How does Linux architecture compare with Windows in terms of security?
: Linux has the advantage of transparency. With most of the Linux configuration items, you can look inside it and audit it better than a Windows system. My recommendation would be to embrace platforms that have transparency and "auditability" because then you can have more confidence in the security of your network.
You can open up a Linux system. You can automate the automated Linux system to a degree that, to my knowledge, is impossible with the proprietary formats and the undocumented structures that inhabit the Microsoft operating system.
: Structurally, a major difference where security is involved is the modularity of Linux. It was piecemeal from the beginning and it will continue to be so. And, therefore, it's very modular, which means if I don't want something I can tear it out and tear it down to just what I need, down to very bare minimum, which means it allows me to control exactly what it does, security-wise. On Windows, I can't do that.
BT: With Linux, each service (Web service, mail service, DNS service, etc.) is a separate program that you can run as a separate non-group user. Therefore, if any one of them gets compromised, it doesn't have to affect the other services running, and it's not going to affect the kernel for the vast majority of vulnerabilities. So, really, you have much tighter security. With IIS and IE, they essentially run with all privileges. So using the vulnerabilities in IIS and IE, the attacker basically gets control of that whole system.
An audience member named Jim Dennis, who was attending the conference on behalf of Linux Gazette, had this to add: "The modularity also gives you diversity. You don't have as much of a mono-culture. Sure, Apache runs on about 50-something percent of all Web sites visible in the world, but it's not always running on Linux and not all Linux boxes are running Apache. One exploit isn't going to take down everybody."