Free Republic

Comparing security on Windows and Linux
SearchEnterpriseLinux.com ^ | 30 June 2005 | Peter Harrison

Posted on 07/04/2005 4:11:57 PM PDT by ShadowAce

Software security is quite often a subjective measure, mainly because there is the risk of a security vulnerability being created with every line of programming code. Each vulnerability has a degree of severity which may or may not be important to the end user. The result is an infinite number of interpretations of security, especially in a complex application such as an operating system like Windows or Linux.

A more objective method of rating security is to track the number of bug fixes issued for a particular software suite. When compared to Linux, Windows appears to be more prone to flaws by this measure. Recent U.S. Computer Emergency Readiness Team (CERT) vulnerability metrics reported 250 episodes for Microsoft Windows, 39 of these having a severity rating of 40 or greater. With Red Hat Linux there were only 46 episodes, of which only 3 scored over 40. There are thousands of reports comparing the two operating systems, but a report like this from an independent government body, on the relative number of critical flaws between them, should be given the greatest consideration.

There are good reasons for this difference in security. For instance, Linux's open source methodology of software development helps to expose errors more easily. This is an advantage Windows doesn't possess. Another disadvantage with Windows is that many of its core applications rely on the use of remote procedure calls (RPC), a method of inter-computer communication that unpredictably and dynamically assigns communications channels. This forces firewall rules to be less rigid than they need to be in comparison with operating systems like Linux that limit the use of RPC.

There are security differences that are visible exclusively for end users, not just systems administrators. For example, Windows is certainly more prone to viruses with most end users having to invest in antivirus software to keep their systems safe. More recently, Windows has seen the intrusion of spyware that can surreptitiously obtain and/or distribute personal information about you to others after it has been unwittingly downloaded and activated during Web browsing. Microsoft has recently purchased antivirus and antispyware companies to help counter this threat.

It is possible to operate Windows and Linux with administrator and regular user accounts, but many third-party Windows applications don't strictly adhere to this distinction, and often need to be run by users with administrator privileges to operate correctly. Viral attacks initiated by these users therefore become more damaging. Linux applications usually respect this security requirement and are therefore less susceptible to such exploits.

Windows also suffers from its developers' desire to create a simple-to-use, highly intuitive system, but this has been achieved at the expense of comprehensive security. It also has the handicap of needing to be backward compatible with older, less secure versions, a shortcoming that Linux hasn't faced yet.

Linux does have its security weaknesses; the most common one I see is its lack of reliable native support for some leading edge technologies. Manufacturers generally develop their hardware and associated driver software for use by the Windows majority. The Linux community usually has to reverse engineer these products to make them compatible with the open source operating system and this sometimes makes their first efforts unpredictable. In some cases, acceptable Linux hardware compatibility can lag that of Windows by months or even years. Fortunately this is becoming less problematic with the likes of IBM and Novell backing the open source standard to help streamline the compatibility process.

External to its GUI façade, the Linux command line is complex and often not very intuitive. This can deter administrators from securing their systems correctly because of the perceived difficulty. Linux is primarily used as a network-enabled operating system, and a default installation can unnecessarily activate many network-enabled applications. This can create unknown areas of weakness that could be exploited. Fortunately, these and other weaknesses have been improved upon by stricter default security and simpler command line utilities that make administration easier.

It is always best to know the relative strengths of both operating systems and choose them according to the overwhelming needs of your business while taking sufficient precautions to make each secure.

On the plus side for Linux, there are many types of Linux based tools available to improve security. The Nessus vulnerability scanner can check for networking related flaws on remote systems as well as missing software patches and other flaws on systems on which it is installed. Nessus should be used to test newly installed systems and also production servers during scheduled maintenance periods.

The nmap utility is another, though less comprehensive, network scanner that is installed by default in Linux. It can also be very useful for IT staff who are not yet comfortable with the configuration of Linux software.

Highly security conscious companies will connect Ethernet taps to the protected interfaces of firewalls to which they also attach special packet inspection servers that can then watch network traffic as it passes by. Tools, such as ACID, can then analyze this information and match it against known attacks that can pass through firewalls.

ACID can create e-mail alerts and through its Web GUI it can also display detailed information on packet streams that seem suspicious. I'd recommend this product for any company that can justify an employee with dedicated responsibility for IT security. ACID can create a great deal of false positive reports and needs to be tuned continuously.

Irrespective of the operating system used, implementing inappropriate practices can potentially compromise your business continuity. Inadequate backups, poor password policies, shared user accounts and security projects that don't include multi-disciplinary teams and infrequent audits -- to name a few -- should be avoided wherever possible.

Linux security is a holistic entity and businesses should not limit their precautions to only the characteristics of the operating system.


TOPICS: Technical
KEYWORDS: linux; microsoft; security

1 posted on 07/04/2005 4:11:57 PM PDT by ShadowAce

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

This is a fairly balanced article about security. Read it, please, before commenting.


2 posted on 07/04/2005 4:12:49 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Crosslinked to my general-purpose browser, malware, OS, and tech post:

Browser Wars, take two
various FR links | 12-22-04 | The Heavy Equipment Guy
http://www.freerepublic.com/focus/news/1306815/posts


3 posted on 07/04/2005 4:38:29 PM PDT by backhoe (Just an old Keyboard Cowboy, ridin' the trackball into the Sunset...)

To: ShadowAce
Very good read except this part

Linux is primarily used as a network enabled operating system and a default installation can unnecessarily activate many network enabled applications.

This is true for many distros but it varies. RHEL will install an http server, mail server, ftp server, etc. in its 'default' (anyone who does a default in any OS (RHEL or other) needs to stop administering systems) but they are not on by default.

4 posted on 07/04/2005 5:13:59 PM PDT by N3WBI3 (I musta taken a wrong turn at 198.182.159.17)

To: N3WBI3

If you EVER, EVER see something called "Spy Sheriff"...do NOT NOT NOT ever, ever, click on it...my DW did this today on my daughter's laptop...and it is the most destructive malware I've ever seen. Had to format and reinstall everything. The clean ups I found were just to horrible to contemplate.

I run Mozilla on MY machine...with AVG, ZoneAlarm, but the daughter hadn't bothered to reinstall all that after her last TrojanHorse...Unnggggghhhh!

Happy Fourth!


5 posted on 07/04/2005 5:22:59 PM PDT by GRRRRR (I've Had it with the Islamofascists...time to put em away for good!)

To: ShadowAce

Thanks for the ping.


6 posted on 07/04/2005 8:21:40 PM PDT by clyde asbury

To: ShadowAce

"This forces firewall rules to be less rigid than they need to be in comparison with operating systems like Linux that limit the use of RPC."

As you know, I am a big UNIX fan... but this statement is just ignorant.

Both Windows and UNIX utilize an RPC Locator service.

On UNIX, this is port 111. On Windows, this is port 135.

They both point to ephemeral ports used by other processes. On UNIX, this might be NFS, for example. On Windows, it might be something like MS-MQS.

In either case, an internet connected system should have both ports blocked. Furthermore, on either OS, software firewall software can be configured to allow access only from trusted systems with a need to connect to these ports.

They are both pretty much equivalent in terms of risk.


7 posted on 07/04/2005 8:28:26 PM PDT by adam_az (It's the border, stupid!)
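The point made in the article's opening post about RPC and firewall rules, and in this reply that the locator ports (111 on UNIX, 135 on Windows) only point at ephemeral ports, is easiest to see with a small policy check. The block below is an added example, not code from the article or from either poster: it parses a constructed `rpcinfo -p` listing and evaluates two constructed firewall policies against it. The service list, addresses and policies are all assumptions made up for the illustration; the same check applies unchanged to a Windows host if port 135 and the endpoint mapper's dynamic port range are substituted.

```python
"""Which RPC-registered services can a given source reach under a
first-match firewall policy?  Added illustration; the rpcinfo output
and both policies are constructed, not taken from a real host."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of `rpcinfo -p` on a UNIX host.
# The high-numbered ports are the ephemeral ones the portmapper hands out.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   udp  32769  mountd
    100021    1   tcp  32803  nlockmgr
"""


@dataclass(frozen=True)
class RpcService:
    program: int
    version: int
    proto: str
    port: int
    name: str


def parse_rpcinfo(text: str) -> List[RpcService]:
    """Parse the five-column rpcinfo -p listing; the header line is skipped."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        prog, vers, proto, port, name = fields
        services.append(RpcService(int(prog), int(vers), proto, int(port), name))
    return services


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    port: Optional[int] = None   # None matches every destination port


def evaluate(rules: List[Rule], src_ip: str, proto: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip not in ipaddress.ip_network(r.src):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "deny"


def reachable(services: List[RpcService], rules: List[Rule],
              src_ip: str) -> List[Tuple[str, int, str]]:
    """Sorted (proto, port, name) of services the source can connect to."""
    hits = {(s.proto, s.port, s.name) for s in services
            if evaluate(rules, src_ip, s.proto, s.port) == "allow"}
    return sorted(hits)


# Policy A (constructed): only the locator port is blocked, all else open.
BLOCK_LOCATOR_ONLY = [
    Rule("deny", "0.0.0.0/0", port=111),
    Rule("allow", "0.0.0.0/0"),
]

# Policy B (constructed): default deny, trusted internal range allowed in.
TRUSTED_ONLY = [
    Rule("allow", "10.0.0.0/8"),
]

if __name__ == "__main__":
    svcs = parse_rpcinfo(RPCINFO_SAMPLE)
    for label, policy in (("block 111 only", BLOCK_LOCATOR_ONLY),
                          ("trusted only", TRUSTED_ONLY)):
        for src in ("198.51.100.7", "10.1.2.3"):
            print(f"{label:15} from {src:13}: {reachable(svcs, policy, src)}")
```

Under policy A an Internet source can no longer query the portmapper, but nfs, mountd and nlockmgr are still directly reachable on the ports it handed out, which is the "ephemeral ports" problem both posts describe. Policy B, default deny with only trusted sources allowed, is what the reply recommends for either OS.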

To: ShadowAce; Weirdad; enotheisen; Quix; agitator; Ed_in_NJ; 1234; American_Centurion; ...

This article is a stinker, dude.

"On the plus side for Linux, there are many types of Linux based tools available to improve security. The Nessus vulnerability scanner can check for networking related flaws on remote systems as well as missing software patches and other flaws on systems on which it is installed. Nessus should be used to test newly installed systems and also production servers during scheduled maintenance periods."

Nessus really sucks since Tenable took it over.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1034903,00.html

It's also no longer free.

"The nmap utility is another, though less comprehensive, network scanner that is installed by default in Linux. It can also be very useful for IT staff who are not yet comfortable with the configuration of Linux software."

Less comprehensive? It's a port scanner with banner grabbing and flag setting features. It's also available for Win32.

http://www.insecure.org/nmap/nmap_download.html

"Highly security conscious companies will connect Ethernet taps to the protected interfaces of firewalls to which they also attach special packet inspection servers that can then watch network traffic as it passes by. Tools, such as ACID, can then analyze this information and match it against known attacks that can pass through firewalls."

ACID is just a front end for Snort, www.snort.org. On its own, it does nothing. Building, deploying, tuning, maintaining, and monitoring an NIDS system is nothing to take lightly. It is NOT easy to find a well trained IDS analyst. Most organizations are far better served by paying for managed outsourcing of NIDS, since most commercial systems now also feature IPS, intrusion prevention systems, as well.

"ACID can create a great deal of false positive reports and needs to be tuned continuously."

The tuning is through SNORT, not through ACID. I actually built and deployed a production Snort/ACID system a couple years ago because I had limited budget to work with. It had several sniffers with 1GB ethernet cards plugged into switch span ports. It took several months to get it well tuned, throttled, and reporting in a useful way. This included writing some PHP code of my own to get it to do things it doesn't do by default. It's a great system, but VERY manual and not for someone who is not already an expert at IDS analysis and network forensics, as well as experienced with UNIX.

This article, full of fallacies and half-truths, is NOT a good form of UNIX advocacy!

(Hi to the Infosec ping list! 1 or 0, for on or off!)


8 posted on 07/04/2005 8:40:31 PM PDT by adam_az (It's the border, stupid!)
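The poster's point that tuning belongs in Snort rather than ACID can be made concrete with the two mechanisms Snort provides for it: per-source rate limiting of a signature (an `event_filter`/`threshold` entry of `type limit, track by_src`) and suppression of a known-benign source (`suppress ... track by_src, ip ...`). The block below is an added example, neither the poster's PHP nor Snort's code: it parses a handful of constructed alert lines in Snort's fast-alert layout and applies both filters in Python, so the effect on alert volume can be seen before anything reaches a console. Signature IDs, addresses and the choice of which source to suppress are assumptions.

```python
"""Reimplements, for illustration, Snort-style per-source rate limiting and
source suppression over constructed fast-alert lines.  Added example; the
alerts are made up, not captured traffic."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed alerts in Snort's fast-alert layout. One noisy signature from a
# single source, plus an SNMP signature fired by an in-house poller and by
# an outside host.
ALERT_LOG = """\
07/04-20:40:01.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 10.0.0.5:80
07/04-20:40:05.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 10.0.0.5:80
07/04-20:40:09.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 198.51.100.7:40003 -> 10.0.0.5:80
07/04-20:41:30.000000  [**] [1:1000001:1] CONSTRUCTED web probe [**] [Priority: 2] {TCP} 198.51.100.7:40004 -> 10.0.0.5:80
07/04-20:41:31.000000  [**] [1:1000002:1] CONSTRUCTED SNMP poll [**] [Priority: 3] {UDP} 10.0.0.9:161 -> 10.0.0.5:161
07/04-20:41:32.000000  [**] [1:1000002:1] CONSTRUCTED SNMP poll [**] [Priority: 3] {UDP} 203.0.113.4:5555 -> 10.0.0.5:161
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


@dataclass
class Alert:
    t: float          # seconds since a fixed reference, for window arithmetic
    sid: int
    msg: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_alerts(text: str) -> List[Alert]:
    """Parse fast-alert lines; anything that does not match is ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        # Fast alerts carry no year; every line is treated as the same year.
        dt = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
        t = (dt - datetime(1900, 1, 1)).total_seconds()
        alerts.append(Alert(t, int(m["sid"]), m["msg"], m["src"],
                            int(m["sport"]), m["dst"], int(m["dport"])))
    return alerts


@dataclass(frozen=True)
class Suppress:      # drop this signature entirely when it comes from src_ip
    sid: int
    src_ip: str


@dataclass(frozen=True)
class Limit:         # at most `count` alerts per `seconds`, tracked per source
    sid: int
    count: int
    seconds: int


# Constructed tuning: the in-house poller is a known false positive.
SUPPRESSIONS = [Suppress(1000002, "10.0.0.9")]
LIMITS = [Limit(1000001, count=1, seconds=60)]


def apply_filters(alerts: List[Alert], suppressions: List[Suppress],
                  limits: List[Limit]) -> List[Alert]:
    """Return the alerts that survive suppression and per-source limiting."""
    suppressed = {(s.sid, s.src_ip) for s in suppressions}
    limit_for = {l.sid: l for l in limits}
    windows: Dict[Tuple[int, str], Tuple[float, int]] = {}
    kept = []
    for a in alerts:
        if (a.sid, a.src_ip) in suppressed:
            continue
        lim = limit_for.get(a.sid)
        if lim is not None:
            key = (a.sid, a.src_ip)
            start, n = windows.get(key, (None, 0))
            if start is None or a.t - start >= lim.seconds:
                start, n = a.t, 0          # open a new window
            n += 1
            windows[key] = (start, n)
            if n > lim.count:
                continue                    # over the limit for this window
        kept.append(a)
    return kept


if __name__ == "__main__":
    before = parse_alerts(ALERT_LOG)
    after = apply_filters(before, SUPPRESSIONS, LIMITS)
    print(f"{len(before)} alerts in, {len(after)} out")
    for a in after:
        print(a.sid, a.msg, a.src_ip, a.src_port)
```

Six alerts go in and three come out: the web probe is reported once per 60-second window per source rather than on every packet, the poller's SNMP alert is gone, and the same signature from the outside host is still reported. Doing this in the sensor, as the poster says, is what keeps the console usable; doing it in ACID would only hide rows that were already written.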

To: ShadowAce

It reads like it was written by a Linux shill trying to sound unbiased.


9 posted on 07/04/2005 10:19:09 PM PDT by Still Thinking (Disregard the law of unintended consequences at your own risk.)

To: Still Thinking
It reads like it was written by a Linux shill trying to sound unbiased.

Actually, it sounds like someone with not quite enough knowledge of Linux. Most of his points are correct, if not completely current.

For example, while Linux distros in the past often installed things like NFS or Apache automatically, most Linux distros shipping today have nearly all of their listening services turned off by default.

And his comments on security tools indicate an amateurish level of skill. The best security tool I've found is still tcpdump. Some tools may help you identify where you need to start looking, but in the end it comes down to a trained pair of eyeballs looking at the packet traces.

On the other hand, your one-liner of an attack on it pretty well shows up who is the shill, and for which side.

10 posted on 07/05/2005 2:39:27 AM PDT by Knitebane (Happily Microsoft free since 1999.)

To: adam_az
Most organizations are far better served by paying for managed outsourcing of NIDS, since most commercial systems now also feature IPS, intrusion prevention systems, as well.

Actually, having recently worked for a managed IT security provider, I'd say that you are considerably worse off outsourcing your security to a third party.

Your best bet is to hire competent security engineers and let them watch your data.

Yes, that's expensive. But what's your data worth?

11 posted on 07/05/2005 2:42:45 AM PDT by Knitebane (Happily Microsoft free since 1999.)

To: adam_az
This article is a stinker, dude.

After reading your comments, I'll agree. I'm not a security expert.

This article, full of fallacies and half-truths, is NOT a good form of UNIX advocacy!

I didn't post it as a form of advocacy, but informational. Obviously I failed there too! :)

Thanks for your comments. I do enjoy reading informative posts by people who know what they're talking about.

12 posted on 07/05/2005 5:23:46 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Knitebane
On the other hand, your one-liner of an attack on it pretty well shows up who is the shill, and for which side.

You are incorrect. I really don't have a dog in the fight, emotionally speaking, and if I did it would be Linux, not Windoze. Several posters far more expert than I have pointed out issues with the article. I am not an expert and don't pretend to be; I was just rendering an opinion on how the author came across.

13 posted on 07/05/2005 6:56:09 AM PDT by Still Thinking (Disregard the law of unintended consequences at your own risk.)

To: Knitebane; N3WBI3; ShadowAce

"Actually, having recently worked for a managed IT security provider, I'd say that you are considerably worse off outsourcing your security to a third party."

If you want 24x7 NIDS coverage, you'd need to hire 5-7 people, which would cost $500k-$1,000,000 a year depending on the portion of the country and experience of the personnel.

In comparison, you can get that kind of coverage PLUS lease the hardware for $100k-$150k a year from a managed service provider. Economy of scale rocks! :)

" Your best bet is to hire competent security engineers and let them watch your data."

There is no guarantee that you will be able to attract more competent employees than a Managed Security Services provider would. It's really hard to find experienced IDS analysts. It's kind of a boring job, and the people who can do it well can also do more exciting things well. As a result, you have to pay a premium.

" Yes, that's expensive. But what's your data worth?"

If it's worth a lot, then it's worth having security in layers of detective and protective controls, which de-emphasizes the importance of any particular layer. The value of your data as a whole is kind of moot; it's the relative value of each information asset that determines the amount of available protective resource that each asset should receive... based on their relative values to the business.

ARO x SLE = ALE

Annual Rate of Occurrence x Single Loss Expectancy = Annual Loss Expectancy

Here is a decent looking article on the topic: http://www.windowsecurity.com/articles/Risk_Assessment_and_Threat_Identification.html


14 posted on 07/05/2005 9:12:42 AM PDT by adam_az (It's the border, stupid!)

To: adam_az

Great post adam..


15 posted on 07/05/2005 9:36:00 AM PDT by N3WBI3 (I musta taken a wrong turn at 198.182.159.17)

To: ShadowAce

Wow, I'm shocked that an article on a Linux website by a Linux book author would find that Linux has better security... /SARCASM


16 posted on 07/05/2005 1:48:00 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm))

To: adam_az
I'm well aware of the perceived benefits of outsourcing your data security. I watched salesmen sell the concept.

The problem is that the actual service provided by a Mangled Security Services provider is generally sub-standard.

Additionally, unless your security provider is going to have complete and total access to every device on your network, they will only be marginally effective at preventing attacks.

Once you outsource your security, the managed provider then has to examine data to determine if an attack has taken place. If it has, then what? You report it? To whom?

You've outsourced your security people, remember? The people you report it to need to be able to determine whether the attack that was seen is actually a problem on their specific network. Who's going to do that once you've outsourced your security?

Who's going to fix the problem? Who's going to determine if it's actually a problem on the types of devices you are running, at the patch level you are running, with the applications (some of them created in-house) that you are running?

Your managed security provider will have about 10 people (24x7 coverage requires about 11 people to be effective) to monitor data for several dozen companies, all of which are different and all of which are constantly changing.

Outsourcing security may look good on the books, but it's a chimera. All you'll do is outsource a person to blame. And eventually, there will be more things that require blame.

17 posted on 07/05/2005 2:16:41 PM PDT by Knitebane (Happily Microsoft free since 1999.)

To: Bush2000
No surprise there at all. What does surprise me is that it's taken so long for the Linux community to use the tactics that Microsoft has been using for years.

I mean, buying yourself a good review has been standard practice at One Redmond Way for a very long time. What's good for the goose is good for the gander, right?

Oh wait, that would only be right if Microsoft actually wanted to compete. Since they don't, any Linux website that advocates Linux will of course be shouted down by the Microweasles.

18 posted on 07/05/2005 2:22:51 PM PDT by Knitebane (Happily Microsoft free since 1999.)

To: Knitebane

" Once you outsource your security, the managed provider then has to examine data to determine if an attack has taken place. If it has, then what? You report it? To whom?"

I didn't say that - I said that outsourcing NIDS/HIDS/NIPS is a good idea for some organizations.

It would be reported to the security team poc at the customer. I never advocated outsourcing all security functionality, just some monitoring duties. This frees up the staff of the customer to do more productive activities.

Again, monitoring IDS is just one layer of what should be a multi-layered approach.

"Additionally, unless your security provider is going to have complete and total access to every device on your network, they will only be marginally effective at preventing attacks."

No, they just need access to their appliances, and those appliances need to be plugged into switch span ports.

IPS systems need access to agents running on individual systems - the vendor doesn't need direct access to the systems.


19 posted on 07/05/2005 4:12:38 PM PDT by adam_az (It's the border, stupid!)

To: Bush2000; Golden Eagle

"Wow, I'm shocked that an article on a Linux website by a Linux book author would find that Linux has better security... /SARCASM"

Please keep in mind my critique of this article the next time you criticize me as being an open source bigot.


20 posted on 07/05/2005 4:13:51 PM PDT by adam_az (It's the border, stupid!)

