Key findings: Linux vs. Windows security capabilities
A qualitative assessment of operating system security is subjective and your "mileage may vary" based on present and past experience. My goal here is to provide a framework for users to increase their understanding of Windows and Linux security capabilities. The following analysis is by no means comprehensive and is intended as a starting point for end-user evaluation. As the technical innovation of Linux and Windows continues, so will the discourse on which is more secure. The overall finding of this analysis is that Linux provides more secure capabilities than Windows.
Table 1: Key Linux and Windows Operating System Security Capabilities
| Category | Capability | Linux | Windows | Qualitative Score |
| --- | --- | --- | --- | --- |
| Base security | Authentication, access control, cryptography, audit trail/logging | Pluggable Authentication Module, plug-in modules, Kerberos, PKI, Winbind, ACLs, LSM, SELinux, Controlled Access Protection Profile audit, kernel cryptography | Kerberos, PKI, Access Control lists, Controlled Access Protection Profile audit, Microsoft crypto application programming interface | Linux is superior |
| Network security and protocols | Authentication, layer, network layer | OpenSSL, OpenSSH, OpenLDAP, IPSec | SSL, SSH, LDAP, AD, IPSec | Both are comparable |
| Application security | Antivirus, firewalls, intrusion detection software, Web servers, email, smart card support | OpenAV, Panda, TrendMicro, firewall capability built into the kernel, Snort, Apache, sendmail, Postfix, PKCS 11, exec-shield | McAfee, Symantec, Check Point, IIS, Exchange/Outlook, PKCS 11 | Linux is somewhat superior |
| Deployment and operations | Installation, configuring, hardening, administration, vulnerability scanners | Install and configuration tools, Bastille, mostly admin through command line interface, Nessus, distribution-specific Up2Date, YaST, Webmin | Install and configuration tools come with Windows, no specific hardening tool, admin GUI, security by default has been emphasized lately | Both are comparable |
| Assurance | Common Criteria Certification, flaw handling | Linux has achieved EAL3 and has good flaw handling | Windows has EAL4 and good flaw handling | Windows is superior |
| Trusted computing | Trusted Platform Module, Trusted Computing Software Stack, instrumentation, attestation | Trusted Platform Module device driver open sourced by IBM, Trusted Computing Group software stack is targeted for 2005 | Next-Generation Secure Computing Base, possible availability with Longhorn 2006 | Neither is superior |
| Open standards | IPSec, POSIX, Transport Layer Security, Common Criteria | Linux meets all open standards | Microsoft participates in open standards but has some proprietary standards | Linux is superior |
Base security
Microsoft and Linux both provide support for authentication, access control, audit trail/logging, Controlled Access Protection Profile, and cryptography. However, Linux is superior because it offers, in addition, Linux Security Modules, SELinux, and winbind. The user of a Linux system can decide to add additional security mechanisms to a Linux distribution without having to patch the kernel.
Various access control mechanisms have been built on top of LSM; for example, building compartments that keep applications separate from each other and from the base operating system, which limits the impact of a security problem with an application. Linux base security is further enhanced by applications, such as Tripwire, that provide System Integrity Check functionality: they periodically verify the integrity of key system files and warn those responsible for system security if a file's contents or properties have been changed.
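The integrity-check idea described above, as an added example for this article (illustrative code, not Tripwire's implementation): a baseline of content digests and selected file properties is recorded, and a later pass reports which files changed, which properties changed, and which files are missing. The watched files, their contents, the simulated tampering and the chosen set of properties (digest, size, permission bits, owner) are all constructed for the demonstration.

```python
"""Added example for this article: a Tripwire-style integrity check.
It is illustrative code, not Tripwire's implementation. A baseline of
SHA-256 digests plus selected metadata (size, permission bits, owner)
is recorded for a set of files; a later verification pass reports
files whose contents or properties changed and files that vanished.
The demo runs against a constructed temporary directory, so it works
offline and touches nothing on the real system."""
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Properties the check compares for one file: content digest,
    size, permission bits and owning uid (a hypothetical selection; a
    real policy would add mtime, gid, link count and so on)."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
    }


def build_baseline(root: Path, relative_paths) -> dict:
    """Record a fingerprint for each listed file under root."""
    return {rel: fingerprint(root / rel) for rel in relative_paths}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current state with the baseline.

    Returns {"modified": {path: [changed properties]},
             "missing": [paths], "ok": [paths]}."""
    report = {"modified": {}, "missing": [], "ok": []}
    for rel, expected in baseline.items():
        full = root / rel
        if not full.exists():
            report["missing"].append(rel)
            continue
        current = fingerprint(full)
        changed = [k for k in expected if expected[k] != current[k]]
        if changed:
            report["modified"][rel] = changed
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter two of
    them, delete the third, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        passwd = root / "etc" / "passwd"
        shadow = root / "etc" / "shadow"
        binary = root / "bin" / "ls"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        shadow.write_text("root:*:19000:0:99999:7:::\n")
        shadow.chmod(0o600)
        binary.write_bytes(b"\x7fELF constructed stand-in, not a real binary")
        watched = ["etc/passwd", "etc/shadow", "bin/ls"]
        baseline = build_baseline(root, watched)

        # Simulated drift: an extra account line, a loosened permission
        # and a deleted file. The check should flag all three.
        with passwd.open("a") as f:
            f.write("backup:x:1001:1001::/var/backups:/usr/sbin/nologin\n")
        shadow.chmod(0o644)
        binary.unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The baseline dictionary is plain data, so in practice it would be serialized and stored somewhere the monitored host cannot silently rewrite it (read-only media or a separate host); a baseline kept on the same writable disk as the files it describes can be updated by whoever modified the files.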
A limitation of Windows base security is MSCAPI, which trusts multiple keys for code signing. Microsoft's model focuses on providing one build of a product that can enable weak or strong encryption simultaneously. Although modules are not all signed by one key, MSCAPI trusts a large number of root certifying authorities and multiple code-signing keys, so the compromise of only one key is enough to make the entire system vulnerable to attack. This can happen either through an authorized code signer accidentally disclosing his private key, or through a certifying authority issuing a certificate in error. This has already happened once, when Verisign mistakenly signed two certificates in Microsoft's name and released control of these certificates to unauthorized individuals.
Network security and protocols
Linux's and Windows' support for network security and protocols is comparable. Both include support for IPSec, an open standard for cryptography-based protection at the IP layer. IPSec verifies the identity of a host or end point, ascertains that no modifications were made to the data in transit across the network, and encrypts the data. OpenSSH, OpenSSL, and OpenLDAP are available on Linux, and corresponding closed source implementations -- SSH, SSL, LDAP -- are available on Microsoft systems.
Application security
Linux is somewhat superior due to continuing security issues with Microsoft IIS and Exchange/Outlook. Apache and Postfix are cross-platform applications and tend to be more secure than corresponding Microsoft products. Application security for Linux is also enhanced with firewalling built into the kernel, and Snort is an excellent intrusion detection system. One notable recent addition to the Linux kernel for x86-based systems is Ingo Molnar's exec-shield, which provides protection against attacks from buffer or function pointer overflows and against other types of exploits that rely on overwriting data structures or putting code into those structures. The exec-shield patch also makes it more difficult to conduct a shell-code exploit. Since exec-shield operates transparently, applications do not need to be recompiled.
Microsoft is taking strides to redesign the security of its products and provides patches for its installed base. Still, security issues in legacy Windows products persist and complicate this task. This leaves many Microsoft users exposed to security threats, since patches must be well documented prior to deployment. Also, the tendency for Microsoft to mix data and program code in its applications, e.g., ActiveX, can admit untrusted data from outside the system and can cause arbitrary code to be activated along with that untrusted data. In some cases, Windows even allows digitally signed code to be supplied from outside the system, which means a local systems administrator can't audit the code. Instead, the system administrator is dependent on whoever signed the code to perform an appropriate code review.
Application security is improved for Microsoft-only applications on the .Net Framework. Of course, for IT shops with heterogeneous platforms, e.g., Linux, Windows, Unix, and especially for applications built on Java, application security for Microsoft-only products is limiting.
Deployment and operations
With deployment and operations, Linux has a slight edge over Microsoft, since most administration is done through a command-line interface. A variety of installation and configuration tools, e.g. up2date, YaST2, and Webmin, are available from Linux distribution providers. Bastille Linux is a hardening tool that supports Red Hat, Debian, Mandrake, SUSE, and Turbolinux Linux distributions. In contrast, most Microsoft system administrators use a GUI that is easy to use but also makes configuration mistakes easy. Despite the fact that some people believe it is possible to train anyone to be a Windows system administrator in one week, the question is how much they will understand about administration. The overall majority of Microsoft security problems are due to poor configuration during deployment and operations. Installation and configuration tools come with Windows, and Microsoft provides guidance in hardening domain controllers, infrastructure servers, file servers, print servers, IIS servers, IAS servers, certificate services, and bastion hosts. However, there is a distinction between hardening infrastructure and hardening the operating system.
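The kind of check a hardening tool such as Bastille performs, as an added example for this article (illustrative code, not Bastille's or OpenSSH's): a small audit over an sshd_config-style file that reports each directive set to a weak value, or not set at all, next to the value it should have, and then produces the hardened counterpart. The directive names are real OpenSSH sshd_config keywords; the accepted and recommended values are this example's own baseline rather than a vendor standard, and the sample configuration is constructed.

```python
"""Added example for this article: a small hardening audit over an
sshd_config-style file, in the spirit of the Bastille-style checks the
section describes. It is illustrative code for this article, not
Bastille's (or OpenSSH's) code. The directive names are real OpenSSH
sshd_config keywords; the required values are this example's own
baseline, and the sample configuration is constructed."""

# directive -> (values accepted by the baseline, value to recommend)
POLICY = {
    "PermitRootLogin": ({"no", "prohibit-password"}, "no"),
    "PasswordAuthentication": ({"no"}, "no"),
    "PermitEmptyPasswords": ({"no"}, "no"),
    "X11Forwarding": ({"no"}, "no"),
}

# Constructed sample: a typical "it works, ship it" configuration.
SAMPLE_CONFIG = """\
# constructed sample sshd_config, not taken from any real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no    # ignored by sshd: the first value wins
X11Forwarding yes
Match User backup
    PermitRootLogin no
"""


def parse_sshd_config(text: str) -> dict:
    """Return {directive (lower-cased): value} for the global section.

    sshd uses the first value it reads for a directive, so duplicates
    later in the file are ignored here too. Directives after a Match
    line are conditional, so parsing stops there (a simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(settings: dict) -> list:
    """Return (directive, current value, recommended value) for each
    policy directive that is unset or set to a non-accepted value.
    An unset directive is reported because a hardening baseline wants
    the value stated explicitly rather than inherited from a default
    that varies between OpenSSH versions."""
    findings = []
    for directive, (accepted, recommended) in POLICY.items():
        current = settings.get(directive.lower())
        if current is None:
            findings.append((directive, "(not set)", recommended))
        elif current.lower() not in accepted:
            findings.append((directive, current, recommended))
    return findings


def apply_recommendations(settings: dict) -> dict:
    """Return a copy of settings with every finding fixed, i.e. the
    hardened counterpart of the weak configuration."""
    hardened = dict(settings)
    for directive, _current, recommended in audit(settings):
        hardened[directive.lower()] = recommended
    return hardened


if __name__ == "__main__":
    weak = parse_sshd_config(SAMPLE_CONFIG)
    for directive, current, recommended in audit(weak):
        print(f"{directive}: {current} -> {recommended}")
    print("after fixes:", audit(apply_recommendations(weak)))
```

The duplicate PasswordAuthentication line in the sample is the sort of mistake the section warns about: an administrator appends the hardened value, the service keeps the first one it read, and a tool that only greps for the string "PasswordAuthentication no" would report the host as compliant. Parsing the file the way the daemon does is what makes the audit trustworthy.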
Assurance
The metric that defines operating system assurance is Common Criteria (CC), an ISO standard (ISO 15408). There is a hierarchy of evaluation assurance levels -- for instance, EAL1 through EAL7. The Common Criteria evaluation is valid only for a specific system configuration of hardware and software. Windows has received a superior EAL to Linux; it has achieved EAL4, while Linux recently achieved EAL3. SUSE is planning to achieve EAL4 by year-end. Government organizations, primarily, require CC assurance. Even though assurance requirements started primarily with government accounts, and in particular the U.S. Department of Defense, they are applicable in a commercial setting as well. However, most customers do not need to meet the same level of assurance as the Department of Defense.
Trusted Computing
Trusted Computing is an architecture that prevents tampering with applications and enables secure communication with a vendor. A number of vendors, like Intel, Microsoft, and IBM, are embracing the potential of this emerging technology. At present, this capability is more vision than reality and neither Linux nor Windows is superior at this time. Microsoft's vision of Trusted Computing is related to digital rights management. The open source community currently sees little value in Trusted Computing.
Open standards
Linux is superior to Windows because it supports open standards. Although Microsoft also supports a number of the same open standards, like IPSec, IKE, and IPv6, it also embraces and extends standards. For organizations with heterogeneous systems and a requirement for interoperability, "standards" that have been extended with proprietary code make consistent flaw detection and bug fixing more time-consuming and difficult. An example of this is Microsoft's extension of Kerberos, a standard protocol. Microsoft added an authorization capability to the Kerberos ticket; although Kerberos was initially defined for this specific purpose, the functionality was never used. Moreover, Microsoft embraced and extended the Kerberos standard by specifying the process for other applications to share the authorization data field in the ticket. Microsoft's version of Kerberos is not completely interoperable with the standard, so IT managers who use Microsoft Kerberos will find it harder to deploy and manage Kerberos across a heterogeneous IT environment and will prefer an all-Windows IT infrastructure.
Open source
If the criterion for a secure operating system is open source, then Linux is clearly superior to Windows. Microsoft's Shared Source Initiative is an attempt to meet customer requirements for looking at source code. Yet, in large part, Shared Source subscribes to a "look, but don't touch" philosophy. The governments of Russia, the United Kingdom, China, and NATO participate in Microsoft's Government Security Program. Despite the pragmatism of this initiative to add transparency and emphasize partnership, there are varying requirements organizations must meet to access and use Microsoft source code. For example, not all source code for Windows can be viewed online, so a user who wants to do a build and test an application must plan an on-site visit to Microsoft's headquarters.
Recommendations
Security considerations in Linux and Windows continue to fuel the debate on which is better, an open source or closed source operating system. Industry logic is that an operating system based on open standards and open source enables interoperability, improves bug detection and fixes, and is superior to a model of security through obscurity. Open source also forces Linux distribution providers to be absolutely transparent in the production process. Every step can be re-run by users, and this enables incremental security on a meta level. Windows, for which no source code is available, does not enable equivalent transparency.
While Linux provides equivalent to superior security capabilities in comparison to Windows, the security of a Linux system is largely dependent on the choice of Linux distribution, the kernel it is based on, and the skill of the IT staff in implementing and supporting the system. Since your success in implementing and maintaining a secure operating system rests with your IT shops, make sure that they have the training and expertise to deploy, manage, and troubleshoot. Instill discipline in the IT managers and system administrators, who need to understand how to apply security best practices.
We recommend that organizations start an analysis of their operating system security by becoming familiar with key security capabilities that are required to meet the organization's need for functionality, which will reduce risk and ensure compliance.
If you are considering migration to a different operating system or upgrading your current product, select an operating system environment based on a qualitative analysis of security capabilities, rather than beginning with point products. When you combine consideration of your business needs with an understanding of operating system security capabilities, you can fulfill functional requirements, reduce risk, and ensure compliance.
Stacey Quandt is a principal analyst at Quandt Analytics, where she covers key market trends important to IT vendors and corporate users of Linux and open source technologies. Prior to establishing Quandt Analytics she was a principal analyst at the Open Source Development Labs and an industry analyst at Forrester Research. At Giga Information Group, a subsidiary of Forrester Research, she created the firm's Open Source Research Competency and advised Fortune 1000 customers with published research and tactical and strategic advice on Linux.
Copyright 2004 Quandt Analytics
Gina on the other hand is a lame attempt at the same thing. To change it you have to bring in an entirely new DLL. You can't just edit an existing config file and use existing code for verification as you can with PAM. This requires a Registry change or a DLL file change. Screw either of them up and you are toast. Screw up PAM and it will require a CD reboot at worst, but you can recover in less than 5 minutes.
I suppose they are roughly the same if you think a tricycle and a car are roughly the same. (For old timers - think of the Laugh In show where the guy pedals 3 times and falls over.) Sure don't know how Win managed to get EAL-4.
Missed one in base security
Posted by: Anonymous Coward on May 25, 2004 09:40 PM#