Linux in Government: How to Misunderstand the Enterprise Linux Desktop

Exploring the differences between popular and enterprise Linux distributions.

If you are considering deploying open-source software in your organization, this article aims to help you draw the distinctions appropriate to your business case. We address economics, security and administration, and the availability of applications. We also discuss myths and perceptions surrounding the dominant operating systems in the market today.

Executive Summary

GNU/Linux and open-source software have matured and attained significant popularity in the enterprise. Empirical indicators already show GNU/Linux's strength in the server room: the Netcraft Web Server Survey, for example, shows the Apache server with an installed share of 67% to 71%, and Apache has become the default Web server on Linux. The Linux desktop also is receiving consideration for enterprise deployment. Anchored by cross-platform productivity suites, such as OpenOffice.org and StarOffice, and by the Mozilla Firefox browser, Linux has gained acceptance in numerous heterogeneous environments.

One measure of the enterprise acceptance Linux has achieved is its place among the elite operating systems produced by IBM, HP, Sun, SGI, Microsoft and Sony that have completed formal security evaluations. In addition, two Linux enterprise distributions recently achieved the coveted status of Common Criteria certification, which offers governments a higher level of confidence in deploying Linux (see Table 1).

Common Criteria Certification

What is the Common Criteria? The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an international standard for evaluating both the security functionality an IT product claims and the assurance that the functionality has been implemented and tested correctly. Certification under it provides a seal of approval recognized by government agencies and enterprise IT professionals. Countries that recognize Common Criteria evaluations include the United States, Canada, the United Kingdom, Australia, New Zealand, Germany, France and Japan.

In January 2004, Novell SuSE Linux Enterprise Server 8 earned an EAL3 certification; Atsec Information Security GmbH, along with IBM, assisted Novell SuSE through the evaluation process. In May 2004, Oracle sponsored Red Hat's evaluation, and version 3 of Red Hat Enterprise Linux was certified at EAL2 of the Common Criteria.

Having attained this certification, Red Hat Enterprise Linux and Novell SuSE Linux Enterprise Server can be deployed in government operations and in the Department of Defense. It also means they can be deployed in security-sensitive organizations, such as federally insured banks and other government and government-regulated agencies. State and local government units with federal assistance programs also can deploy the Red Hat and Novell SuSE enterprise distributions. One caveat a practitioner should keep in mind: a Common Criteria certificate covers only the specific evaluated configuration described in the product's Security Target, and features excluded from that configuration are not covered by it, so a deployment that diverges from the evaluated configuration does not inherit the certified assurance.

Table 1, below, lists the operating systems that have been evaluated, as taken from the complete and official list of evaluated products. As you can see, Linux shares that space with some prestigious software.

Table 1. Operating Systems that Meet the Common Criteria Standards for IT Security

The Federal SmartBuy Initiative

On July 1, 2004, the Executive Office of the President of the United States issued a memorandum to Senior Procurement Executives and Chief Information Officers. The memorandum, OMB M-04-16, reinforces the earlier memorandum titled "Maximizing Use of SmartBuy and Avoiding Duplication of Agency Activities" and makes the following ground-breaking statements:

This reminder applies to acquisitions of all software, whether it is proprietary or Open Source Software. Open Source Software's source code is widely available so it may be used, copied, modified, and redistributed. It is licensed with certain common restrictions, which generally differ from proprietary software. Frequently, the licenses require users who distribute Open Source Software, whether in its original form or as modified, to make the source code widely available. Subsequent licenses usually include the terms of the original license, thereby requiring wide availability. These differences in licensing may affect the use, the security, and the total cost of ownership of the software and must be considered when an agency is planning a software acquisition.

This is merely one example of the changes under way in procurement policies and habits across federal, state and local government agencies nationwide. Despite great odds and powerful opposition to changes in the status quo, open-source software has established a place at the conference table, where it will stay and survive on its merits.

______________________

Comments


Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

While Linux is making progress, the Red Hat common criteria evaluation is a joke. EAL2 assurance doesn't even require complete testing or access to developers, so it isn't much, despite the distinguished company. Worse, the Common Criteria Certification report says:
The following features of Red Hat Enterprise Linux were specifically excluded from the evaluation:

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

EAL certification does not mean much if it is based on limited conditions and on a security target that is not very strict. Obviously the Red Hat certification has limitations in practical terms, but for that matter, so did Windows 2000, which supposedly was not supposed to run applications, be connected to the Internet or have a floppy drive for its certification. Kind of makes one wonder about the whole process, does it not?

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

Those terms for Windows related to C2 certification and had to do with Windows NT 3.51.

The Common Criteria certs mean quite a lot. Where do you MS trolls come from? Are you trained in disinformation? Where will you apply those skills once MS bites the dust?

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

He didn't say that Common Criteria doesn't mean much; he said that the EAL level doesn't mean much, which is true. Much more meaningful are the protection profiles (PP) tested against and the restrictions. In that sense, the chart given in the article is quite misleading, because the EAL level given doesn't have much to do with the level of security of the system under evaluation. It has more to do with the level of assurance that the system in question really meets the certification it gets.

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

This is from a Microsoft troll.

Ignore at will.

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

Did you say that the RH CC was a joke?

You're an expert -- and we should do what with your opinion? Make a buying decision? Grow tomatoes? What?

Let me see if I understand this. You take something out of context, write an opinion and it's supposed to mean something. Is that right?

So, X Windows is important for a server? Support for AppleTalk and IPX?

When Apache gets its own CC, then Red Hat will be OK?

Why did you bother to write anything? To amuse yourself?

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

Maybe, he thinks he knows something about benchmarks or certifications. I didn't get that he did. What was the point?

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

Some people feel like they need to vote on everything. They can't just shut up and listen. I didn't think his comment was particularly important, amusing or thoughtful. He must have thought he was on Slashdot or one of the Debian mailing lists, I guess.

Re: Linux in Government: How to Misunderstand the Enterprise Lin

cjcox

Minor correction:
Red Hat came to this conclusion and chose to eliminate its long-time retail product and turn it into a free project, called Fedora.

Red Hat's offering has always been free, though they did have a retail package that you could buy (most just downloaded it). The major change is that it went from a solely Red Hat-developed offering to a community-developed offering (with Red Hat owning the guidance and direction) with a more frequent release schedule.

Re: Linux in Government: How to Misunderstand the Enterprise Lin

Anonymous

I discussed this with Leigh May in an interview. Red Hat called it their retail product. No one said anything about it being free. Although at the time, it was free. It just didn't enter into the conversation. The conversation centered around subscriptions at $60 per year per machine.

She did say that they wanted it to be more community-based, but they were discontinuing the retail product and service. Not that it matters much, since they did discontinue it, got the brand changed and now only sell Enterprise Linux.

Is anyone confused by that? Or that Matthew said Windows was better for the home user?

Tom

So much for Freedom? Fedora trademark use restrictions

Anonymous

http://fedora.redhat.com/about/trademarks/guidelines/page4.html

So much for "Freedom"? Fedora started out as an attempt to beat Debian at their own "game". It's now a Red Hat Software sub project, and thus, is corporate controlled. I much prefer the co-operative and open style of the Debian GNU/Linux project and Software in the Public Interest, where just about anyone can apply to become a maintainer, and thereby receive voting rights within the democratic organization:

http://www.debian.org/devel/
http://www.spi-inc.org/

Re: Linux in Government: How to Misunderstand the Enterprise Lin

cjcox

That wasn't worded as clearly as I'd have liked... obviously Red Hat, like all other Linux distributions, is dependent on community contributions and free software. However, Red Hat owned the organization, administration and installation aspects of their product, in that they alone developed those pieces until Fedora. Now there is even more community involvement and a bit less red tape (hmmm... now I know why it's called RED tape).
