07:44 01.11.2005

SCO's OpenServer 6 picks up security, but needs polish

The recently released OpenServer 6 leverages updates to a newly minted System V Release 5 kernel, performs reasonably well in the 32-bit realm and supports new features. However, SCO needs to take some time to smooth out some functionality details.

OpenServer 6 exhibited no difficulty in identifying the hardware on any of the platforms we used for testing. There is no specific provision for 64-bit processors, but OpenServer 6 found and used our dual and multi-CPU 64-bit machines, driving those processors in x86/32-bit mode. USB printers aren't correctly supported, but SCO says it is addressing that issue. The lack of full support for PXE boot or any other network installation method in this version of the operating system is a shortcoming.

User administration initially struck fear into us, as we found that a user can be created with any password length above three characters. Subsequently, we found that when users change their passwords, those selections can be highly constrained through the SCO Security Profile Manager utility to suit high standards for password dictionary attack prevention that the underlying SVR5 supports. OpenServer 6 lets administrators force passwords with added characters, numbers and randomness.

The only real change to the standard open source bundle (which typically comprises Apache, Tomcat, Java, Java Server Pages, Mozilla, Samba, PostgreSQL and MySQL) included with OpenServer 6 is that Apache 2.0.3 is installed to serve up help files that are HTML representations of the actual OpenServer 6 system documents. This implementation is annoying, however: the pages contain "localhost" references that restrict the HTML files to browsers running on the host itself, so there is no remote administrative access to them. The documents also incorrectly describe how to get SCO's DocView, a help/file viewer, to work.

Security measures

OpenServer 6 uses a hardened kernel but we could find no documentation on the hardening method. We noted and tested that the kernel has run-time loadable drivers, which might make it vulnerable to malicious drivers.

The integral firewall employs network address translation and specific port admittance control, and performs stateful inspection. The underlying programs are the BSD-licensed IP Filter (ipf) suite. All of the components of IP Filter are present except the ipftest module, which, while useful, is a rule-testing application that is better replaced by external penetration-testing tools.

The OpenServer 6 default firewall rules are good. No threatening holes are left open in default settings as our tests demonstrated.

Security for applications and processes is aided by a multi-tiered privilege hierarchy for users and processes, a trend that we've seen in Red Hat Advanced Server, SuSE Linux Enterprise Server and other recent operating system releases. As an example, individual commands, such as the file/folder permission-granting chmodstet/cb command, can be added to or removed from an executable's permission list for individual users. Unfortunately this cannot be done for groups, which could make administration of large systems tedious, because every change must be made user by user.

Many system commands with security implications are covered, but we were unable to find a method to add commands to OpenServer 6's otherwise comprehensive list. While easy to manage, this root-or-user selection process for security permissions is limiting.

SCO's OpenServer now supports -based VPN connections. We found that VPN setup was simple and the feature easy to use. This permits encrypted VPN sessions for remote worker or remote branch connectivity support, if intervening firewalls permit this connectivity.

It's also possible to make and mount an encrypted file system either for application or personal (not group) use. We created an encrypted file system, mounted the file system, then populated it with files. We discovered that on our fastest test platform ( ), the file system encryption didn't have much of an effect on system performance, even when we spawned more than 100 concurrent read/write file actions with a script.

In addition to the new file encryption method, a commercialized version of the Veritas File System, VxFS 5 (also called Journaled File System), becomes the default root file system. VxFS supports very large files and, resources permitting, up to 8 exabytes of storage within a single file system, although SCO quotes 1TB as a practical maximum. We also could mount NFS V3 and AFS (Acer Fast file system), as well as the usual FAT, FAT 16 and Windows NT File System volumes.

Performance

OpenSSL and OpenSSH are now supported with OpenServer 6, and we tested server performance with an OpenSSL-backed, unoptimized Apache server using Spirent Communications' Avalanche gear. This test, which builds rudimentary SSL transactions and page reads over a 10-minute period, exercises a system's CPU, its cache management, and its ability to build and maintain secure Web-based HTTP transactions.

OPENSERVER 6.0.0 MAINTENANCE RELEASE 1

OVERALL RATING: 3.5

Company: SCO
Cost: Enterprise Edition (10 users, up to 4 CPUs) $1,399.
Pros: Mainstream open source application support; improved security; decent 32-bit performance.
Cons: Runs in 32-bit mode only; presents small bugs and limitations.

The breakdown (category, weight, score):
Installation/integration    25%   4
Performance                 25%   3
Management/administration   25%   3.5
Security                    25%   3.5
TOTAL SCORE                       3.5

Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar
Compared with its 32-bit alternatives, SCO OpenServer 6 performed well. For example, OpenLinux 6 maintained 54,208 transactions per minute over 10 minutes compared with Novell's SLES 9.0, which registered 57,961 per minute in that same time period.

However, as might be expected, it was badly beaten in our tests by the 64-bit operating system kernels from Sun Solaris, Novell/SuSE Linux Enterprise Server and Red Hat Advanced Server, which all achieved performance numbers between 59% and 133% higher than those OpenServer 6 posted in our tests.

We also tested OpenServer 6 on our Polywell 2200s 64-bit dual AMD64 platform (in 32-bit mode, as noted) with two other performance tests that measure its ability to build and hold network connections. In these tests, OpenServer 6 was almost on par with the numbers Red Hat Enterprise Linux 4 (32-bit) posted, both in the maximum number of open TCP connections it could maintain (OpenServer hit 89,519 connections compared with RHEL 4's 90,745) and in the maximum number of new TCP connections per second it could register (OpenServer could hold 1,664 connections per second compared with RHEL 4's 1,890). But again, compared with RHEL 9's performance in 64-bit mode, OpenServer 6 falls well behind.

OpenServer 6 offers many of the popular niceties of its Linux competitors. And with its built-in Unix legacy, it will offer a familiar feel to some. But the lack of a 64-bit kernel, a comparatively high price, small oddities and a strange licensing model should certainly raise questions about this product.

Henderson is principal researcher for ExtremeLabs of Indianapolis. He can be reached at . Laszlo Szenes contributed to this story.

Henderson is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to .


www.networkworld.com/