2003-09-15
The software-maker's dismal security record seems to have left it immune to criticism and shame.
Does Microsoft Give a Damn?
2003-09-15
Anonymous (6 replies)
Does Microsoft Give a Damn?
2003-09-15
Anonymous (1 reply)
Don't Hold Strong Opinions About Something You Do Not Understand
2003-09-15
Anonymous (5 replies)
Don't Hold Strong Opinions About Something You Do Not Understand
2003-09-17
Billgatezebub is TEH DEVIL (1 reply)
We Must Do Our Job
2003-09-15
Sean M. Lynch (2 replies)
Patch, reboot, patch, reboot....
2003-09-16
Anonymous (1 reply)
Useless rhetoric
2003-09-15
Anonymous (2 replies)
If only Linux required as little as 38 fixes.
2003-09-18
Scott G (3 replies)
If only Windows allowed scripting w/o the security headaches.
2003-09-18
Anonymous (1 reply)
If only Linux required as little as 38 fixes.
2003-09-19
Anonymous (3 replies)
Of Course They Don't::Does Microsoft Give a Damn?
2003-09-18
Linux, Torvald. Mr. Linux Torvald to you. (1 reply)
Does Microsoft Give a Damn?
2003-09-19
Anonymous (1 reply)
Only two Suse patches?!?
2003-09-19
Anonymous (1 reply)

Here is the issue. No matter what operating system or combination of operating systems is used in the enterprise, defense in depth and attention to detail are always important. Whether you are using solutions from Microsoft, Red Hat, Sun, or IBM, all operating systems have their flaws... some of them very significant and worldwide in scope (anyone remember the BIND and Sendmail vulnerabilities announced what seems so recently?).
The key is to know your vulnerabilities. Remember, he who thinks his operating system is invulnerable, take heed lest he be hacked himself.
Again, if someone truly understands their environment, things like Blaster and Sobig will not be surprises and will not establish a foothold... even in the Linux community. False senses of security will lead to disaster.
Consider this: Linux has had its issues. It was considered the least secure OS of last year. Open source introduces its own risk, for instance the issue of the compromised OpenSSH posted for download (anyone absolutely certain all those were corrected?). Linux requires significant work and scripts to absolutely secure it (why do the experts recommend Bastille, eh?). Sun Solaris has its challenges too. I can build and secure a Windows system in less time than the Unix experts can with Solaris. I timed it, it can be done. With the defense in depth, four different big gun auditors have a hard time even determining the OS, much less leveraging any sort of access. Any OS can hit that level of security. But it takes understanding and comprehension of the vulnerabilities the system presents to you.
As far as frequency of patching, our Unix admins perform quarterly checks and at least twice a year implement security patch and OS updates provided by Sun. And they sometimes do need to recycle the system as well, for instance, activating BSM.
The argument over the best and most secure OS is like arguing over which model car is best: Ford, GM, etc. I can tell you this: just like a car is only as good as the mechanic and maintenance performed on it, so are the OSes operated in the enterprise.
My challenge was, let's do our job, understand the technology, cover the vulnerabilities, protect our resources... not gaze at the false impression of beauty presented by Linux. Come on, stop the lame comparisons.
Link to this comment: http://www.securityfocus.com/comments/columns/185/22344#22344