
Story: Linux patch problems: Your distro may vary
Total Replies: 3
incinerator

Jul 28, 2006
1:49 AM EDT
Quoting:Security managers should keep that in mind when their organizations are in the process of selecting a version of Linux.


No, clueful security managers will disregard that article and do proper research before they select their software. This article is based on several wrong assumptions:

1. One Linux fits all:
Quoting:So, why pick one brand instead of another?
Well, why not pick one AND the other? With zero licensing costs for many GNU/Linux and BSD variants, picking more than one becomes a viable option. There are many distros available that specialise for certain use cases. I can use one GNU/Linux for my company's desktops and another BSD for the firewall. Depending on the particular role of a certain computer, quickness of security updates might be much less an issue than the author suggests.

2. Selection of security issues: The author says it himself, he only selected issues that appeared on all distros investigated. Now, if GNU/Linux A fixed these exemplary issues 10 times quicker than BSD B, but GNU/Linux A has 100 issues popping up each year instead of the 10 BSD B has to deal with, using the author's comparison metric might paint the wrong picture.

3. All security holes affect me equally: If I'm using postfix, I won't care about sendmail issues, or will I?

4. All security holes affect each system equally: If BSD A comes with stack-smashing protection out of the box, but GNU/Linux B doesn't, security issues regarding stack smashing might be much less severe on BSD A than on GNU/Linux B.

5. All security managers are equally clueful: Using GNU/Linux A because it seemingly fixes security issues 10 times quicker than all the others won't make your system more secure if you have clueless admins and security managers who configure them boxes to leave them ports wide open. Imho that's the most important part of the picture anyway. Clueful sysadmins and security managers are paramount to establishing security in your network. Everything else is secondary. However, the author seems to miss that point entirely.

Conclusion: I don't like that article. The author tries to reduce a complex and tricky topic like computer security to a bunch of stupid figures, compiled by using metrics that do not reflect the diversity you'll encounter in the real world at all. Clueful sysadmins won't read it, and the clueless will learn the wrong things from it. This is just the thing you don't want your (clueless) manager to read.

Btw, today is System Administrator Appreciation Day. One Zen hug to every sysadmin from me ;-) http://www.sysadminday.com/
dinotrac

Jul 28, 2006
2:51 AM EDT
>Well, why not pick one AND the other?

Money.

Everything a corporation does costs money. If you can select one that serves all of your needs --- Microsoft's original sales pitch for NT in the server room --- you will save money. It's why, for example, Southwest Airlines flies nothing but Boeing 737s, even when other planes might be better suited to specific routes. The overall savings in terms of inventory, training, etc., overwhelms the individual savings.
incinerator

Jul 28, 2006
4:33 AM EDT
True, but only to a certain degree. When you are servicing a route that only has 10 passengers per flight, you will end up losing big money if you fly a 737. A smaller plane is certainly better on such a route. On the other hand, the airline might simply decide to abandon that route. Well, companies wanting to set up secure computer networks can't do that. You'll hardly abandon firewalls even if they only make up 1% of all your company's computers and require specialised efforts to maintain them, will you?

Take a little example: Let's assume that using a special flavour of GNU/Linux or BSD "optimised" for firewall use somehow gives you "more" security automagically. The beancounters say that this is too expensive. You end up using a "desktop-optimised" variant of GNU/Linux or BSD as your firewall. The consequence would be a somewhat less secure computer network.

Secondly, your point about logistics is certainly a valid and good one. But it doesn't reflect the reality of big companies' IT environments. Even if the top (IT) management claims so, you'll hardly find any software monoculture in bigger companies. Usually there's a variety of solutions used, with quite a bit of the software made (produced and/or customised) in-house. Imho, with zero licensing costs, the logistics of having to support i.e. two different variants of GNU/Linux are not significantly more expensive for a company to justify a monoculture deployment. Even within companies preferring to use non-free software, you'll hardly see such a software monoculture.
dinotrac

Jul 28, 2006
6:37 AM EDT
Re: monoculture...

It's not about mono vs. non-mono culture so much as most effective environment with fewest resources.

I agree that some organizations can handle more variety than others.

I haven't claimed that anybody should standardize on a single distribution...though many organizations probably should.

What I have said is that money matters, as do personnel. The solution needs to fit the application, but it also needs to fit the organization.
