A good friend of mine recently had his Linux system rooted through a vulnerability in the Wu-FTPd server he was running. Much to his chagrin, my initial reaction was to laugh. This vulnerability is well-known, and patches have been available for months -- but he failed to install them. I laughed because he is constantly arguing with me that Linux is much more secure than any Microsoft Corp. OS, and he gets mad when I tell him that Linux systems are just as vulnerable. This event proved it.
When you introduce the human element into the security picture, you have already lost the battle. End users (or clueless system administrators) who do not fully understand the OS or security basics may place a wide-open system on the network. Many administrators are so busy that they do not have the time to properly monitor and manage their systems' configuration.
It takes just one open hole for a system to be compromised. Users and administrators must be vigilant and stay informed about new vulnerabilities and the patches, hotfixes, or configuration changes needed to fix them. According to statistics compiled by CERT (www.cert.org/stats), this job is only getting more difficult and more time-consuming.
As a security professional, I believe the Linux vs. Microsoft battle has never been about which OS is more secure, because no system is completely secure. Everything has at least one vulnerability. The real argument lies in the ease of administration -- the ability to deploy policies and fix vulnerabilities quickly, easily, and painlessly.
Traditionally, Linux has had the edge: Installations can be easily scripted, and it is easy to tell which updates have been installed. This is a bit more difficult with Microsoft patches; to confirm installation, you usually need to check a registry key or the specific version number on a specific file.
But vendors are developing tools to make this job easier. Microsoft (along with Shavlik Technologies LLC) has been hard at work developing HfNetChk, Personal Security Adviser, and the forthcoming Baseline Security Analyzer to help administrators identify missing patches and configurations on systems. Group Policy in Windows 2000 is a very powerful tool that can be used to distribute patches and control security policy.
The new kids on the third-party management tools block are the patch management systems, such as UpdateExpert from St. Bernard Software Inc. and PatchLink Update from PatchLink Corp.
Linux has a few tools in its corner, too. PatchLink will soon support Linux OSes. Caldera International Inc.'s Volution Manager is a multiplatform centralized management program to help distribute policy and applications to Linux systems. Red Hat Inc.'s Red Hat Network helps manage security updates.
Every organization should have the processes and procedures in place to quickly learn about new security vulnerabilities and how to address them, to identify systems affected, to test the recommended solution, and to deploy the solution in a timely fashion. That's a piece of cake, right?
Mandy Andress (email@example.com) covers security and networking for InfoWorld in the US.