[Tfug] Multiple distros for security?

Matt Jacob matt at mattjacob.com
Thu Jan 22 20:40:03 MST 2009


Hi everybody,

An issue came up at work recently while discussing the architecture
for a new DNS server deployment. It was suggested that using different
distros (Debian, FreeBSD, and probably CentOS) across each DNS server
would provide greater security in the event of a 0-day exploit against
a particular distro. While I don't disagree with that thinking, an
obvious con is that maintenance will take longer, software versions
will be out of sync, and admins will be forced to manage systems
they're not comfortable with.

The question, then, is whether there is enough merit in distro
diversification to outweigh the added complexity and management time.
My feeling is that proven distros such as Debian, CentOS, Fedora,
SUSE, etc. are secure enough to stand on their own, and I think we've
seen this verified in the wild. However, I can't forget about the
Debian OpenSSL vulnerability not so long ago that seems to disprove my
theory. On the other hand, attacks against a particular piece of
software would apply to any system (Apache, MySQL, PowerDNS, etc.).

Alright, enough of me thinking out loud. Spark some discussion and try
to convince me one way or the other.

Thanks!

Matt



