UNIX vs Windows NT: Which Is More Secure?
Without A Firewall, Your OS Must Protect You From The Increased Risk of Adding A Web Server
By Jay Heiser
One of the great joys of being a computer professional is the opportunity to waste hours sparring over religious issues. With colorful prophets such as Bill Gates and Scott McNealy, there is no shortage of hype surrounding the debate over the superior operating environment. While this makes for terrific sport, it doesn't get the work done. In a business scenario, you need to ask, "Which technology best meets our requirements?" For servers visible to the Internet, especially Web servers, the ability to resist attacks is crucial, which leads to the question of this article: Which is more secure, Windows NT or UNIX?
There is no simple answer to this question. You need to understand the server's functional requirements, the resources available to create and maintain the server, and the nature of the threat environment, all of which vary from organization to organization, and according to current goals. What are your requirements for confidentiality, data integrity, and availability? What special services or back-end access will you need? These questions must be addressed first in order to make a well-informed choice of Web-server operating environment.
Security Requirements
Security is an issue only because some organizations can expect to be attacked successfully, which will have an impact on their business goals. In the November 1997 issue of Web Techniques, I discussed some examples of successful Web-server attacks in "Web Security Failures." At best, these security incidents resulted in organizational embarrassment. If they hadn't taken action to improve server security, several of these businesses would have eventually failed.
If Web-server hacks had no effect on the victim, computer security could be treated like a game. Unfortunately, most businesses on the Web need to make security a mandatory part of their planning process. They spend money building an Internet presence because it is an important component of their corporate communication programs, and increasingly, the Web server is the only sales channel. When the Web server is down, income stops. Even after service is restored, some desirable visitors may never return.
The more visible or controversial an organization, the more likely it is to come under attack. Major corporations, political lobbying or activist groups, and government entities -- especially military agencies -- all attract a disproportionate share of computer vandals and saboteurs. Personal Web pages, small businesses, and community organizations are less likely to be attacked. However, as the case of the small software vendor discussed in "Web Security Failures" shows, any Internet server can be hijacked. Assume that your Web server will be periodically poked and prodded by hackers.
Failure Modes
Security failures can be attributed to either poor administration or actual software bugs. Ultimately, the person configuring and administering the server is responsible for maintaining its security posture. Allowing critical software with known bugs to stay on the server is tantamount to an administrative failure. The damage and embarrassment of a successful attack are the same whether or not the administrator could have taken reasonable steps to prevent it.
No matter which operating system you use, the more network services that are accessible to intruders, the greater their opportunity to find weaknesses. Don't run any services that aren't absolutely necessary. Many Web-server security breaches are the result of attacks on services such as mail or NFS that the site was not even using, but that the installer turned on by default. Inventory what is actually listening on the server, from the outside as well as from the console, and compare it against the short list of services the site needs.
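The following is an added example, not code from the original article: a small audit that reads "netstat -an" style output and reports every listener whose port is not on an explicit allowlist. The allowlist (HTTP and HTTPS only) and the sample netstat lines are assumptions constructed for this example; they include the SMTP, NFS, and NetBIOS session ports so that the mail and NFS case above, and the NetBIOS-over-TCP port discussed in the Windows NT section below, all show up in the report.

```sh
#!/bin/sh
# Added example: audit the network listeners on a UNIX host against an
# explicit allowlist, to catch services (mail, NFS, NetBIOS, ...) that the
# installer enabled but that a Web server does not need. Input is in the
# column layout of "netstat -an" (local address in the fourth column, TCP
# state in the last); the SAMPLE below is constructed for this example.

# Ports an Internet-facing Web server is expected to listen on.
# Assumption for this example: HTTP and HTTPS only. Add an administrative
# port here only if your policy permits remote administration.
ALLOWED_PORTS="80 443"

# audit_listeners: read netstat-style lines on stdin; print one line
# "proto port service" for every listener whose port is not allowlisted.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        # Well-known ports that are commonly left enabled by default.
        name[21] = "ftp";     name[23] = "telnet";   name[25] = "smtp"
        name[111] = "sunrpc"; name[139] = "netbios-ssn"
        name[513] = "login";  name[514] = "shell";   name[2049] = "nfs"
    }
    # A TCP socket is a listener when its state is LISTEN. A bound UDP
    # socket has no state column and is always reachable, so report it.
    ($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/) {
        port = $4
        sub(/.*[.:]/, "", port)   # "0.0.0.0:139" or "*.139" becomes "139"
        if (!(port in ok))
            printf "%s %s %s\n", $1, port, (port in name) ? name[port] : "unknown"
    }'
}

# Constructed sample of "netstat -an" output for a freshly installed host
# that is supposed to be a Web server.
SAMPLE='tcp        0      0 0.0.0.0:80        0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:443       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:25        0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:139       0.0.0.0:*          LISTEN
tcp        0      0 10.0.0.5:80       203.0.113.7:51234  ESTABLISHED
udp        0      0 0.0.0.0:2049      0.0.0.0:*'

# Run the audit over the sample. On a live host replace the sample with
# "netstat -an | audit_listeners"; an empty report is the goal.
printf '%s\n' "$SAMPLE" | audit_listeners
```

The established HTTP connection on port 80 is ignored because it is not a listener; the three lines that remain (smtp, netbios-ssn, nfs) are exactly the kind of inadvertently enabled services the paragraph above warns about. Run the same check from a host outside the firewall as well, since a service bound to the loopback interface only is not the same exposure as one bound to every address.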
UNIX
Although it's well understood by specialists, UNIX has a reputation for being arcane: It normally takes years of practice to learn the vagaries of UNIX administration, utilities, and behaviors. Unfortunately, many UNIX distributions are quite vulnerable to network and keyboard attack as installed out of the box. Poor UNIX configurations are a hacker's dream, and are distressingly common on the Internet. But while UNIX has a well-deserved reputation as a security problem, experienced and skillful administrators can usually make any UNIX system virtually bulletproof. Many of the server daemons in commercial UNIX distributions, such as sendmail, are built from nonproprietary source code. While this gives hackers the opportunity to examine the code for weaknesses, it also ensures that security and network experts review it.
Complete source code for the commercial variants of UNIX is not available for review, but because it has been so widely used for 20 years, the basic technologies and architecture of UNIX are well documented. As a known quantity, it offers a relatively high degree of assurance. So if you're an expert, you can be very confident that a UNIX system is as secure as you expect it to be.
Such experts apparently did not administer the UNIX systems I described in the previous article on security failures. Authentic UNIX gurus are professionals with years of hands-on administration experience.
UNIX users have always reveled in the convenience and power of network services such as the remote shell, and many new UNIX systems end up with dozens of different network services available. The rich environment of UNIX makes it especially appealing for hijacks. Typically, an intruder finds some weakness that eventually lets him telnet in to the victim host and gain administrative privileges. Because UNIX is command-line oriented, a remote user can do virtually anything that the administrator on the console can. It's easy for an intruder to take advantage of a UNIX system and install his or her own software to sniff out other passwords, or create a chat room, or send email under an assumed identity. To cover their tracks, hackers need access to a series of machines that allow them to telnet in and then telnet back out to the next machine in line. Sites that discover an intruder and attempt to trace the attack back to its source will very quickly run into a tortuous path of hops over multiple time zones.
Be aware that the different UNIX flavors vary widely in their installation options and in the security posture of the resulting configurations. Red Hat Linux, for example, launches its inetd-managed network services through TCP Wrappers (tcpd), a system add-on that gives precise control over which remote hosts may reach each service. The wrapper only enforces what /etc/hosts.allow and /etc/hosts.deny say, however: if hosts.deny is empty, every wrapped service is still reachable from anywhere, so the first administrative step is to put "ALL: ALL" in hosts.deny and then open specific services to specific hosts in hosts.allow.
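To make the TCP Wrappers behavior concrete, here is an added example that is not code from the original article or from the TCP Wrappers package: a shell re-implementation of the access decision tcpd makes, run against constructed hosts.allow and hosts.deny contents. The daemon names, addresses and rule lines are assumptions made for this example, and only the common pattern forms (ALL, an exact daemon name or address, and a network prefix ending in a dot) are handled; EXCEPT lists, netmasks, hostnames and the optional shell-command field are left out.

```sh
#!/bin/sh
# Added example: the tcpd access decision in shell, applied to constructed
# /etc/hosts.allow and /etc/hosts.deny contents. Real tcpd checks
# hosts.allow first, then hosts.deny, and grants access if neither matches.

HOSTS_ALLOW='# constructed /etc/hosts.allow (assumption for this example)
ALL: 127.0.0.1
in.telnetd, in.ftpd: 192.168.1.
'
HOSTS_DENY='# constructed /etc/hosts.deny (assumption for this example)
ALL: ALL
'

# match_list LIST VALUE: succeed if any comma- or space-separated token in
# LIST matches VALUE. "ALL" matches anything, a token ending in a dot
# ("192.168.1.") matches that network prefix, anything else must be exact.
match_list() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case "$tok" in
            ALL) return 0 ;;
            *.)  case "$2" in "$tok"*) return 0 ;; esac ;;
            *)   if [ "$tok" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# rule_matches CONTENT DAEMON CLIENT: succeed if some non-comment line of
# the form "daemon_list : client_list" in CONTENT matches both arguments.
rule_matches() {
    content=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        if match_list "${line%%:*}" "$daemon" && match_list "${line#*:}" "$client"; then
            return 0
        fi
    done <<EOF
$content
EOF
    return 1
}

# tcpd_decision DAEMON CLIENT: the order tcpd uses.
#   1. a match in hosts.allow grants access
#   2. otherwise a match in hosts.deny refuses it
#   3. otherwise access is granted -- an empty hosts.deny protects nothing
# Prints the verdict; returns 0 for allow, 1 for deny.
tcpd_decision() {
    if rule_matches "$HOSTS_ALLOW" "$1" "$2"; then
        echo "allow (hosts.allow)"; return 0
    elif rule_matches "$HOSTS_DENY" "$1" "$2"; then
        echo "deny (hosts.deny)"; return 1
    fi
    echo "allow (no matching rule)"; return 0
}

# Demonstration: a LAN client and an Internet client asking for telnet.
for client in 192.168.1.20 203.0.113.9; do
    printf 'in.telnetd from %s: ' "$client"
    tcpd_decision in.telnetd "$client" || :   # deny returns 1; keep going
done
```

With the "ALL: ALL" line in hosts.deny, the Internet client is refused while the LAN client is admitted by the hosts.allow entry. Remove that deny line (set HOSTS_DENY to an empty string and rerun) and the Internet client is admitted by the third rule, which is the state a wrapped-but-unconfigured system is in.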
Any UNIX system can easily be configured as a hacker's playground. Inattentive or clueless UNIX administrators are responsible for most Web-security disasters. However, properly maintained UNIX systems are highly reliable and attack resistant. UNIX is used today for the most sensitive electronic commerce applications on the Internet.
Windows NT
In general, NT is easier to administer without a high level of expertise. Unfortunately, as Microsoft aims NT at the same market segment now occupied by UNIX, it becomes more complex and correspondingly more difficult to administer. While NT has not suffered from the takeover attacks afflicting UNIX, it has proven embarrassingly vulnerable to denial-of-service attacks. While it is getting better, NT has not proven to be as robust as most UNIX implementations. It is not unusual for UNIX servers, including some Web servers, to run for more than a year without rebooting. Few NT users have experienced that level of reliability. Even with the most up-to-date service packs, if NT doesn't crash periodically, it usually needs regular rebooting.
The most significant NT security failures have been related to weaknesses in NetBIOS over TCP/IP (the name, datagram, and session services on ports 137 through 139). Services such as file and print sharing, normally used only on the LAN, become reachable from the Internet when NetBIOS is bound to TCP/IP on the Internet-facing interface. You shouldn't allow file sharing to run on systems that are visible on the Internet: unbind NetBIOS from TCP/IP on the external adapter, and confirm from a host outside your network that nothing answers on those ports. If your Web server allows use of Microsoft's file-sharing service, you are running a level of risk unacceptable to most organizations.
Because NT is completely proprietary, relatively new, and still evolving rapidly, there is less certainty about what is required to make it truly secure. Source code is not available, and university students spend little time hacking it, so knowledge of NT internals is much less widespread than knowledge of UNIX. Few NT security experts are available. The saving grace is that NT is no fun to hack, so casual hackers tend to avoid it. It just doesn't attract the attention that UNIX systems do. As NT becomes more widely used, this may change.
NT is a great operating system, is getting better, and is easier for most casual users. It is a security quagmire if NetBIOS is allowed over TCP, but that service is easy to disable, and there are no noteworthy examples of it being used to compromise a Web server. NT is not as robust as UNIX, and has proven more vulnerable to denial-of-service attacks. NT has no history of hijacking attacks and does not offer the capabilities that such system hackers are looking for.
Other Operating Systems
Macintoshes have proven themselves amazingly cracker-resistant as Web servers. While they don't offer the rich variety of network services that NT and UNIX do, they also don't appear to have a lot of vulnerabilities. There have been attempts to make impregnable "hardware" Web servers that store all their data on write-protected media. This is not convenient, but it offers the highest possible resistance to remote attacks (note that you could use read-only media, such as CDs in read-only drives, on UNIX or NT servers also). All platforms are vulnerable to denial-of-service attacks, although they vary in their vulnerability. (Also see "The Big Security Picture".)
Firewalls
The firewall was developed as a sort of logical check valve, allowing certain outgoing network connections while denying incoming connections. Firewalls are often considered for duty as Web-server protective devices. While this is not their primary or original function, they can reduce the number of threats that reach a Web server, making them useful protection for poorly administered servers. The most significant aspect of a firewall is that it is designed to disallow anything that is not explicitly allowed. A firewall should fail safe: a failure should never result in a lower level of protection. Depending upon the priorities specified in your security policy, losing server availability is usually preferable to becoming more vulnerable. Most firewalls offer greater protection against denial-of-service attacks than do either NT or UNIX, even when the firewall is running on one of those platforms. They also provide better alerting mechanisms in case of attack. Firewalls add very little additional protection to a well-configured server, but the belt-and-suspenders approach of redundant protection (placing a carefully secured Web server behind a firewall) helps a lot of system administrators sleep better at night.
If you put an external Web server on an internal corporate network, you'll increase the risk to everything on that network -- even if everything is behind a firewall (see Table 1). Placing an Internet-accessible Web server on a corporate LAN is risky, and should be done only in controlled situations. Most sites making such an internal connection with the Web server build in another layer of isolation between their Web server and sensitive internal systems, the details of which are beyond the scope of this article and should not be attempted without the assistance of an experienced specialist.
If you're responsible for a small site that wants to maintain its own Web server, consider adding a third interface to your firewall and putting the Web server on it (see Figure 1). Properly configured, this adds very little incremental risk to the organizational resources already protected by the firewall, while adding a fail-safe security countermeasure to your Web server.
Conclusion
Table 2 presents a summary of the advantages of NT and UNIX. Out of the box, NT represents less risk for most Web sites, but properly administered, UNIX can be secured to a higher degree of certainty. If you have a relatively casual site with minimal security requirements, NT is the path of least resistance. It also represents a more than acceptable level of security. If it is convenient to put a third interface on your firewall, consider hanging your Web server off it. If you are concerned about maintaining high levels of availability, or if you represent a high-visibility organization that attracts some negative attention, a professionally administered UNIX system represents the least risk. Truly paranoid site administrators should consider read-only media. Perform your requirements analysis first, choose a system that you can properly administer, and then consider a hosting service if you don't have appropriate expertise in-house. (Also see "Outsourcing".)
Jay is the director of product management for Querisoft, a firm bringing new NT administration and Web-protection tools to market. He will be speaking at the IT Forum (www.itforum.com) in San Francisco on April 29 about building secure Web servers. He can be reached at jheiser@querisoft.com.