Vulnerability numbers don't always favor Linux in Linux-vs.-Windows comparisons
: With the different types of distributions that are available for Linux, are you going to count every vulnerability on every possible distribution? Do you report all the applications that run on Linux? Then you have to include every application deployed on Windows as having vulnerabilities as well. You have to compare a single Linux distribution to a single Windows distribution. You can't combine Debian, Red Hat, and SuSE [into a single Linux vulnerability count] because they share the same package.
BM: Attributing vulnerabilities to applications and platforms can get kind of complicated. Apache can be run on Windows. [If that system is compromised] is that an Apache vulnerability or is it a Windows vulnerability?
How have distributors done with Linux security out of the box?
DT: There's been significant improvement. You pick up a current [Linux] distribution off the shelf, install it just by defaults, and hit it with a scanner, and you'll be impressed with what's not visible. [It used to be that] anything was visible by default. A two-year-old version of Red Hat would have SendMail on, FTP on, Telnet on, and by that point SSH was also several years old, and it was wide open to the world. Today, the basic principle is turn it all off and leave it to the individual to turn it on.
What's in store for Linux security rollouts over the next five years?
: What's coming up fastest is separation of authority or user separation, and buffer overflow protections within the actual kernel of Linux. So, although current buffer overflow attacks would be able to occur in the application, they wouldn't be able to affect the operating system.
BT: I think something else we're going to see is smarter firewalls and intrusion prevention. Right now, people say 'let's try to define what an attack packet looks like.' I think we're going to see a little more intelligence in terms of what kind of [traffic people] expect to pass through [their] Web servers.
Something I've been advocating for about four years is an adaptive firewall. If someone's been attacking you for half an hour, [an adaptive firewall would make it] easy to say let's just block his IP and we're done with him at that point.
BM: There are third-party patches available for Linux kernels. I anticipate those will be rolled into major Linux distributions and that will make a real difference in security in terms of upping the ante on the developers of the exploits.