Linux, OpenBSD, Windows Server Comparison:
Web Break-In Comparisons
Quantitative Comparisons
There is no easy quantitative way to compare Linux or OpenBSD
with Windows NT or 2000 on security. Microsoft's 30 security
announcements already this year on their security mailing list
look high at first compared to OpenBSD's advisories, but there is
no way to equate the two lists. Microsoft's list covers all of its
products, compared with which the OpenBSD system is tiny.
Microsoft's products are used so much more widely that I'd be
surprised if they even consider OpenBSD a competitor, unlike
Linux, which obviously threatens them to some extent.
You can't use the SANS advisories, which are dominated by Windows
and Linux items but also cover products from other vendors that run
on Windows systems. SANS rarely mentions OpenBSD even though it
covers all systems; to be fair, NetBSD, which like OpenBSD is not
widely used, is rarely mentioned either. The much more widely used
FreeBSD shows up much more frequently. To use the SANS list for any
quantitative comparison, you'd need accurate counts, a scale to
weight the seriousness of the reported problems, and knowledge of
the number of deployed systems. It's interesting, though, that SANS
lists some items that Microsoft acknowledges but does not seem to
include on its lists. It appears that if a problem is fixed in
a service pack and there is no separate patch for it, it
does not get on the Microsoft security list.
The measure that's most interesting hardly seems to exist:
OpenBSD systems that have actually been compromised.
I've never seen an article describing an OpenBSD
system being compromised in any way; I've never seen
anything on a serious bug leading to multiple system
compromises. I searched attrition.org for the past year and was
able to find three defaced OpenBSD sites listed; they list about
a hundred to several hundred sites a month. Apache (httpd) is
not part of the default install. I'd be interested to know what
happened in these cases. I expect the administrators loosened
security in some way or had buggy dynamic web applications with
poor file and directory permissions. Even though OpenBSD is a
tiny player, given its reputation for security, you'd think the
trade press would jump on any serious breach of an OpenBSD system
that they learned of.
The number of compromised OpenBSD web sites is low, but so is the
number of installed OpenBSD systems. Without reasonably
accurate estimates of the computer population size, it's hard to
meaningfully evaluate raw numbers related to system compromises.
It seems reasonable to expect that a more secure system should
experience fewer compromises relative to its numbers than a less
secure system. Even if the details of compromises are examined
and largely found to be the result of administrative error, many
administrative errors suggest a system that is poorly configured
initially or one that is difficult to learn and/or use. Without
detailed and reliable breakdowns of the deployment distributions
of different operating systems, quantitative measures of system
compromises can be little more than suggestive, and it's necessary
to rely on the fundamental characteristics of the systems
involved and anecdotal evidence.
Web Defacements
Because there is so little comparative quantitative information
on security, it is worth looking at some of what is available even
if conclusions need to be somewhat circumspect. The following
numbers were obtained by counting web site defacements as listed
at Attrition.org from June 2000 through May 2001.
Windows
   4336  Windows NT
   1070  Windows 2000
      2  Windows 95
   5408  Windows total

All UNIX and Like
   1185  Linux Red Hat
    999  Linux unknown distributions
     36  Linux Connectiva
     23  Linux Debian
     17  Linux Cobalt
     17  Linux SuSE
     13  Linux ALZZA
     12  Linux Mandrake
      1  Linux Slackware
   2304  Linux total

    485  Solaris & Sun OS (1)
    267  IRIX
    163  FreeBSD
    121  BSDI
     44  SCO
     28  Generic UNIX
     18  Compaq Tru64 UNIX
      9  AIX
      7  HPUX HP
      4  Digital UNIX DG
      3  OpenBSD
      2  NetBSD
      1  PowerBSD
      1  Digital OSF1
   1153  UNIX & Like total

   3457  UNIXs & Linux
   8865  Total Windows and all UNIX

Other
      2  Mac OS
      1  Netware
     63  unidentified
Frequently the case (upper versus lower case letters) of the
codes indicating the operating system was not consistent with the
legends and had to be manually combined. There is nothing to
measure the severity of the intrusions listed, but in all cases
defacing a web site means the intruder was at least able to get
write access to system areas which should have been protected
from such access. In the following, where a percentage is given
based on the above numbers, the 66 unidentified, Mac and Netware
incidents are not included as part of the total; only Windows and
all UNIX systems are counted.
Linux and other UNIX Defacements
Given the conceptual similarities between Linux and the other
UNIXs, a significant disparity in system compromises relative to
share of deployment for a specific function would be indicative
of real security issues. Linux's 67% of UNIX web site defacements
is roughly proportional to estimates of its deployment as a
web server, so there is no evidence in web site defacement numbers
to conclude that Linux security is significantly different from
that of other UNIXs.
The large Red Hat share is indicative of its prevalence as the
most widely used Linux distribution. The "Linux unknown
distribution" count suggests the administrators have changed details
of response headers in ways that hide the specific distribution but
not the Linux core. Some distributions are not listed at all;
they may not have headers specific enough to identify the
distribution. After allowing for these, the distribution of the
unknown systems should loosely correlate with the frequency of
known distributions. So, many of the 999 unknown Linux systems
are likely to be Red Hat also. Given the highly speculative
nature of the 999 Linux unknowns, there is no reason to conclude
that Red Hat is significantly more or less secure than other
Linux distributions based on web site defacements.
A striking contrast in the UNIX area is the Sun, IBM and
HP numbers. While there is little doubt that Sun has a lead
among the big UNIX vendors in the Internet arena, it seems
unlikely that it holds just under 97% of this market with IBM and
HP around 1.5% each. These numbers suggest significant Sun
security issues relative to its primary competitors and are
consistent with security advisories and discussions with Sun
administrators regarding default Sun installs.
The large number of IRIX compromises is also interesting. I
thought SGI ceased to be a meaningful player several years ago.
The high figure suggests one of two issues. If new IRIX systems
are still being delivered, they appear to have significant
security issues. On the other hand, these may represent aging
systems that are not being kept up-to-date, which is suggestive of
those dangers.
That FreeBSD leads the open source BSD systems in web break-ins
is not surprising. FreeBSD is known to power a number of
important portals and e-commerce sites because of its extremely
high performance. Without knowing what percentage of web
server deployment this represents, there is no way of knowing
how FreeBSD stacks up against the other UNIXs or BSDs. Likewise,
OpenBSD's very low number is not sufficient to establish that it
has achieved its security goals; it may simply reflect a very low
use rate as a web server.
Windows Defacements
There are no hard and fast numbers on either web servers or the
operating systems behind them. Depending on what you read, what
is being counted and how it's counted, IIS (and thus Windows
NT or 2000) accounts for between 25% and 40% of the web servers.
Apache accounts for about 60 percent and Netscape for a few percent
at most. Some others account for very small but measurable
slivers. Apache can run on Windows NT and 2000, but it nearly
always runs on a UNIX system. Netscape and some others also can
run on Windows but are much more likely to run on a UNIX system.
Windows NT and 2000 servers account for a minority
of all web servers but account for a significant majority, 61%,
of reported defacements. At least with regard to security
issues on systems actually deployed, related to and revealed by
web site security, Windows is clearly less secure than UNIX.
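The tally and the percentages above (Linux's share of the UNIX-like group, Sun against IBM and HP, Windows against the Windows-plus-UNIX total) and the point made earlier that raw counts only mean something relative to deployment can both be worked through in a few lines. The following Python is an added example, not part of the original article: the records are constructed from the per-OS counts in the table (they are not Attrition.org data; some labels are deliberately re-cased or split to show the merging the article says was done by hand), the family rules and function names are the example's own, and summing the printed Linux rows gives 2303, one fewer than the 2304 total shown in the table, so the shares below come out a few tenths of a percent from the article's rounded figures.

```python
"""Tally web-site defacements by operating system and derive the shares the
article quotes.  Added example: the records are CONSTRUCTED from the article's
table (not Attrition.org data); the family rules and function names are the
example's own."""
from collections import Counter

# Constructed (count, label) pairs.  Labels deliberately vary in letter case
# and spacing, mimicking the inconsistent codes the article says had to be
# combined by hand; "Windows NT" is split into two differently-cased rows
# to show that normalisation step at work.
RAW_RECORDS = [
    (4000, "Windows NT"), (336, "WINDOWS  nt"), (1070, "windows 2000"),
    (2, "Windows 95"),
    (1185, "Linux Red Hat"), (999, "linux unknown"), (36, "Linux Connectiva"),
    (23, "Linux Debian"), (17, "linux cobalt"), (17, "Linux SuSE"),
    (13, "Linux ALZZA"), (12, "Linux Mandrake"), (1, "Linux Slackware"),
    (485, "Solaris"), (267, "IRIX"), (163, "FreeBSD"), (121, "BSDI"),
    (44, "SCO"), (28, "Generic UNIX"), (18, "Tru64"), (9, "AIX"),
    (7, "HPUX"), (4, "Digital UNIX"), (3, "openbsd"), (2, "NetBSD"),
    (1, "PowerBSD"), (1, "OSF1"),
    (2, "Mac OS"), (1, "Netware"), (63, "unidentified"),
]

# Substrings (matched after normalisation) that place a label in a family.
# First matching family wins; anything unmatched is "other".
FAMILY_RULES = (
    ("windows", ("windows",)),
    ("linux", ("linux",)),
    ("unix", ("solaris", "sunos", "irix", "freebsd", "bsdi", "sco", "unix",
              "tru64", "aix", "hpux", "hp-ux", "openbsd", "netbsd",
              "powerbsd", "osf1")),
)


def normalize(label):
    """Collapse whitespace and letter case so 'WINDOWS  nt' == 'Windows NT'."""
    return " ".join(label.split()).lower()


def family(label):
    """Map a raw OS label to windows / linux / unix / other."""
    key = normalize(label)
    for name, needles in FAMILY_RULES:
        if any(needle in key for needle in needles):
            return name
    return "other"


def tally(records):
    """Return (counts by family, counts by normalised label)."""
    by_family, by_label = Counter(), Counter()
    for count, label in records:
        by_family[family(label)] += count
        by_label[normalize(label)] += count
    return by_family, by_label


def percent(part, whole):
    return round(100.0 * part / whole, 1)


def shares(records):
    """Headline figures: Windows' share of identified Windows+UNIX
    defacements and Linux's share of the UNIX-like group.  "other" (Mac,
    Netware, unidentified) is left out of every denominator, as the
    article does."""
    by_family, _ = tally(records)
    identified = by_family["windows"] + by_family["linux"] + by_family["unix"]
    unix_like = by_family["linux"] + by_family["unix"]
    return {
        "identified_total": identified,
        "windows_pct": percent(by_family["windows"], identified),
        "linux_pct_of_unix_like": percent(by_family["linux"], unix_like),
    }


def share_within(records, labels):
    """Percentage split among a chosen set of normalised labels, e.g. the
    Sun / IBM / HP comparison."""
    _, by_label = tally(records)
    total = sum(by_label[label] for label in labels)
    return {label: percent(by_label[label], total) for label in labels}


def relative_exposure(defacement_pct, deployment_pct):
    """Defacement share divided by deployment share.  1.0 means a platform
    is defaced in proportion to its presence; above 1.0 it is
    over-represented.  The deployment figure has to come from a separate
    survey, which is the missing piece the article keeps returning to."""
    return defacement_pct / deployment_pct


if __name__ == "__main__":
    headline = shares(RAW_RECORDS)
    print(headline)
    print(share_within(RAW_RECORDS, ("solaris", "aix", "hpux")))
    # Using the article's 25%-40% IIS deployment range as the denominator.
    for deployment in (25.0, 40.0):
        ratio = relative_exposure(headline["windows_pct"], deployment)
        print(f"IIS at {deployment}% deployment: {ratio:.2f}x")
```

Running the script prints a Windows share of 61.0% and a Linux share of 66.6% of the UNIX-like group, and a Sun/AIX/HP-UX split of 96.8/1.8/1.4; with IIS at 25% to 40% of deployed web servers the Windows exposure ratio lands between roughly 2.4 and 1.5. The same function applied to the Linux figure is exactly what the article is missing a denominator for.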
This brings us back to Windows NT and 2000 systems and their
default security. I don't know what changes Microsoft has made
to default Windows 2000 install configurations, but simply put,
any Windows NT install, server or workstation, resulted in the
least secure systems I've seen to date among systems that include
security capabilities as part of the operating system. The large
number of open services on the Windows 2000 systems used in
attacking GRC.com suggests that Microsoft has enabled more
services by default rather than fewer. During the NT installation
there are only two options with significant security
implications. These are whether to use the FAT or NTFS file system
and where to install some optional components. If FAT is
selected as the file system type, no useful file or directory
security is possible. Further, there is a good chance that at
some point the file system will experience corruption or failure
resulting in downtime (loss of availability to perform its
intended functions) and likely loss of data.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.