HP, Navy back open-source security initiatives

As the use of open-source software, such as Linux, increases in the public sector, commercial and government agencies are taking steps to obtain credentials necessary for open source use in high-security environments.

A team including Hewlett-Packard Co. and a division of IBM Corp. are working to get an encryption protocol widely used in securing Web pages for government certification. Also, a Navy team funded by the Defense Advanced Research Projects Agency has released software that allows Linux computers to be forensically audited to military standards.

Both sets of software would be useful for agencies and contractors involved in the Defense Department's Global Information Grid and other network initiatives that require stringent security.

In the first project, a team including the Palo Alto, Calif.-based Hewlett-Packard has started the process to get FIPS 140-2 certification for a popular open-source software tool kit called OpenSSL, the Open Source Software Institute announced earlier this week. OpenSSL is the open-source implementation of the secure socket layer, a widely used Web protocol to encrypt sensitive information, such as credit cards numbers.

The Federal Information Processing Standard Publication 140-2 standard specifies the security requirements needed by cryptographic modules to be used in the government for sensitive information. The National Institute of Standards and Technology's Cryptographic Module Validation Program is the certifying body for FIPS 140-2.

The Open Source Software, a nonprofit organization based in Oxford, Miss., is leading the certification project. Gary Gross, a Hewlett- Packard security evaluation program manager, is the project's technical lead. Other participating members include the Ottawa-based Domus IT Security Laboratory, which is a division of IBM Corp., the Annapolis, Md.-based PreVal Specialists Inc. and volunteers from the OpenSSL Project.

OpenSSL is being developed as a commercial-grade tool kit to implement the secure socket layer protocols. Although widely used in the commercial sector, it had not undergone FIPS 140-2 certification.

"This is significant, because the government can't use cryptoprograms unless they've received the FIPS 140-2 certification," said John Weathersby, chairman of the Open Source Software Institute.

In the second project, a team funded by DARPA has released software for auditing Linux-run equipment over a network. The software, Secure Auditing for Linux, remotely detects and reacts to system intrusions and disruptions of Linux-run services. It also collects operational data for forensic analysis should a break-in or other incident occur.

The Linux operating system kernel does not offer this level of accountability, according to the Secure Auditing for Linux Web page.

Version 1.0 of Secure Auditing for Linux provides auditing capabilities that would bring Orange Book Common Criteria-level of auditing for the Linux operating system. The enhancements allow monitoring of all operations the system takes. The package also provides forensic-grade audit log server software. A security patch that sends alerts when events of concern take place is installed on client computers.

The DARPA award was made under the Composable High Assurance Trusted Systems program, which funded high assurance operating system technologies to protect computer systems from constant attack.

Participants in the team include members from the Navy's Space and Naval Warfare Systems Center.

The software, along with source code, may be downloaded at http://secureaudit.sourceforge.net/. It can work with RedHat Linux versions 7.3 and 8.0, offered by Red Hat Inc., Raleigh, N.C.

Linux use appears to be increasing across in government agencies. IBM Corp., Amonk, N.Y., reports that it has more than 75 government customers using Linux solutions, including the Federal Aviation Administration, the Department of Agriculture and the Department of Energy's National Energy Research Scientific Computing Center. IBM has opened an e-government center in Germany to help public sector customers use open source.