I'm slowly working through the last few days' developments while I attended my 10th reunion at the US Air Force Academy. I recently received the following email:
"I have been reading your book on The Tao of NSM. I am an amateur but very interested in the subject. My only issue is that I am very uncomfortable with your bias against Windows and for the OpenSoftware. [sic] In our market, 95% of the desktops and 55% of the servers are Windows. We do not want to be caught in the emotional battle of OS. Any chance you can recommend a Windows zealot that is as good with the NSM subject as you are?"
This is an interesting question, as I directly address my sentiments on operating systems in chapter 3 of my book. I was also "quoted" on Slashdot recently about OpenBSD, but I can't remember making that statement. (If you know where it came from, email taosecurity at gmail dot com.)
Several factors drive my personal preference for UNIX, or more specifically, FreeBSD-based sensors. Some are personal and some are universal. Many places where BSD appears, Linux and in some cases Mac OS X also applies.
1. Platform Security: One of the primary responsibilities of a security professional is to avoid introducing additional vulnerabilities while deploying people, processes, and products to improve security. The Hippocratic Oath, "First, do no harm," applies. I am not confident that a Windows system can defend itself on the Internet. Configuring a Windows system such that it can operate independently, outside of the protection of a firewall, is not easy. I can quickly disable all services except OpenSSH on a FreeBSD or OpenBSD platform, and not need a host-based firewall. With Windows, unless I deploy a host-based firewall, it is difficult to disable all unnecessary services. Furthermore, Windows' security record pales in comparison to FreeBSD or OpenBSD. A security professional should not have to worry about monthly security updates for his security platform.
2. Network Performance: Aside from the work of people like Fulvio Risso and the Winpcap team, I do not see the level of attention paid to Windows network performance as I do for FreeBSD. I know of a proprietary military intrusion detection system, a commercial packet capture device (Sandstorm NetIntercept), and other platforms deployed on FreeBSD specifically for the robustness of its TCP/IP stack and network performance. On the Linux side work done by Phil Wood and Luca Deri also point to specific network performance enhancements. One of the primary reasons to deploy a sensor is to collect traffic, and no one ever cites traffic collection capabilities as a strength of Windows.
3. Ease of Deployment: Many assume Windows must be the easier OS to deploy since it uses a GUI. Nothing could be further from the truth. GUIs are helpful because they tend to put options in front of the user in menu format. CLIs tend to be difficult because the user must know what series of commands and options must be passed to accomplish a given task. Once the CLI is understood, however, it is easier to accurately replicate and track the actions taken on a CLI system. How does one run script to record actions taken on a Windows GUI?
Beyond the GUI vs CLI, I believe the UNIX model and especially the BSD's OS installation process to be much more suited for building sensors. For example, it is trivial to deploy a very stripped down FreeBSD or OpenBSD sensor using built-in installation options. Fanatics are free to go the extra mile to remove tools in preselected packages, but that is not always necessary. Even deploying the most minimal Windows system still installs a graphical subsystem as part of the Windows kernel.
4. System Administration: I think it is easier to administer BSD or UNIX systems in general. I can do everything I need over OpenSSH, which is installed on the OS (unlike OpenSSH added to a Windows box). I can use OpenSSH over a low bandwidth link if necessary, unlike Terminal Services (VNC is another matter, but is again an add-on). I can check critical configuration files into RCS and track or roll back changes. I can copy these config files easily among machines. There is a defined and well-understood separation between user roles and root users. There is no ports tree for Windows, giving easy access to almost 12,000 applications.
5. Diverse Tools: Most of the tools in my book are UNIX-based because the majority of network security monitoring tools were developed by UNIX programmers. Besides the other four reasons given, this one is a major reason why I know of no "Windows zealot that is as good with the NSM subject" as me. Commercial tools exist, but with ever tighter security budgets I don't see many enterprises having the money to buy them. Open source is more than free -- it's also the power to change tools that don't do what you want. Although I don't see the value in Web-based alert browsers like ACID, I appreciate that a project like Basic Analysis and Security Engine (BASE) could fork the ACID code base to continue development of that tool. Such innovation is just not possible with proprietary tools.
These are the reasons I am an open source advocate and user. I know of several very smart people working for Microsoft and this critique is not intended to attack them. However, I am more confident that my BSD-based security appliances will do the job they were built for, and not become a liability when I deploy them.