[plug] Installfest - distributions

[Christian]

On Fri, Aug 25, 2000 at 01:25:09PM +0800, Bret Busby wrote:
 
> The point that I ws trying to make, was that my understanding that a
> firewall, reasonably setup, should reduce the risk of anyone
> unauthorised, getting beyond it. If people cannot get beyond a firewall,
> then I am wondering at the "least stringent security", as it supposedly
> applies to Red Hat. I was querying the degree of security, and, whether
> it was a security issue, that applied to people breaching a firewall (in
> other words, that the Red Hat ipchains is inferior to the ipchains of
> other distributions), or to people breaching host security within a LAN,
> or, whether it applied to people sitting at a terminal to a RH Linux
> box, and logging in when unauthorised. I was wanting to seek
> clarification of what was meant by the "least stringent security".
> However, the person who made the claim, appears to have not been
> interested in clarification.

Setting up a firewall, while not being a major chore, is quite difficult
to do properly -- I doubt most newbies could do it at all.  The ipchains
program is probably almost identical from distribution to distribution
(noting that the real world for ipchains is actually done in the kernel)
but, as I tried to say, ipchains only helps if it is installed and
configured properly.  On the *vast* majority of systems, this is not the
case.  Therefore, ipchains has almost no impact on security and other
things count more.  On the whole I think Leon was trying to describe a
very complex situation and he did quite a good job.  Red Hat does tend
to be worse than other distributions (almost not enormously).

Note that the "security is a process not a program" concept is
illustrated perfectly in the case of ipchains: if you don't know how to
use it and how to manage it, the program itself is useless.

> It is interesting, that Christian, in the response above, stated "All
> Linux distributions are mediocre, at best, when it comes to security.". 
> My understanding is that security is relative, and can never be absolute
> (except in the case of the absolute security implemented by MS - the
> blue screen of death). Having said that, whilst, according to Christian,
> the security of Linux distributions is mediocre, and, whilst my
> understanding of computer security is much less than Christian's, it is
> my understanding, that Linux is much more secure than other, inferior
> operating systems that are acknowledged as having not been designed with
> security in mind at the time of design, and, that Linux security is
> generally sufficient for most people, with the included facility of
> firewall creation, via ipchains, and previously, ipfwadm.

As I said above, ipchains is nearly always irrelevant.  In general I'd
say Linux and NT security is much the same, although NT would be far
worse overnight if it's source code were to be anonymously posted to
usenet.  As for Linux vs Windows 95, it's probably fair to say that
Linux represents a bigger security risk given that remote login to
Windows 95 systems is not very common (BackOrifice narrows the gap
though) and Win95 systems run very few services by default while Linux
lights up like a Xmas tree (no pun intended)...

 
Regards,

Christian.