Softpanorama (slightly skeptical) Open Source Software Educational Society
Solaris vs. Linux Security
in Large Enterprise Environment
Version 0.90
Copyright 2004-2006, Dr. Nikolai Bezroukov. This is a
copyrighted unpublished manuscript. All rights reserved.
Table of Contents
- Executive Summary
- Introduction
- Comparative analysis of Solaris and Linux security
- Comparative security matrix
- Comparative analysis of vulnerabilities in Linux and Solaris environment
- Comparative analysis of Solaris and Linux patching frameworks
- Comparative analysis of hardening
- References
Abstract
The level of security achievable in Linux in comparison with Solaris is discussed, and the problems of Linux integration into an existing enterprise infrastructure are outlined. The author argues that adding another OS to the large enterprise mix is a costly decision that has negative side effects on security regardless of which OS is being added, and that those side effects should not be taken lightly. That means that Solaris 10 significantly narrowed the window of opportunity for Linux to penetrate into a large corporate environment. We should clearly distinguish and separately evaluate the savings and security benefits of moving to the EM64T architecture and the savings and benefits of moving to Linux as a new OS.
The key finding is that the goal of diminishing (or at least not increasing) the diversity of operating system environments is a key prerequisite for the security of the Unix infrastructure at the large enterprise level, and that consideration should guide Linux deployment in the large enterprise environment. We judge this goal to be more important for the general level of security in the corporation than the individual qualities of Linux in the security space (or its faults in the same space). It also strongly affects potential savings. We suggest that the following main points support this key finding:
- Typical Linux security problems are greater than those of Solaris and AIX along all major dimensions of enterprise security. The key issues include, but are not limited to, the number of vulnerabilities, the complexity and frequency of patching, hardening procedures, and the quality and stability of the major subsystems. The comparative security matrix presented in the paper provides additional insight into Linux security and suggests that it stands somewhere between the leading commercial Unixes and Windows 2003 servers. The main conclusion is that currently Solaris 9 leads Linux in security (and Solaris 10 zones and AIX 5.3 partitions promise additional significant improvements unachievable in the Linux space), while Windows 2003 server and Linux have a generally similar level of security, with Linux having some advantages in certain areas and Windows 2003 server in others. In no way can Linux be considered significantly more secure than Windows 2003 in a heterogeneous enterprise environment. We judge this to be an urban myth.
At the same time we judge that there is a noticeable weakness in the level of security of the current versions of Linux in comparison with both Solaris 10 and AIX 5.3, and upgrades of existing servers to those versions (with the appropriate consolidation efforts made possible by the virtualization capabilities of those OSes) might be a more suitable path to improving enterprise security than the introduction of an additional OS.
- We suggest that in a large enterprise environment a successful Linux deployment requires "sacrificing" at least one existing enterprise Unix flavor. This requirement constitutes the most important prerequisite for a secure large-scale enterprise Linux deployment. There is a saying that any enterprise that is using more than two flavors of Unix is using just too many. The valid consideration behind it is that system administrators outside a select class of super-administrators are generally incapable of mastering more than two flavors of Unix to the level sufficient for maintaining an adequate level of security. The differences are just too subtle and too numerous to comprehend. Moreover, a regular Unix administrator just cannot become proficient in more than two flavors of Unix at the level necessary for adequate administration (and that statement can be measured by the number of people who hold more than two system administrator certifications: two are more or less common, three are very rare). This "too many Unixes on the floor" factor alone can lead to a significant deterioration of the general level of enterprise security due to the introduction of Linux. We note that Linux deployment is further complicated by Linux's internal fragmentation: the existence of two competing enterprise distributions (Red Hat and Suse). There is a risk, which should be properly understood by high-level management, that the introduction of a first flavor will eventually lead to the introduction of another due to application requirements or preferences.
- Linux generally has the widest availability of open source applications among all Unixes (including Solaris). In case this factor is considered an important enough advantage to justify OS deployment, it might be wise to postpone Linux deployment until the point when Linux gets lightweight VM capabilities competitive with Solaris 10 zones or BSD jails (for example, the introduction of XEN into Red Hat Enterprise). Not only security, but the other benefits provided by Linux, should be carefully evaluated against the ability to support the virtual machine concept as in Solaris 10 (lightweight VM: zones) and AIX 5.3 (full VM: logical partitions). The paper stresses that any enterprise-ready Unix now should provide VM capability out of the box, as is the case with Solaris and AIX. Otherwise securing the servers might be a much more complex job.
- Linux is surrounded by too much hype, and the reality of large enterprise deployments looks drastically different from newspaper articles. With Sun opening Solaris 10 and providing a version of Solaris for the Intel EM64T hardware platform that supports zones, the possibility of using Solaris 10 as an alternative to Linux should be considered in each individual case due to the definite security advantages of "zoned" application deployments. In cases where Solaris is already used for a particular application (for example e-commerce applications, SAP/R3, etc.), just moving the hardware platform from UltraSparc to the EM64T architecture and "zoning" those applications looks like a significantly more secure deployment strategy. At the same time this strategy provides cost savings comparable with those typically associated with the conversion to Linux.
- Application security on Linux is generally lower than application security on UltraSparc Solaris or AIX due to the usage of the most mass-produced platform on the market and the freely available and widely used GCC compiler. For most corporate applications, security-wise Linux is positioned between RISC CPU based Unixes (AIX, HP-UX, Solaris) and Windows 2003 server. It is pretty close to Windows in the general level of security as well as in the recommended length of the patch cycle. Linux applications compiled using the GCC compiler have a higher number of vulnerabilities per year (close to Windows) than the same applications on commercial Unixes that run on different architectures and use different compilers, as a significant part of vulnerabilities are related to buffer overflows. Moreover, unlike Solaris, Linux is still unable to utilize the advantages of the new EM64T architecture with an MMU that can set a no-execute bit on a memory segment. On EM64T Solaris (as on UltraSparc) can disable execution from the stack. As a result Linux servers generally require more frequent patching (probably monthly, as in the case of Windows servers) in an enterprise environment. At the same time many enterprises are able to survive with quarterly patching (or even half a year) for all but the most critical bugs (recommended cluster) for AIX and Solaris. A semiannual cycle is also the most typical for HP-UX. We suggest that using proprietary compilers like the Intel compiler or the Sun Studio 10 compiler might further improve the security of open source applications, and first of all of such widely used enterprise packages as bind, Sendmail, and Apache, against typical exploits.
- Linux servers and applications require a more frequent patching cycle. The latter is quite costly in a large enterprise environment, and its effect on the savings expected from the Linux deployment should be carefully evaluated. We judge that the availability of high-quality open source security tools and deep hardening can somewhat offset this patching period disadvantage and might permit using a quarterly patching cycle for internal firewall-protected Linux servers. Linux has a weaker internal firewall (Solaris 10 is using IPfilter, the best open source firewall available). At the same time Linux has a better selection of open security tools, including a better selection of additional PAM modules than Solaris.
All in all, in the security space large enterprises can get additional benefits from the deployment of Linux if and only if such a deployment is strategically aligned with the goal of diminishing operating system platform diversity. Adding Linux to the enterprise Unix mix decreases the existing level of security due to the additional complexity of maintaining another flavor of Unix (often two additional flavors of Unix: Red Hat and Suse) by the existing staff of system administrators.
Protecting IT infrastructure is a very challenging task in a culture where easy access to information prevails over security concerns. The key problem here is that the need for an efficient enterprise to provide relatively unfettered access to data, combined with the highly decentralized nature of operations, is irrevocably connected with the potential for serious security breaches. Maintaining and, especially, improving large enterprise IT security is a huge challenge, and the introduction of new OSes like Linux is only one relatively minor problem among many others. Still, introducing Linux as an additional OS into the enterprise OS mix is a problem that, if not addressed properly, can lead to the deterioration of the existing level of security. We assess the following critical issues in the executive evaluation of the security problems related to the introduction of Linux-based servers in a large enterprise IT environment:
- The main security problem of the introduction of Linux into a large corporation's IT infrastructure is the resulting increase in the diversity of existing Unix platforms, which diminishes the amount of attention given to the security issues on each platform. The success of a Linux deployment largely depends on the ability to preserve or, better, diminish the level of diversity of the OSes deployed. It is recommended to deploy Linux only in areas where it can replace, not add to, the mix of server operating systems currently used. In all other areas deploying Solaris 10 on EM64T hardware can be a viable alternative to Linux deployment from the security standpoint (depending on the availability of software for the EM64T version of Solaris).
Most large enterprises currently standardize on all three major flavors of commercial Unix (Solaris, AIX and HP-UX) as well as three other Intel-based OSes (MS Windows, Novell, and VMware). This is already a very costly diversity that stretches both administrators and security personnel too thin. Excessive diversity implicitly creates a situation where only the two most prominent OS platforms are secured to any significant depth (for example Solaris and Windows, or AIX and Windows); other platforms are relatively less secure due to lesser attention to their security. If this is true, then adding Red Hat, Suse (or, most probably, both) to the enterprise OS mix is a step that can backfire in the security space. That means that a large enterprise can get additional benefits from the deployment of Linux if and only if such a deployment is strategically aligned with the goal of diminishing operating system platform diversity. Other things being equal, Linux deployment is the most realistic option only for those enterprises that have substantial HP-UX and Novell Netware deployments and are planning to consolidate both into Linux as a cost saving measure: HP-UX and Novell are both moving toward the Linux space, so replacing their existing servers with Linux does not disrupt the relationships with those companies; still, there should be no rush in the deployment of Linux servers until the corresponding firms make their Linux offerings solid and robust enough for the replacement of existing servers, which might take considerable time.
HP-UX is often used as an Oracle platform in the enterprise space. Since Oracle implements a large part of OS functionality within its database (there was a project in the past to run Oracle directly on hardware without an OS layer) and is also moving to Linux as its primary platform for development, non-critical midrange database servers running HP-UX look like a natural target for Linux conversion that might provide comparable security (as this will be the platform on which Oracle does its development; such a platform is inherently more secure than others even if the underlying OS is not) and substantial (up to a hundred thousand dollars per midrange server) hardware cost savings. Still, for each such case Solaris on EM64T should be evaluated as an alternative, as Solaris was the platform on which Oracle developed its database for a long time. For critical database servers Solaris still should be used instead of Linux.
- Linux is just a kernel that is packaged as a distribution by multiple competing vendors. Thus it inherited the "Unix curse" and is splintering into multiple, only partially compatible enterprise distributions. That means that enterprises often need to introduce not one but two flavors of Linux into their environment. From an enterprise standpoint Linux has too many filesystems. Mostly for political reasons Linux vendors are promoting different filesystems, generally inferior to SGI's XFS in the enterprise environment. While both ext3 (Red Hat) and Reiserfs (SuSE is the primary sponsor of Reiserfs) support large files and volumes and are journaled, they are not safe to use in an enterprise environment, as there are no true stress tests available to the general public to help them decide which one to use. For this reason alone, the choice between Red Hat and Suse is not trivial, and probably large enterprises need to have both, as different vendors prefer to certify their applications for different Linux flavors (for example, currently Suse is preferable for SAP/R3, Red Hat for Oracle).
Each distribution is creating its own installation and management tools, and there is no will among Linux vendors to fight the NIH syndrome that is known to result in the spawning of a myriad of incompatible, incomplete or ill-designed clones of many software products created by or for a specific Linux distribution. Most tools are "80% done", and this "80% done" syndrome is pretty typical across the variety of Linux distributions. When a closed source project gets 80% done, its owner will redouble efforts to win market share. They will advertise heavily, work hard on enhancements, and try to take over. When an open source project gets most of the way there, its developer doesn't have a big incentive to make changes: it works fine for them. They may work on bugs, or assume that other members of the community need to pull their load now. They may even move to work on something else.
That "multiple personality" problem with Linux makes Solaris on the EM64T hardware platform especially attractive for large enterprises. Sun formed a strategic alliance with AMD [AMD2004], and it is reasonable to expect that the quality of the EM64T version of Solaris will quickly improve from the current level. Currently Solaris compatibility with non-Sun platforms remains limited, but this should not be of much concern to large enterprises, as Sun usually belongs to the list of their approved hardware vendors anyway.
- The predictability of Sun as a vendor is better than that of either Red Hat (which makes unpredictable and damaging moves by trying to monopolize the Linux space and force their expensive consulting services on enterprise customers) or Novell (which makes unpredictable and damaging moves because it is struggling financially). While Red Hat is closer to a mutual fund than to a "for profit" company and as such is more stable financially, with the recent arbitrary discontinuation of Red Hat 9 support Red Hat seriously damaged their brand and the loyalty they had for their distribution. Also, RHEL licensing costs exceed the licensing costs for Solaris. Many of their former customers moved to other distributions (Debian, Gentoo); some moved to FreeBSD. That created an opening for Novell, but the general viability of the Linux model for Novell still needs to be tested on the marketplace. Some of their recent moves created internal conflicts of interest (for example KDE vs Gnome). Also, their long-term financial viability depends on the success of other products, and first of all the success of NDS, which is gradually being pushed out of the enterprise space by Active Directory.
- While Linux is just a kernel, Solaris is a complete Unix system: kernel, device drivers, libraries, userland, development environment, documentation, and all the tools you need to continue doing development. Based just on completeness of functionality, it cannot be treated like a Linux distribution. Solaris packaging is fully controlled by Sun, and that means that Solaris will have a single distribution in the foreseeable future. For example, if the Solaris development team needs to make a change (for example, introduce ACLs) they can force such a change into the system by changing it all the way down to the utilities. That means that Solaris can react to new technical possibilities more quickly, and this has recently been shown to be the case with the introduction of zones in Solaris version 10. If something is designed wrong, and the proper fix depends on changes outside the kernel, the Solaris team can still fix it by changing all the required pieces in the right places. They do not need clever kernel hacks in the wrong place to fix a problem that should be fixed in a more complete manner.
The quality (and security) of several major components in Solaris (NFS is the most visible example) is far above anything in the Linux space. Solaris is better documented. The most important difference is in the quality of man pages: in Solaris everything has man pages, including the kernel functions. Linux instead depends on FAQs, HOWTOs, and sparse documentation that comes in many different formats.
- The maturity of an OS platform from the security standpoint is highly dependent on the availability and quality of virtualization components, and Solaris 10 zones represent significant security advantages over Linux. While both kernels are "open source" kernels, there are many differences between the two kernels that are the consequences of when and how the kernels were developed. In no way can the Linux kernel be considered a "problem free" kernel (and OS) or the most technically advanced kernel (or OS) from the technical standpoint. Parts of the Solaris source can be traced back more than 30 years and have gone through many revisions. This has resulted in excessive complexity in certain subsystems, where the code is difficult to understand and modify. Linux's kernel code is newer and keeps constantly being refactored between versions. While this makes the code somewhat simpler at the virtual machine and filesystem API layers, stability is suffering. Especially troublesome is general device driver stability. Every Linux 2.6 release so far has had bugs that were fixed in the next minor release, while others got introduced. Solaris has much better regression testing, and this is not a problem for Solaris customers. Still, Linux has caught up a lot, especially with 2.6. In the 2.4 Linux kernel there used to be up to 12 copies of a single device driver, one for each combination of architecture and bus supported. Now most drivers have one copy. The 2.4 I/O performance issues have been largely addressed in 2.6. A major reason behind Linux's improvement is the support from commercial vendors in the basic kernel functionality (IBM), filesystems (XFS from SGI), and third-party drivers. [Matzan2005]
Lightweight virtual machines constitute the most attractive path for the improvement of application security in the enterprise environment. While virtualization does not prevent application-level exploits, it contains them to a particular VM environment that can be pretty well isolated from both the network and the other applications that are running on the same server.
Linux virtual machine components are still immature and far behind such OSes as Solaris 10 (Solaris 10 zones are a very elegant implementation of the concept of a lightweight VM, a concept that originated in FreeBSD) and, especially, AIX 5.3 (which, before Solaris 10, along with FreeBSD was a leader in the Unix virtualization race; AIX virtualization facilities are not a lightweight but a full-blown VM and as such are not available for EM64T hardware).
This weakness can be partially compensated by deploying Linux under a third party VM environment, for example the one provided by VMware. Still, creating multiple instances of Linux under VMware increases the complexity in comparison with using a single OS. Essentially VMware in this case represents another addition to the corporate OS mix. Moreover, VMware licensing and support costs largely eliminate the cost advantages of switching to Linux. While using Linux under VMware is an attractive option for consolidating low-load "one application" servers, here Solaris 10 zones represent a more competitive solution.
Network infrastructure and server complexity in large enterprises have increased so significantly that they have become a constraint on how flexible a business can be. Server consolidation based on the virtual machine concept in a large enterprise environment is a necessity that no large enterprise can avoid. This movement has already started in the AIX space and the Windows space (sometimes under VMware, which in this case can be reused for Linux virtualization purposes), but it will definitely accelerate in the future. Currently Linux is the weakest Unix platform for virtualization and needs additional components (VMware) to be viable in this space.
- The recommended hardware deployment platform (for Linux as well as for Solaris on Intel) from the security standpoint (as well as from the cost/performance standpoint) should be mid-range EM64T-based (AMD Opteron or Intel Nocona) servers. Outside of areas where appliance-like hardening and configuration of the server is possible (like WEB hosting), usage of production Linux servers on the older 32-bit Intel x86 architecture is not recommended because of higher security risks.
Usage of EM64T technology (Intel's name for its 64-bit extensions to the x86 instruction set pioneered by AMD and adopted by Intel) somewhat diminishes security risks from mass exploits and provides a better price/performance ratio than the traditional Intel x86 architecture. EM64T has an MMU that can set a no-execute bit on a memory segment. On EM64T Solaris, as it does on UltraSparc, can disable execution from the stack. That stops a significant percentage of stack-overflow type attacks. Therefore the usage of EM64T should be considered an important security requirement for all future projects that involve mid-range Intel-based servers. The traditional 32-bit Intel x86 architecture, being the most popular computer platform on the globe, significantly increases the chances that a particular vulnerability will be hit with an exploit before patching. It also does not scale well, and this fact alone prevents enterprises from making significant cost savings on midrange servers.
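A defender's check for the stack-execution protection discussed here and in the application security point above, as an added example that is not part of the original manuscript: on Solaris the kernel tunable `noexec_user_stack` in /etc/system is what an administrator sets to disable execution from user stacks (the tunable name comes from Sun's tunable parameter documentation, not from this page), and the script below audits copies of that file for it across a fleet. The three sample files it writes are constructed for the demonstration, not taken from real hosts.

```shell
#!/bin/sh
# Added example (not from the original manuscript): audit a Solaris /etc/system
# file for the kernel tunable that disables execution from user stacks.
# The tunable name "noexec_user_stack" is taken from Sun's Solaris tunable
# parameter documentation; it does not appear on the page itself.

# check_noexec_stack FILE
# Prints "enabled", "disabled" or "unset" for FILE and returns 0 only when
# the protection is enabled. In /etc/system a line beginning with '*' is a
# comment; settings have the form "set name=value", and when a name is set
# more than once the last occurrence wins, which the awk script mirrors.
check_noexec_stack() {
    state=$(awk '
        /^[ \t]*\*/ { next }                    # comment line, ignore
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)   # drop the "set" keyword
            gsub(/[ \t]/, "", line)             # "name = value" -> "name=value"
            split(line, kv, "=")
            if (kv[1] == "noexec_user_stack") value = kv[2]
        }
        END {
            if (value == "")       print "unset"
            else if (value == "1") print "enabled"
            else                   print "disabled"
        }' "$1")
    printf '%s\n' "$state"
    [ "$state" = "enabled" ]
}

# make_samples DIR
# Writes three constructed /etc/system snippets (not copied from any real host)
# so the check can be exercised offline: one hardened, one with the setting
# commented out, and one that explicitly disables it.
make_samples() {
    printf '* constructed sample: hardened host\nset noexec_user_stack=1\nset noexec_user_stack_log=1\n' \
        > "$1/system.hardened"
    printf '* constructed sample: protection commented out\n* set noexec_user_stack=1\n' \
        > "$1/system.commented"
    printf '* constructed sample: explicitly disabled\nset noexec_user_stack = 0\n' \
        > "$1/system.disabled"
}

# audit_files FILE...
# Prints one line per file and returns the number of files whose protection is
# not enabled, so the exit status can drive a fleet-wide report.
audit_files() {
    failures=0
    for f in "$@"; do
        printf '%s: ' "$f"
        check_noexec_stack "$f" || failures=$((failures + 1))
    done
    return "$failures"
}

# With no arguments, run against the constructed samples; on a Solaris host
# pass /etc/system (or collected copies of it) as arguments instead.
if [ "$#" -eq 0 ]; then
    sampledir="${TMPDIR:-/tmp}/noexec_audit.$$"
    mkdir -p "$sampledir"
    make_samples "$sampledir"
    audit_files "$sampledir"/system.* || true
    rm -rf "$sampledir"
else
    audit_files "$@" || true
fi
```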
- Availability of Solaris on the EM64T platform by and large neutralizes Linux's advantage of running on Intel hardware. Opteron currently has approximately a 50% price/performance advantage over comparably priced UltraSparc CPUs (especially in a popular low-end enterprise server configuration: 2 1.5GHz CPUs with 2 or 4G of memory (V210) and 4 1.6 GHz CPUs with 4-8G of memory (V440)). The four-way Opteron-based Sun Fire V40z server that is priced in the same range achieved world-record results on SPEC OMPM2001 (a key benchmark for scientific applications in 2004) and is priced competitively with both HP and Dell servers. The Sun Fire V20z was one of the top-performing two-way x86 servers available in 2004.
There is no significant security or cost advantage of using Linux for typical enterprise applications on lower end servers in comparison with Solaris 10 on Intel or Windows 2003 (here "low end" means four or fewer CPUs and 4 or fewer gigabytes of RAM). We judge that in this case, along several important dimensions of security, and first of all from the point of view of the availability of qualified security personnel and administrators, as well as the availability of applications, Windows 2003 is competitive with Linux. Solaris costs more to manage but is more secure. As the migration of Lotus Notes from Windows servers to the AIX/PowerPC platform has shown, for certain applications even mid-range Windows servers can be more stable and cheaper than Unix alternatives, while being reasonably secure.
- Solaris has a significant "security via obscurity" advantage over Linux, and that advantage will be preserved in the foreseeable future. Linux's growing popularity is attracting unwanted attention from virus writers, script kiddies and criminal elements. In response, Linux advocates are putting a new emphasis on security measures and working to reassure large enterprises that the OS is secure for important enterprise applications. Still, in 2003-2004 there has been a lot of change in the attractiveness of Linux from the security standpoint due to its now established status as a favorable target for hackers/crackers, a status second only to Windows. Chad Dougherty, an Internet security analyst at the CERT Coordination Center, which tracks OS vulnerabilities, stated that "If you look over time, there has been a consistent level of vulnerabilities." Several remotely exploitable problems in the Linux kernel and major Linux applications are reported each year. Moreover, some of the major application vulnerabilities are exploitable only on Linux, as they depend on the kernel and/or the compiler properties. For 2004 there were several reported kernel problems [Davis2004a, Davis2004b, Davis2004c, Davis2004d, Davis2004e]. In late 2003 there were several high-profile breaches. The GNU project CVS repository savannah.gnu.org was compromised in early November of 2003. The compromise was discovered December 1, 2003, and Savannah was back online December 23, 2003. The last "known good" backup was dated September 16. As a result a lot of patches for the projects maintained on Savannah (for example mc) were lost [LWN2003]. Next, the Debian Project had to take their servers down to clean out a remote vulnerability breach [Debian2003]. Then, a server at the Gentoo project was compromised [Slashdot2003].
From both security and cost/performance standpoints Solaris on Intel remains the major competitor to Linux in the Intel-compatible hardware space. Just having an executable format different from Linux (and using a different compiler for the kernel and other major subsystems) makes Solaris more "exploit resistant" than Linux, as this represents an additional "security via obscurity" layer of defense that we should not ignore. Talking about "security via obscurity", we should state that it does provide enterprise customers an important additional layer of defense, the value of which is often underestimated. This layer is thicker on RISC-based platforms like UltraSparc (with its stack-overflow protection). On AMD CPUs this layer is thinner, but EM64T has an MMU that can set a no-execute bit on a memory segment, and at least on Solaris that permits blocking all "Linux-exploit copycat" style attacks. Also, in the case of Solaris there is the "question of credibility" issue that dictates the necessity to make an exploit portable to UltraSparc: in order to preserve/enhance his credibility an exploit writer/porter needs to work simultaneously on two architectures. For a student that means that one needs to shell out at least $500 to get a decent (not crippled by an IDE controller) UltraSparc box (for example Ultra 30) or risk being caught abusing his/her office or University lab server/workstation. Combine this with the necessity to learn a different CPU architecture/compiler, and this combination means that the potential number of people who can write/port an exploit to Solaris is several orders of magnitude less than for Linux or Windows, where nothing prevents you from doing this in the privacy of your home on a regular PC. From my experience as a teacher I would suggest that it protects from ambitious (and often reasonably capable) "exploit seekers" among the students, automatically channeling their "vanity fair" zeal to more popular OSes.
The important consideration here is that Solaris uses a different compiler from Linux. Many exploits are compiler dependent, and the necessity to cover both the gcc and Sun Studio 10 compilers significantly complicates the creation of a working exploit. For this reason large enterprises should consider using the Studio 10 compiler for compiling open source applications on Solaris x86 whenever possible or practical (for example, it is definitely recommended for compiling bind and Sendmail). Obscurity, understood here as using less popular hardware and software platforms with some additional security features, is a viable method to secure any complex operating environment, and being off the most popular (and the most vulnerable) platforms like Linux and Windows represents for a large enterprise a strategic, not tactical, advantage. This is especially true for open source applications. The vulnerabilities "vanity fair" flourishes mainly in Windows and Linux environments, as for other environments the efforts will never create the PR return necessary for small security companies and individual consultants. But if open source applications are used, then Solaris can be a direct beneficiary of the "Linux vulnerabilities vanity fair": fixes can be available at the same time, but creation of exploits that can work on Solaris is more difficult and requires knowledge outside of the mainstream set of knowledge. Generally this compiler-based security is another example that, outside specialized and narrow areas like cryptographic algorithms, "security via obscurity" is an essential part of enhanced security. Actually, even in the cryptographic area the "one time pad", which represents one of the most secure cryptographic methods of encoding information, was used by such a formidable opponent as the KGB, an organization which probably has had specialists of a very high caliber in this particular area.
- We judge that on the EM64T-Opteron platform with the proper installation, hardening, patching and maintenance procedures Linux has adequate security for usage only in the following deployment areas:
- A low cost development workstation. The security of development workstations represents an important and underappreciated part of large enterprise server park security. Linux is already successfully used in this role, and consolidation of development workstations under one operating system might help to increase the current level of security in this area. The key goal here is "proper installation, hardening, patching and maintenance procedures" that, as practice suggests, are not that easy to achieve on workstations; but here Linux has some advantage over alternative OSes, because most of the development tools can be installed by default and supposedly are installed with fewer potential security problems than "ad hoc" installations of the same tools on Solaris. Moreover, the applications installed are supported by vendor patches, while Solaris recommended patch clusters are limited to the core OS and a handful of applications. A Linux workstation also can provide better productivity for developers due to its generally better selection of development tools, which indirectly might increase the security of the developed applications. Also, a Linux workstation significantly cuts corporate red tape and makes developers significantly more productive due to the ability to bypass the usual channels of software and hardware acquisition that often work ridiculously slowly and inefficiently in a large corporate environment. The capabilities of regular desktop computers are currently high enough for almost any pilot implementation (with adequate memory and hard drive space). This is one area where Linux really shines.
But that does not mean an endorsement of Linux on the desktop. Linux on the desktop has challenges still to overcome, especially on laptops. The technology is not mature enough, and there are major areas of concern to address unless the tasks are very structured and we essentially need an application terminal instead of a real desktop. The Open/Star Office suite is still not powerful enough to satisfy advanced Microsoft Office users, especially financial users of Excel. Few independent software vendors are on board with software. Yes, open source alternatives exist and are growing in maturity, but that does not mean that Linux in the foreseeable future will be a viable option for the desktop. Even companies with a high level of computer expertise are experiencing huge pains with the Linux desktop. For example, more than a year after IBM's chairman Sam Palmisano decided to move to the Linux desktop by the end of 2005, IBM has toned down its rhetoric and avoids further discussion of the issue [McMillan2005].
- Internal WEB servers. In the future Linux might also be considered for
running external WEB servers. As a webserver platform, Linux can not
only support the existing WEB development infrastructure (Java and
Websphere-based) but, what is more important, provide lightweight and
secure alternatives based on scripting languages (Perl and PHP; the latter
is used by Yahoo for its web infrastructure). Simpler, more flexible
applications in general provide better security. Java is too heavyweight a
solution for many tasks where Web presence is an advantage. Many Enterprise
Java developers are now struggling with Java's spiraling complexity and
have fallen into the habit of choosing overly complicated solutions to
problems when simpler options are available. Building server applications
with "heavyweight" Java-based architectures such as Websphere can be very
costly and cumbersome. Often developers spend more time writing code to
support the chosen framework than to solve actual problems. Here Linux,
with its excellent scripting language support, can provide a simpler, more
robust alternative. The example of Yahoo, which adopted PHP for its Web
backend scripting, suggests that this is a viable and very cost-effective
path even for extremely high volume Web sites [Naraine2002].
Because PHP is embedded in HTML (similar to ASP and Cold Fusion),
developers can concentrate more on the actual task instead of having to
spend a considerable amount of time developing code to output HTML. PHP is
shipped standard with all Linux flavors and is an installation option.
- File and print servers. As Novell is naturally moving into the Linux
space with the acquisition of Suse, from both the security and the TCO
standpoint converting Netware servers to Suse-based servers is probably the
second most promising avenue of Linux deployment in large enterprises that
use Netware. Consolidation of Novell into Linux increases the number of
qualified administrators available for the platform (Linux is a flavor of
Unix), simplifies testing of patching compliance (Unix-based tools can be
used) and software delivery (Tivoli can be used) and thus increases
security.
- It's very important to distinguish between the security of Linux
itself (the OS platform) and the security of major open source applications
(like Apache, Bind, Perl, PHP, PostgreSQL, Sendmail, etc.) that can be used
(often more securely) with the other Unix flavors. The security of open
source applications is relatively independent of the issues related to the
security of the Linux kernel and filesystem (Linux proper) and can actually
be improved by using Solaris as the deployment platform. At the same time,
most vulnerabilities that are cited as Linux vulnerabilities are actually
vulnerabilities of the applications that are deployed on Linux. That means
that enterprises have the flexibility of deploying major open source
applications on alternative platforms, for example Solaris (either on Intel
or UltraSparc) or AIX, depending on the security requirements (DMZ or
Intranet) and the cost-effectiveness of the resulting solution. A new
service expected in Solaris 10, codenamed "Project Janus", allows customers
to run x86 Linux applications (binaries) on Solaris x86 unchanged, without
recompiling.
The question any large enterprise needs to look at is whether there is a
tactical or a strategic role for open source on existing platforms. In case
Linux is used as a bargaining chip in negotiating with Microsoft and Unix
vendors, the platform deployment can be minimal (webservers and development
workstations) and it is safer to deploy major open source applications on
existing platforms like Solaris and Windows. In case Linux is a strategic
platform, security becomes a high priority issue and the recommended
hardening process needs to be fully integrated into the infrastructure. As
we stressed before, the decision to eliminate one of the existing server
platforms is a prerequisite to the successful deployment of Linux in a
large enterprise environment.
It's important to understand that the ROI on deploying open source
applications can be substantial. For example, Bernard Golden recently cited
the Oregon State University example, where the school first bought a Google
appliance for about $125K per year. Two years later, they replaced the
appliance with an open source search product called Nutch (license cost:
$0). Nutch is not as easy to use as the Google software, so there is
additional administration overhead of $10K yearly. The overall five-year
payback, however, even when you consider additional hardware and engineering
time, still produced an internal rate of return of 2,300% [Golden2005].
Also the LAMP stack, the combination of the Linux operating system, Apache
Web server, MySQL database, and the scripting languages PHP, Perl or Python,
can be implemented as a SAPP stack (Solaris, Apache, PostgreSQL database and
the same scripting languages) with the additional advantages of Solaris
stability, virtual machine capabilities and kernel multithreading support.
- Open source software is ideal for quick prototyping and can help to
avoid costly deployment mistakes that often happen with proprietary
products. For this particular purpose Linux has the upper hand, as most
applications were tested on Linux and work "out of the box" in a Linux
environment; current Linux distributions can be installed on typical
corporate PCs without problems (this is not yet true for Solaris 10). The
role of Linux as an antidote to red tape should not be underestimated in a
large corporate environment. Many prototypes on Linux can be created using
regular workstations instead of servers with zero or minimal (the cost of
additional memory) acquisition costs. Often early prototyping can prove that
an open source solution is more economical than a proprietary closed solution
or can deliver at least 80% of the functionality for, say, 20% of the cost,
and thus can substantially lower software acquisition costs. In case the
decision is made to go with the proprietary vendor, the experience gained
with the open source prototype provides a much more realistic estimate of
deployment costs than any other method, as well as dramatically improving
negotiating power in talks with the vendor and helping to avoid costly
mistakes.
- As Solaris 10 can run on the EM64T platform, and with the decision by Sun
to open source the latest version of their software under a very liberal
license, Solaris 10 represents a viable alternative to Linux enterprise
deployment. Looking at the advantages of going the Sun route versus the
Linux route, it is hard to see why any organization with a large Solaris
presence would choose to switch to Linux:
- By providing an EM64T platform version of Solaris, Sun largely eliminates
the incentive for large enterprises to switch from UltraSparc to Intel
hardware to obtain lower hardware costs.
- The dominant servers in most large enterprises are still Solaris, as
the most stable, feature-rich and scalable Unix flavor available for
enterprise applications.
- Management of Solaris servers is more mature than management of Linux
servers, with Sun Management Center freely available (in the basic edition).
It can be considered a lightweight (and somewhat more modern) alternative to
the extremely heavyweight Tivoli. In most cases of enterprise high
availability applications, one modern Sun V series server that supports
hardware self-healing can replace two Linux servers with a load balancing
box, making the hardware cost difference negative or negligible.
- Because Sun by default is the only designated party managing the open
source software, there will be no risk of fragmentation of Solaris. That
gives Solaris an important advantage in comparison with Linux, which is
split between multiple partially compatible enterprise distributions (Red
Hat, Suse and Debian).
- Sun's pact with Microsoft creates a unique opportunity to improve
interoperability with Windows at the expense of other players hostile to
Microsoft dominance, like Red Hat, Novell and IBM. Especially promising is
cooperation on interoperability with PC-NFS, further development of the
SunPCi card (a brilliant but underutilized and poorly marketed technology),
system management, authentication and virtual machines; Sun can help
Microsoft to improve Unix services for Windows.
- Solaris 10 is a more advanced OS that supports zones, privileges and
hardware self-healing (on the UltraSparc platform). The Solaris OS is of
proven quality and in major technical areas is equal or superior to Linux;
for example, the quality of the NFS implementation in Solaris is far
superior to the Linux implementation (which before Fedora 3 did not even
support version 4 of the protocol); the open source model that was adopted
for Solaris in late 2004 assures that it stays up there.
- So far there are very few enterprise applications that are available
on Linux and not on Solaris, although more might emerge in the future.
- Sun has a proven reputation in terms of quality of support and
training. In most typical areas of Unix administrator training, Sun's
offerings are superior to the offerings from Novell or Red Hat. In the area
of Unix security administrator training, Sun probably represents the
highest quality vendor among major Unix vendors, with IBM a close second:
AIX security issues are generally documented better and AIX Redbooks exceed
Solaris documentation in quality and quantity, although some IBM Redbooks
suffer from "IBM-speak" and, despite a large number of pages, can be
practically devoid of any useful content (as the famous phrase "this page
was intentionally left blank" captures so well).
- Due to inherent limitations of the scalability of open source
development, Linux might not grow much beyond its current market share of
about 10%, leaving Red Hat and Novell with cash flow problems that might
negatively influence the quality of support. Red Hat is involved in a costly
"war of clones" with CentOS and other "rebuilders" of its Enterprise Server,
and Novell experiences a financial drain due to the decision of major
customers to move to Windows 2003 instead of Suse.
- Linux deployment requires re-training of system administration and
security staff to create and maintain an adequate level of security.
While being a flavor of Unix, Linux is different from Solaris, AIX and
HP-UX; the hardware is also different from typical RISC servers (but is the
same as is used for Novell and Windows servers). That means that deployment
of Linux requires additional training of Unix and security staff. The level
of retraining required is approximately the same as for a transition from
one brand of Unix to another, for example Solaris to AIX or vice versa.
The security of Linux generally can be improved by methods similar to those
used in Solaris, and most tools used for improving Solaris security are
applicable to Linux. Still, there are substantial differences in OS
architecture, and the level of vulnerability of Linux servers is closer to
the level of vulnerability of Windows servers than to that of Solaris. This
generally requires more frequent patching and more complex, deeper
hardening; like Windows, Linux can benefit from an "on-availability"
patching cycle (via a patching wizard) instead of the quarterly patching
cycle typically used for commercial Unixes.
- There are no substantial differences in the security of the two major
Linux distributions: Red Hat Enterprise Server 3 and Suse Enterprise Server 9
(SLES). In the security comparison matrix (see below) they reached close
scores (with Red Hat slightly ahead of Suse). Red Hat Enterprise 3 has
achieved Controlled Access Protection Profile compliance under the Common
Criteria for Information Security Evaluation (CC), commonly referred to as
CAPP/EAL3+, which formally makes it adequate for non-military deployments
like most deployments in the large enterprise space; Novell SLES 9 became
the first Linux distribution formally compliant with the Common Criteria
CAPP/EAL4 standard, which is a slightly higher level of certification. This
puts SLES 9 in the same league as Windows 2000 for sales in the government
sector. For comparison, Sun Microsystems announced that the Trusted Solaris
8 4/01 Operating Environment (Solaris OE) received security certification
under the Common Criteria Labeled Security Protection Profile (LSPP) at
Evaluation Assurance Level 4 (EAL4) on May 1, 2002. AIX 5L for POWER V5.2
received a Common Criteria EAL4 Augmented rating on Sept 8, 2003.
But those ratings do not tell the whole story about security, as they
ignore several important dimensions of security as well as the security of
applications. In choosing a Linux flavor for deployment one should take into
account the development platform that a particular application vendor is
using in-house. For example, Oracle uses Red Hat as a development platform,
and that means that it is slightly safer to use Red Hat as a deployment
platform.
Still, the mere fact of the existence of two distributions of the same
product makes the Linux community and most of the independent software
vendors (ISVs) nervous. There is a fear that one or the other distribution
will fold or that, due to competitive motives, Red Hat and Suse will further
diverge, repeating the path that commercial Unix went down more than two
decades ago.
- In the future (three to five years) Linux can also be considered as a
platform for Oracle and SAP R/3 application servers. Among current
enterprise applications that in the future can be migrated to Linux, from
the security standpoint the following should be considered:
- Small and midrange Oracle databases (some security benefits can
be achieved due to the better availability of hardening tools on Linux and
the peripheral standing of HP-UX in the Unix security space; see the
comparative security matrix). This move might be facilitated by Oracle's
selection of Linux as its development platform (Oracle plans to transfer
most of its developers from Solaris to Linux in 2005).
- SAP R/3 application servers. SAP has supported mySAP Business Suite
on Linux since 2000 and recommends Linux for mission-critical environments;
the security advantages of such a migration are minimal, and
price/performance considerations should guide such a decision.
- Websphere application servers. IBM is a strong supporter of
Linux and pays a lot of attention to developing Websphere on this
platform. That deployment requires better thread support than is
available with the 2.4 Linux kernel.
- Linux distributions currently have the best selection and level of
deployment of open source security tools of all platforms.
For example, the Red Hat distribution has Tripwire pre-installed. SSH, sudo
and xinetd are also pre-installed. Powerful vulnerability scanners (nmap,
Nessus, etc.) and an intrusion detection system (Snort) are available with
both Suse and Red Hat at no charge. That means that some savings can be
realized in the security space by wider usage of Linux-based open source
security solutions, especially vulnerability scanners and IDS sensors
(Snort). Most of those open source tools are available for Solaris too and
perform as well in the Solaris environment as in Linux. But their
availability is lower and most documentation is explicitly Linux-oriented.
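Tripwire, mentioned above as pre-installed on Red Hat, is a file-integrity checker: it records a baseline of hashes and permissions for the files that matter and later reports what changed. The following is an added example written for this page, not Tripwire's own code; it implements that baseline-and-verify cycle in plain Python so the mechanism is visible. The directory layout, file names and contents in demo() are constructed for the demonstration, and the baseline is only kept in memory (a real deployment stores it off-host or on read-only media, since a baseline the intruder can rewrite proves nothing).

```python
"""File-integrity baseline and verification in the spirit of Tripwire.
Added example, not Tripwire's code: hash every regular file under a
directory, record its permission bits, and later report files that were
modified, added, removed, or had their mode changed."""
import hashlib
import os
import stat
import tempfile


def _sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Return {relative_path: {"sha256": hex, "mode": permission bits}} for
    every regular file under root. Paths use '/' so baselines are portable."""
    baseline = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _sha256_of(full),
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def verify(root, baseline):
    """Compare the tree against a stored baseline and return what changed."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    report = {"added": sorted(seen - known),
              "removed": sorted(known - seen),
              "modified": [],
              "mode_changed": []}
    for rel in sorted(known & seen):
        if current[rel]["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
        if current[rel]["mode"] != baseline[rel]["mode"]:
            report["mode_changed"].append(rel)
    return report


def demo():
    """Constructed scenario in a temporary directory: take a baseline, then
    replace a 'binary', drop in an unexpected file and loosen a config mode."""
    with tempfile.TemporaryDirectory() as root:
        binary = os.path.join(root, "bin", "login")
        config = os.path.join(root, "etc", "app.conf")
        os.makedirs(os.path.dirname(binary))
        os.makedirs(os.path.dirname(config))
        with open(binary, "wb") as fh:
            fh.write(b"constructed original binary contents")
        with open(config, "wb") as fh:
            fh.write(b"listen=127.0.0.1\n")
        os.chmod(config, 0o640)

        baseline = build_baseline(root)  # in practice: stored off-host, read-only

        # Three changes a verification run should surface.
        with open(binary, "wb") as fh:
            fh.write(b"constructed replaced binary contents")
        with open(os.path.join(root, "bin", "unexpected"), "wb") as fh:
            fh.write(b"constructed new file")
        os.chmod(config, 0o666)  # world-writable config: a classic audit finding

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

The hash check catches replaced binaries; the separate mode check catches a permission loosening that leaves the contents intact, which a hash-only comparison would miss.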
- We judge the risks of the SCO lawsuit as minimal, but the uncertainty
surrounding the GPL license as a real problem. The usage of GPL components
needs at least to be documented and understood, especially in the commerce
and WEB-related code provided by outsourcers. Copyright infringement suits
related to open source could be a serious distraction and PR problem for
large enterprises which widely embraced the technology as a cost-saving
measure. The behavior of the FSF as GPL custodian is largely unpredictable,
and it tends to periodically launch GPL purity jihads against arbitrary
targets. That might be a part of their PR strategy.
Open source has been around for two decades as a favorite tool of computer
scientists and technology-minded IS staff, but after IBM's decision to
support Linux in 1999, partly as a counterweight to Microsoft Windows, it
moved into the enterprise environment. Open source software is freely
available to use, distribute and modify, but it is subject to restrictions
set forth in several different open source licenses. The most restrictive
open source license is the so-called General Public License (GPL), which
among other things requires the company to open its code if the code uses
GPL components and the company resells the software. As most large
enterprises generally do not resell software, the risks are minimal.
Still, the fact that in March 2003 SCO sued IBM for more than $1 billion,
alleging that it had contributed to Linux proprietary code misappropriated
from SCO, should serve as a warning that some litigation is possible against
any large enterprise with a considerable Linux deployment.
The heart of SCO's argument is that it claims ownership of the copyrights to
Unix System V and that parts of that operating system have been illegally
built into Linux code. SCO claims it bought the rights to Unix from Novell,
which had purchased them from AT&T. The U.S. District Court in Utah
ordered that IBM must provide SCO with source code for its AIX and Dynix
operating systems. The ruling clears the way for SCO to comb IBM's code for
traces of proprietary SCO Unix code. Whether infringing code is found remains
to be seen, but the court action should send a note of caution to IT
departments everywhere.
In addition, about 1,500 companies that widely deployed Linux received
warning letters from SCO. That resulted in business fear of lawsuits related
to open source usage. And SCO has since sued DaimlerChrysler, AutoZone and
Novell.
Copyright infringement suits related to open source could be a serious
distraction for large enterprises which widely embraced the technology as a
cost-saving measure. For example, Wal-Mart uses Linux in its cash registers
and due to its size might be a potential target for a lawsuit.
Linux's potential risks of intellectual property infringement litigation and
the lack of indemnities and other legal protections extend to open source
software in general, especially GPL-based software [Cassim&Overly2005].
That means that while the usage of open source tools (often packaged with
other Unixes, as in Solaris, in addition to Linux) is generally safe, the
usage of GPL-based components in e-commerce and Web applications should be
subject to review due to the possible misappropriation of somebody else's
intellectual property in such components. If quality alternatives are
available, it is recommended that large enterprises select open source
products licensed under BSD-derived licenses, the Artistic license or their
close derivatives, not GPL-based products.
It's clear that there might be additional costs for a company that does not
protect itself from potential litigation related to open source usage. That's
why code reviews for commerce and web software developed by outsourcers are
recommended above. This is similar to buying insurance or a Sarbanes-Oxley
compliance audit. The problem is that offshore software developers working
on web and e-commerce applications routinely borrow pieces of open source
code as building blocks. If proprietary code is mixed with GPL code and the
software is to be redistributed or sold as a commercial product, a license
conflict is possible. The extreme solution would be explicitly banning GPL
components in Web and e-commerce software produced by outsourcers. A more
moderate approach would be to use specialized scanning software to hunt for
GPL license conflicts. An example of such software is Black Duck. The most
important aspect of the problem is that currently large corporations often
simply do not know whether GPL components are used in their e-commerce or
open source software.
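The "scanning software" approach just described, in miniature, as an added example written for this page (it is not Black Duck's or any vendor's code): each delivered source file is classified by its SPDX tag or a distinctive license phrase, and GPL-family files are flagged as conflicting with proprietary redistribution, LGPL files as needing review, and files with no marker as unknown. The phrase table, the policy mapping and the SAMPLE_DELIVERY headers are this example's assumptions and constructed inputs; a production scanner also needs package-metadata and snippet matching, which a header check cannot provide.

```python
"""License scanner for an outsourced source delivery. Added example, not a
vendor's product: classify files by license marker and flag GPL-family
components that conflict with shipping the result as proprietary software."""
import os
import re

_SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+)")

# Distinctive phrases, checked in order; first match wins. LGPL and AGPL come
# before GPL because their license texts also refer to the plain GPL.
_PHRASES = [
    ("LGPL", re.compile(r"GNU (?:Lesser|Library) General Public License", re.I)),
    ("AGPL", re.compile(r"GNU Affero General Public License", re.I)),
    ("GPL", re.compile(r"GNU General Public License", re.I)),
    ("Apache-2.0", re.compile(r"Apache License,?\s+Version 2\.0", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("BSD", re.compile(r"Redistributions of source code must retain", re.I)),
    ("Artistic", re.compile(r"Artistic License", re.I)),
]

# Policy for code that will be sold or redistributed as proprietary (assumed).
_POLICY = {"GPL": "conflict", "AGPL": "conflict", "LGPL": "review"}


def classify_license(text):
    """Return a license family name, or 'unknown' if no marker is present."""
    m = _SPDX_TAG.search(text)
    if m:
        ident = m.group(1).upper()
        for family in ("LGPL", "AGPL", "GPL"):
            if ident.startswith(family):
                return family
        return m.group(1)
    for family, pattern in _PHRASES:
        if pattern.search(text):
            return family
    return "unknown"


def scan_files(files):
    """files: {path: source text}. Returns {path: (family, verdict)}; verdict is
    'conflict', 'review' (LGPL: acceptable only if dynamically linked and
    unmodified), 'permissive', or 'unknown' (no marker: manual review)."""
    results = {}
    for path, text in files.items():
        family = classify_license(text)
        verdict = "unknown" if family == "unknown" else _POLICY.get(family, "permissive")
        results[path] = (family, verdict)
    return results


def scan_tree(root, extensions=(".c", ".h", ".js", ".php", ".py", ".pl", ".java")):
    """Read a real source tree into the shape scan_files() expects; license
    headers sit at the top of a file, so the first 4 KiB is enough."""
    files = {}
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            if name.endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read(4096)
    return scan_files(files)


def conflicts(results):
    """Paths whose license blocks proprietary redistribution."""
    return sorted(p for p, (_family, verdict) in results.items() if verdict == "conflict")


# Constructed sample delivery: file headers as an outsourcer might ship them.
SAMPLE_DELIVERY = {
    "vendor/cart/pricing.js": "// SPDX-License-Identifier: GPL-2.0-or-later\nfunction price() {}\n",
    "vendor/cart/libcalc.c": "/* This library is free software; you can redistribute it under the\n"
                             " * GNU Lesser General Public License, version 2.1. */\n",
    "lib/json2.js": "// Permission is hereby granted, free of charge, to any person ...\n",
    "lib/httpclient.py": "# Licensed under the Apache License, Version 2.0\n",
    "src/checkout.php": "<?php // Copyright (c) Example Corp (placeholder). All rights reserved.\n",
}

if __name__ == "__main__":
    for path, (family, verdict) in sorted(scan_files(SAMPLE_DELIVERY).items()):
        print(f"{verdict:10s} {family:10s} {path}")
```

Run against the sample delivery, the scanner reports one conflict (the GPL-licensed pricing.js), one LGPL file for review, two permissive files, and the in-house checkout.php as unknown; the unknown bucket is the important one to keep, since "no header" is exactly how borrowed code usually arrives.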
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme
(SDNP) in the author's free time.
This document is an industrial compilation designed and created exclusively
for educational use and is placed under the copyright of the Open Content
License (OPL). Original materials copyright belongs to respective owners.
Quotes are made for educational purposes only in compliance with the fair
use doctrine.
Standard disclaimer: The statements, views and opinions presented on this
web page are those of the author and are not endorsed by, nor do they
necessarily reflect, the opinions of the author's present and former
employers, SDNP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness
for any purpose.
Created May 1, 2004; Last modified: March 15, 2008