Actually... yes.

I am more than willing to use Linux without a firewall. It's not a big deal. Most people technically don't need firewalls the way you think they do or for the reasons you think (at least inbound); this is a common misconception. The only way an attacker can connect remotely to your computer is if you're running a service that listens on some port. A firewall simply blocks that port so that even if you are listening on it, the attacker can't touch it. In Windows this is usually necessary because many services start up and actively listen for connections. Also, these services usually run under an administrative account, so if they are breached then your whole system is tainted.
In Linux the story is quite different. A default install of Linux (unless you're installing a server or something obvious like that) for most distributions will not have any services listening publicly. If you have no services listening then a firewall is pointless; there is nothing for it to do. (Some firewalls do protocol filtering and blocking, but that is technically not a firewall.) Now assume that you do want services to listen. In Linux it's very easy and clear to know what is running and what port it is listening on. Since you know all the services that are listening for connections, a firewall is pointless. Firewalls are only there to block services that are accidentally listening on the network. Oftentimes a firewall is still put in place for a worst-case scenario... but it isn't by any means a "holy grail".
Another security design in Linux is that services don't have to run as an administrator, and most of the time they don't. (It is a rare exception to see someone run a service as root, extremely rare, and oftentimes if it does happen then it's a mistake... which is why quite a few services will refuse to run if they are being run under an administrative account.) Since the services aren't run with administrative privileges, the worst thing that happens is that the service is affected, but not your system. This assumes that the service has an exploit that can be taken advantage of. In Linux there are several security measures that protect programs from being exploited; two off the top of my head are ExecShield and SELinux. ExecShield randomizes memory mappings and some other things so that even if the attacker does find a buffer overflow or most other types of exploits... it's useless because he won't know what memory he is in. The service will likely crash, but you will not have been intruded and you can just restart the service. SELinux is a joint project by the NSA and Red Hat and some others that implements security features not found in any other operating system. It gives you complete control of the system. You can define things like "This user can run this program if these conditions are set, and that program can only access this file and the files in this directory. That program cannot interact with other programs and cannot access any external devices that are plugged in through USB." Essentially what I'm pointing out is the level of fine-grained control that you have over everything in your system under Linux. It truly is a completely different world than Windows and I could go on and on about more security features. Most of these things are things that you would never realize you didn't have if all you used was Windows, but the second you do use them you really can't live without them.
Windows is not an advanced operating system; it has some truly horrendous design decisions. The fact that its file systems have to be defragmented says it all. Most Windows users think that defragmenting is a necessary thing... it's only necessary under Windows because they chose a bad file system design. There is not a Unix file system that I know of that needs to be defragged, ever. Most of them take care of allocating data themselves and they make sure that it is done in a good way. More recent filesystems for Linux, like ReiserFS, take this to an even higher level. Linux is used in production environments... you can't just take down a server to defrag it; the idea is absurd and the fact that Windows makes its users do that says a lot about the company.
As far as viruses go, Linux is implemented with a least privilege design, in contrast with Windows' model of most privilege. What this means is that in Linux you run things as a non-privileged user, i.e. a regular user. If you somehow download a malicious file, set the file to executable, then execute it... the worst thing that happens is that the files in your home directory can be altered, deleted, read, e-mailed etc... In Linux you run with the least amount of privileges that you need to get a job done; if you need more privileges then you can add them. In Windows, you are by default an administrator. By default if you download a file and execute it, it has full system access and can do anything it wants. In Linux, it only has access to your home folder, not the system.
Linux takes security much more seriously than Microsoft. Hopefully this post made some sense; if it didn't then let me know. In Linux, it is extremely hard to be infiltrated, which is completely opposite in Windows. One thing that is important though is that the learning curve for Linux, and Unix in general, is higher than for Windows. It is worth taking the time to learn it though; it pays off greatly and makes your life much easier. I honestly have not been concerned about security for like 5 years now, whereas Windows users go out and spend all this money or download all these products just to protect the computer. What is the point of buying a PC if most of the processor is going to be spent on dumb little things like that? Also, if you want to see the currently most secure OS you may want to check out OpenBSD; it hasn't had a single remote vulnerability in over 8 years, however usability is a pain.
Regards,
Steve

Posted by: sgk284 Posted on: 10/07/05