Members provide recommendations for secure OSs

The results of a recent poll showed that many of our members recommend Microsoft Windows to security-conscious clients, but a flurry of e-mails suggests that others have very different opinions. Find out what they recommend and why.

No matter which operating system (OS) you recommend, your top criterion is likely to be security. An unbreakable OS has yet to be created, and most TechRepublic members have strong opinions about the strengths of certain systems and the vulnerabilities of others.

A recent TechRepublic poll asked members which OS they recommend to clients for network security. Microsoft Windows won by a slim margin (see Figure A).

Figure A


We wanted to hear more opinions, so in an IT Consultant NetNote, we again asked our members which OS they most often recommend, and why. We received recommendations for everything from Windows to Linux, and they all had one thing in common: Each recommendation was based on the experiences—good or bad—a consultant has had with a particular system. The majority shared opinions about three systems: Linux, Microsoft Windows, and Novell. Consultants’ clients often have issues, like interoperability, to consider along with security. Several members provided their opinions on which systems work well together. We’ve collected a sampling of the recommendations we received, and the reasoning behind the opinions.

Linux
Mohammad Zaifuddin has found Red Hat Linux to be the most secure OS. As system administrator for Fuji Xerox Asia Pacific in Selangor, Malaysia, Zaifuddin has worked with Solaris, Microsoft, and AIX, among others. He said he likes the fact that Linux comes with a firewall and doesn't allow simplistic or blank root passwords.

Debian Linux
"As a general rule, I'll use Debian Linux on anything Internet-facing," said member Chris Biltcliffe. "Their policy is, whenever someone finds a security exploit, they'll try to have a patch available within 48 hours."

Debian Linux also features an automatic security-patching feature, which will download a list of patches daily and, if you like, will install them for you, Biltcliffe said.

Murray Webber, a systems technician and network admin for the Albany Advertiser in Albany, Western Australia, said the question of which operating system is the best for clients is a tricky one.

"Each operating system offers features that could be beneficial, and at the same time, damaging to performance and security," Webber said. He recommends setting up a "cheap computer, like an AMD K5/133MHz," with a copy of Debian Linux. He suggests using the standard 2.2.20 kernel, or upgrading the kernel package and recompiling to use version 2.4, "which has some really neat features, including iptables, ip/port forwarding, and masquerading." He said all these features are easily set up.

Webber said Debian is by far the easiest type of Linux out there. He likes the fact that with Debian updates, "everything is verified and is ensured to be 100 percent compatible before being released."

Webber said he still uses Windows XP Professional for internal workstations, but he wouldn't recommend it to others because he's "not really a fan of Microsoft security."

Microsoft Windows
Some consider Microsoft Windows an obvious choice, but others wouldn't touch it with a 10-foot pole. Colin Lewis, principal consultant and owner of Brocol Enterprises in Box Hill, Victoria, Australia, has 18 years of experience in the IT industry, and 13 years of experience with networking. He said, barring any compelling business reason to do otherwise, his most common recommendation is for Windows NT or 2000 workstations coupled with NetWare servers.

"Trying to maintain security with Windows servers is like running on a treadmill—lots of work and no progress," he said. However, he often finds that his clients have made a decision about their OS prior to his contract, and are not "open to immediate change." In those cases, he said he has been "happy to manage for the best security available with the products chosen," because it often means more work for him.

Biltcliffe had a similar opinion about Windows. "I wouldn't trust that with my cookie list." He said that while Microsoft does release patches regularly, they're frequently late and sometimes wouldn't be released at all if not for someone releasing the exploit information to the media.

"With the proliferation of Windows systems without even token gestures of security, it's only a matter of time before someone manages to find another vulnerability and writes a hack, virus, or trojan for it that spreads worldwide in a matter of hours," he said.

Member Mike Jett said he has recently been combining Windows and Cisco, which "seems to be the most effective for the network topographies I am encountering." Jett is an NT and Windows 2000 administrator and independent contractor with 25 years of experience in the IT industry.

"I have worked with UNIX, Novell, DOS, Linux, and a few others that will remain nameless, but once I started working with Windows NT, even at [version] 3.5, I saw the networking and growth potential it offered and have been on board ever since, at the same time maintaining an open mind with regards to all the platforms," he said.

Mitchel Hudson, owner of Hudson Computer Services in Indianapolis, IN, mostly supports small business clients in networks of 50 users or less. For those clients, he almost always recommends Microsoft Windows 2000 Small Business Server.

"It is an extremely cost-effective solution, giving the client all of the services they need," Hudson said, listing features like a collaborative e-mail with an integrated fax service. "All of the integrated products can be managed from a single console, which is easily demonstrated to the on-site representative and comes with two free support calls from Microsoft if purchased separately from the hardware."

Hudson said he's only had one client who "did not love his Small Business Server."

"He was a do-it-yourselfer who thought he could do the installation and configuration himself against my advice," said Hudson, an MCSE with several years of experience. "It takes a broad skill range to deploy and manage the Microsoft Small Business Server. This adds to its appeal for me because it is a perfect fit for a partnership between the solution provider and the business client."

Ray D'Andrade, president of Bright Network Solutions, Inc. in Princeton, NJ, agrees with Hudson to a point. As an independent consultant who provides security and network engineering to local small to medium-size businesses, D'Andrade said he loves Windows NT and 2000, and has set up "many rock solid servers," but prefers to use lesser-known products, such as the WatchGuard line of firewalls and VPN devices, for security.

"These companies are also small and somewhat unknown. I think that the more widespread and ubiquitous the OS or vendor is, the more attractive it is for hackers to play with because it could cause the most damage," he said. "Besides, I haven't been able to get the same performance out of a Windows firewall as I can with WatchGuard and PIX."

Novell
Blair Christensen is the network administrator for MicroWorks, Inc., a small custom software and consulting firm in Boise, Idaho. He said Novell, though no longer the predominant network OS, is still the most secure.

"Unlike some others, Novell grants no default privileges," he said. "This forces the admin to explicitly grant them and track them. Novell also forces a login to grant resource access, and has the easiest management interface."

Webber said he also likes Novell, despite the expense and cumbersome setup required.

"The Web management console makes secure remote administration a breeze, and Novell has always been solid as a rock," he said.

The major positive points of any Novell OS have been the Directory Services and security tree, Webber said, because everything from local login permissions to print queues has a single entry in one location.

"This makes client and networks administration quite easy," he said. "…We use a variety of systems, including Macintosh."

Now with its Macintosh and long file-name volume extensions, Novell is able to serve other operating systems such as UNIX, Linux, Macintosh, and Windows while preserving file characteristics and Macintosh resources, Christensen said.

Heterogeneous environments
The value of interoperability with other products is key for some clients, and creates an environment where competition creates better products, according to Lewis. He said that security- and value-conscious companies that are prepared to make a comprehensive evaluation—and their own decisions rather than following the crowd—are quite likely to end up with a heterogeneous environment that includes Windows, Linux, UNIX, Macintosh, and NetWare, held together for security and manageability by eDirectory.

He advocates that each product be chosen for its particular strengths as best of breed for a particular task, instead of the one-size-fits-all approach that's recommended by vendors with a vested interest.

"It reminds me of the early all-in-one office packages: Microsoft's had a strong word-processor, Lotus’ had the better spreadsheet, and so on," he said. "Fortunately, competition forced the improvement of the weaker components, and I hope something similar might happen with operating systems. If companies do choose to go all-Windows, satisfactory security is obtainable, but the price is more time and effort in configuring and maintaining security parameters and updates."