Which Router for VPN and Webhosting

Discussion in 'Computer Security' started by wendy, Sep 12, 2003.

  1. On 17 Sep 2003 07:48:45 -0700, BC spoketh
    That's somewhat inaccurate. They didn't hide because of MSBlaster type
    probes, but because of the DDoS attack that was scheduled to happen on
    some given date against the Windowsupdate server(s). These servers were
    simply relocated to prevent these systems to be made unavailable to
    legitimate users in the event that the DDoS attack would take place.
    That fact that Akamai uses Linux to host their stuff is irrelevant. It's
    simply the one of the largest commercial content service provider
    around, and they were able to accommodate Microsofts request.

    Lars M. Hansen
    Lars M. Hansen, Sep 17, 2003
    1. Advertisements

  2. wendy

    BC Guest

    I wouldn't say that Akamai's use of Linux is all so
    irrelevant. Microsoft makes their own supposedly high
    end caching/firewall product called ISA Server -- where
    was that in all this? It's suppose to be competing with
    the like of Akamai's stuff and is allegedly used to
    protect Microsoft's servers, so you would think that
    Microsoft would have sufficient clout to get some
    content delivery service, Akamai or whoever, to use ISA
    for political reasons if nothing else. Akamai reportedly
    uses a bank of about 2000 Linux computers for content
    services. 2000 PC's would normally be a lot for most
    businesses, but that's a trivial amount for a company
    like Microsoft.

    So why does Microsoft have to rely on Linux-based systems
    for serious problems, with the Blaster issue being just
    the latest? Well, there are a few good reads here:


    In other words, Windows in any flavor simply isn't ready
    to play in the big leagues.

    BC, Sep 18, 2003
    1. Advertisements

  3. wendy

    Duane Arnold Guest

    In other words, Windows in any flavor simply isn't ready
    Yeah, right -- this is much to do about nothing. :)

    Duane :)
    Duane Arnold, Sep 18, 2003
  4. wendy

    Jim Watt Guest

    If they were expecting a one off delivery of shit, it might make
    sense to have it delivered to akami

    Indeed I took great joy in sending a client who wanted a system
    but was nrver going to pay to a new competitor ...
    Jim Watt, Sep 18, 2003
  5. On 17 Sep 2003 20:45:53 -0700, BC spoketh
    No firewall can counteract the effects of a DDoS attack. The webserver
    itself sitting behind the firewall may not be directly impacted, and the
    firewall (ISA or otherwise) will take the brunt of the attack. However,
    the wire will still be flooded with traffic. It is utterly irrelevant
    what brand of firewall you have, what OS the firewall is running on, and
    what web server you are using.

    Microsoft decided to temporarily relocate the windowsupdate site to
    somewhere that would not be impacted by a potential DDoS attack. You're
    reading why to much into that fact that the caching service was a Linux

    Windows, configured properly by someone who has a clue is just as secure
    as any Linux/Unix box.

    Lars M. Hansen
    Lars M. Hansen, Sep 18, 2003
  6. wendy

    Leythos Guest

    I can second what Lars has said - I've never seen a properly configured
    server with proper security measures compromised, and I've seen
    thousands of servers.
    Leythos, Sep 18, 2003
  7. wendy

    BC Guest

    Hmmm, if true, I guess that means nobody at Microsoft has a clue.
    Which in turn would mean all the rumors are true.... ;)

    BC, Sep 19, 2003
  8. wendy

    Jim Watt Guest

    I do not doubt that there are holes in Xitami as there is in all
    software, I found one in the payroll package we ran OK for
    ten years.

    However, the main reason that win98 is unstable is that it
    has problems managing memory, some applications take
    it and do not give it back on termination. This is a problem
    when switching between applications a lot.

    The NT design is much more robust.

    Something which
    Jim Watt, Sep 19, 2003
  9. On 18 Sep 2003 17:44:56 -0700, BC spoketh
    No, it means that all those boasting about Linux being a more secure
    platform has had their head up their asses for too long.

    Lars M. Hansen
    Lars M. Hansen, Sep 19, 2003
  10. wendy

    David Guest

    Have you used Linux yourself in order to verify that they are in fact the
    ones who can't breath?
    David, Sep 19, 2003
  11. On Fri, 19 Sep 2003 13:15:52 GMT, David spoketh
    Absolutely. I've installed and secured several Linux servers... I've
    also installed and secured a number of Windows servers, including domain
    controllers, Exchange servers, Domino servers and firewalls.

    Lars M. Hansen
    Lars M. Hansen, Sep 19, 2003
  12. wendy

    David Guest

    Did you compile your own kernels with "only" the necessary components?
    Disable loadable modules? Then add only what was needed on top?
    Set up the same type of server on a windows machine and see how much extra
    unnecessary BS you can get rid of.

    Kind of runs along the same lines as setting up a firewall with nothing
    allowed and then adding rules for only what is needed.....compared to
    allowing everything and they denying only the things the specific admin
    happens to know about.

    From there on its all same. Everything added to the machine is a potential
    problem. Tomorrow we may see a new IIS exploit, and the next day one for
    apache. There are lousy coders writing for both platforms and good ones
    Hell a lot of people don't take advantage of what Linux has above Windows.
    They see the "free" sign and use no discretion as to what they add to the
    machine. They use generic tools and scripts to set up netfilter never
    realizing how much more it has to offer. Many use it just like windows,
    default set up and I'm done. Lindows!!!

    But the fact that you can't take much of the unnecessary BS out of Windows
    is a huge problem. And the details to take some of it out is often only
    published after the exploits are known because of the tight controls on the
    source. Too much potential for too many people. Even for those who know what
    they are doing.

    Sure you can keep windows relatively safe but it is a PITA to keep patching
    and rebooting servers particularly for things you don't use but can't get
    off the system because of MS's flawed architecture.
    David, Sep 19, 2003
  13. wendy

    Duane Arnold Guest

    The main reason that any Win 9'x O/S is unstable is that the 16 bit DOS
    part of that O/S must share the same address space and processing thread
    with all 16 bit programs on the system. So, there is always the potential
    for any 16 bit program running in the same address space to hang the
    processing thread or take the thread down, which will hang or take DOS
    (the heart of the O/S) down with it. Any 32 bit process that needs to do
    16 bit processing is going to share the address space and 16 bit
    processing thread with all others and there is potential to hang the
    system again. This also means that those O/S(s) are not protected O/S(s)
    since they share address space and the processing thread with other 16
    bit programs. Many of device drivers for those O/S are 16 bit.

    This doesn't happen on the NT based O/S(s) because all processes running
    on the NT based O/S gets their own address space and processing threads
    16 or 32 bit, with the main reason being that NT uses individual VDM
    Virtual DOS Machines for each process requiring 16 bit processing. The NT
    based O/S is protected from any other process running, because it has its
    own address space and processing threads that are not shared.

    There are a lot of memory issues with NT processing too due to poor
    programming by programmers not destroying objects and releasing memory.
    But it doesn't lead to the entire O/S crashing on NT as it does with Win
    9'x or ME.

    Duane :)
    Duane Arnold, Sep 20, 2003
  14. wendy

    BC Guest

    Sorry, but that's a ridiculous statement. Extremely ridiculous.
    So ridiculous that I think I should contact someone at American
    Heritage Dictionaries and ask him/her to consider using this as
    an example for "ridiculous," as in:


    Deserving or inspiring ridicule; absurd, preposterous, or silly.
    "all those boasting about Linux being a more secure platform
    has had their head up their asses for too long" [syn: absurd,
    derisory, laughable, ludicrous, nonsensical, preposterous]

    ETYMOLOGY: L. ridiculosus, ridiculus, fr.ridere to laigh. Cf.
    OTHER FORMS: ri·dicu·lous·ly —ADVERB; ri·dicu·lous·ness —NOUN

    I know Linux, I know Windows, I know Netware. Netware is a pickup
    truck, Linux is a Monster Garage special, and Windows is a 5 yr
    old Alfa Romeo.

    Hope this clarifies and straightens.

    BC, Sep 20, 2003
  15. On 19 Sep 2003 18:09:43 -0700, BC spoketh
    Ok, so we know you are able to spell "ridiculous", but why don't you try
    to substantiate your claim that Linux is more secure than Windows...

    Lars M. Hansen
    Lars M. Hansen, Sep 20, 2003
  16. On 19 Sep 2003 18:09:43 -0700, BC spoketh

    I'd like to think that regardless of which OS you have, you can make it
    into an armored car or a beach buggy. It's really up to the person
    installing it.

    Granted, the default installations of Windows2K and WindowsXP has a lot
    of junk running, but in all fairness, so does a default installation of
    RedHat (at least the 3 versions that I've worked on; 7, 8 and 9) ...

    Lars M. Hansen
    (replace 'badnews' with 'news' in e-mail address)
    Lars M. Hansen, Sep 20, 2003
  17. wendy

    BC Guest

    Well... I have to say that I do know a fair amount about locking
    down Windows from my years of setting up secure public access
    Internet stations, and the fundamental reason why Windows can't
    possibly ever be made as secure as any Linux flavor is that
    you're very limited to what you can remove and turn off, and
    you're prety much kept entirely away from the low level, often
    competely undocumented kernel and communication functions.
    Linux/Unix-based OS's lend themselves well to frontline firewall
    apps and appliances because you can strip them down and make
    pretty much whatever low level configs you want, allowing you
    to harden them to your heart's content.

    Which brings me back to my original comment about Microsoft
    having to go use to Akamai's Linux caching firewalls for
    protection. You know full well that Microsoft has the resources
    to have set up a bank of ISA Servers somewhere to deal with the
    DDoS stuff, but they didn't. Because of time? Apparently they
    have been using Akamai for a while to deal with attacks and you
    don't need that many firewalls, even for a company the size of
    Microsoft So why then? Because their own stuff wasn't up for the
    job and it would have been mortifying for them to have to go
    out and buy Linux-based firewall systems, so contracting out
    the service was likely a face-saving gesture. If you look at all
    high-end firewall appliances and what they use for the underlying
    OS, that pretty does make your claim that Windows can be made as
    secure as any Linux/Unix box extremely ridiculous. How ridiculous?
    One can only count the ways....

    BC, Sep 20, 2003
  18. wendy

    Eirik Seim Guest

    I'll throw in some comments as well.

    Less bloat. According to Schneier[1], there are an average of five
    to 15 bugs in every thousand lines of code. In his book, "Secrets
    and Lies"[2], he estimates Windows 2000 to consist of somewhere
    between 35 and 60 million lines of code.

    Less security auditing. Linux is Open Source, which mean all of the
    source code is completely open for everyone to see. In contrast,
    no one outside Microsofts programming team has seen their source
    code[2, page 210]. This argument has lost some effect as Microsoft
    currently agree to let some (notably governments) see their code,
    but it's still not open for everyone to see. And it most likely
    never will be.

    This leads me to believe that _open source_ is in general more
    secure than _closed source_, and in particular: Small[3] open
    source products are more secure then big (bloated) closed source

    - Eirik

    1. http://dir.salon.com/tech/review/2000/08/31/schneier/index.html
    (page two)
    2. ISBN: 0-471-25311-1
    3. As in, less bloat than "big"
    Eirik Seim, Sep 20, 2003
  19. wendy

    David Guest

    But the difference is in the restrictions that MS has on what can be taken
    out. Add to that the fact that you can't run services in jails like you can
    with linux, and you realize it is much harder with windows to keep the
    compromise of a single service from leading to much much more.
    David, Sep 20, 2003
  20. wendy

    David Guest

    If you have ever used ISA server you would realize that it is geared for
    protecting workstations. It does have the capability to protect servers but
    in this respect probably best only for smaller businesses and not high
    traffic servers.

    Different firewalls are geared for different scenarios. So it's not a matter
    of MS not thinking their server couldn't handle it, it is a matter of MS
    knowing that their product wasn't design to be used for that specific
    purpose in the first place. And MS knowing that the problem would diminish
    quickly so renting services from elsewhere would be more cost effective than
    deploying their own equipment .
    David, Sep 20, 2003
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.