[Tfug] Multiple distros for security?

Matt Jacob matt at mattjacob.com
Thu Jan 22 21:54:52 MST 2009


Thanks for the suggestions, but I'm not really looking to switch to
something else. I'm wondering if 3 locked-down Debian boxes, or 3
locked-down CentOS boxes, or 3 locked-down FreeBSD boxes are
inherently any less secure than 3 boxes comprised of 1 of each of
those.

I'm aware that some distros are more secure than others out of the
box, but like I said, the distro isn't important. This is more about
theory.

Matt

On Thu, Jan 22, 2009 at 9:49 PM, Tyler Nienhouse
<flakeparadigm at gmail.com> wrote:
> Agreed. As I have heard, OpenBSD is one of, if not the most, secure
> operating system out there.
>
> -Tyler
>
>
> On Thu, Jan 22, 2009 at 21:44, Jordan Aberle <jordan.aberle at gmail.com>
> wrote:
>>
>> If you want a locked down secure server I would recommend OpenBSD,
>> http://www.openbsd.org/
>> They have only had two remote exploits in the last ten years, and even
>> those never made it past proof of concept.
>>
>>
>> -Jordan
>>
>> On Thu, Jan 22, 2009 at 8:40 PM, Matt Jacob <matt at mattjacob.com> wrote:
>>>
>>> Hi everybody,
>>>
>>> An issue came up at work recently while discussing the architecture
>>> for a new DNS server deployment. It was suggested that using different
>>> distros (Debian, FreeBSD, and probably CentOS) across each DNS server
>>> would provide greater security in the event of a 0-day exploit against
>>> a particular distro. While I don't disagree with that thinking, an
>>> obvious con is that maintenance will take longer, software versions
>>> will be out of sync, and admins will be forced to manage systems
>>> they're not comfortable with.
>>>
>>> The question, then, is whether there is enough merit in distro
>>> diversification to outweigh the added complexity and management time.
>>> My feeling is that proven distros such as Debian, CentOS, Fedora,
>>> SUSE, etc. are secure enough to stand on their own, and I think we've
>>> seen this verified in the wild. However, I can't forget about the
>>> Debian OpenSSL vulnerability not so long ago that seems to disprove my
>>> theory. On the other hand, attacks against a particular piece of
>>> software would apply to any system (Apache, MySQL, PowerDNS, etc.).
>>>
>>> Alright, enough of me thinking out loud. Spark some discussion and try
>>> to convince me one way or the other.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>> _______________________________________________
>>> Tucson Free Unix Group - tfug at tfug.org
>>> Subscription Options:
>>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>>
>>
>
>



