The United States Department of Homeland Security (www.dhs.gov)
changed
its
servers
over
to
Oracle on Linux last week, after running on Windows 2000 for several months.
Experts say that it is unlikely the change is a reaction to “Slammer,” the MS
SQL server worm that rocked the Internet last week.Netcraft shows the change took place on January 24th and 25th. The site had
previously run off the U.S. Office of Personnel Management servers, but now is
listed with Energis Squared, the same group that hosts the White House website.
The changeover appears to coincide with the slamdown of the ‘Net by the MS SQL
server worm. Officials from the Department of Homeland Security were
unwilling to comment on the server changes, but Jerry Brady, CTO of Guardent, a security consulting company that provides services to the federal government, says that it would not be possible to get a new server up and running
that quickly. “The lead time there has got to be a lot more,” he says. “Still,
the general trend of vulnerability [in MS server products] would cause some
concern.”
Jay Beale, lead developer for the Linux lock-down tool Bastille Linux agrees. “I’d
love to tell you that they switched because of a Windows worm.
Unfortunately, an operating system switch generally takes a lot more
than a weekend to pull off, in terms of planning, testing, and
actually moving. So they probably didn’t switch because of that
particular worm. It’s far more likely that it was a planned switch
to an operating system that they know they can more easily lock down,” he says.
But Brady says, even with the incredible slowdowns and outages, it could have been a lot worse last week. “You could have done a
lot more with that, with direct targets. Because of the randomness, this looked more like a science fair
project,” he says. “I’d worry a lot more about what comes next.”
That’s probably why
officials
decided
it
would
be
better
to
run
the
Department of Homeland Security site on Linux.
It’s not that Linux and other open source solutions don’t have security
glitches, in fact, today Engarde Linux released information about and
fixes for several
MySQL
vulnerabilities. The difference is that Linux and Unix can be “locked down” much
more
effectively, according to Beale.
“An
experienced sysadmin can just do so much more to lock down a Unix-based
operating system, especially Linux,” says Beale. “Windows 2000 doesn’t offer
either
the same kind of granularity of configuration or the equivalent ability
to inspect pieces of the operating system.”
Microsoft itself has said that the MS SQL server
vulnerability could allow
an
attacker complete control over the victim system. Microsoft issued a patch for
this vulnerability back in July of 2002, but judging by the slowdowns of the
past few days, not many MS users availed themselves of the fix.
It would seem logical to switch to a more secure OS for which fixes
appear almost immediately after security bugs are recognized, but most
site owners across the country have not done that yet, unlike the savvy Department of
Homeland Security. Even the fed’s Office of Personnel Management servers, from
which the dhs.gov website evacuated, are staying with Windows 2000 for now.
In fact, many government websites still run on Windows or other combinations of
server/OS. Here’s a listing of some:
- www.firstgov.gov – apache on solaris – CERFnet
- www.loc.gov – web on aix – Library of Congress servers
- www.info.gov – netscape on solaris – GSA servers (switched
from Microsoft IIS on NT4 in October 2001)- www.irs.gov – netscape on solaris – IRS servers (switched from HP-UX in January
2002)- www.fedworld.gov – apache on SunOS – National Technical Information Service
- all DOJ sites – netscape on solaris – DOJ servers
- www.nsa.gov – Microsoft IIS on Windows 2000* – Lingualistek
- www.supremecourtus.gov -Netscape on Compaq Tru64 – U.S. Govt. Printing Office
- most .mil sites – netscape on solaris – Defense Technical Information Center
Contrary to some speculation, Brady doesn’t think the ‘Net is at risk for a
resurgence of the MS SQL worm this week. “The fix is so trivial,” he says. “And
it seems efforts to filter the traffic have been very effective. Besides, why
would you ever put a SQL server naked on the Internet? There are a whole lot of
other things you’d put up first.”
*The website of the National Security Agency shows up as being hosted by
Lingualistek, a small tech business in Maryland that runs its own site on Apache and Linux.
on Linux.
Category:
- Security
