Focus on Linux
Selecting OS for High-availability/mission-critical web portal Nov 29 2006 02:13PM
Mohammad Halawah (mhalawah gmail com) (3 replies)
Re: Selecting OS for High-availability/mission-critical web portal Dec 03 2006 02:57AM
hwertz voltron homelinux org (1 replies)
> Dear all,
>
> I am a new system administrator for a company planning to create a web portal
> which provides email, IM, e-business, and search engine. Liferay is our
> portal management tool.
>
> I am searching for the best OS to be our platform. The required features are:
>
> Attack resistance (I expect a lot of attacks, especially DoS).
> Stability.
> Performance.
>
> Linux and OpenBSD are the main candidates for this mission.

*cut*.. (OpenBSD vs. Debian with SELinux pros/cons)

> My thoughts are that:
>
> *OpenBSD will become vulnerable as much as the running service on top of it.
> Hence I will lose the legendary security it has.
>
To some extent. OpenBSD's code has REALLY been pored over. But,
apache and mysql's has as well.. the "low hanging fruit" security
problems have been gone from them for years. OpenBSD prevents stack
smashing (those compiler changes). I think you can get a modified
compiler for debian that does too; either way, SELinux will detect
attempts to execute code on the stack and crash out the offending program
(so a buffer overflow will crash the offending app rather than giving the
potential intruder unwanted access.)

> *When I look at top 51 (http://uptime.netcraft.com/perf/reports/Hosters) Linux
> had 45% share. Which means that it is highly secure.
No it doesn't.. several years ago, something like 60 or 70% of
hosting domains were on Win2K+IIS, but the security was crap. But, yeah,
Linux is quite secure.

>
> * With OpenBSD I am not going to spend time hardening it but rather trying to
> get the services (MySQL, Apache, ...) running on top of it. While in Linux
> installing the services is easy but I need to spend good time hardening the
> OS itself.
I'd agree with that. OpenBSD will ship with everything FULLY locked
down, and you (carefully, after realizing the security implications) open
things up as you need them. Some Linux distros ship with daemons set up
for maximum usefulness/flexibility trading off (in theory at least)
considerable security. I think Debian is somewhere in between the "open
up everything" and "lock down everything" crowd, but really the difference
between locked down and fully flexible is changing the configuration
files.. so just make sure to look at them for daemons you are running.

>
> Any hint/comment is welcome.
I'd suggest installing both, Debian w/ SELinux on 1 test box and
OpenBSD on another. To initially test performance, I'd use some slow
test boxes like P2s or lower P3s; a higher end system like you might
actually want to use in production will be hard to time without lots of
users slowing it down 8-). If I had to guess, I'd say the 7% SELinux
penalty will make Debian w/ SELinux and OpenBSD roughly neck-and-neck..
but I'm not sure. If both perform OK I'd go w/ OpenBSD due to the
security. Otherwise, Debian.. just carefully lock down apache, mysql,
etc.. especially, if mysql is set to accept network connections, either
lock it down to a socket or to accept connections only from localhost.

>
>
>
> Best regards,
> Mohammad
>
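
The MySQL lockdown suggested in the reply above (a socket only, or connections only from localhost), as an added check that is not part of the original message: it parses my.cnf-style text and classifies how the `[mysqld]` section exposes the server. The function name and sample configurations are constructed for illustration; `skip-networking` and `bind-address` are MySQL's own option names.

```python
# Added example (not from the thread): classify mysqld's network exposure
# from my.cnf-style text. The sample configurations below are constructed.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def mysqld_exposure(cnf_text):
    """Return 'socket-only', 'localhost-only' or 'network' for [mysqld]."""
    section, opts = None, {}
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue  # [client], [mysqld_safe] etc. do not control the listener
        key, _, value = line.partition("=")
        # MySQL treats dashes and underscores in option names alike
        key = key.strip().lower().replace("_", "-")
        # drop a trailing "# comment" and quotes; a later occurrence wins
        opts[key] = value.split("#", 1)[0].strip().strip("'\"")
    skip = opts.get("skip-networking")
    if skip is not None and skip.lower() not in ("0", "off", "false"):
        return "socket-only"  # no TCP listener at all
    if opts.get("bind-address", "").lower() in LOOPBACK:
        return "localhost-only"
    # Assumption: without a loopback bind-address the server is reachable remotely
    return "network"

WEAK = """
[client]
port = 3306
[mysqld]
bind-address = 0.0.0.0   # every interface
"""
LOCAL = """
[mysqld]
bind_address = 127.0.0.1
"""
SOCKET = """
[mysqld]
skip-networking
socket = /var/run/mysqld/mysqld.sock
"""

if __name__ == "__main__":
    for name, cnf in (("weak", WEAK), ("local", LOCAL), ("socket", SOCKET)):
        print(name, "->", mysqld_exposure(cnf))
```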

Copyright 2010, SecurityFocus