ClearOS Security Overview
The purpose of this document is to outline the security paradigms that exist within ClearOS. ClearOS is a multipurpose Operating System (OS) that is designed with security in mind. There are several ways in which ClearOS is strengthened in security above standard distributions of Linux and other ways in which ClearOS works within the context of best practices in Linux. These areas are:
Patching, maintenance, and updates.
Firewall, routing, and security zones.
Add-on products, features, and 3rd party applications.
Security alerts and errata
ClearOS benefits from sharing much of its code with CentOS. “CentOS is a Linux distribution that provides a free, enterprise-class, community-supported computing platform functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL).” (Wikipedia). CentOS-based distributions have certain advantages based on their upstream sources:
1) Packages are generally highly stable - This comes as a result of packages being proven in the wild to be generally bug free in the Fedora community. Once packages meet certain criteria, those versions are included in releases of RHEL. From there, RHEL backports security and bug fixes from future versions into the same version. This makes for broader compatibility with other packages in the distribution. The result is a stable system. The downside is that RHEL and CentOS are often considered to lag behind the latest and greatest bleeding edge features. While this downside is difficult for some developers, it is a boon to IT administrators who seek stability in their systems as well as security.
2) RHEL and CentOS enjoy a long life-cycle as all their releases are long term support. ClearOS gains a benefit from this by having many of its packages updated by the community and by other organizations for the long haul. You can read more about ClearOS End of Life here
3) Before any package makes it to the ClearOS Testing repositories, it has already endured significant testing in the CentOS community. For ClearOS, the end of the CentOS Production Release is the start of the ClearOS Quality Assurance (QA) process.
Patching, Maintenance, and Updates
As mentioned, ClearOS takes in many packages that have already been heavily tested in QA. From there, packages are assembled and tested by ClearOS engineers. They are combined with ClearOS packages that have been developer tested and tested within our continuous integration environment. Next, packages are installed on specific ClearOS production machines we call the 'dog food' servers. Essentially, if it isn't good enough for us, it's not good enough for you. Major updates are announced to the community and volunteers can install and try out the latest packages. Generally, skilled community evaluators and ClearOS staff participate in this release. After these tests are complete, packages are released to the ClearOS Community users through automatic updates. These users use a free version of ClearOS in exchange for being the first tranche of users to use ClearOS outside of the volunteer teams. Issues are reported to the forums, which engineers from ClearCenter monitor. Once packages pass through the community, they are released to the Home and Business users with paid subscriptions via automatic updates.
Generally, a week will have passed between patching Community and Business/Home editions. The exception is in cases of zero-day patching in which the whole process is collapsed into just a few hours after the patch is validated by the 'dog food' servers.
Upstream Patches - For these patches, ClearCenter will generally wait until upstream patches have been released, but there are instances where upstream is too slow and we patch ahead of upstream.
ClearOS-specific - ClearOS patches are handled in the authorized (not public) bug tracker so that any exploit is not illustrated in the wild. Community Users participating in this process must be vetted and sign confidentiality agreements before being allowed to see details about the occasional patches against ClearOS.
Firewall, Routing, and Security Zones
ClearOS is designed to function as a Unified Threat Management (UTM) system. As such, it is designed with security in mind. There are 3 modes that ClearOS can be configured for:
In both kinds of Standalone modes, ClearOS is not operating as a gateway or router. The key difference between the two is the firewall rules, or lack thereof. In Public Server mode, the firewall is in effect for the External facing interface. In ClearOS terms, External always means 'Internet-facing'. In Private Server mode, no firewall is in effect and it is assumed that hosts on the network are trusted. In Gateway Mode, the firewall is in effect for the External interface and for routed packets received on DMZ, LAN, or HotLAN interfaces.
By default, there are 4 typical zones for traffic. The firewall is configured to protect services based on these zones, and the behavior of each mode is also determined by these zones. For example, External is always the interface(s) with gateway IP addresses defined. On a Private Server, there is no firewall on this interface, but in Public Server and Gateway Modes, the firewall locks it down.
It is possible to run what would otherwise be a Private Server in Public Server mode. The key is to open up the ports required for your services to work.
The ClearOS firewall process looks at the mode and the roles of the interfaces in order to determine the layout of the firewall rule sets. Unlike other firewall solutions, ClearOS is 'function aware', meaning that you don't have to define every step of the packet flow in order to traverse it. In some solutions you are required to make aliases, define incoming rules, define destination rules and source port rules just to get One-to-One NAT working. In ClearOS, simply define the rule in the 1:1 NAT module and ClearOS takes care of the rest.
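To make the 'function aware' idea concrete, here is an added model of how a rule generator can derive a rule set from the mode plus the interface roles, and how a single One-to-One NAT entry expands into the several low-level rules other firewalls make you write by hand. This is illustrative code written for this page, not ClearOS's own firewall implementation; the mode names, interface names, addresses and the way inside zones are treated are assumptions (inter-zone rules such as HotLAN isolation are not modelled).

```python
"""Model of a 'function aware' firewall layout (added example, not
ClearOS's own firewall code).  Given the mode and the role of each
interface it returns the iptables commands a rule generator would emit,
and shows how one One-to-One NAT entry expands into several low-level
rules.  Interface names and addresses are constructed sample values."""

ROLES = ("External", "LAN", "DMZ", "HotLAN")
CT_OK = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"


def zone_policy(mode, roles, open_ports=()):
    """Rules implied by mode and interface roles.

    mode:       "private_server", "public_server" or "gateway"
    roles:      {"eth0": "External", "eth1": "LAN", ...}
    open_ports: TCP ports to expose on External (Public Server / Gateway)
    """
    bad = [r for r in roles.values() if r not in ROLES]
    if bad:
        raise ValueError(f"unknown interface role(s): {bad}")
    if mode == "private_server":
        # Hosts on the network are trusted: no filtering at all.
        return ["iptables -P INPUT ACCEPT", "iptables -P FORWARD ACCEPT"]
    if mode not in ("public_server", "gateway"):
        raise ValueError(f"unknown mode {mode!r}")

    rules = ["iptables -P INPUT DROP", f"iptables -A INPUT {CT_OK}"]
    ext = [i for i, r in roles.items() if r == "External"]
    for iface in ext:
        # External always means Internet-facing: only explicitly opened
        # services are reachable; the default policy drops the rest.
        for port in open_ports:
            rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} -j ACCEPT")
    if mode == "public_server":
        # A standalone server never routes, so forwarding stays closed.
        rules.append("iptables -P FORWARD DROP")
        return rules

    # Gateway: routed packets from LAN/DMZ/HotLAN are filtered as well.
    rules.append("iptables -P FORWARD DROP")
    rules.append(f"iptables -A FORWARD {CT_OK}")
    for iface, role in roles.items():
        if role != "External":
            # Services on the gateway itself are reachable from inside
            # (assumption of this model; HotLAN isolation is not shown).
            rules.append(f"iptables -A INPUT -i {iface} -j ACCEPT")
            for out in ext:
                # Inside zones may initiate sessions toward the Internet.
                rules.append(f"iptables -A FORWARD -i {iface} -o {out} -j ACCEPT")
    return rules


def one_to_one_nat(public_ip, private_ip, ext_iface, ports=None):
    """Expand a single 1:1 NAT definition into the rules it implies.

    Elsewhere the administrator writes the alias, the inbound DNAT, the
    outbound SNAT and the forward rules separately; here one entry
    produces all of them.  ports=None forwards every port to the host.
    """
    rules = [
        # Inbound: traffic for the public address is rewritten to the host.
        f"iptables -t nat -A PREROUTING -i {ext_iface} -d {public_ip} "
        f"-j DNAT --to-destination {private_ip}",
        # Outbound: the host leaves with its own public address.
        f"iptables -t nat -A POSTROUTING -o {ext_iface} -s {private_ip} "
        f"-j SNAT --to-source {public_ip}",
    ]
    if ports is None:
        rules.append(f"iptables -A FORWARD -i {ext_iface} -d {private_ip} -j ACCEPT")
    else:
        for port in ports:
            rules.append(f"iptables -A FORWARD -i {ext_iface} -d {private_ip} "
                         f"-p tcp --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for line in zone_policy("gateway", {"eth0": "External", "eth1": "LAN"}, [443]):
        print(line)
    for line in one_to_one_nat("203.0.113.10", "192.168.1.10", "eth0", [80, 443]):
        print(line)
```

The point of the model is the shape of the output, not the exact iptables syntax: the administrator states intent (mode, roles, one NAT mapping) and the generator owns the packet-flow details, which is also why hand edits to the generated rules are fragile.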
Routing and MultiWAN
One of the important features of ClearOS is the ability to use multiple Internet Service Providers in order to balance traffic or as a backup. Because of this, you need to make other systems, such as the firewall, aware of your changes. With ClearOS you can use the standard IP routing methods available to Linux or you can use IPRoute2. Because ClearOS must properly identify zones and routes for traffic, you may need to edit files by hand for advanced configuration. Please contact support if you need assistance, or ask the ClearOS Community.
Add-on products, features, and 3rd party applications
Because ClearOS is able to perform as a UTM, many applications exist in the ClearOS Marketplace to enhance your security. Even if you are using ClearOS as a Standalone Public Server, these applications can benefit you. For example:
Intrusion Detection and Prevention
This is also called IDS/IPS. This app is an implementation of Cisco's Snort on ClearOS. These two apps comprise the engine for detection and the engine for prevention/reactive support. It also contains very old pattern files so make sure to get the updates.
These updates are critical for Intrusion Detection and Prevention to work well in the modern era. ClearCenter resells homegrown and official Snort rules by subscription for a reasonable fee.
Attack Detector is a framework and a threat prevention tool. Unlike IDS/IPS, it looks at the security logs for services like SSH and SMTP to see if an attacker is attempting to brute force their way into a login. If so, they are blocked by the firewall.
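The log-driven approach described above, as an added example written for this page (not ClearCenter's Attack Detector code): it scans sshd and Postfix log lines, counts failed logins per source address within a sliding time window, and returns the addresses that cross a threshold together with the firewall command that would block them. The log lines, the threshold of 5 failures and the 60-second window are constructed sample values.

```python
"""Attack Detector style brute-force detection over service logs (added
example; not ClearCenter's Attack Detector code).  Counts failed logins
per source address inside a sliding window and returns the addresses
that cross the threshold, together with the firewall command that would
block them.  The log lines below are constructed samples in syslog
format; threshold and window are assumed values."""

import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 10:15:01 gw sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:15:03 gw sshd[2213]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 10:15:04 gw sshd[2215]: Failed password for root from 198.51.100.23 port 51041 ssh2
Mar  3 10:15:06 gw sshd[2217]: Failed password for invalid user test from 198.51.100.23 port 51057 ssh2
Mar  3 10:15:09 gw sshd[2219]: Failed password for root from 198.51.100.23 port 51063 ssh2
Mar  3 10:15:20 gw sshd[2221]: Failed password for alice from 192.0.2.7 port 40010 ssh2
Mar  3 10:15:30 gw sshd[2223]: Accepted password for alice from 192.0.2.7 port 40011 ssh2
Mar  3 10:16:00 gw postfix/smtpd[2300]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:16:01 gw postfix/smtpd[2300]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:16:02 gw postfix/smtpd[2300]: warning: unknown[203.0.113.77]: SASL LOGIN authentication failed: authentication failure
"""

# One failure pattern per monitored service; each captures the source as "ip".
PATTERNS = {
    "ssh":  re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)"),
    "smtp": re.compile(r"smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
}
TS = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def parse_timestamp(line, year=2024):
    """Syslog timestamps carry no year; the caller supplies one."""
    m = TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def detect(log_text, threshold=5, window_seconds=60):
    """Return {ip: (service, failures_in_window)} for every source that
    reaches `threshold` failed logins inside `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        for service, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            ip, ts = m.group("ip"), parse_timestamp(line)
            window = recent[ip]
            window.append(ts)
            # Forget failures that have aged out of the sliding window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = (service, len(window))
    return flagged


def block_rules(flagged):
    """Firewall commands that would drop the flagged sources."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ip, (service, count) in hits.items():
        print(f"{ip}: {count} {service} failures in window")
    for rule in block_rules(hits):
        print(rule)
```

With the constructed log, only 198.51.100.23 (five SSH failures in eight seconds) is flagged at the default threshold; the single failure from 192.0.2.7 followed by a successful login is ordinary user behaviour, and the three SMTP failures from 203.0.113.77 only trigger if the threshold is lowered. Tuning those two numbers per service is the main operational knob: too low and legitimate users are locked out, too high and slow brute-force attempts pass underneath the window.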
Filtration and Egress Control apps
Several apps in the Marketplace are specifically geared to control how and what information can flow out of your network and even at what rate.
Gateway Management is a rockstar kind of app on ClearOS. What it does for filtration is simply amazing. Primarily it is a DNS filter and as such, does not play well with the Proxy Server and Content Filter. Gateway Management is far more than a DNS filter though; the DTTS (Don't Talk To Strangers) feature ties DNS to the firewall and blocks traffic that should not egress from your network. If you want to stop users from VPN…done. Proxies…handled. Botnets…not a chance. Quite simply, if you are not running this app yet, you aren't doing IT right.
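The 'Don't Talk To Strangers' idea of tying DNS to the firewall, as an added model written for this page (not the Gateway Management app's code): the gateway only lets a client open a connection to an address that client recently received in a DNS answer, so a blocked name never yields a usable address and a hard-coded destination that was never resolved is dropped. The class name, the blocklist, the grace period and all names and addresses are constructed assumptions.

```python
"""Model of a 'Don't Talk To Strangers' egress check (added example; not
the Gateway Management app's code).  The DNS filter step refuses blocked
names and records the answers it does hand out; the firewall step only
accepts a new outbound connection whose destination the same client
learned through DNS and whose answer has not expired.  Names, addresses,
TTLs and the grace period are constructed values."""


class StrangerGuard:
    def __init__(self, blocked_names=(), grace=30):
        self.blocked = set(blocked_names)   # domains the DNS filter refuses
        self.grace = grace                  # seconds of slack beyond the TTL
        self._seen = {}                     # (client, address) -> (name, expires_at)

    def _is_blocked(self, name):
        return name in self.blocked or any(name.endswith("." + b) for b in self.blocked)

    def resolve(self, client, name, address, ttl, now):
        """DNS filter step.  `address` stands in for the upstream answer.
        Returns the address handed to the client, or None when the name
        is blocked (so the client never learns a usable destination)."""
        if self._is_blocked(name):
            return None
        self._seen[(client, address)] = (name, now + ttl + self.grace)
        return address

    def decide(self, client, dst, now):
        """Firewall step for a NEW outbound connection from `client` to `dst`.
        Returns ("ACCEPT", name) or ("DROP", reason)."""
        entry = self._seen.get((client, dst))
        if entry is None:
            return ("DROP", "destination was never resolved through the gateway DNS")
        name, expires_at = entry
        if now > expires_at:
            return ("DROP", f"DNS answer for {name} has expired")
        return ("ACCEPT", name)


if __name__ == "__main__":
    guard = StrangerGuard(blocked_names=["vpn-provider.example"])
    pc = "192.168.1.20"
    guard.resolve(pc, "www.example", "198.51.100.5", ttl=300, now=1000)
    print(guard.decide(pc, "198.51.100.5", now=1010))    # resolved: ACCEPT
    print(guard.decide(pc, "203.0.113.9", now=1010))     # never resolved: DROP
    print(guard.resolve(pc, "gw.vpn-provider.example", "203.0.113.50", ttl=60, now=1020))
    print(guard.decide(pc, "203.0.113.50", now=1025))    # blocked name: DROP
```

Two design points are worth noting. The table is keyed per client as well as per address, so one host resolving a name does not open that destination for every other host on the LAN. And the entry expires at TTL plus a small grace, because clients legitimately reuse a cached answer for the whole TTL but should not keep talking to an address indefinitely after the name moved.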
Proxy Server and Content Filter
The Proxy Server lies at the heart of content filtration and serves the role of an intermediate cache so that a page or content object can be held in memory or on disk for inspection.
The Content Filter engine in ClearOS uses DansGuardian to analyze page content or URL lists to classify page content. You can then block specific types of malicious content, inappropriate material, or other categories. The Content Filter uses a layered approach which includes:
In order to filter both HTTP and HTTPS, you need to use the Proxy Server in a Non-Transparent Mode. In transparent mode, filtering only occurs on HTTP.
AntiMalware and Anti-Phishing
Gateway Antimalware plugins are available for the proxy and content filter. Pattern updates are available from the open source community, for purchase from ClearCenter, or from 3rd party providers.
Application Filter and Protocol Filter
The Application Filter app and the Protocol Filter app are related in functionality. In fact, the same engine is used in the upcoming new application Netify. These filters work by watching the streams of data and can block certain types of traffic above and beyond simple port-blocking. These apps represent the replacement technology for the former L7-Filter app.
You don't normally think of Quality of Service as a security app, but controlling the flow of data helps mitigate a Distributed Denial of Service (DDoS). By placing limits on the ability of an application or service to saturate your network, you can protect critical apps and services from a DDoS attack.
ClearOS has several VPN applications to choose from. Some are more applicable to site-to-site type connections and others are useful for road warriors and remote workers.
Dynamic VPN is an IPSec-based service that is dynamically negotiated with ClearCenter acting as an enablement cloud. While this service requires public IP addresses on both ends of the tunnel, neither end needs to be static. By far, this is the fastest way to onboard VPN with ClearOS in a 'set it and forget it' model.
Static IPSec VPN for Business
If you need interoperability with other types of IPSec standard equipment, this is your app. This application allows you to define granular controls for VPN so that you can connect to other types of commercial VPN and Open Source VPN solutions based on IPSec.
OpenVPN is designed in ClearOS to function as a two-factor authentication road warrior VPN. It is lightweight, fast, and highly respected as the ideal VPN solution for many situations. It works well if your server is behind NAT and you have to port forward to it. The log files are very detailed, so if you run into trouble it is easier to see what is going on compared to other VPN solutions.
While Road Warrior VPN is the default here, you can make custom files from command line that will support Site-to-Site configuration.
This technology exists for backwards compatibility. You should NOT use it if you have other options, because it is broken and has been for some time. It is easy to use and the client comes standard on many operating systems (although it is being actively deprecated in many operating systems and will not likely appear in future versions of ClearOS).
Against our better judgment and yours, here is the documentation (again, use something else please!!!)
Some apps are specifically targeted at hardening your environment.
Security alerts and errata
Security alerts and vulnerabilities in ClearOS and other ClearCenter projects are logged in the Vulnerabilities Overview section of the documentation site. Please submit a ticket if you receive an audit report that details any vulnerabilities which are not yet tracked.
Upstream vulnerabilities are handled through the open source community and through packages directly from CentOS. For a list of packages that differ between CentOS and ClearOS, please review the ClearOS Packaging document.
For third party applications, please reference that company's security policies or contact ClearCenter Support for assistance in finding the responsible support and security provider for that app.