Linux vs. Vista: How Does Security Stack Up?
Feb 13, 2007 4:00 AM PT
As the five versions of Microsoft Windows' new Vista operating system sit on store shelves, current Windows users are taking their time deciding if they will upgrade from Windows XP or buy new computers with Vista installed. The push for buying Windows Vista follows an epidemic of computer viruses, spyware and adware intrusions and carries the promise of a more secure computing environment.
However, some computer security experts contend that Windows Vista offers little to make computing more secure. They suggest that rather than wait for a half-baked new Windows operating system, consumer and enterprise users would have far better security with Linux.
"For the most part, the relatively slow response to Windows Vista is self inflicted. Vista has offered little to entice those using Windows XP to migrate," John Cherry, initiative manager for the OSDL (now Linux Foundation) Desktop Linux Working Group, told LinuxInsider. "It also comes with a heavy price tag in terms of training, hardware requirements, hardware compatibility and application compatibility."
Anyone debating which system's security is better need only ask a system administrator, Cherry said. In the face of viruses, worms or other breaches, the answer is obvious.
"We don't need a survey or study to determine the answer. The answer is universal with those that actually manage these systems," Cherry declared.
No Linux Stampede Yet
If Linux is the clear-cut winner in the desktop security shoot-out, why have enterprise users been so slow in migrating from Windows? The availability of niche applications in corporate environments is still the major inhibitor to mainstream adoption, he noted.
However, that situation could soon change for both corporate and small-business users. Cherry sees signs that IT decision makers are considering the Linux alternative in the face of the Vista introduction. Many IT managers are incorporating plans to move their niche applications to Linux, he disclosed.
Based on a recent OSDL Desktop Linux Working Group survey and feedback from the desktop community, the main factor preventing the widespread adoption of the Linux desktop in the workplace is application availability.
"If an organization has significantly invested in a Microsoft-centric IT infrastructure, introduction of non-Microsoft products on the desktop remains problematic due to the limited support for open standards in this kind of infrastructure," Cherry explained.
The survey's conclusions noted that open source developers have already created replacement programs for all the essential business needs. Those considering a switch to Linux, however, do not want to leave their favored Windows applications.
Linux outperforms Windows XP and Windows Vista because its architecture is different. Linux derives its security in large part from its Unix design philosophy, also used as the basis for Mac OS X.
There are two distinct differences that account for Linux's better security reputation, according to Cherry. One, users do not habitually log in as administrator, which is often required to run Windows. Two, mail clients and desktop applications do not automatically execute attached code.
In addition, technologies such as SELinux, AppArmor and stack randomization have been developed for Linux that help to limit the impact of a security breach if one were to occur, he said.
Linux is also better than Windows at recovering from buffer overflows, which are a common attack vector.
"This is best handled at the interface level as a register exploit in Windows," Ken Steinberg, CEO of computer-security firm Savant Protection, told LinuxInsider.
Linux allows software developers to go into the system and fix buffer overruns, he added. However, one cannot do that with Windows.
Chink in the Armor
Not all security experts are comfortable with a description that Linux is more iron-clad than Windows. Some even mock the popular explanation that Linux is more secure because attackers are not drawn to its much smaller user base compared to Windows.
"It doesn't matter what operating system is used. They are all subjected to potential intrusion," disputed Steinberg. "Linux is not any more secure than Windows."
Hackers capitalize on the exploits they find in the Windows environment but deliberately do not dwell on the known weaknesses in Linux because they use that operating system themselves, according to Steinberg.
"The only time people fix flaws in an operating system is when those flaws cause an inconvenience," Steinberg claimed. "The lower incidence of Linux attacks has nothing to do with the user base being less than Windows."
The biggest design flaw in Linux is its over-reliance on code scripts. Linux is far more scripted than Windows, he noted. Because of this heavy reliance on scripting, nothing is checking its lines of code compared to the amount of code-checking done in Windows when it is compiled.
The use of thin clients with on-demand applications delivered over the Internet is now mainstream in the corporate world, Steinberg emphasized. Thin clients are all Linux boxes.
"Corporations are deploying Linux over Windows. It is only a matter of time before Linux attacks become more prevalent and publicized," he warned.
Battle Hardened Linux
Savant Protection's malware software offers enhanced Linux desktop security to enterprise users by enabling a lockdown mode during everyday use. It has what Steinberg called a battleship mode to prevent new programs from being added.
The product, called "Savant," runs Linux in the equivalent of a whitelisting mode. Users can choose a blacklist analysis on demand. This whitelist approach keeps Linux systems clean 99 percent of the time, Steinberg said.
"There is no way to get rid of all the vulnerabilities or to make any OS perfectly safe. Accept the fact that there is no Nirvana. For hackers, the goal is maliciousness and money," he added.
Some software developers argue that new technologies are making moot the question of whether Windows Vista and XP platforms can be made more secure. Similarly, it should not be an issue if Linux desktop has exploitable weaknesses.
New technology could minimize, if not fully eliminate, computer security problems, suggested Eran Heyman, CEO of Ericom Software. His company provides terminal emulation solutions for both Windows and Linux platforms.
"We can bring Linux to the next level of security by removing the desktop from the physical machine. A new trend is security of data to the server," Heyman told LinuxInsider. "The virtual Linux environment is filtered and re-imaged each time a connection is made to wipe out any existing bad code running on the operating system."
Organizations from small businesses to large enterprises can use virtualization to run Xen, VMware and Windows Server installations. Virtualization technology moves the operating system to a centrally managed location. It mimics behavior on the local machine, but the operating system is not there, said Heyman.
This method works on a PC, on a thin client, via SSL VPN, and even on kiosks in an airport. Users can connect securely to the virtual desktop, he said, adding that virtualization is not a traditional security approach, nor is it available to individual users.