Devotees of the Linux operating system tout its security as being second to none. That message has been heard loudly and clearly by small and medium-sized businesses, many of whom rank Linux above Windows in security.
In April, SearchSMB.com polled its members with this question: Do you believe Linux beats Windows on security? Of the
202 IT professionals who responded, 60% said "Definitely." However, they also said that Linux's growing popularity could be its security Achilles heel. We asked some experts if Linux truly is a secure operating system and if so, why.
Linux's development history tells much about its reliability and security, experts said. The fact that Linux was developed and is constantly improved upon by thousands of developers in the open source community has made it a secure and stable operating system.
"The open source community does not have the pressure to rush a product to market, so there is generally time to do more thorough quality assurance, which helps to produce a more stable product," said Peter Harrison, author of Linux Quick-Fix Notebook, a new book from Prentice Hall PTR.
The community development model also keeps Linux security strong because so many people are checking for vulnerabilities, said consultant Bernard Golden, CEO of Navica Inc., a systems integrator in San Carlos, Calif. "The more eyes that look at something, the more it will be improved," said Golden, author of Succeeding with open source.
Almost always, fixes for Linux security patches are available within hours of their discovery, according to Bryan Tidd, director of technology for City of Canton, Ga. By contrast, "Microsoft has, in the recent past, taken 200 days to fix a known bug," he said. "The sheer number of Linux developers greatly improves fix times."
Too vulnerable?
Many people worry that Linux's open source code gives hackers too much information. "It's natural to think that open code is more vulnerable, but that's not the case," Golden said. All those friendly eyes on the code lead to stronger code that unfriendly eyes can't crack easily.
The architecture of Linux has given it yet another security boost, according to Golden. "Linux architecture separates the user level from the systems level," he explained. Mistakes made or attacks perpetrated on the user level do not easily penetrate to the system level.
Do these strong underpinnings mean that the security of Linux is set in stone? Not necessarily, as 23% of our poll respondents indicated. They sense danger ahead, saying that Linux is more secure than Windows "for now, but the exploits will catch up."
Golden agrees, noting that hackers have been less inclined to attack Linux than Windows. Thinking that this situation will continue is dangerous, however. "It might lead you to believe that you don't have to be that careful with Linux," said Golden. "There have been more attacks against Linux lately as more businesses have adopted it, and there will continue to be more."
Linux no exception
In short, SMBs will have to be as vigilant with Linux as with any operating system. "Security should be a concern, no matter the platform," said Tidd. "If you do not accept that then you are flirting with danger."
Tidd speaks from experience. In 2003, a City of Canton user opened an e-mail attachment, setting loose a virus that jumped from user to system level to infect a Microsoft Exchange Server log file. The result: five days of downtime. Tidd, who was already moving some of the city's servers to Linux, scrapped Exchange on Windows in favor of Oracle Collaboration Suite on Red Hat Linux. The switch has improved security – no disasters since then – and reduced license fee costs and administration time.
Taking his own advice about vigilance, Tidd used the time saved by the migration to change security authentication processes and enforced measures that prohibit users from not changing passwords and using the same logins for multiple systems.
Most Linux distributions include the core kernel, popular applications like the Apache Web server and programming languages such as C, PERL and PHP. "But other differences can be significant," he said.
Linux distributions' installation programs use different security levels, default applications and default hard disk layouts. "Though the same software may be installed, different combinations may be activated causing administrative and security difficulties," Peterson said. His advice is to stick with the most widely-used distributions: Mandriva, Novell SuSe and Red Hat.
Maxine Kincora is a contributing technology writer in Berkeley, Calif.
