[Dshield] O/S Battles, oops, I mean discussions...
bobk at networkeval.com
Wed Mar 20 05:27:54 GMT 2002
Here's my take on the difference between Unix and Windows from the point of
view of the purchasing public.
If you look at the two "curves" below, the upper one represents the time to
learn for *nix, and the lower one represents the time to learn for Windows ,
both plotted on the "Y" axis. The "X" axis represents producing perceived
useful work (like putting up a web server).
| / |
| / /
| / /
| | /
If you want to start with *nix, you have to learn a lot of different things
before you can produce anything really useful. If you start with Windows, then
visible results (not necessarily good, but visible) can be produced in a fairly
short time, with a fairly short learning curve. Remembering that the person
PAYING for the learning curve is probably not technical, nor security (or other
sophistications) aware, you can see that this makes the INITIAL cost of
implementation fairly low, and therefore attractive to a fair number of people.
However, at the high end of either curve, it's going to take a lot of learning
and experience to get there. The incremental cost in a *nix environment is not
great, but there are fewer Windows types who can rapidly climb that curve.
That said (I'm a heavy user of BOTH systems), earlier points made by other
posters relating to the overall approach of hardening vs. patching are valid,
but you've got to start somewhere. If I can start by getting people in my
organization (5,000 just at my level, 30,000+ for the whole corporation) to
apply patches, keep their anti-virus code up-to-date, and not create wide open
folder shares (particularly at the root level), then I'd consider that to be
quite a success.
I perform audits of external web (and other) servers on a regular basis, but
the bulk of the headaches we get are from worms, viruses and such that get in
through web-mail accounts (bypassing the corporate mail server), "free"
software (adware, spyware, infected downloads, etc.), pcAnywhere accounts with
no login requirements, X-servers on corporate systems (xhost +), and downloads
that aren't virus checked. On top of that, we have field offices that order up
their own Internet connections and don't bother to inform us, and other naive
Fortunately for me, there are dozens of folks in our company who are as
paranoid (or more so) than I am who feel free in contacting me anytime to track
down something unexplained.
/_/ _ /_
/_/ /_/ /_/
More information about the list