Solaris vs. Linux Security
in Large Enterprise Environment
Copyright 2004-2006, Dr. Nikolai Bezroukov. This is a copyrighted
unpublished manuscript. All rights reserved.
Table of Contents
- Comparative security matrix
The level of security achievable in
Linux in comparison with Solaris is discussed and the problems of Linux integration
into existing enterprise infrastructure are outlined. The author argues that
adding another OS to the large enterprise mix is a costly decision that has negative
side effects on security independently on what OS we are adding and those side
effects should not be taken lightly. That means that Solaris 10 significantly narrowed
the window of opportunity for Linux to penetrate into a large corporate environment.
We should clearly distinguish and separately
evaluate savings and security benefits of moving to EM64T architecture and savings
and benefits of moving to Linux as a new OS.
The key finding
is that the goal of diminishing (or at least not increasing) of the diversity of
operating system environments is a key prerequisite for the security of Unix infrastructure
on large enterprise level and that consideration should guide Linux deployment in
the large enterprise environment.
this goal to be more important for general level of security in the corporation
then individual qualities of Linux in security space (or its faults in the same
space). It also strongly affects potential savings.
We suggest that the following main points support this key finding:
Typical Linux security problems
are bigger compared with Solaris and AIX for all major dimensions of
enterprise security. The key issues include but are not limited to number of
vulnerabilities, complexity and frequency of patching, hardening procedures
as well as quality and stability of the major subsystems. The comparative
security matrix presented in the paper provides additional insight at Linux
security and suggest that it stand somewhere in between leading commercial Unixes
and Windows 2003 servers. The main conclusion is that currently Solaris 9 leads
in security in comparison to Linux (and Solaris 10 zones and AIX 5.3 partitions
promise additional significant improvements unachievable in Linux space), while
Windows 2003 server and Linux has generally similar level of security
with Linux having some advantages in certain areas and Windows 2003 server in
others. In no way Linux can be considered significantly more secure then
Windows 2003 in heterogeneous enterprise environment.
We judge that this to be an urban myth.
At the same time we judge that there is a noticeable weakness in the level of
security of the current versions of Linux in comparison with both Solaris 10
as well as AIX 5.3 and upgrades to those versions of existing servers (with the appropriate
consolidation efforts due to virtualization capabilities in those OSes) might
be a more suitable path of improvement enterprise security then the introduction
of an additional OS.
We suggest that in a large enterprise
environment a successful Linux deployment requires to "sacrifice" at lease
one existing enterprise Unix flavor. This requirement constitutes an most important
prerequisite for the secure large scale enterprise Linux deployment. There
is a saying that any enterprise that is using more then two flavors of Unix
is using just too many. And a valid consideration behind it is that system administers
outside of selected class of super-administrators are generally incapable to
muster more then two flavor of Unix into the level sufficient for maintaining
an adequate level of security. The difference are just too subtle and too numerous
to comprehend. Moreover a regular Unix administrator just cannot
became proficient in more then two flavors of Unix at the level necessary for
adequate administration (and that statement can be measured by the number of
people who hole more that two System administrator certifications: two are more
or less common, three are very rare). This "too many unixes on the floor"
factor alone can lead to significant deterioration of the general level of enterprise
security due to introduction of Linus. We note that Linux deployment
is further complicated by Linux internal fragmentation: the existence of two
competing enterprise distributions (Red Hat and Suse) and there is a risk that
should be properly understood by high level management that introduction of
a first flavor will eventually lead to the introduction of another due to application
requirements or preferences.
- As Linux has generally wider availability
of open source applications amount all Unfixes (including Solaris) in case this
factor is considered an important enough advantage to justify OS deployment
it might be wise to postpone Linux deployment until the point when Linux
gets lightweight VM capabilities competitive with the Solaris 10 zones or BSD
jails (for example XEN introduction into Red Hat Enterprise). Not only security,
but other benefits provided by Linux, should be carefully evaluated against
the ability to support virtual machine concept like Solaris 10 (lightweight
VM: zones) and AIX 5.3 (full VM: logical partitions). The paper stresses
any enterprise ready Unix now should provide VM capability out of the box like
is the case with Solaris and AIX. Otherwise securing the servers might be might
more complex job.
- Linux is surrounded by too much hype and
reality of large enterprise deployments looks drastically different from newspaper
articles. With Sun opening Solaris 10 and providing version of Solaris for
Intel EM64T hardware platform that supports zones, the possibility of using
Solaris 10 as an alternative to Linux should be considered in each individual
case due to definite security advantages of "zoned" applications deployments.
In case where Solaris is already used for a particular application (for example
e-commerce applications, SAP/R3, etc) just moving the hardware platform from
UltraSparc to EM64T architecture and "zoning" those applications looks like
significantly more secure deployment strategy. At the same time this strategy
provides cost savings comparable with those that are typically associated with
the conversion to Linux.
- Application security on Linux is generally
less than application security on UltraSparc Solaris or AIX due to the usage
of the most mass produced platform on the market and the freely available and
widely used GCC compiler. For most corporate applications securitywise Linux
is positioned in between RISK CPU based Unixes (AIX, HP-UX, Solaris) and Windows
2003 server. It is pretty close to Windows in general level of security
as well as in the recommended length of patch cycle. Linux applications compiled
using GCC compiler have a higher number of vulnerabilities per year (close
to Windows) then the same applications on commercial Unixes that run on different
architectures and use different compliers are a significant part of vulnerabilities
are related to buffer overflows. Moreover unlike Solaris Linux is still unable
to utilize the advantages of new EMT64T architecture with a MMU that can set
a no execute bit on a memory segment. On ETM64T Solaris (like on UltraSparc)
can disable execution from the stack. As a result Linux servers generally requires
more frequent patching (probably monthly like in case of Windows servers) in
enterprise environment. At the same time many enterprises are able to survive
with quarterly patching ( or even half a year) for all but the most critical
bugs (recommended cluster) for AIX and Solaris. Semiannual cycle is also the
most typical for HP-UX. We suggest that using proprietary compliers like Intel
complier or Sun Studio 10 complier might further improve the security
of open source applications, and first of all such widely used by enterprises
packages as bind, Sendmail, and Apache, against typical exploits.
- Linus servers and applications require more
frequent patching cycle. The latter is quite costly in a large enterprise
environment and their effect of savings expected from the Linux deployment should
be carefully evaluated. We judge that availability of high-quality open source
security tools and deep hardening can somewhat offset this patching period disadvantage
and might permit using quarterly patching cycle for internal firewall-protected
Linux servers. Linux has a weaker internal firewall (Solaris 10 is using
IPfilter, the best open source firewall available).
At the same time Linux has better selection of open security tools including
better selection of additional PAM modules then Solaris.
All-in-all, in security space large enterprises
can get additional benefits from the deployment of Linux,
if and only if such a deployment is strategically
aligned with the goal of diminishing the operating systems platforms diversity.
Adding Linux to the enterprise Unixes mix decrease the existing level of security
due to additional complexity of maintaining another flavor of Unix (often two additional
flavors of Unix: Red Hat and Suse) by the existing staff of system administrators.
Protecting IT infrastructure is a very challenging task
in a culture where easy access to information prevails over security concerns. The
key problem here is that the need for an efficient enterprise to provide relatively
unfettered access to data, combined with the highly decentralized nature of operations,
is irrevocably connected with the potential for serious security breaches. Maintaining
and, especially, improvement of large enterprises IT security is a huge challenge
and introduction of new OSes like Linux is only one relatively minor problem among
Still introducing Linux as an additional OS into enterprise
OS mix is a problem that, if not addressed properly, can lead to the deterioration
of existing level of security. We assess the following critical issues in
the executive evaluation of the security problems related to the introduction of
Linux-based servers in a large enterprise IT environment:
- The main security problem of introduction of Linux in a large corporation
IT infrastructure is the resulting increase of the diversity of existing Unix
platforms, which diminishes the amount of attention to the security issues on
The success of Linux deployment largely depends on the ability to preserve or,
better diminish the level of diversity of OSes deployed. It is recommended
to deploy Linux only in areas where is can replace, not to add to the mix of
the server operating systems currently used. In all other areas deployment Solaris
10 on EM64T hardware
can be a viable alternative to Linux deployment from the security standpoint
(depends on the availability of software for EMT64T version of Solaris).
Most large enterprises currently standardize on all three major flavors
of commercial Unixes (Solaris, AIX and HP-UX) as well as three other Intel-based
OSes (MS Windows, Novell, and VMware). This is already a very costly diversity
that stretches both administrators and security personnel too thin. Excessive
diversity implicitly creates a situation when only two most prominent OS platforms
are secured to any significant depth (for example Solaris and Windows, or AIX
and Windows); other platforms are relatively less secure due to lesser attention
to their security. If this is true, than adding Red Hat, Suse (or, most
probably, both) to the enterprise OS mix is a step that can backfire in security
That means that a large enterprise can get additional benefits from the
deployment of Linux, if and only if such a deployment
is strategically aligned with the goal of diminishing the operating systems
platforms diversity. Other things equal Linux deployment
is the most realistic option only for those enterprises that have substantial
HP-UX and Novell Netware deployment and are planning to consolidate both into
Linux as a cost saving measure: HP-UX and Novell are both moving toward Linux
space, so replacing their existing servers with Linux does not disrupt the relationships
with those companies; still there should be no rush in the deployment of Linux
servers until the corresponding firms make their Linux offering solid and robust
enough for the replacement of existing servers, which might take considerable
HP-UX is often used as Oracle platform in enterprise space. Oracle implements
large part of OS functionality within its database (there was a project in the
past to run Oracle directly on a hardware without OS layer) and also moves to
the Linux as their primary platform for development, non-critical midrange database
servers with HP-UX look like a natural target for Linux conversion that might
provide comparable security (as this will be the platform on which Oracle does
the development; such platform is inherently more secure then others even if
underling OS is not) and substantial (up to a hundred thousand dollars per midrange
server) hardware cost savings. Still for each such case Solaris on EMT64T should
be evaluated as an alternative, as Solaris was the platform on which Oracle
developed its database for a long time. For critical database servers Solaris
still should be used instead of Linux.
- Linux is just kernel is as packaged as a distribution by multiple competing
vendors. Thus it inherited "Unix curse" and is splintering into multiple only
partially compatible enterprise distributions. That means that enterprises
often need to introduce not one but two flavors of Linux into their environment.
From an enterprise standpoint Linux has too many filesystems.
Mostly for political reasons Linux vendors are promoting different, generally
inferior to SGI XFS filesystem in the enterprise environment. While both
ext3 (Red Hat) and Reiserfs (SuSE is the primary sponsor of
Reiserfs) support large files and volumes and are journaled they are not
safe to use in enterprise environment as there are no true stress tests available
to the general public to help them decide which one to use. For this reason
alone, the choice between Red Hat and Suse is not trivial and probably large
enterprises need to have both as different vendors prefer to certify their applications
for different Linux flavors (for example, currently Suse is preferable for SAP/R3,
Red Hat for Oracle).
Each distribution is creating its own installation and management tools and
there is no will among Linux vendors to fight the
NIH syndrome that is known to result in the spawning
of a myriad of incompatible, incomplete or ill-designed clones of many software
products created by or for a specific Linux distribution. Most tools are "80%
done" and this "80% done syndrome is pretty typical across the variety of Linux
distributions. When a closed source project gets 80% done, its
owner will redouble efforts to win market share. They will advertise heavily,
work hard on enhancements, and try to take over. When an open source project
gets most of the way there, its developer doesn't have a big incentive to make
changes ó it works fine for them. They may work on bugs, or assume that other
members of the community need to pull their load now. They may even move to
work on something else.
That "multiple personality" problem with Linux makes Solaris on
EM64T hardware platform especially attractive for large enterprises. Solaris
Sun formed a strategic alliance with AMD [AMD2004]and
it is reasonable to expect that the quality of EM64T version of Solaris will
quickly improve from the current level. Still currently Solaris compatibility
of non-Sun platforms remains limited, but this should be of a concern to large
enterprises as Sun usually belongs to the list of their approved hardware vendors
- The predictability of Sun as a vendor is better then either Red Hat (which
makes an unpredictable and damaging moves by trying to monopolize Linux space
and force their expensive consulting services to enterprise customers) or Novell
(which makes unpredictable and damaging moves because it is struggling financially).
While Red Hat is more close to a mutual fund then to the "for profit" company
and as such is more stable financially, with the recent arbitrary discontinuation
of Red Hat 9 support Red Hat seriously damaged
their brand and the loyalty they had for their distribution. Also RHEL licensing
costs exceeding licensing costs for Solaris. Many their former customers moved
to other distributions (Debian, Gentoo); some moved to FreeBSD.
That created an opening for Novell, but the general viability of Linux model
for Novell still needs to be tested on the marketplace. Some of their recent
moves created internal conflict of interests (for example KDE vs Gnome).
Also their long term financial viability depends on the success of other products
and first of all the success of NDS which is gradually pushed out of enterprise
space by Active Directory.
- While Linux is just a kernel, Solaris is a complete Unix system:
kernel, device drivers, libraries, userland, development environment, documentation,
and all the tools you need to continue doing development. Based just on completeness
of functionality, it is not handled like a Linux distribution. Solaris packaging
is fully controlled by Sun and that means that Solaris will have a single distribution
in a foreseeable future.
For example if Solaris development team need
to make a change (for example introduce ACL) they can therefore force such a
change into the system by changing it all the way to utilities. That means that
Solaris can react to new technical possibilities more quickly and this recently
has been shown to be the case with the introduction of zones in Solaris version
10. If something is designed wrong, and the proper fix depends on changes outside
the kernel, Solaris team still can fix it by changing all the required pieces
in the right places. They do not need clever kernel hacks in the wrong place
to fix a problem, that should be fixed in a more complete manner.
The quality (and security) of several major components in Solaris (NFS is
the most visible example) is far above anything in Linux space.
Solaris is better documented. The most important is the difference in the
quality of man pages. in Solaris everything has man pages, including the kernel
functions. Linux instead depends on FAQs, HOWTOs, and sparse documentation that
comes in many different formats.
- That maturity of a OS platform from the security standpoint is highly
dependent of the availability and quality of virtualization components and Solaris
10 zones represent significant security advantages over Linux.
While both kernels are "open source" kernels there are many
differences between the two kernels that are the consequences of when and how
the kernels were developed. In no way Linux kernel can be considered "problem
free" kernel (and OS) or the most technically advanced kernel (or OS) from the
technical standpoint. Parts of the Solaris source can be traced to more
than 30 years ago and has gone through many revisions. This has resulted in
excessive complexity in certain subsystems were the code is difficult to understand
and modify. Linux's kernel code is newer and it keeps constantly being re-factored
between versions. While this makes the code somewhat simpler at virtual machine
and filesystem API layers, stability is suffering. Especially troublesome
is general device driver stability. Every Linux 2.6 release so far has had bugs
that were fixed in the next minor release, while others got introduced.
Solaris has much better regression testing and this is not a problem for Solaris
customers. Still Linux has caught up a lot, especially with 2.6.In 2.4 Linux
kernel used to up to 12 copies of a single device driver -- one for each combination
architecture and bus supported. Now most drivers have one copy. The 2.4 I/O
performance issues have been largely addressed in 2.6. A major reason behind
Linux's improvement is the support from commercial vendors in the basic kernel
functionality (IBM), filesystems (XFS from SGI), and third-party drivers.
Light weight virtual machines constitute the most attractive path for
the improvement of application security in enterprise environment. While
virtualization does not prevent application-level exploits, it contains them
to a particular VM environment that can be pretty isolated from both the network
and other applications that are running on the same server.
Linux virtual machine components are still immature and far behind such OSes
as Solaris 10 (Solaris 10 zones are a very elegant implementation of a concept
of a light-weight VM, the concept originated in FreeBSD) and, especially, AIX
5.3 (which, before Solaris 10, along with FreeBSD was a leader in the Unix virtualization
race; AIX virtualization facilities are not a light-weight, but a full blown
VM and as such are not available for EM64T hardware).
This weakness can be particularly compensated by deploying Linux under third
party VM environment, for example provided by VMware. Still creating multiple
instances of Linux under VMware increases the complexity in comparison
with using a single OS. Essentially VMware in this case represents another addition
to the corporate OS mix. Moreover VMware licensing and support costs largely
eliminate cost advantages of switching to Linux. While using Linux under VMware
is attractive option of consolidating low load "one application" servers, here
Solaris 10 zones represent a more competitive solution.
Network infrastructure and server complexity in the large enterprises has
increased so significantly that it has become a constraint on how flexible a
business can be. Server consolidation based on virtual machine concept in a
large enterprise environment is the necessity that no large enterprise can avoid.
This movement already started in AIX space and Windows space (sometimes under
VMware, which is this case can be reused for Linux virtualization purposes),
but it will definitely accelerated in the future. Currently Linux is the weakest
Unix platform for virtualization and needs additional components (VMware)
to be viable in this space.
- The recommended hardware deployment platform (as well as Solaris on Intel)
from the security standpoint (as well as from cost/performance standpoint) should
be mid-range EM64T-based (AMD Opteron or Intel Nocona) servers.
Outside of areas where appliance-like hardening and configuration of the server
is possible (like WEB hosting) usage of production Linux servers on older 32-bit
Intel x86 architecture is not recommended because of higher security risks.
Usage of EM64T technology (Intel's name for its 64-bit extensions to
the x86 instruction set pioneered by AMD and adopted by Intel) somewhat diminishes
security risks for mass exploits and provides better price/performance ratio
then the traditional Intel X86 architecture. The EMT64T has a MMU that can set
a no execute bit on a memory segment. On ETM64T Solaris like it does on UltraSparc
can disable execution from the stack. That stops significant percentage of stack-overflow
type of attacks. Therefore the usage of EM64T should be considered to
be an important security requirement for all future projects that involve mid-range
Intel-based servers. Traditional 32-bit Intel X86 architecture, being
the most popular computer platform on the globe, significantly increases the
changes that a particular vulnerability will be hit with the exploit before
patching. It also does not scale well and this fact alone prohibits enterprises
from making significant cost savings for midrange servers.
- Availability of Solaris on EM64T platform by and large neutralizes Linux
advantage of running on Intel hardware. Opteron
currently has approximately 50% price/performance advantage over comparably
proceed UltraSparc CPUs (especially on an popular low level server enterprise
configuration: 2 1.5GHz CPUs with 2 or 4G of memory(V210) and 4 1.6 GHz CPUs
with 4-8G of memory (V440)). The four-way Opteron-based Sun Fire
server that is priced in the same range achieved world-record results on SPEC
OMPM2001 (a key benchmark for scientific applications in 2004) and is priced
competitively with both HP and Dell servers. The Sun Fire V20z was one of the
top-performing two-way x86 servers available in 2004.
There is no significant security or cost advantage of using Linux for typical
enterprise applications on lower end servers in comparison with Solaris 10 on
Intel or Windows 2003 (here "low end" means four or less CPUs and 4 or less
gigabytes of RAM). We judge that in this case from several important dimensions
of security, and first of all from the point of view of availability of qualified
security personnel and administrators, as well as availability of applications,
Windows 2003 is competitive with Linux. Solaris costs more to manage but is
more secure. As migration of Lotus Notes from Windows server to AIX/PowerPC
platform had shown, for certain applications even mid-range Windows servers
can be more stable and cheaper then Unix alternatives, while being reasonably
- Solaris has a significant "security via obscurity" advantage over Linux
and that advantage will be preserved in a foreseeable future.
Linux's growing popularity is attracting unwanted attention from virus writers,
script kiddies and criminal elements. In response, Linux advocates are
putting a new emphasis on security measures and working to reassure large enterprises
that the OS is secure for important enterprise applications. Still in 2003-2004
there has been a lot of change in the attractiveness of Linux from the security
standpoint due to its now established status as a favorable target for hackers/crackers,
the status second only to Windows. Chad Dougherty, an Internet security analyst
at the CERT Coordination Center, which tracks OS vulnerabilities stated that
"If you look over time, there has been a consistent level of vulnerabilities."
Several remotely exploitable problems in the Linux kernel and major Linux applications
are reported each year. Moreover some of the major applications vulnerabilities
are exploitable only on Linux as they depend on the kernel and/or the compiler
properties. For 2004 there were several reported kernel problems [Davis2004a,
Davis2004e]. In late
2003 there were several high-profile breaches. GNU project CVS repository
was compromised in early November of 2003. The compromise was discovered December
1, 2003 and Savannah was back online December 23, 2003. The last "known good"
backup was dated September 16. As a result a lot of patches for the projects
maintained on Savannah (for example
mc) were lost
[LWN2003]. Next, the
Debian Project had to take their servers down to clean out a remote vulnerability
Then, server at Gentoo project was compromised [Slashdot2003].
From both security and cost/performance standpoints Solaris on Intel remains
the major competitor to Linux in Intel-compatible hardware space. Just
having different from Linux format of executables (and using a different compiler
for kernel and other major subsystem) makes Solaris more "exploit resistant"
then Linux as this represents additional "security via obscurity" layer of defense
that we should not ignore. Taking about "security via obscurity" we should
state that it does provide enterprise customers an important additional layer
of defense the value of which is often underestimated. This layer is higher
on RISK-based platforms like UltraSparc (with its stack-overflow protection).
On AMD CPUs this layer is thinner, but The EMT64T has a MMU that can set a no
execute bit on a memory segment and at least on Solaris that permits blocking
all "Linux-exploits copycats" style of attacks. Also in case of Solaris there
is the "question of credibility" issue that dictates the necessity to make an
exploit portable to UltraSparc: in order to preserve/enhance his credibility
an exploit writer/porter needs to work simultaneously on two architectures.
For a student that means that one needs to shell out at least $500 to get a
decent (non crippled by an IDE controller) UltraSparc box (for example Ultra
30) or risk being caught abusing his/her office or University lab server/workstation.
Combine this with the necessity to learn different CPU architecture/compiler
and this combination means that the potential number of people who can write/port
to Solaris an exploit is several orders of magnitude less than for Linux or
Windows, where nothing prevents you doing this in a privacy of your home on
a regular PC. From my experience as a teacher I would suggest that it
protects from ambitious (and often reasonably capable) "exploit seekers" among
the students automatically channeling their "vanity fair" zeal to more popular
The important consideration here is that Solaris uses a different complier
from Linux. Many exploits are complier dependent and the necessity to cover
both gcc and Sun Studio 10 compliers significantly complicates the creation
of working exploit. For this reason large enterprises should consider using
Studio 10 complier for compiling open source applications on Solaris x86 whenever
possible or practical (for example it is definitely recommended for compiling
bind and Sendmail). Obscurity understood here as using less popular hardware
and software platforms with some additional security features is a viable method
to secure any complex operating environment and being off the most popular (and
the most vulnerable) platforms like Linux and Windows represents for a large
enterprise a strategic, not tactical advantage. This is especially true for
open source applications. Vulnerabilities "vanity fair" flourishes mainly
in Windows and Linux environments as for other environments the efforts will
never create the necessary for small security companies and individual consultants
PR return. But if open source applications are used then Solaris can be a direct
beneficiary of the "Linux vulnerabilities vanity fair": fixes can be available
at the same time but creation of exploits that can work on Solaris is more difficult
and requires knowledge outside of mainstream set of knowledge. Generally this
complier-based security is another example that outside specialized and narrow
areas like cryptographic algorithms "security via obscurity" is the essential
part of enhanced security. Actually even in cryptographic area "one time pad"
that represents one of the most secure cryptographic methods of encoding of
information and was used by such a formidable opponent as KGB, the organization
which probably has had specialists of very higher caliber in this particular
- We judge that on EMT64T-Opteron platform with the proper installation,
hardening, patching and maintenance procedures Linux has adequate security
for usage only in the following deployment areas:
- A low cost development workstation. The security of development
workstations represents an important and underappreciated part in a large
enterprise server park security. Linux is already successfully used in this
role and consolidation of development workstations under one operating system
might help to increase the current level of security in this area. The key
goal here are "proper installation, hardening, patching and maintenance
procedures" that, as practice suggest, are not that easy to achieve on workstations
but here Linux has some advantage over alternative OSes, because most of
the development tools can be installed by default and supposedly are installed
with less potential security problems than "ad hoc" installations of the
same tools on Solaris. Moreover applications installed are supported by
vendor patches while Solaris recommended patch clusters are limited to the
core OS and a handful of applications.
Linux workstation also can provide a better productivity for developers
due to its generally better selection of development tools that indirectly
might increase the security of developed applications. Also Linux workstation
significantly cuts corporate red tape and makes developers significantly
more production due to ability to bypass usual channels of software and
hardware acquisitions that often work ridiculously slow and inefficiently
in a large corporate environment. The capability of a regular desktop
computers currently are high enough for almost any pilot implementation
(with adequate memory and harddrive space). This is one area
were Linux really shines.
But that does not mean an endorsement of Linus on desktop. Linux on the
desktop has challenges still to overcome, especially on laptops. The technology
is not mature enough, and there are major areas of concern to address unless
the tasks are very structured and we essentially need an application terminal
instead of a real desktop. The Open/Star Office suite is still not
powerful enough to satisfy a advanced Microsoft Office users, especially
financial users of Excel. Few independent software vendors are on board
with software. Yes, open source alternatives exist, and are growing in maturity,
but that does not mean that Linux in a foreseeable future will be a viable
option for desktop. Even companies with high level
of computer expertise are experiencing huge pains with Linux desktop. For
example more than a year after IBM's chairman Sam Palmisano decided to move
to the Linux desktop by the end of 2005, IBM has toned down its rhetoric
and avoids further discussion of the issue [McMillan2005]
- Internal WEB servers. In the future it might be considered for running
external WEB servers. As a webserver platform, Linux can not only support
existing WEB development infrastructure (Java and Websphere-based), but
what is more important provide lightweight and secure alternatives based
on scripting languages (Perl and PHP; the latter is used by Yahoo for its
web infrastructure). Simpler more flexible applications in general
provide better security. Java is too heavyweight solution for many tasks
where Web presence is an advantage. Many Enterprise Java developers
are now struggling with the Java's spiraling complexity and have fallen
into the habit of choosing overly complicated solutions to problems when
simpler options are available. Building server applications with "heavyweight"
Java-based architectures, such as Websphere can be very costly and cumbersome.
Often developers spend more time writing code to support chosen framework
than to solve actual problems. Here Linux with its excellent scripting languages
support can provide a simpler more robust alternative. The example of Yahoo
which adopted PHP for its for its Web backend scripting suggests that this
is a viable and very cost-effective path even for extremely high volume
Web sites [Naraine2002].
Because PHP is embedded in HTML (similar to ASP and Cold Fusion)
developers can concentrate more on an actual task instead of having to spend
considerable amount of time developing code to output HTML. PHP is shipped
standard with all Linux flavors and is an installation option.
- File and print servers. As Novel naturally is moving into Linux
space with the acquisition of Suse from both security and TCO standpoint
converting Netware servers to Suse-based servers is probably the second
most promising avenue of deployment of Linux in a large enterprises that
use Netware. Consolidation of Novel into Linux increase the number
of qualified administrators available for the platform (Linux is a flavor
of Unix), simplifies testing of patching compliance (Unix-based tools can
be used) and software delivery (Tivoli can be used) and thus increase the
- It's very important to distinguish between security of the Linux itself
(OS platform) and security of major open source applications (like Apache, Bind,
Perl, PHP, Postgress, Sendmail, etc) , that can be used (often more securely)
with the other Unix flavors. Open Source applications security is
relatively independent from the issues related to the security of the Linux
kernel and filesystem (proper Linux) and actually can be improved by using Solaris
as a deployment platform. At the same time most vulnerabilities that are sited
as Linux vulnerabilities are actually are the vulnerabilities of the applications
that are deployed on Linux. That means that enterprises has flexibility of deploying
major open source applications on alternative platforms, for example, Solaris
(either on Intel or UltraSparc) or AIX depending on the security requirements
(DMZ or Intranet) and the cost-effectiveness of the resulting solution. A new
service expected in Solaris 10, codenamed "Project Janus" allows customers to
run x86 Linux applications (binaries) on Solaris x86 unchanged without recompiling.
The position any large enterprise needs to look at is whether there is a tactical
or strategic role for open source on existing platforms. In case Linux is used
as bargaining chip in negotiating with Microsoft and Unix vendors the platform
deployment can be minimal (webservers and development workstations) and its
safer to deploy major open source applications on existing platforms like Solaris
and Windows. In case Linux is a strategic platform, security become a
high priority issue and the recommended process of hardening needs to be fully
integrated into infrastructure. As we stressed before the decision to eliminate
of one of the exiting server platforms is a prerequisite to the successful deployment
of Linux in a large enterprise environment.
It's important to understand that the ROI on deploying open source applications
can be substantial. For example Bernard Golden recently
cited Oregon State University example, where the school first bought a
Google appliance for about $125K per year. Two years later, they replaced the
appliance with an open-source search product called Nutch (license cost: $0).
Nutch is not as easy to use as the Google software, so additional administration
overhead of $10K yearly. The overall five-year payback, however, even
when you consider additional hardware and engineering time, still produced an
internal rate of return of 2,300% [Golden2005].
LAMP stack, the combination of the Linux operating system, Apache Web server,
MySQL database, and scripting languages PHP, Perl or Python can be implemented
as SAPP stack (Solaris, Apache, Postgress database and the same scripting languages)
with additional advantages of Solaris stability, virtual machines capabilities
and kernel multithreading support
- Open Source software are ideal for quick prototyping and can help to
avoid costly deployment mistakes that often happen with proprietary products.
For this particular purpose Linux has an upper hand as most applications
were tested on Linux and work "out of the box" in a Linux environment; the current
Linux distributions can be installed on typical corporate PCs without problems
(this is not yet true for Solaris 10). The role of Linux as a antidote
to red-tape should not be underestimated in a large corporate environment.
Many prototypes on Linux can be created using regular workstations instead
of servers with zero or minimal (the cost of additional memory) acquisition
costs. Often early prototyping can prove that open source solution
are more economical than proprietary closed solutions or can deliver at
least 80% of functionality for, say, 20% of costs and thus can substantially
lower software acquisition costs. In case the decision is make to go with the
proprietary vendor experience gained with the open source prototype provides
a much more realistic estimate of deployment costs than any other method as
well as dramatically improves negotiating power in talks with the vendor and
help to avoid costly mistakes.
- As Solaris 10 can run on EM64T platform and with the decision by Sun
to open source their latest version of their software under very liberal license,
Solaris 10 represents a viable alternative to Linux enterprise deployment.
Looking at the advantage of going the Sun route versus the Linux route it
is hard to see why any organizations with a large Solaris presence would chose
to switch to Linux:
- By providing EM64T platform version of Solaris Sun largely eliminates
incentives for large enterprises to switch from UltraSparc to Intel hardware
to facilitate lower hardware costs.
- The dominant servers in most large enterprises are still Solaris, as
the most stable feature rich and scalable Unix flavor available for enterprise
- Management of Solaris servers is more mature than Linux servers with
Sun Management Center freely available (in basic edition). It can be
considered a lightweight (and somewhat more modern) alternative to extremely
heavyweight Tivoli. In most cases of enterprise high availability
applications one modern Sun series V servers that support hardware self-healing
can replace two Linux servers with the load balancing box making the hardware
cot difference negative or negligible.
- Because Sun by default is the only designated party managing the open
source software, there will be no risk of a fragmentation of the Solaris.
That provides Solaris important advantage in comparison with Linux that
is split between multiple partially compatible enterprise distributions
(Red Hat, Suse and Debian).
- Sun's pact with Microsoft creates a unique opportunity to improve interoperability
with Windows at the expense of other players hostile to Microsoft dominance
like Red Hat, Novell and IBM. Especially promising is cooperation
in interoperability with PC-NFS, further developments in
SunPCi card (brilliant but underutilized and poorly marketed technology),
system management, authentication, virtual machines; Sun can help Microsoft
to improve Unix services for Windows.
- Solaris 10 is more advanced OS that supports zones, privileges and hardware
self-healing (on UltraSparc platform). The Solaris OS is of proven quality
and in major technical areas is equal or superior to Linux; for example
the quality of NFS implementation in Solaris is far superior to the Linux
implementation (which before Fedora 3 did not even support version 4 of
the protocol); the open source model that was adopted for Solaris in late
2004 assures that it stays up there.
- So far there are very few enterprise applications that are available
on Linux and not on Solaris, although more might emerge in the future.
- Sun has a proven reputation in terms of quality of support and training.
In most typical areas of Unix administrators training Sun's offerings superior
to offerings from Novell or Red Hat. In the area of Unix security
administrators training Sun probably represents the most high quality vendor
among major Unix vendors with IBM as a close second: AIX security issues
are generally documented better and AIX Red Books exceed in quality and
quality Solaris documentation although some IBM Red Books suffer from "IBM-speak"
and can despite large number of pages be practically devoid of any useful
content (as famous phase "this page was intentionally left blank" catches
- Due to inherent limitations of scalability of open source development
Linux might not grow much beyond its current market share of about 10 %
leaving Red Hat and Novell with a cash flow problems that might negatively
influence the quality of support. Red Hat is involved in a costly
"war of clones" with CentOS and other "rebuilers" of its Enterprise Server
and Novell experiences a financial drain due to the decision of major customers
to move to Windows 2003 instead of Suse.
- Linux deployment requires re-training of system administration and security
staff to create and maintain the adequate level of security. While
being a flavor of Unix, Linux is different from Solaris, AIX and HP-UX; hardware
is also different from typical RISK servers ( but is the same as is used for
Novell and Windows servers). That means that deployment of Linux requires additional
training of Unix and security staff. The level of retraining required
is approximately the same as for transition from one brand of Unix to another,
for example, Solaris to AIX or vice versa.
Security of the Linux generally can be improved by the similar methods as in
Solaris and most tools used for improving Solaris security are applicable to
Linux. Still there are substantial differences in OS architecture and
the level of vulnerability of Linux servers is closer to the level of vulnerability
of Windows servers then Solaris. This generally requires to more frequent
patching and more complex, deeper hardening; Like Windows, Linux can benefit
from "on-availability" (via patching wizard) patching cycle instead of quarterly
patching cycle typically used for commercial Unixes.
- There is no substantial differences in the security of two major Linux
distributions: Red Hat Enterprise Server 3 and Suse Enterprise Server 9(SLES).
In the security comparison matrix (see below) they reached close scores (with
Red Hat slightly ahead of Suse). Red Hat Enterprise 3 has achieved Controlled
Access Protection Profile compliance under The Common Criteria for Information
Security Evaluation (CC), commonly referred to as CAPP/EAL3+ which formally
makes them adequate for non-military deployments like most deployments in large
enterprise space; Novell SLES 9 became the first Linux formally compliant with
the Common Criteria Evaluation CAPP/EAL 4 standards, which is a slightly higher
level of certification. This puts SLES9 in the same league as Windows 2000 for
sales in the government sector. SUSE LINUX Enterprise Server 9 was the first
Linux distribution to achieve an EAL4 certification.
For comparison, Sun Microsystems
announced that the Trusted Solaris 8 4/01 Operating Environment (Solaris
OE) received security certification under the Common Criteria Labeled Security
Protection Profile (LSPP) at Evaluation Assurance Level 4 (EAL4) in May 1, 2002.
AIX 5L for POWER V5.2 received a
Common Criteria EAL4 Augmented rating on Sept 8, 2003.
But those ratings does not tell the whole story about security as they ignore
several important dimensions of security as well as the security of applications.
In choosing Linux flavor for deployment one should take into account the development
platform that a particular application vendor is using in-house. For example
Oracle uses Red Hat as a development platform and that means that it is slightly
safer to use Red Hat as a deployment platform.
Still the mere fact of existence of two distributions of the same product makes
the Linux community and most of the independent software vendors (ISV) nervous.
There is a fear that one or other distribution will fold or that due to competitive
motives Red Hat and Suse will further diverge, repeating the path that commercial
Unix went more than two decades ago.
- In the future (three to five years) Linux also can be considered as a
platform for Oracle and SAP/R3 application servers. Among current enterprise
applications that in the future can me migrated to Linux from the security standpoint
the following should be considered:
- Small and midrange Oracle databases (some security benefits can
be achieved due to better availability of hardening tools on Linux and peripheral
standing of HP-UX in the Unix security space, see comparative security matrix).
This move might be facilitated by Oracle selection of Linux as the
development platform (Oracle plans to transfer most of its developers from
Solaris to Linux in 2005).
- SAP/R3 application servers. SAP supports mySAP Business Suite
on Linux since 2000 and recommends Linux for mission-critical environment;
security advantages of such migration are minimal and price/performance
ratio consideration should guide such a decision.
- Websphere application servers. IBM is a strong supporter of Linux
and pays a lot of attention for developing Websphere on this platform.
That deployment requires better thread support that is available with 2.4
- Linux distributions currently has the best selection and the level of
deployment of open source security tools of all platforms.
For example, Red Hat distribution has Tripwire pre-installed. SSH, sudo and
xinetd are also pre-installed. Powerful vulnerability scanners (nmap, Nessus,
etc) and intrusion detection system (Snort) are available with both Suse and
Red Hat at no charge. That means that some savings can be utilized in security
space by more wide usage of Linux-based open source security solutions, especially
vulnerabilities scanners and IDS sensors (Snort).
Most of those open source tools are available for Solaris too and perform
as well as in Linux in Solaris environment. But their availability is
lower and most documentation is explicitly Linux-oriented.
- We judge the risks of SCO lawsuit as minimal, but the uncertainly surrounding
GPL license as a real problem. The usage of GPL components need at least be
documented and understood, especially in the commerce and WEB-related code provided
by outsourcers. Copyright infringement suits related to open-source could
be a serious distraction and PR problem for large enterprises which widely embraced
the technology as a cost-saving measure. Behavior of FSF as GPL custodian
is largely unpredictable and it tends periodically launch GPL purity jihads
against arbitrary targets. That might be a part of their PR strategy.
Open-source has been around for two decades as a favorite tool of computer scientists
and technology-minded IS staff, but after IBM's decision to support Linux in
1999, partly as a counterweight to the Microsoft Windows, moved into enterprise
environment. Open-source software is freely available to use, distribute and
modify, but it is subject to restrictions set forth in several different open-source
licenses. The most restrictive open source license is so called General Public
License (GPL) which among other things require the company to open the code
if the code is using GPL-components and the company resell the software. As
most large enterprises generally do not resell the software the risk are minimal.
Still the fact that in March 2003 SCO sued IBM for more than $1 billion,
alleging that it had contributed to Linux proprietary code misappropriated from
SCO should serve as a warning that some litigation is possible against any large
enterprise with considerable Linux deployment. The heart
of SCO's argument is that it claims ownership of the copyrights to Unix System
V and that parts of that operating system have been illegally built into Linux
code. SCO claims it bought the rights to Unix from Novell, which had purchased
them from AT&T. U.S. District Court in Utah ordered that IBM must provide
SCO with source code for its AIX and Dynix operating systems. The ruling clears
the way for SCO to comb IBM's code for traces of proprietary SCO Unix code.
Whether infringing code is found remains to be seen, but the court action should
send a note of caution to IT departments everywhere.
In addition about 1,500 companies that widely deployed
Linux received warning letters from SCO. That resulted in businesses fear of
open source usage related lawsuits. And SCO has since sued DaimlerChrysler,
AutoZone and Novell.
Copyright infringement suits related to open-source could be a serious distraction
for large enterprises which widely embraced the technology as a cost-saving
measure. For example Wal-Mart uses Linux in its cash registers and due to its
size might be a potential target for a lawsuit.
Linux's potential risks for intellectual property infringement litigation and
the lack of indemnities and other legal protections extends to open-source software
in general, especially GPL-based software [Cassim&Overly2005].
That means that while usage of open source tools (often packaged with
other Unixes like in Solaris in addition to Linux) is generally safe,
the usage of GPL-based components in e-commerce and Web applications should
be subject to review due to possible misappropriation of somebody else intellectual
property in such components. If quality alternatives are available it
is recommended that large enterprises select open source products licensed under
BSD-derived licenses, Artistic license or their close derivatives, not GPL-based
It's clear that there might be additional costs the company that does not protect
itself from potential open-source usage related litigation. That's why code
reviews for commerce and web software developed by outsourcers are recommended
above. This is similar to buying insurance or the Sarbanes-Oxley compliance
audit. The problem is that offshore software developers working on web
and e-commerce applications routinely borrow pieces of open-source code as building
blocks. If proprietary code is mixed with the GPL code and
the software is to be redistributed or sold as a commercial product, a license
conflict is possible. The extreme solution would be explicit banning GPL components
in Web and e-commerce software produced by outsourcers. More moderate
approach would be use specialized scanning software to hunt for the GPL license
conflicts. An example of such software is
The most important aspect of the problem is that currently large corporations
often simply do not know whether GPL components are used in their e-commerce
or open source software.
FAIR USE NOTICE This site contains
copyrighted material the use of which has not always been specifically
authorized by the copyright owner. We are making such material available
in our efforts to advance understanding of environmental, political,
human rights, economic, democracy, scientific, and social justice
issues, etc. We believe this constitutes a 'fair use' of any such
copyrighted material as provided for in section 107 of the US Copyright
Law. In accordance with Title 17 U.S.C. Section 107, the material on
this site is distributed without profit exclusivly for research and educational purposes. If you wish to use
copyrighted material from this site for purposes of your own that go
beyond 'fair use', you must obtain permission from the copyright owner.
ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no
less then 90 days. Multiple types of probes increase this period.
Two Party System
as Polyarchy :
Corruption of Regulators :
and Control Freaks : Toxic Managers :
Harvard Mafia :
: Surviving a Bad Performance
Review : Insufficient Retirement Funds as
Immanent Problem of Neoliberal Regime : PseudoScience :
Who Rules America :
: The Iron
Law of Oligarchy :
War and Peace
Finance : John
Kenneth Galbraith :Talleyrand :
Oscar Wilde :
Otto Von Bismarck :
George Carlin :
Propaganda : SE
quotes : Language Design and Programming Quotes :
Random IT-related quotes :
Somerset Maugham :
Marcus Aurelius :
Kurt Vonnegut :
Eric Hoffer :
Winston Churchill :
Napoleon Bonaparte :
Ambrose Bierce :
Bernard Shaw :
Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient
markets hypothesis :
Political Skeptic Bulletin, 2013 :
Unemployment Bulletin, 2010 :
Vol 23, No.10
(October, 2011) An observation about corporate security departments :
Slightly Skeptical Euromaydan Chronicles, June 2014 :
Greenspan legacy bulletin, 2008 :
Vol 25, No.10 (October, 2013) Cryptolocker Trojan
Vol 25, No.08 (August, 2013) Cloud providers
as intelligence collection hubs :
Financial Humor Bulletin, 2010 :
Inequality Bulletin, 2009 :
Financial Humor Bulletin, 2008 :
Bulletin, 2004 :
Financial Humor Bulletin, 2011 :
Energy Bulletin, 2010 :
Malware Protection Bulletin, 2010 : Vol 26,
No.1 (January, 2013) Object-Oriented Cult :
Political Skeptic Bulletin, 2011 :
Vol 23, No.11 (November, 2011) Softpanorama classification
of sysadmin horror stories : Vol 25, No.05
(May, 2013) Corporate bullshit as a communication method :
Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000):
the triumph of the US computer engineering :
Donald Knuth : TAoCP
and its Influence of Computer Science : Richard Stallman
: Linus Torvalds :
Larry Wall :
John K. Ousterhout :
CTSS : Multix OS Unix
History : Unix shell history :
VI editor :
History of pipes concept :
Solaris : MS DOS
: Programming Languages History :
PL/1 : Simula 67 :
History of GCC development :
Scripting Languages :
Perl history :
OS History : Mail :
DNS : SSH
: CPU Instruction Sets :
SPARC systems 1987-2006 :
Norton Commander :
Norton Utilities :
Norton Ghost :
Frontpage history :
Malware Defense History :
GNU Screen :
OSS early history
Principle : Parkinson
Law : 1984 :
The Mythical Man-Month :
How to Solve It by George Polya :
The Art of Computer Programming :
The Elements of Programming Style :
The Unix Haterís Handbook :
The Jargon file :
The True Believer :
Programming Pearls :
The Good Soldier Svejk :
The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society :
of the IT Slackers Society : Computer Humor Collection
: BSD Logo Story :
The Cuckoo's Egg :
IT Slang : C++ Humor
: ARE YOU A BBS ADDICT? :
The Perl Purity Test :
Object oriented programmers of all nations
: Financial Humor :
Financial Humor Bulletin,
2008 : Financial
Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related
Humor : Programming Language Humor :
Goldman Sachs related humor :
Greenspan humor : C Humor :
Scripting Humor :
Real Programmers Humor :
Web Humor : GPL-related Humor
: OFM Humor :
Politically Incorrect Humor :
IDS Humor :
"Linux Sucks" Humor : Russian
Musical Humor : Best Russian Programmer
Humor : Microsoft plans to buy Catholic Church
: Richard Stallman Related Humor :
Admin Humor : Perl-related
Humor : Linus Torvalds Related
humor : PseudoScience Related Humor :
Networking Humor :
Shell Humor :
Financial Humor Bulletin,
2011 : Financial
Humor Bulletin, 2012 :
Financial Humor Bulletin,
2013 : Java Humor : Software
Engineering Humor : Sun Solaris Related Humor :
Education Humor : IBM
Humor : Assembler-related Humor :
VIM Humor : Computer
Viruses Humor : Bright tomorrow is rescheduled
to a day after tomorrow : Classic Computer
The Last but not Least
Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org
was created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author free time. This document is an industrial compilation designed and created exclusively
for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong
to respective owners. Quotes are made for educational purposes only
in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains
copyrighted material the use of which has not always been specifically
authorized by the copyright owner. We are making such material available
to advance understanding of computer science, IT technology, economic, scientific, and social
issues. We believe this constitutes a 'fair use' of any such
copyrighted material as provided by section 107 of the US Copyright Law according to which
such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free)
site written by people for whom English is not a native language. Grammar and spelling errors should
be expected. The site contain some broken links as it develops like a living tree...
The statements, views and opinions presented on this web page are those of the author (or
referenced source) and are
not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Created May 1, 2004; Last modified:
October 11, 2015