Can I add to this discussion that the security of the web server, while a high priority, is not the only priority. We touched on the firewall in front of the web server as part of this discussion, but please also note that the router, which is very likely in front of everything, needs a very high level of security on it, and like everything else we discussed, they do not come secure 'out of the box'. Access lists and removal of services on your router are vital steps. Just take a look at what is possible with GRE tunnels to see some of the damage that can be done quite easily.
Trevor Cushen

-----Original Message-----
From: RUSSELL T. LEWIS [mailto:[EMAIL PROTECTED]]
Sent: 16 July 2002 14:56
To: [EMAIL PROTECTED]
Subject: Re: NT/2000 vs Unix based Web Servers

Trustix Secure Linux (www.trustix.com and on linux ftp mirrors) is a perfect example of a *nix distro that was also built with security as priority #1. We are still in the one-month trial period for their firewall and e-mail servers based on this free linux distro. Think of it as another alternative to the secure BSD, and I only mentioned it because some people get all hostile or uncomfortable when talking about using linux or a BSD, so now there are two names to float your boat. :->

The best approach still lies in running what you know best so YOU know it's secure. Even if you run the most secure OS (via tweaks of out-of-the-box settings), you gotta batten down the hatches of your web server as well. So I'd say your decision of *nix & apache or windows and IIS (or windows and apache) should be based on what you know the best, or can pay someone to know the best.

-Russell

[EMAIL PROTECTED] on 07/16/2002 03:09:06 AM
To: "Hornat, Charles" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED] (bcc: RUSSELL T. LEWIS/SPECTRAL RESPONSE INC./SPECTRALNT1)
Subject: Re: NT/2000 vs Unix based Web Servers

While it is generally true that default installations are insecure, it is not absolutely true. OpenBSD (http://www.openbsd.com) comes to mind as a secure default installation. In contrast to commercial and most open source alternatives, the primary focus of OpenBSD is security at the cost of all else. You have to know how to enable the features you want, and accept the insecurities that come with those features, including usability. Some specialized Linux distributions follow similar principles to OpenBSD. Not to trigger a distro jihad, I will avoid shortlisting any distros and having my shortlist assumed to be comprehensive.

It's bad enough that I named a domestic product on a list that is surely dominated by foreigners. Anyone tempted to take that the wrong way should whois rogers.com before flaming :-)

On Mon, Jul 15, 2002 at 16:31:20 -0400, Charles Hornat wrote:
>
> I really hate these religious debates over who is more secure, so I did a little study to see which is worse out of the box as well as with the latest security/cluster patches. www.securitywriters.org "OS Scan".
>
> It's a no-win argument because both can be hardened and both are weak out of the box. Neither Unix vendors nor Microsoft think security first when designing a new OS; primarily the focus is usability.
>
> Charles
>
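Trevor's point about access lists, removal of services and GRE on the border router, as an added example that is not part of any message in this thread: a Cisco IOS style hardening fragment. It assumes a Cisco IOS router with Serial0/0 as the Internet-facing interface, a public web server at 203.0.113.10, a local prefix of 203.0.113.0/24, and an administration network of 192.168.100.0/24; the platform, interface name, addresses and ACL names are all invented for the example, and the firewall the thread mentions is assumed to sit behind the router.

```cisco
! Added example, not from the thread. Assumes Cisco IOS; interface names,
! addresses and ACL names are invented for illustration.
!
! --- Removal of services: listeners a freshly configured router often leaves on ---
! echo/chargen/discard/daytime
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
! web management interface
no ip http server
no ip http secure-server
! stop advertising platform, IOS version and addresses to the neighbouring segment
no cdp run
! drop source-routed packets
no ip source-route
!
! --- Management access only from the admin network, and only over SSH ---
ip access-list standard MGMT_ONLY
 permit 192.168.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT_ONLY in
 transport input ssh
 exec-timeout 10 0
!
! --- Access list applied inbound on the Internet-facing interface ---
! GRE is IP protocol 47. A GRE tunnel terminated on a compromised or
! misconfigured border router carries traffic straight past the firewall
! that sits behind it, so GRE from the outside is refused and logged.
ip access-list extended OUTSIDE_IN
 deny   gre any any log
! anti-spoofing: private ranges and our own prefix must never arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
! the only published service: the web server
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
! replies to sessions opened from inside; the stateful firewall behind the
! router is the real control for these
 permit tcp any any established
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group OUTSIDE_IN in
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
!
```

After applying, `show ip access-lists OUTSIDE_IN` shows per-entry hit counters, so the logged `deny gre` and anti-spoofing entries double as a cheap indicator of probing against the border; the `exec-timeout` and `access-class` on the vty lines are what stop a leaked password from being usable from the Internet side.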
