Windows or Linux? - Choosing between the devil or a hard place
This article first appeared on SecurityNewsPortal.com
By: Sebastian
Network security cannot be left to chance these days. Given the throng of Internet connections across the globe, it is incumbent on businesses to make sure that their systems, no matter what operating systems or servers are involved, are patched, hardened and secure.
Then again, if it is up to individual organisations to protect what they have, perhaps the role of OS vendors is to strengthen the security features they offer. Just which vendor does this better is difficult to establish.
This is a very controversial subject, but this article does its best to untangle the knots involved in choosing between Windows and Linux.
While proponents of Linux systems maintain that the many security vulnerabilities and attacks coming to the fore are due to Microsoft's dominance in the market and its inherent vulnerabilities, others believe that Bill Gates' behemoth company is beginning to hold its own in acknowledging and addressing security issues. With fame, however, misfortune can follow.
"If we are talking serious, determined attacks on corporate data, rather than 'education' or ego-boosting web hacks, then Microsoft products may well get more hits," says Viktor Ozherelyev, program manager for Aelita Software's control migration suite. "I would attribute this to the fact that these products, unlike the vast majority of Linux installations, power internal business infrastructures. A recent study said that 90 per cent of business information worldwide is stored in Office documents, Word and Excel files residing on Windows NT/2000 servers."
From its beginnings some two decades ago, Microsoft has faced plenty of criticism when it comes to integrating security mechanisms into its offerings, but it is trying to correct this in today's web-connected world. For example, besides adding several of the latest security features to Windows 2000, Microsoft also recently released its first security product, an enterprise firewall and web cache, in the form of the Internet Security and Acceleration Server. On its web site, visitors can find a wealth of information about security issues, patches, tools, security partners and more.
"To me the thing that has really improved is the dedication to security and the commitment you see here, all the way from production groups to senior managers of the company," says Steve Lipner, product manager of the Microsoft Security Response Centre. "We can always do better and we can always improve. The commitment to continuous improvement is there."
In addition to this seeming change in Microsoft's approach to security, Linux has experienced some difficulties of its own. Although in the past, hack and virus attacks on corporate networks seemed to be expressly reserved for Windows-based systems, Linux, still considered by many to be a non-viable commercial-grade OS since it offers no standard system, is starting to experience more than its share of abuse from the hacker community. Whether it is Red Hat, Slackware, OpenLinux or Mandrake, the popular open source system is starting to feel some pain. No system is left untouched by attackers roaming the Internet anymore.
"From personal experience, the platform doesn't really matter," says Bruce Hartley, CEO and co-founder of e-business technologies inc. "What matters is how the platform is configured and whether or not it has been kept up to date with security patches, hot fixes, etc. If a Linux or NT system has been kept up to date and known vulnerabilities are patched, it makes it much harder to penetrate."
The Latest Proof
Similar to the Linux Ramen worm but much more lethal, the sophisticated, automated Lion worm shows just how real the problem is. Taking advantage of vulnerabilities in the Berkeley Internet Name Domain software (BIND, the code that runs DNS servers), the worm infiltrates a system to steal passwords, sending them to a China.com site. It installs hacking tools and uses the newly infected machine to search the Internet for other victims. Linux and Solaris servers, as well as Windows IIS boxes, have also been compromised by Russian and Ukrainian attackers in cyber-extortion attempts, which are currently being investigated by the FBI.
Highlighting these recent events, The SANS Institute's Stephen Northcutt noted in a recent newsletter that "Windows IIS servers and Linux and Solaris boxes are falling prey to attackers at an unprecedented rate." As such, administrators, commercial groups and government entities must form what he calls a defensive security community.
"The FBI's notice about widespread Russian and Ukrainian cyber-extortion, as well as the Lion worm breakout, clearly show that the defensive security community is losing ground to the attackers," Northcutt wrote in the SANS Training and GIAC Certification Update in March. "As a community, it is time for us to stop and say, 'This is where we draw the line.'"
Drawing the proverbial line depends heavily on how companies define their security programmes and keep their operating systems patched, not necessarily on which system they choose to run their operations.
"According to various reports, regular patching greatly reduces your risks of being humiliated by a casual hacker. More than 90 per cent of successful attacks exploit vulnerabilities discovered many months ago," says Aelita's Ozherelyev. "If you are not an easy target, then [the hacker] will move on to find one. But the really interesting aspect of security management is brought into focus when you try to take a holistic approach and architect a complex, usable yet secure environment. When you consider a deliberate, informed and motivated intruder who will use a variety of break-in tactics, security can and does get quite expensive."
Which is worse?
Both systems have vulnerabilities, but Linux supporters contend that it is their preferred system's open source code that makes it more secure. Because of its open nature, bad code can be diagnosed and evaluated much more easily.
"Over the last year or so, exploitable vulnerabilities in open source code, that have been there for a long time, have been discovered," Aelita's Ozherelyev says. "In the real world, I reject this claim that open source leads to security. The basic question about open source and systems like Windows is not, 'Could you look at the source code to detect vulnerabilities?', but, 'Does anybody look at the source code to detect vulnerabilities?'"
He adds that Microsoft pays professionals to do structured reviews of code to make sure everything is secure, whereas open source code, if it is examined at all, is reviewed only irregularly. Ozherelyev explains further that as Linux grows, so will news about potential problems.
Brad Robel-Forrest, senior engineer at WatchGuard Technologies, also says that it could be "technically possible to push a patch into a Linux distribution that enables a hole" because the code is open for all to view. Many weak spots in Windows, by contrast, may never be exploited because nobody outside Microsoft can look at the code.
"Open does not necessarily mean stronger. OS strength is derived from continually fixing 'interesting things'. And the interesting things are only exposed in demanding business environments. The Linux community will see a flood of bugs as this OS expands its coverage from basic networking services like DNS/DHCP to hosting critical pieces of business IT flow," he warns. "To sum up, source code accessibility is essential to fix a bug, but it is not by reading the code that you usually expose a bug. Deployment is stressful, demanding. Real-life environments where thousands of people depend on the installation make an OS a prime target for attacks and iron out 'undocumented features' very fast - provided, of course, the developers are responsive to bug reports."
Indeed, response time is the area where others say that Microsoft has been a bit unconcerned; the company seems slow to come forward with patches. The Linux community will publish a patch within days of discovery, explains Steven Schoch, president and CEO of StarNet Communications Corp. "With Windows, you often have to wait for the next release. The reason is that the number of competent security engineers with access to Linux source code is many times greater than the number with access to Windows source code," he adds.
Andy Evans, senior security engineer with Ecora, says that the Linux community is much better in responding to holes. On the other hand, even with its open source advantage, it is still getting hacked and has not fully proved itself just yet, he adds.
Other Microsoft challengers maintain that the company has produced a bevy of holes in its platforms in order to present a more user-friendly product; in its case, functionality takes precedence over strong security mechanisms. "Little surprise here: security risks are usually latent and require sizable investment to mitigate, whereas usability is evident and produces tangible profits," says Aelita's Ozherelyev.
Microsoft's Lipner says that the company is focused on secure and usable products that people want to buy. In doing this a balance must be struck: no product can be so secure, with locks so strong, that people are prevented from getting any use out of it.
"Something some people fail to realise or consider is that high levels of complexity usually mean decreased security," contends e-business technologies' Hartley. "Windows NT/2000 has millions of lines of code. Linux has significantly less. This may mean less functionality, such as a real user-friendly GUI (graphical user interface) or less integration with applications software, but it also means less complexity and [fewer] opportunities to induce security flaws and errors."
Systems Up and Running
Recent studies by the likes of IDC, IHL Consulting Group and others suggest that some businesses are deciding to adopt Linux systems. Predictions that shipments of Linux products will rise over the next year or two, or that Linux-based point-of-sale devices will be bought up at a rapid rate over the next 12 months, show that some people are taking harder looks at more than just Microsoft products. Iain Franklin, European vice-president of Entercept Security Technologies, says that the reasons some companies are weighing Linux products as options more often nowadays are simple.
"First of all, there is a prevalent dislike of Microsoft over other systems. Secondly, Linux is less susceptible to script kiddies and casual hacking because there is generally less knowledge and information around to learn about Linux hacking, although this knowledge is increasing. Another reason for the increase in shipment frequency is the fact that Linux is being given away free of charge on many appliance-type products," he explains.
Despite analysts' projections that Linux will gain a wider audience, most likely due to price and platform availability, the real question is where are the systems going, says Hartley. "Are they running large e-commerce web servers or are they being used in a test lab or by a student/hobbyist?"
With the world's corporations depending on their Internet connections for profitability and longevity, many have at the same time decided to rely on Microsoft systems to set them on the road to market share.
Lipner explains that Microsoft will be adding other security features to products in the future. The company is focusing on more features and security assurance, with added flexibility, security and management capabilities in mind. The key is offering products to customers in which they can have strong confidence.
As the company continues to make strides in better securing its products, the web's hacker community has kept up an equally fervent pace, however. "Windows gets hacked twice as much as Linux proportionally, according to various sites that log hacker activity," says Franklin. "This implies that Microsoft has more known vulnerabilities, more enemies and there is more knowledge around about its products."
In addition to this, the popularity of Microsoft products has led more people to be trained on them than on Linux. They understand Windows operating systems much better than Linux's many variations, explains Franklin.
"Also, hackers love to hate Microsoft. Corporate policy is predominantly Microsoft and due to prevalence and NT knowledge in the marketplace, more vulnerabilities have been found," he says.
Now what?
Both Linux and Microsoft operating systems are probably pretty close in strength, says WatchGuard's Robel-Forrest. A "common misconception is that Windows is less secure," he adds. "More likely, [it's] just that it has a much broader install base and, thus offers the greatest return when a hacker focuses on cracking Windows-based flaws."
To be sure, says Ozherelyev, exploiting Linux servers is not likely to get fame-seeking script kiddies on the nightly news. "On the other hand, the interesting thing is that many people admit that a properly configured NT box is at least as strong as anything else. I strongly believe education of administrators can alleviate many of the risks on the Windows platform."
Regardless of the platform companies may choose, they have to take responsibility for their operations, maintains Ecora's Evans. Both require some expertise and diligence, adds e-business technologies' Hartley.
"In general, if someone has the technical skills to really understand the Linux source, they could 'create' a fairly secure instance of the operating system. Unfortunately, with an open source product, every installation can be modified by the end-user. Therefore, it would be hard to determine if a security problem was due to Linux or the implementation 'created' by the end-user. This is one of the reasons it's hard to quantify security," he explains. "In Microsoft's case, they control the distribution. What they don't control is the end users' willingness/ability to apply security patches."
In most web hacks and other attacks, he says, Microsoft had provided warnings and fixes, but users had not installed them. The same goes for Linux.
"The various Linux vendors provide base installations that many times require patches or updates to fix security problems. This is an end-user issue. Worse, since Linux is open source, an end-user could, if they didn't know what they were doing, make the OS less secure," Hartley continues. "With Linux it can go both ways. With Microsoft, since it is a closed OS, we must rely on them to patch security flaws as they are uncovered."
In his opinion, companies must treat security like an operational requirement to prevent attacks - patches are not the whole solution. "Security requirements should be treated no [differently] than performance, availability, scalability, ease of use, etc. Unfortunately, many times, the decision is driven by the availability of applications software needed by the business or the skill sets of the IT staff," he states.
Ecora's Evans advises that companies should establish audit processes to identify weaknesses in network operations, and consider running these audits on a monthly basis. Professionals in this area, who are trained in catching problems, will fix a snag before it leads to major trouble. Make sure that security tools, such as intrusion detection systems, firewalls, anti-virus solutions and more, where needed, are configured properly and running smoothly. "If you're proactive, it will pay off," he adds.
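The two practical points the article keeps returning to, that most successful attacks exploit vulnerabilities patched months earlier (Ozherelyev) and that a regular audit should confirm patches are applied and security tools are actually running (Evans), can be turned into a small, platform-neutral audit. The script below is an added example, not code from the article or from any vendor quoted in it. The advisory feed, host inventory and tool names are constructed sample data; the advisory identifiers are placeholders, and the dotted numeric version scheme is an assumption that real package managers do not always follow.

```python
"""Patch-currency and control-coverage audit (added example, constructed data)."""
from datetime import date

# Constructed advisory feed: which package version closes each advisory and
# when the fix was published. Identifiers and versions are placeholders.
ADVISORIES = [
    {"id": "ADV-0001", "package": "bind",    "fixed_in": "8.2.3", "published": date(2001, 1, 29)},
    {"id": "ADV-0002", "package": "wu-ftpd", "fixed_in": "2.6.1", "published": date(2001, 3, 20)},
    {"id": "ADV-0003", "package": "iis",     "fixed_in": "5.0.2", "published": date(2000, 12, 1)},
]

# Constructed inventory: host -> installed package versions (mixed Linux/Windows).
HOSTS = {
    "ns1":  {"bind": "8.2.2", "wu-ftpd": "2.6.1"},
    "web1": {"iis": "5.0.1"},
    "ns2":  {"bind": "8.2.3", "wu-ftpd": "2.6.0"},
}

# Constructed view of what each host reports as running versus what the
# security baseline requires (names are generic placeholders for an IDS,
# a host firewall and an anti-virus agent).
RUNNING = {"ns1": {"sshd", "named", "ids-sensor"}, "web1": {"ids-sensor", "firewall", "antivirus"}}
REQUIRED_TOOLS = {"ids-sensor", "firewall", "antivirus"}


def version_tuple(version):
    """Assumes dotted numeric versions such as '8.2.3'; compares component-wise."""
    return tuple(int(part) for part in version.split("."))


def audit_patches(hosts, advisories, today, max_age_days=30):
    """Return one finding per (host, advisory) where the installed version is older
    than the fixed version. A finding is 'overdue' if the fix has been public for
    longer than max_age_days, which is the class of exposure the article describes."""
    findings = []
    for host, packages in hosts.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:
                continue  # package not present on this host, nothing to patch
            if version_tuple(installed) < version_tuple(adv["fixed_in"]):
                age = (today - adv["published"]).days
                findings.append({
                    "host": host,
                    "advisory": adv["id"],
                    "package": adv["package"],
                    "installed": installed,
                    "fixed_in": adv["fixed_in"],
                    "fix_age_days": age,
                    "overdue": age > max_age_days,
                })
    return findings


def audit_controls(running_by_host, required):
    """Return host -> set of required security tools that are not running."""
    return {host: required - running for host, running in running_by_host.items()}


def summarise(findings):
    """Counts used for the monthly report: total missing patches and overdue ones."""
    return {"missing": len(findings), "overdue": sum(1 for f in findings if f["overdue"])}


if __name__ == "__main__":
    today = date(2001, 4, 1)  # constructed audit date
    results = audit_patches(HOSTS, ADVISORIES, today)
    for f in results:
        flag = "OVERDUE" if f["overdue"] else "recent"
        print(f"{f['host']:5} {f['package']:8} {f['installed']} < {f['fixed_in']} "
              f"({f['advisory']}, fix public {f['fix_age_days']}d) {flag}")
    print(summarise(results))
    for host, missing in audit_controls(RUNNING, REQUIRED_TOOLS).items():
        print(f"{host}: missing controls {sorted(missing) or 'none'}")
```

The audit is deliberately indifferent to which OS a host runs: the same inventory-versus-advisory comparison applies to a BIND server on Linux and an IIS server on Windows, which is the article's point that configuration and patch currency matter more than the platform. In practice the inventory would come from the package manager or the Windows hotfix list and the advisory feed from the vendors, but the decision logic is unchanged.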
Depending on what they are trying to achieve with their technologies, it is likely organisations will need to seriously consider security controls - especially if connected to the Internet, says Lipner of Microsoft. Along with this, though, they will also have to examine usability, availability of applications and cost of ownership when it comes to deploying and maintaining sound operations.
"It's really a system of products, practices and advice. Security attacks can be written against any product. The Linux viruses we've seen in the last few weeks are sort of concrete proof that this is true. I'm primarily a security guy and when I look at the things we're doing - internal code reviews, common criteria evaluations, some of the future activities [in regard to] our products, it's hard for me to imagine anyone going anywhere else."
And future activities in security implementations are quite integral to Microsoft's continued growth, maintains e-business technologies' Hartley. Though they have taken some steps, more must be done.
"For Microsoft to continue to maintain and possibly increase market share, it must begin to get serious about security. This means designing and implementing more robust security mechanisms, more thorough testing, less use of insecure default configurations, and quicker patches to identified vulnerabilities," he says. "With regard to patches, as OS revisions are shipped, patches should be incorporated into the base builds, instead of relying on users to install them. A more robust advisor or warning mechanism would also be useful."
And Linux vendors will have to meet the same ends, he further explains, in addition to getting more applications software vendors to support their OS.
"This is critical. Ease of use is also a current problem with regard to Linux when compared to Microsoft," he contends. "If Linux vendors made installation and set up, including security features, easier, more users would consider Linux."