i had originally sent this to Mustapha Obeid directly, feeling
that it is off-topic for firewalls. after reading others' responses,
perhaps i was wrong ;^) i have added some security related material.
i will generally limit my comments to commercial operating systems (BSDI)
with only occasional references to either Linux or other non-commercial
operating systems.
Ken Hardy <ken@bridge.com> raised a performance issue regarding
BSDI on a 386 20MHz (not an SX, i hope). that issue is addressed below
in parts labelled "performance" and "hardware".
Security:
(vulnerability response time, possible +)
an operating system that provides source code (BSDI commercially,
FreeBSD, NetBSD, OpenBSD and Linux, non-commercially) is a significant
advantage over closed operating systems. CERT does not release
advisories until the vendor is prepared to deal with the vulnerability; as
far as i know/have heard there is no time-limit on this policy. the
users are left vulnerable until the vendor, with all its considerations--
not exclusively security, coordinates with CERT. in the meantime, those
with source code operating systems can try to address the problem themselves.
(os hardening, definite +)
source code access lets you "harden the os" as TIS has done
with BSDI for their Gauntlet product. similarly, NCR chose BSDI for their
new commercialized SOCKS product--Private Net (?).
(code integrity, definite +)
source code available operating systems often have "live
filesystem" cdroms. you can run the machine off the cdrom and mount /tmp
(etc.) from a disk. hard to install a trojan, but also hard to update.
(NCR chose this route with BSDI. FreeBSD and Linux have "live
filesystem" cdroms.) tripwire not required.
(code quality, questionable)
commercial operating systems are products of companies. the
company may lose business if it fields a particularly buggy version.
this is often an argument against source code available operating systems.
However, BSDI flies in the face of this claim. BSDI is under
considerable pressure to write clear, concise, high-quality code--after
all, their "dirty linen" is out in the open.
(support)
with a commercial operating system, you can purchase support.
depending upon the vendor and the problem, this may be more or less
effective. those non-commercial operating systems that have formal
releases and energetic mailing lists provide a higher level of support
than many commercial operating system vendors. in addition, you reach
the programmer that is responsible for the code and work with that person
to get the problem resolved, something that is often impossible with a
commercial operating system.
(summary of security)
there are three choices, commercial--no source,
commercial--source, and non-commercial--source. which one is "the right
one" for you is determined by your environment, not the technical merit of
the operating system. some businesses are not capable of accepting a
non-commercial product. for those businesses, BSDI may be the best
choice. BSDI provides many of the benefits of a source available
operating system without any of the drawbacks.
in the mail included below, i wrote to Mustapha Obeid about
performance, hardware, cost and some general issues.
Jonathan M. Bresler 202-452-2931 breslerj@frb.gov
MS-169, Federal Reserve Board of Governors, Washington DC 20551
I am speaking for myself only, not the Federal Reserve Board of Governors
---------- Forwarded message ----------
Date: Sun, 25 Feb 1996 11:27:53 -0500 (EST)
From: Jonathan M. Bresler <m1jmb00@irmmp1>
To: Mustapha Obeid <musta@eve.info.umoncton.ca>
Subject: Re: Linux Disadvantages (Edited Question)
On Sat, 24 Feb 1996, Mustapha Obeid wrote:
> Dear friends & enemies :-)
>
> Sorry for the last *vague* question.
> Again, here's the same question but, hopefully, with more details this
> time!
this is not really a firewalls question, so i am responding to you
directly rather than to the list.
> - What are the major three disadvantages of using Linux (1.2.3) instead
> of a SunOS ? That's disadvantages in terms of security (any serious
> security holes yet discovered ?), performance, reliability and
> processing speed. Comparisons should be based on a usual SPARC 20
> and a Pentium 75 MHz, one of which is supposed to be used as a
> medium size commercial Internet server (where medium size = an
> average of 40 active users at any time).
>
> Both of the SPARC 20 and the Pentium 75 are supported with 48 Megs of
> RAM, 128 Megs of swap memory and a fast HDD of 5 GB. Web, Mail and
> News Services are intended to be run on the chosen system which is
> supposed to support a number of 400 --> 500 users.
you may want to compare the operating systems on the same
hardware first. then compare the different hardware platforms (the price
difference is significant). finally you might compare a sparc20 configured
as you want against an 80586 of equal cost (more disk, more memory, same
price).
performance:
please read mary baker and kevin lai's paper presented at this
winter's usenix technical conference. http://plastique.stanford.edu/
(their web server seems to be having problems, i can email you
the paper. just ask.)
they tested Linux 1.2.8, Solaris 2.4, and FreeBSD 2.0.5R.
all these tests were run on identical hardware--586-100, 32MB,
ncr 53c810 scsi controller, 2-2GB disks, 3c509 ethernet board.
hardware:
using the HINT benchmark available from scl.ameslab.gov, and
recognizing that integer performance is your requirement,
a 586-90 (the one i am using now) outperforms a sparc20 (which i
use for floating point work) by a factor of 2:1. even in floating
point, the sparc20 is less than 20% faster than a 586 (high-quality
686 motherboards will be available soon).
cost:
i don't know your cost from sun, sorry. you will have to do this
comparison on your own. sun gives good deals on hardware trade-in
as well.
general:
rather than purchasing a single large scsi disk, 2 or more disks will
serve you better, especially if you break up news across the disks.
Jonathan M. Bresler 202-452-2931 breslerj@frb.gov
MS-169, Federal Reserve Board of Governors, Washington DC 20551
I am speaking for myself only, not the Federal Reserve Board of Governors
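The "code integrity" point in the first message (a root filesystem run from a read-only "live filesystem" CD-ROM makes a trojaned binary hard to plant, so a tripwire-style check is not required) is easier to weigh with the check itself written out. The block below is an added example, not code from the post, from tripwire, or from any of the operating systems named. It records a digest baseline of a file tree, re-verifies it later, and reports added, removed and modified files over a constructed scenario; `is_readonly_mount` relies on `os.statvfs` and `os.ST_RDONLY`, which assumes a POSIX host.

```python
# Added example (not from the post or from tripwire): a minimal baseline-and-verify
# integrity check of the kind the post says a read-only "live filesystem" root
# makes unnecessary.  All files and contents here are constructed for illustration.
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Digest of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file below root (POSIX-style relative path) to its digest.

    Symlinks are skipped so a link pointing outside the tree cannot pull a
    foreign file into the manifest.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def verify(root, baseline):
    """Re-walk the tree and report what differs from the recorded baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def is_readonly_mount(path):
    """True when the filesystem holding path is mounted read-only (e.g. a CD-ROM root).

    On such a mount the baseline never needs refreshing; on a writable root the
    verify() step is what stands in for the medium's immutability.
    """
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)


def demo():
    """Constructed scenario: a tiny fake system tree, a baseline, then two changes.

    Returns (clean_report, dirty_report, root_was_readonly).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary (constructed)\n")
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)\n")

        baseline = build_baseline(root)   # taken at "install time"
        clean = verify(root, baseline)    # nothing has changed yet

        # Simulate what a defender wants caught: one binary replaced, one file dropped in.
        (root / "bin" / "login").write_bytes(b"replaced login binary (constructed)\n")
        (root / "bin" / "ps").write_bytes(b"unexpected new binary (constructed)\n")
        dirty = verify(root, baseline)

        return clean, dirty, is_readonly_mount(root)


if __name__ == "__main__":
    clean_report, dirty_report, readonly = demo()
    print("clean run:", clean_report)
    print("after changes:", dirty_report)
    print("root mounted read-only:", readonly)
```

Run directly, it prints an empty report for the untouched tree and then names `bin/login` as modified and `bin/ps` as added. The catch on a writable root is that the baseline manifest itself must be kept somewhere the running system cannot alter, otherwise the check is only as trustworthy as the disk it reads; that is precisely the property a read-only CD-ROM root gives for free, which is the post's argument for not needing tripwire there.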