What's New in Trustix™ OS version 2
Trustix™ are committed to establishing Trustix™ OS as the most secure and stable enterprise server OS available. To further realize this vision we have developed and added a number of security and performance enhancements for Trustix™ OS 2.
IBM Stack protection
In line with its mission to produce the most secure distribution of Linux available, Trustix™ OS now incorporates IBM stack protection. This technology is of particular importance to enterprise server deployments where safeguarding data is of paramount concern.
Extending the Stackguard compiler, Stack Protection defends systems from buffer overflows by inserting protection code into an application at the point of compilation.
It detects and defeats stack smashing attacks by protecting the return address on the stack from being altered. The "XOR Random canary" method places the XOR of the return address and a random number next to the return address when a function is called, and then checks that the value is preserved before the function returns.
This delivers effective buffer overflow detection and avoids the corruption of pointers by re-ordering local variables to place buffers after pointers.
Such protection is achieved with minuscule performance overhead whilst producing programs that are inherently hardened against stack smashing attacks.
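The check described above can be modelled in a few lines of C. This is an added illustration, not IBM's or Trustix's code: the frame layout, names and constants are assumptions made for the demo, and it goes one step beyond the text by comparing the XOR scheme with a plain random canary.

```c
#include <stdint.h>
#include <string.h>

/* Model of one stack frame: buffer lowest, guard next to the return address. */
struct frame {
    unsigned char buf[16];
    uintptr_t guard;   /* XOR scheme: ret ^ secret; plain scheme: secret */
    uintptr_t ret;     /* modelled return address */
};

/* Constructed values for a repeatable demo; a real runtime picks the random
   number when the program starts. */
static const uintptr_t SECRET = 0x5bd1e995u;
static const uintptr_t RET = 0x401136u;

static void prologue(struct frame *f, int xor_scheme) {
    memset(f, 0, sizeof *f);
    f->ret = RET;
    f->guard = xor_scheme ? (RET ^ SECRET) : SECRET;
}

/* Check run before the function returns: 1 = intact, 0 = abort. */
static int epilogue_ok(const struct frame *f, int xor_scheme) {
    return xor_scheme ? ((f->guard ^ SECRET) == f->ret) : (f->guard == SECRET);
}

/* Linear overflow: len bytes of 'A' written from the start of buf, as an
   unchecked copy would do. The write is clamped to the modelled frame. */
static int linear_write_passes(size_t len, int xor_scheme) {
    struct frame f;
    prologue(&f, xor_scheme);
    if (len > sizeof f) len = sizeof f;
    memset(&f, 'A', len);
    return epilogue_ok(&f, xor_scheme);
}

/* Return address changed without touching the guard (for example through a
   corrupted pointer): only the XOR scheme ties the guard to the address. */
static int ret_only_write_passes(int xor_scheme) {
    struct frame f;
    prologue(&f, xor_scheme);
    f.ret = 0x401999u;  /* constructed value */
    return epilogue_ok(&f, xor_scheme);
}

int main(void) {
    return !(linear_write_passes(16, 1) && !ret_only_write_passes(1));
}
```

Both schemes catch the linear overwrite, but only the XOR guard notices a return address that changes while the guard word stays intact.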
vsftpd
Trustix™ OS 2 replaces ftpd-bsd with the improved security and performance capabilities of vsftpd. Commensurate with the ideals of Trustix™ OS, vsftpd dispenses with unnecessary features and services, targeting security, stability and performance as its main criteria. It takes advantage of Linux's powerful chroot and capabilities facilities to fix fundamental design flaws in many standard FTP servers. Furthermore, secure coding techniques detect and prevent buffer overflows by abstracting string and buffer manipulations behind a buffer API. Performance benchmarks have shown vsftpd to be a more capable solution than its competitors, with testers finding a 2x speed increase over ftpd-bsd.
Samba 3.0.2
Trustix™ OS version 2 improves file and print sharing capabilities by upgrading to Samba 3.0. Samba is a fully portable, POSIX compliant application that runs on a variety of UNIX and UNIX-like systems including Linux. The latest version is the first open source implementation of Windows NT Primary and Backup Domain controller functionality. Users can migrate to Samba 3.0 from an NT domain whilst keeping their existing user and group account databases, thereby saving businesses the expense of acquiring client access licenses.
It is also fully compliant with Windows Server 2003 security features by implementing Kerberos 5 authentication, SMB signing for tamper-proof file serving and SCHANNEL security for secure remote procedure calls.
Tests by IT Week Labs show the Samba 3.0 file and print server software is 2.5 times faster than Windows Server 2003 in the same role.
XFS
XFS is the world's fastest and most scalable journaling file-system. Integration of XFS into Trustix™ OS 2 confers numerous benefits over previous versions:
- XFS combines advanced journaling technology with full 64-bit addressing and scalable structures and algorithms. This combination delivers the most scalable and highest performance filesystem in the world.
- The XFS journaling technology allows it to restart in less than a second after an unexpected interruption, regardless of the number of files it is managing. Traditional filesystems must do special filesystem checks after an interruption, which can take many hours to complete. The XFS journaling avoids these lengthy filesystem checks.
- XFS journaling also speeds up read and write data transactions. XFS uses efficient table structures for fast searches and rapid space allocation. XFS continues to deliver rapid response times, even for directories with tens of thousands of entries.
- XFS is a full 64-bit filesystem, capable of handling files as large as a million terabytes.
- XFS Bandwidth - Tests show XFS delivers near-raw I/O performance.
IPv6 integration into Postfix
Trustix™ OS extends and enhances the capabilities of Postfix by incorporating support for IPv6. Postfix is a Mail Transfer Agent (MTA): software that mail servers use to route email. It is highly respected by experts for its secure design and tremendous reliability.
IPv6 is the putative solution to the address depletion problem posed by IPv4, allowing the automatic configuration of multiple network devices. This delivers true peer-to-peer networking and allows mobile devices to quickly acquire addresses as they move along foreign networks. By integrating IPv6 into Postfix, TSL ensures maximum compatibility, flexibility and future-proofing for mail servers.
ICAP support in squid
ICAP is a protocol designed to off-load specific Internet-based content to dedicated servers, thereby freeing up resources and standardizing the way in which features are implemented. For example, a server that handles only language translation is inherently more efficient than any standard Web server performing many additional tasks. ICAP concentrates on leveraging edge-based devices (proxies and caches) to help deliver value-added services. At the core of this process is a cache that will proxy all client transactions and will process them through ICAP/Web servers. These ICAP servers are focused on a specific function, for example, virus scanning, content translation, language translation, or content filtering.
Trustix™ have incorporated ICAP support into their squid proxy to enable squid to perform content adaptation in a way suitable for virus scanning and other special functions.





