Security Quote

[mskarl]

OK a guy at work who I believe to be very smart and has lots of expierence.  But I believe he may be wrong about what he is saying.  

I was talking to him about why we don't secure our network more.  We have a OpenBSD firewall and that's it.  We haven't updated it in about 2 years.  We have a win2k web server.  I said why don't we run linux as our webserver?  Isn't linux more secure than Win?  He said Linux is open source, therefor anyone can see the holes in it.  Windows isn't.  Therefor it is easier to hack linux than windows.  I said keeping Linux open is what keeps it secure (right?).  

Anyway I'm sure you all may have tons to write about this so please give me good stuff to fight back with!!!

Thanks.

Oh ya he also said no one hacks Open BSD becouse no-one cares!!  What's your guy's view on this?

[ April 02, 2002: Message edited by: Anti M$ ]

[psyjax]

WOW! First off, the win argument makes no sense at all. There is no such thing as security thrugh obscurity.

It is because Linux is open source that it is so secure. The years of battle hardent UNIX at it's roots and subsequent development by people who need security needs met have made it more secure than windows could ever hope to be.

Your friend is right about one thing, because it's open source people can see the holes. That's why the decades (counting UNIX some 30+ years!) of development behind the OS have basically eradicated all the holes! And should any new ones pop up, you bet someone will stand up and fix it ASAP. With Windows you have to wait till some cracker breaks in to your system before M$ decides it's time for another security patch.

[voidmain]

Well, any system can be hacked if you don't keep it up to date.  I believe that when holes are found in Linux they are fixed *much* more rapidly.  And since you are talking web server, just do a quick search on security holes in Apache vs IIS, there is no comparison. Code Red was a prime example of why *NIX web servers make MUCH more sense than Windows web servers. Now if the person you refer to has been using NT for quite some time and is not familiar with *NIX/Linux then it is very possible that he could set up the *NIX box to be as insecure or less secure than the Win* box. If both the *NIX box and the Win* box is kept up to date with latest patches and security fixes the *NIX box will be more secure because with Win* you are at the mercy of Microsoft for coming out with a patch or even recognizing there is a problem. With Linux not only are patches out quickly but you have the code and if you are good with code you can close the hole immediately without waiting on a vendor patch. Of course you would have to know exactly what the hole is before you can close it and vendors are becoming a little more closed mouth about releasing details until a patch is released. Being on the hacker lists can get you good exploit information so you can close the hole.

Just prior to Code Red making a joke of Win*/IIS I had converted one company from ISS to Apache/Linux. They were very happy not to be effected by Code Red.

As far as firewalls, BSD is good but it should be kept up with as well. For corporate firewalls I prefer hardware firewalls though.  Netscreen has some really nice products.  A Netscreen 10 or 100 on the corporate side, along with an IDS (Linux/Snort/Acid/MySQL make a good IDS) works well. Then set up Netscreen 5 boxes on Cable/DSL and VPN them to the corporate firewall from people's homes that need them (CEO, VPs, IT people, etc) make life nice.

[ April 02, 2002: Message edited by: VoidMain ]

[mskarl]

My friend has been working with NT since the beggining of NT so your probably right,  NT would be more secure for us because I'm not trained well enough yet.  Our data for the company isn't very important.  I can't see any advantage for anyone to hack us.  Our website isn't even well known.  I think I'm one of the only people who goto it.  But anyway I like learning so I really appreciate the information.  

I thought that linux was more secure since 56% of the web is on linux/unix box's.

[Calum]

your workmate sounds like a dumbass.
it doesn't sound like he is ignorant, but stubborn, which is a dozen times worse in a workplace where you are responsible for stuff.
I suppose it's not my place to tell him how to do his job, but it seems he is a little lax about his responsibilities...

anyway, as the dudes said, linux is secure because whenever a hole pops up, somebody fixes it pronto, because they can see it immediately.
There are many more honest developers than malicious crackers, so a hole will usually get fixed before any pain is caused, with windows, M$ don't give a shit about upkeep, so they keep it all closed source, hope nobody figures out all their errors ad back doors, and when somebody does, they release a "free" patch that you will probably end up paying for anyway (post, packing, cost of CD, cost of 'required components' et cetera...)
sorry, didn't mean to piss on yr bonfire, if something's not broke, why fix it? (i refer to yr work setup) but open source unix is more secure than a closed winDOS type OS for that and many other reasons.

[voidmain]

quote:Originally posted by Anti M$:
I thought that linux was more secure since 56% of the web is on linux/unix box's.

Market share has nothing to do with how secure the system is. If that were true, Windows would be one hell of a secure platform and we all know that ain't true. *NIX has the web market share because it makes a FAR superior web server platform than Win/IIS.

[ April 03, 2002: Message edited by: VoidMain ]