Friday, March 30, 2007

Security-Enhanced PostgreSQL

Recently, I came across a posting announcing the release of a SELinux-enhanced version of PostgreSQL. SE-PostgreSQL makes use of the labeling and Mandatory Access Control (MAC) features that SELinux provides. This is a tremendous addition to enterprise security, particularly in the government and financial fields.

What SE-PostgreSQL provides is a mechanism for controlling access to information in a database in a very fine-graned manner. The example provided in the announcement demonstrates this using a table containing beverage information. In this example, the table contains several columns related to different types of beverages (name, price, type of beverage, quantity on hand, etc.). The table is then altered to require a SE-Linux security context to access specific parts of this data. For example, one security context is required to access the table at all. An additional, higher-security context is required to access rows where the beverage is not a soft-drink. If you look at the output provided in the sample queries, you will see that these rules are applied based on the user's security context. The amount of customization doesn't end there, however. You can apply access control based on rows, columns, tables, databases, etc. While this level of customization may be intimidating to smaller enterprises, larger enterprises will welcome the flexibility it gives them.

This type of capability has huge ramifications for the use of PostgreSQL, Linux, and open-source in general within the government and financial sectors. Data of different government classification levels can now reside in the same database. A unified database can be used in financial institutions with assurance that the information cannot be modified by unprivileged or unauthorized users. My small amount of SQL experience has largely revolved around open-source databases, such as MySQL and PostgreSQL. My day job does not require much SQL work, so as a result I only play around with it on my free time. While MySQL seems to be the most widely used, my personal preference is for PostgreSQL. True, it lacks some of the features MySQL has, such as clustering. However, it more than makes up for it in other ways, such as its strict transaction handling abilities. I've always felt PostgreSQL's security architecture was superior as well, with its ability to use external authentication sources (Kerberos, LDAP, etc.) for users. The addition of SELinux support to this mix has put PostgreSQL in a class unmatched by any other open-source database (and many closed-source ones as well).

Thursday, March 15, 2007

CentOS 5-beta -- First Impressions

Last night, I installed the beta release of CentOS 5 to take it for a test drive. For those of you looking for screenshots, there are several screenshots of Red Hat Enterprise Linux (RHEL) 5 available here. Although the artwork is different in CentOS, everything else is the same. These screenshots should give you a general idea of what the experience is like. While I haven't had a chance to play with all of the new and enhanced features, I've been quite impressed with what I have seen so far. I started by installing the beta on my HP Pavilion zt3000 laptop. My biggest criticism of those who claim that "Linux is ready for the desktop" has been issues with running it on a laptop. From ACPI support, poor hardware support, and an inability to function the way a laptop should, I have been less than thrilled with several Linux distributions.

For starters, I was pleasantly surprised with the updates to Anaconda, the system installer. The entire install process has been streamlined, requiring far less user intervention, even for more advanced configurations. One of the things I like most about Windows XP installations is that, for the most part, it is "set it, and forget it". You answer a few questions about networking and such, and the rest of the install is automated. CentOS 5 follows this philosophy with the updated installer.

One thing that was obvious from the first time I booted into CentOS 5, is that it is FAST. Really fast. In CentOS 4.4, it took approximately 10 seconds from login to GNOME desktop. With CentOS 5, this time has been reduced to 2 seconds. While this is a pretty trivial achievement, it goes a long way to improving the usability of the system. Speaking of usability, CentOS won me over during the boot process. Why? Because X Windows, by default, was set to my laptop's optimum resolution: 1680x1050. In every other Linux distribution I have used, it defaulted to some other non-widescreen resolution, and I was forced to manually change the configuration file. Not any more. In addition, when I later plugged the laptop into its docking station to use my external 19" LCD, it immediately changed its resolution to the appropriate 1280x1024. This is such a long overdue change in system behavior.

Once I was logged in, I began taking a quick tour of the system. The new Clearlooks theme looks great, and the crispness of screen fonts is incredible. I've never seen a Linux distribution that displays fonts this clearly. This release also includes Compiz, the compositing engine for X Windows. Compiz provides all the nifty (yet pointless) visual effects for the desktop, similar to what Mac OS X is capable of. This was one of the things I was most curious about, as I have not had a chance to work with a Compiz-enabled system. My impressions? Not bad. The wobbly windows are definitely a neat trick, but I don't like that it takes a split second for the windows to snap into place and regain their focus. One thing I didn't get a chance to investigate was the load on the CPU with Compiz enabled. Compiz is OpenGL accelerated, and I wanted to make sure that the extra load was forced off to the graphics card instead of the CPU. I'll take a look at this tonight.

This evening, I plan to investigate some of the server and developer-oriented features of CentOS 5. Since I spend most of my time in Linux doing Java development work, I'm curious as to the performance of Eclipse, Intellij Idea, MySQL/PostgreSQL, and Tomcat. If the server performance has increased in the same way as desktop performance, I think I will find myself spending a lot more time in Linux, and a lot less time using Windows XP.

Wednesday, March 14, 2007

Smartcards at Disneyland?

I stumbled upon this blog entry, showing a picture of the new hotel room keys in use at Disneyland Paris. You're not mistaken, they look like smartcards. It seems every year in recent memory has been called, "The Year of the Smartcard" or, "The Year of PKI". I can certainly imagine some innovative uses for these smartcards. Since they can be used for payments at all of the restaurants and stores within the park, what about a Kerberos-enabled payment system? Or, load the cards with credentials enabling a user to download photos from their vacation when they get home (so long as they have a reader attached to their PC). While I'm not sure what the backend technology behind the cards does, it's not the first time that Disney has used cutting-edge security technologies at their parks and resorts. In 2005, Disney implemented biometric finger scans for all guests at Walt Disney World. However, they used similar technology for annual passholders even before that.