But what makes HP-UX unique is its intrusion detection. Sitting on top of the OS, it is designed to protect applications in the 11i environment. When an attempted intrusion or actual security breach is found, the system alerts its IT handlers by pager or other means so they can respond to the break-in immediately.

HP-UX supports Internet Key Exchange (IKE), a management protocol standard used in harmony with IPSec-the IP Security Protocol. It provides robust authentication and encryption of IP packets. While IPSec can be configured without IKE, IKE enhances IPSec by providing additional features such as handling protocol and algorithm negotiation based on local policies, as well as generating encryption and authentication keys to be used by IPSec.

Other security considerations allow IT to maintain a main directory for users, and then offer directory-enabled authentication for Unix and Windows users who need it. The LDAP-UX plug-in module, for example, is used for authenticating the latter. “We assume the world is not Unix-centric,” Appalaraju said, “so this module is a framework for authenticating users from other environments.”

Appalaraju said Unix is biggest in enterprise computing; he believes it was the dominant desktop OS five years ago, and as he put it, “has always been secure.”

Security is a strenuous process, according to Ravi Iyer, product line manager for Sun's Solaris, because it requires continuous auditing and accountability. He believes practices, products, and tools ultimately determine security.

Iyer said role-based access control is Solaris's standout. By segregating access based on users' business functions, people who access the system only see what they must-and are permitted to. Like HP-UX, Solaris, now at version 8, features pluggable authentication modules (PAM) to facilitate integration of authentication technologies such as smart cards, Kerberos, RSA, and others into entry functions such as login, telnet, and FTP without modifying those services. And Solaris incorporates Sendmail solutions for electronic messaging security and control. As Iyer put it, “PAM allows access for layers of applications.”

Also available is the Solaris Security Toolkit, a free standalone product that automates security processes based on questions, and makes creating new systems less complicated by cloning existing attributes from other systems. “We understand that security is not a single deliverable product-it's a process,” Iyer said, “so we provide tools separate from the OS to address that.”

According to Iyer, Solaris, built with discretionary access control, will benefit from future enhancements such as options for security during install, and beefed up smart card support, role access control, and security support tools. He also said Sun plans to build Solaris Security Toolkit functions into the OS.

Increased development of security tools and management options is a direct response to consumers. According to Bill Sandve, IBM's director of Unix product management, people get nervous about security because of its many aspects and meanings. He said IBM's AIX platform responds by promoting trusted activities in a trusted environment.

AIX, now at version 4.3.3, features security enhancements such as the Internet protocol security network packet filter, designed to restrict traffic to known sources inside a firewall, and the optional IBM SecureWay Directory, for storing user IDs and reducing security administration. A Sendmail upgrade with anti-spamming features is also included.

“We aim to standardize security by building an infrastructure for name mapping,” Sandve said. “It correlates an ID across the IBM server environment to manage users.”

According to Sandve, the ideal scenario is a common infrastructure set that uses a standard application program interface (API) to communicate with Windows and other Unix environments. He said trends suggest security policies are becoming more centralized than ever before.

In hopes of addressing such trends, Sandve said IBM is working on tools that help administrators set up hardened environments and allow them to configure security system defaults during the installation process. This includes Web-based, GUI-driven task guides for simplified setup of VPNs, for example. IBM is also considering ways to leverage knowledge in the open source community.

Windows

A paradigm difference between Microsoft Windows 2000 and other environments such as Unix and Linux, according to Christopher Budd, security program manager at Microsoft's Security Response Center, is Microsoft's ability to integrate systems with management. (Windows XP Professional is taking over from Windows 2000 as the current server-side version, although Microsoft still supports NT 4.0.)

Built in software restriction functions allow administrators to block access to certain applications based on a user's role. “This makes the system more intelligent,” Budd said. “Focusing on roles makes it possible for people to make integrated security systems.”

And with Active Directory, a centralizing solution, administrators can build and distribute group policies from one location to manage users and machines across the enterprise. “You're designing a computing environment for user and groups,” Budd explained. “You can keep data entry people in a small space or grant lots of access to superusers.”

Microsoft has extended this methodology to apps bundled with Windows, including Outlook and Internet Explorer. Outlook 2000 can be treated with the Outlook E-mail Security Update, and Explorer with Internet Explorer Administration Kit, designed to help create user environments. Both are intended to help administrators increase system manageability.

According to Budd, everything in Windows is checked against comprehensive and rigorous security models, ensuring that nothing can bypass OS security. “Windows 2000 features complete security subsystems, so every process runs within the security context and has associated permissions,” he said. “We have a comprehensive vision.”

No system can be completely secure. That said, the goal becomes making and keeping system intrusion more difficult. When choosing an OS, ask yourself: What is being protected? What is its value? What potential threats exist? Whatever your answers are, one thing is for sure: Ultimately, system security is your responsibility.

The Linux Alternative

Linus Torvalds released primordial versions of Linux in 1991. In making the open-source kernel available on the Internet to developers, the OS Torvalds described as “just a hobby” would grow into a widely supported environment. And today, many commercial developers stay true to the Linux genesis by embracing the open source community.

Red Hat Linux, released in 1994 and now at version 7.1, brings the benefits of corporate backing-including new security features-to Linux. For example, system administrators can configure a firewall during the installation process, and can choose which services should be allowed by default.

According to Marty Wesley, Red Hat project manager, administrators can control access by user and group and on the file level, setting permissions for reading, writing, and executing. “This allows collaboration between users, but keeps the files private,” he said.

Linux features IP Chains and IP Tables security types, which are responsible for blocking connections on specified ports based on network traffic rules and reviewing connection and machine states, respectively. But Linux's open-source nature is at least partly responsible for its security. With thousands of eyes watching emerging code, an increased interest exists among developers to produce secure material.

While Red Hat benefits from external developers, system administrators can take advantage of Red Hat Network, a plan in which they create system profiles, submit them to Red Hat, and automatically receive new patches and upgrades.