GeodSoft

Linux, OpenBSD, Windows Server Comparison: Security Conclusion

For some time OpenBSD has been recognized as the security leader among general purpose operating systems. It is appreciably more secure than standard distributions of Linux, which have typically had moderately long lists of security-related bugs. These tend to be fixed quickly, but most users don't keep their systems up to date. Because of their modular nature, including individual services that use a single port or two and do not depend on other services, both OpenBSD and Linux can be fairly easily hardened into limited-function servers with very restricted opportunities for compromise. While OpenBSD is more secure than most versions of Linux, it is significantly weaker in application support and scales less well. As Linux can be easily hardened to almost any suitable degree, its larger application base gives it an advantage in most environments. Where security is of the utmost importance, and particularly in border technology such as firewalls and proxies, encryption and VPNs, OpenBSD is typically the first choice.

New pre-hardened versions of Linux present some interesting comparisons to OpenBSD. Their track record is not yet established, but theoretically they may have some advantages. By making the same kinds of choices that OpenBSD has, sometimes to an even greater degree, these systems face some of the same problems facing OpenBSD. These pre-hardened systems are Linux, but not complete Linux, and may be missing infrastructure components present on standard versions of Linux. When an administrator installs a new application on one of these systems, he or she may face the same issue that an OpenBSD administrator sometimes faces: needing to find and install a support library or other component that the software product needs and that was removed from the hardened version of Linux.

Though Windows servers have significant feature lists of security-related functions, default Windows installs are typically abysmal with regard to security issues. As a practical matter, many Windows servers' security is never significantly improved, leaving large numbers of Windows systems as easy prey for potential intruders. Serious new bugs continue to be found, even in Windows code several years old. All servers should be, but Windows servers must be, protected with exterior firewall and intrusion detection systems. Even with exterior protections, new bugs continue to be found that allow remote system level compromises in core Microsoft code, where firewalls cannot protect the system. When as many as 400,000 systems are compromised in a few days by code that can provide remote administrative access, Windows systems need to be regarded as relatively high risk when exposed to the Internet compared to Linux and especially OpenBSD. Some insurance companies now charge higher rates to insure Windows systems as opposed to UNIX systems.


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

 

