use application security, in addition to other security best practices. Application security, such as that provided by the AppArmor® technology integrated with SUSE Linux Enterprise 11, allows systems administrators to specify the files that a program may access and the operations that that program may perform on the files. Any other behavior beyond that scope is denied and logged.
AppArmor is the most effective and easy-to-use application security framework for Linux applications available today. It proactively protects the operating system and applications from external or internal threats, including zero-day attacks, by enforcing good program behavior and preventing even unknown software flaws from being exploited. Security profiles completely define what system resources individual programs can access, and with what privileges. A number of default policies are included, along with learning-based tools and advanced statistical analytics that simplify the development of customized policies, even for very complex applications.
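As an added illustration (not part of the original page and not a profile shipped by SUSE), the sketch below shows how a profile enumerates the files a program may touch and the operations allowed on each. The daemon name exampled and every path in it are hypothetical.

```apparmor
# Added example: hypothetical daemon and constructed paths (assumptions).
#include <tunables/global>

/usr/sbin/exampled {
  # Shared rules most programs need (C library, locale data, /dev/null).
  #include <abstractions/base>

  # The only capability granted: bind to a port below 1024.
  capability net_bind_service,

  # TCP over IPv4 only; any other socket family is refused.
  network inet stream,

  # The binary itself may be read and memory-mapped.
  /usr/sbin/exampled mr,

  # Configuration: list the directory and read files, never write.
  /etc/exampled/ r,
  /etc/exampled/** r,

  # Served content is read-only.
  /srv/exampled/** r,

  # Log files can be written but not read back.
  /var/log/exampled/*.log w,

  # PID file is created and updated by the daemon.
  /var/run/exampled.pid rw,

  # There is deliberately no rule for /etc/shadow, /home, /root or for
  # executing other programs. In enforce mode any such access by exampled,
  # including by injected code running inside it, is denied and logged.
}
```

A profile like this is loaded or replaced on a running system with `apparmor_parser -r <profile file>`, which is the mechanism behind policy updates that need no reboot.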
A True Firewall
SUSE Linux Enterprise protects your network from external attacks with a so-called "stateful" firewall. Firewall is probably the term most widely used to describe a mechanism that provides and manages a link between networks while also controlling the data flow between them.
Whenever Linux is used in a networked environment, you can use the kernel functions that allow the manipulation of network packets to maintain a separation between internal and external network areas. Strictly speaking, the mechanism that is responsible for creating a firewall infrastructure is called a packet filter. A packet filter regulates the data flow according to certain criteria, such as protocols, ports, and IP addresses. This allows you to block packets that, according to their addresses, are not supposed to reach your network. To allow public access to your Web server, for example, you explicitly open the corresponding port. The Linux netfilter framework provides the means to establish an effective firewall that keeps different networks apart. With the help of iptables, a generic table structure for the definition of rule sets, you can precisely control the packets allowed to pass a network interface. Such a packet filter can be set up easily with the help of SuSEfirewall2 and the corresponding YaST administration module.
So, no matter where an attack originates—internally or externally—SUSE Linux Enterprise Server 11 allows enterprises to ensure data integrity while reducing system administration costs and preventing downtime.
Best-in-class
SUSE Linux Enterprise Server 11 provides:
- Out-of-the-box application security at no extra cost.
- Automated application-profiling and policy-creation tools that simplify application security administration and configuration. Security policies can be created and deployed in minutes, not days.
- The best-performing application security solution. (The performance overhead of AppArmor is significantly lower than that of SELinux, which ranges between 7 and 16 percent.)
- The ability to dynamically update policies without an interruption in service. Any change to SELinux security policies requires the system to be taken down and rebooted. No reboot is necessary when changing an AppArmor policy.
- The ability to use a complementary solution that assists in enterprise-wide policy deployment. Get the details on how to use Novell ZENworks® Linux Management (ZLM) to administer AppArmor security policies.
