
Linux, OpenBSD, Windows Server Comparison: Web Break-In Comparisons

Quantitative Comparisons

There is no easy quantitative way to compare Linux or OpenBSD with Windows NT or 2000 on security. Microsoft's 30 security announcements already this year on their security mailing list look high at first compared to OpenBSD's advisories, but there is no way to equate the two lists. Microsoft's list covers all its products, compared with which the OpenBSD system is tiny. Microsoft's products are used so much more widely that I'd be surprised if they even consider OpenBSD a competitor, unlike Linux, which obviously threatens them to some extent.

You can't use the SANS advisories, which are dominated by Windows and Linux items but also cover products from other vendors that run on Windows systems. SANS rarely mentions OpenBSD even though they cover all systems; to be fair, NetBSD, which like OpenBSD is not widely used, is also rarely mentioned. The much more widely used FreeBSD shows up much more frequently. To use the SANS list for any quantitative comparison, you'd need accurate counts, a scale to weight the seriousness of the reported problems, and knowledge of the number of deployed systems. It's interesting, though, that SANS lists some items that Microsoft acknowledges but does not seem to include on its own lists. It appears that if a problem is fixed in a service pack and there is no separate patch for it, it does not get onto the Microsoft security list.

The measure that's most interesting hardly seems to exist: OpenBSD systems that have actually been compromised. I've never seen an article describing an OpenBSD system being compromised in any way, and I've never seen anything on a serious bug leading to multiple system compromises. I searched attrition.org for the past year and was able to find three defaced OpenBSD sites listed; they list about a hundred to several hundred sites a month. Apache (httpd) is not part of the default install. I'd be interested to know what happened in these cases. I expect the administrators loosened security in some way or had buggy dynamic web applications with poor file and directory permissions. Even though OpenBSD is a tiny player, given its reputation for security, you'd think the trade press would jump on any serious breach of an OpenBSD system that they learned of.

The number of compromised OpenBSD web sites is low, but so is the number of installed OpenBSD systems. Without reasonably accurate estimates of the computer population size, it's hard to meaningfully evaluate raw numbers related to system compromises. It seems reasonable to expect that a more secure system should experience fewer compromises relative to its numbers than a less secure system. Even if the details of compromises are examined and largely found to be the result of administrative error, many administrative errors suggest a system that is poorly configured initially or one that is difficult to learn and/or use. Without detailed and reliable breakdowns of the deployment distributions of different operating systems, quantitative measures of system compromises can be little more than suggestive, and it's necessary to rely on the fundamental characteristics of the systems involved and on anecdotal evidence.

Web Defacements

Because there is so little comparative quantitative information on security, it is worth looking at some of what is available even if conclusions need to be somewhat circumspect. The following numbers were obtained by counting web site defacements as listed at Attrition.org from June 2000 through May 2001.

Windows

   4336   Windows NT
   1070   Windows 2000
      2   Windows 95
   5408   Windows total

All UNIX and Like

   1185   Linux Red Hat
    999   Linux unknown distributions
     36   Linux Connectiva
     23   Linux Debian
     17   Linux Cobalt
     17   Linux SuSE
     13   Linux ALZZA
     12   Linux Mandrake
      1   Linux Slackware
   2304   Linux total

    485   Solaris & Sun OS (1)
    267   IRIX
    163   FreeBSD
    121   BSDI
     44   SCO
     28   Generic UNIX
     18   Compaq Tru64 UNIX
      9   AIX
      7   HPUX HP
      4   Digital UNIX DG
      3   OpenBSD
      2   NetBSD
      1   PowerBSD
      1   Digital OSF1
   1153   UNIX & Like total

   3457   UNIXs & Linux

   8865   Total Windows and all UNIX

Other

      2   Mac OS
      1   Netware

     63   unidentified

Frequently the case (upper versus lower case letters) of the codes indicating the operating system was not consistent with the legends, and entries had to be manually combined. There is nothing to measure the severity of the intrusions listed, but in all cases defacing a web site means the intruder was at least able to get write access to system areas which should have been protected from such access. In the following, where a percentage is given based on the above numbers, the 66 unidentified, Mac and Netware incidents are not included as part of the total; only Windows and all UNIX systems are counted.

Linux and other UNIX Defacements

Given the conceptual similarities between Linux and the other UNIXs, a significant disparity in system compromises relative to share of deployment for a specific function would be indicative of real security issues. Linux's 67% of UNIX web site defacements is roughly proportional to estimates of its deployment as a web server, so there is no evidence in the web site defacement numbers to conclude that Linux security is significantly different from that of other UNIXs.

The large Red Hat share is indicative of its prevalence as the most widely used Linux distribution. The "Linux unknown distributions" figure suggests the administrators have changed details of the response headers in ways that hide the specific distribution but not the Linux core. Some distributions are not listed at all; they may not have headers specific enough to identify the distribution. After allowing for these, the distribution of the unknown systems should loosely correlate with the frequency of the known distributions, so many of the 999 unknown Linux systems are likely to be Red Hat also. Given the highly speculative nature of the 999 Linux unknowns, there is no reason to conclude from web site defacements that Red Hat is significantly more or less secure than other Linux distributions.

A striking contrast in the UNIX area is the Sun, IBM and HP numbers. While there is little doubt that Sun has a lead among the big UNIX vendors in the Internet arena, it seems unlikely that it holds just under 97% of this market with IBM and HP at around 1.5% each. These numbers suggest significant Sun security issues relative to their primary competitors and are consistent with security advisories and with discussions with Sun administrators regarding default Sun installs.

The large number of IRIX compromises is also interesting. I thought SGI ceased to be a meaningful player several years ago. The high figure suggests one of two issues. If new IRIX systems are still being delivered, they appear to have significant security issues. On the other hand, these may represent aging systems that are not being kept up to date, which is suggestive of those dangers.

That FreeBSD leads the open source BSD systems in web break-ins is not surprising. FreeBSD is known to power a number of important portals and e-commerce sites because of its extremely high performance. Without knowing what percentage of web server deployment this represents, there is no way of knowing how FreeBSD stacks up against the other UNIXs or BSDs. Likewise, OpenBSD's very low number is not sufficient to establish that it has achieved its security goals; it may simply reflect a very low use rate as a web server.

Windows Defacements

There are no hard and fast numbers on either web servers or the operating systems behind them. Depending on what you read, what is being counted and how it's counted, IIS (and thus Windows NT or 2000) accounts for between 25% and 40% of web servers. Apache accounts for about 60 percent and Netscape for a few percent at most. Some others account for very small but measurable slivers. Apache can run on Windows NT and 2000, but it nearly always runs on a UNIX system. Netscape and some others can also run on Windows but are much more likely to run on a UNIX system. Windows NT and 2000 servers account for a minority of all web servers but account for a significant majority, 61%, of reported defacements. At least with regard to security issues on systems actually deployed, as related to and revealed by web site security, Windows is clearly less secure than UNIX.
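The two steps behind the figures above, combining operating system codes whose case is inconsistent with the legend, and then judging a platform's defacement share against its deployment share rather than on raw counts, can be made explicit in a short script. The following is an added example, not part of the original article or of attrition.org's data: the sample records, the OS codes and the legend are constructed for illustration, and the deployment shares are the article's own 25% to 40% IIS estimate used as an assumed range.

```python
from collections import Counter

# Constructed sample records in the style of a defacement listing:
# (site, os_code). The codes deliberately vary in case, which is the
# inconsistency the article describes having to combine by hand.
SAMPLE_RECORDS = [
    ("www.example-a.test", "NT"),
    ("www.example-b.test", "nt"),
    ("www.example-c.test", "W2K"),
    ("www.example-d.test", "Lin-RH"),
    ("www.example-e.test", "LIN-RH"),
    ("www.example-f.test", "lin"),
    ("www.example-g.test", "Sol"),
    ("www.example-h.test", "OBSD"),
    ("www.example-i.test", "???"),   # no legend entry: counted as unidentified
]

# Constructed legend: normalised code -> (label, family). Only codes present
# in the legend are identified; everything else falls into "unidentified".
LEGEND = {
    "NT":     ("Windows NT", "Windows"),
    "W2K":    ("Windows 2000", "Windows"),
    "LIN-RH": ("Linux Red Hat", "UNIX"),
    "LIN":    ("Linux unknown distribution", "UNIX"),
    "SOL":    ("Solaris", "UNIX"),
    "OBSD":   ("OpenBSD", "UNIX"),
}


def normalise_code(code):
    """Fold case and whitespace so 'nt', ' NT ' and 'Nt' all match the legend."""
    return code.strip().upper()


def tally(records, legend=LEGEND):
    """Count defacements per OS label and per family (Windows / UNIX / unidentified)."""
    by_label, by_family = Counter(), Counter()
    for _site, code in records:
        entry = legend.get(normalise_code(code))
        if entry is None:
            by_family["unidentified"] += 1
            continue
        label, family = entry
        by_label[label] += 1
        by_family[family] += 1
    return by_label, by_family


def family_share(by_family):
    """Share of identified defacements per family; unidentified entries are
    excluded from the denominator, as the article does for its percentages."""
    identified = sum(n for f, n in by_family.items() if f != "unidentified")
    return {f: n / identified for f, n in by_family.items() if f != "unidentified"}


def relative_risk(defacement_share, deployment_share):
    """Defacement share divided by deployment share. 1.0 means the platform is
    defaced in proportion to its presence; above 1.0 means more often than its
    numbers alone would predict, which is the comparison the article argues for."""
    if deployment_share <= 0:
        raise ValueError("deployment share must be positive")
    return defacement_share / deployment_share


if __name__ == "__main__":
    labels, families = tally(SAMPLE_RECORDS)
    print("per label:", dict(labels))
    print("per family:", dict(families))
    print("shares:", family_share(families))
    # The article's totals: 5408 Windows of 8865 Windows+UNIX defacements,
    # against an assumed 25% to 40% share of deployed web servers.
    windows_share = 5408 / 8865
    for deployed in (0.25, 0.40):
        print(f"Windows relative risk at {deployed:.0%} deployment: "
              f"{relative_risk(windows_share, deployed):.2f}")
```

With the constructed records, the three differently cased `NT`/`nt`/`W2K` entries collapse into one Windows family of 3 and the five UNIX codes into a family of 5, with the `???` record excluded from the percentage base. Run against the article's totals, the Windows defacement share of 61% works out to roughly 1.5 to 2.4 times its assumed deployment share, which is the disproportion the text describes; the same function applied to Linux's 67% of UNIX defacements against a comparable deployment estimate gives a ratio near 1, matching the article's "roughly proportional" reading.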

This brings us back to Windows NT and 2000 systems and their default security. I don't know what changes Microsoft has made to default Windows 2000 install configurations, but simply put, any Windows NT install, server or workstation, resulted in the least secure systems I've seen to date among systems that included security capabilities as part of the operating system. The large number of open services on the Windows 2000 systems used in attacking GRC.com suggests that Microsoft has enabled more services by default rather than fewer. During the NT installation there are only two options with significant security implications: whether to use the FAT or NTFS file system, and where to install some optional components. If FAT is selected as the file system type, no useful file or directory security is possible. Further, there is a good chance that at some point the file system will experience corruption or failure, resulting in downtime (loss of availability to perform its intended functions) and likely loss of data.

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.