Windows versus FreeBSD versus Linux.

LayerOne 205
Slide 1

Windows versus FreeBSD versus Linux Or: Why Deploying Linux in your Environment is Suicide

Slide 2

Don't Believe Anything I Say
"Do not have confidence in anything basically in light of the fact that you have heard it. Try not to have faith in anything basically on the grounds that it is talked and reputed by numerous. Try not to have faith in anything basically in light of the fact that it is discovered composed in your religious books. Try not to put stock in anything just on the power of your educators and seniors. Try not to put stock in conventions since they have been passed on for some eras. Yet, after perception and examination, when you find that anything concurs with reason and is helpful for the great and advantage of the whole gang, then acknowledge it and satisfy it." - Buddha
Daytime - Security specialist "Freeway highwayman" in Linthicum MD
Night - Founder of the Shmoo Group, Capital Area Wireless Network, occasional creator

Slide 3

For Your Safety and The Safety of Those Around You
Linux Zealots | Windows/BSD/Others
This discussion might be very little more than flamebait
You might be reminded of a /. discussion
This discussion is intended to be interactive

Slide 4

Let's Talk About Security
For the feds, "Data Assurance"
Tactical Coding Error versus Design Flaw
Script kiddie versus Dedicated Attacker
Host Hardening versus Long-term operational security

Slide 5

Long-term Operational Security
Often neglected part of "security"
We are not an end all by ourselves. Further, an IDS does not operational security make
Any simpleton can be trained to secure a host
Look at all the security books on the rack
Running a long-term secure operation is the hard thing

Slide 6

Enter Rant Mode

Slide 7

Potter's Pyramid of IT Security Needs
Honeypots
IDS
Software Sec
ACLs
Firewalls
Auth/Auth
Patch Mgt
Op. Systems
(Axis label: Sophistication and Operational Cost)

Slide 8

Why Does the Development Method Matter?
You can certainly do navel-gazing analysis to say why it does or does not make a difference
Corp View: Structured process is the best way to build a secure and versatile system
Or
OSS View: Having many eyeballs and a lack of clear direction means the best and most useful stuff is what will get integrated, not all the fluff.
There is no right answer…
Process-driven code can suck horrendously
There are often not "many eyes" looking at security

Slide 9

But really, is there a difference?
Beyond what the extremists say, and what the media says… Is there a real difference?
Assessing this difference is a real PIA with lots of red herrings
Methods of determining the difference
Examine the development processes
Examine the history of security in the design
Vulnerability statistics?
Examine the future directions of security
Ideally get metrics from enterprises on how they spend their security budgets and why
I'm not Burton or IDG… So I just asked friends…

Slide 10

Let's Talk About Vulnerability Statistics
Vulnerability stats are (for the most part) an artifact of tactical coding errors, not bigger issues
"In the last year we cut the number of patches we released from 35 to 12"
Well, if you're rolling up multiple vuln fixes into one patch, it doesn't count
Further, the impact from the vulns may vary as well
Not only a MS issue… MDKSA-2004-037
Whose code was the vuln in? Kernel? Integrated Application? Third party?

Slide 11

But We're Ahead of Ourselves. First, Windows!
Created as a complete system
And then some…
Applications are tightly integrated with the operating system.
Clearly, MS works as one organization, and Office upgrades know about Windows upgrades and vice versa
Kernel: MS Created
Core Sys Utils: MS Created
Applications: MS Created

Slide 12

Windows Release Methodologies
Publicized well in advance
Much of it is marketing spam, but there is clearly a HUGE developer network that seeds new technology information well in advance of release
MS has a tendency that once they've dominated a market, they quit managing the market
IE is a prime example
This negatively affects security
MS will only integrate as much security as the market demands.
The OSS world will continue to integrate security b/c it's the best thing to do

Slide 13

Windows Security Roadmap
Many long-term security initiatives
Internal code security programs
Security is woven through their entire development process
Tho with the recent announcement of Land II, they may not quite be there yet
Security functionality roadmap
Including a full MLS compliant OS by 09
Definitely aware of Security Operations

Slide 14

FreeBSD
Is designed and developed as a complete end-to-end system
Kernel to userland system utilities
Structured development process
Core team, and responsibility for all parts of the core OS
Beyond userland system utilities, third-party software is packaged by the FBSD team
Either in binary or source packaging (or both)
Kernel: FBSD Created
Core Sys Utils: FBSD Created
Applications: FBSD packaged

Slide 15

FreeBSD Release Methodologies
For the core system, there is a FreeBSD Release Engineering team.
For third-party software, there is also a team dedicated to "deliver an amazing bundle set appropriate for authority FreeBSD discharge media."
More information at

Slide 16

FreeBSD Security Roadmap
FreeBSD gives EOL information WELL in advance of EOL, giving administrators a heads up.
Many integrated security features
Securelevels are a great feature
Extended ACL control, jails (!chroot)
While not a Roadmap ala Microsoft, still a great start.

Slide 17

Linux
It's Bazaar, isn't it?
Linus et al control the kernel
Community makes the rest with some loose coordination
Distros use Duct Tape as a "value add" to put everything together
While they're all "Linux" they're fundamentally different OS's
Aren't they?
Kernel: Linus Created
Core Sys Utils: Community Created/Distro Pkg
Applications: Community Created/Distro Pkg

Slide 18

A Choice Slashdot Quote
First, why do I care the slightest bit about the bloat of the graphical environment versus the bloat of the part? It's all a player in the OS to the extent I mind
Second, stop with this GNU/Linux versus Linux poo

Slide 19

Linux Kernel Release Methodologies
Whenever they feel like it
Whenever they feel like iterating the third digit
Changes with every major release
2.0 was different than 2.2 than 2.4 than 2.6
Not necessarily done in conjunction with distros
Distros released at the same time will often use different kernels
Frankly, it's all at Linus' and his appointee's control

Slide 20

Distro Release Methodologies
Even tho they're all "Linux", they're like their own OS
So there…
Some are slow moving and rely on uber admins
Debian is the ultimate example
Others attempt to have structure and make things easier on the user
The Old RedHat, Ubuntu, etc…
However, since they're really in charge of the packaging and glue code, they're at the whim of the community for features, especially security
A distro won't, for instance, write their own firewall code

Slide 21

Linux Security Roadmap
Not much out there for "Linux"
There's barely a kernel roadmap…
RedHat released a security roadmap 2 years ago that basically amounted to "Integrate SELinux into RH distro"
Really, that's about all I found… Others have insight?
Lots of add-on things (GRSec, etc…)

Slide 22

And now, Patching
Is a core Security function, and releasing patches should be a core vendor function
MS used to release patches whenever it "made sense"
Now they've gone to monthly roll-up patches
Concerns about losing resolution (aka: making 0day attacks an issue) have not emerged
Certainly simplifies ongoing Ops
Regression testing/QA can be scheduled in advance and patch deployment times are reduced

Slide 23

Patching on the *NIXs
FreeBSD Kernel
Patches direct from FBSD developers
Linux Kernel
Patches can be applied from code
Patches can be applied from distro code
Which is right?
Third-party patches (system stack, KDE, etc)
Patches direct from developer
Patches from distro
Core system utils in FBSD come from FBSD developers
Again, which is right?
*NIX patches easier to see, easy to mass deploy
More difficult to determine if it's needed

Slide 24

Let's Not Forget About SnR
So, it's not just about the design
Security admins need to stay up to date
I.e. We can justify why we surf the net all day
The hell that is the Linux Distro security announcements
We whine about the bad SnR on an IDS, why don't we cry about the SnR on disclosure lists
Vulnerability Timeline (diagram): Bugtraq Mod. Supports, Vuln Disk., Patch Rel., Ubuntu Rel., Mandrake Rel., Red Hat Rel., Debian Rel., OpenLin Rel., FBSD Rel., BillyJoe Rel.

Slide 25

The Future
Linux continues to get by on brute force and a worldwide network of radicals
The Linux devotees make Apple users look tame
MS will continue to push the boundaries of security beyond what the stereotypical OSS operating system can do
Especially from an operational security perspective
The BSD's will continue to be the leaders in the OSS movement wrt operational security

Slide 26

Questions? Answers?
