[unisog] On the security of non-Windows op systems

Phillip G Deneault deneault at WPI.EDU
Mon Feb 16 02:58:17 GMT 2004


On Thu, 12 Feb 2004, Selden E Ball Jr wrote:

> Gentle folk,
> 
> Sorry, I couldn't let this one go by :-)
> 
> >    No one in the non-Windows world should claim absolute
> > superiority in terms of security, but there are some systems
> > that significantly raise the bar for attacks, and while not 100%
> > foolproof are far more likely to resist attacks.
> 
> >    My favorite example of this and what I personally use is
> > OpenBSD. Their pro-active stance on code audits and protection
> > schemes makes it a more secure system.
> 
> You might want to consider OpenVMS when thinking about 
> installing systems, especially servers, that need to be secure.
> 
> It's been a while since there have been any native VMS viruses,
> although someone did write a DECnet worm a very long time ago.
> Its current hardware platforms (VAX and Alpha) are unable to run
> any Intel binaries at all, of course, although HP is porting
> it to a new platform (Itanium) that will.
> 
> Naturally, services based on interpreted languages are likely to be
> just as vulnerable as the Unix versions (e.g. Apache with perl CGI scripts).

I like OpenVMS and how secure it is, but until the HP version comes out I
think investing in the Alpha required to run it might be a little silly.  As
it is, I think most institutions won't want to invest in a rapidly
decaying system platform. (Even though a new Alpha is quite possibly the
fastest processor available.)  On top of that, there are not many
applications that work directly between the two systems.

I do however like to mix and match operating systems and system
processors.  Many exploits might work on a particular operating system but
are written for Intel-based OSes.  By taking a system like OpenBSD and
running it on a non-standard platform, like an Alpha, the system has a
much lower risk associated with it.  Obviously, this doesn't work too well
with Windows, but it does help with various versions of Linux and BSD.

Another option is to apply many of the same security features in OpenVMS
to another OS.  Some of the fine-grained controls available in OpenVMS are
available in SELinux.  This is a major component in Fedora Core 2.
GRsecurity (www.grsecurity.net) is an attempt to backport some of these and
other features into the 2.4 Linux kernel.

My $0.02,
Phil

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault     "We work in the dark, We do what we can,
deneault at wpi.edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-






