Comparing Linux and Microsoft Windows for Enterprise Usage
The Windows firewall included in Server 2008 and Windows 7 is a great improvement over previous incarnations. It filters on packets, IP addresses and source/destination program, and its management GUI is easy to use. However, it lacks some of the advanced features found in Linux-based firewalls. In contrast, Linux has been wed to open-source firewall development in near lockstep since ipchains and now iptables. Although many admins still prefer the text-based administration of iptables, there are many easy-to-use GUI-based interfaces, such as the one found in SUSE through Yet another Setup Tool (YaST, Figure 3). Unfortunately, these tools often limit access to advanced features, such as port redirection, IP translation and quality of service, which can be accessed from the command line. To be fair, some of these capabilities are available in Server 2008 by adding other modules (RRAS) or products (ISA), but that adds another layer of administration and cost where Linux possesses them out of the box. Some admins may feel that firewalls are not a significant factor in enterprise security except in the perimeter. Others suggest that firewalls are more important now than ever, because technologies like the cloud and mobile computing are erasing the traditional boundaries of the perimeter. Only time will tell.
The last decade easily could have been labeled the Decade of the Patch. Because of the ever-evolving security landscape, new vulnerabilities are discovered daily. Don't get me wrong. Security researchers provide an invaluable service to the industry, but sometimes when I have to push patches en masse daily, I pine for the old days when I could just push a single service pack every so often. Patching is not solely a Microsoft phenomenon. Vulnerabilities exist in Linux as well. Most modern operating systems worth their salt include a native updating mechanism to address flaws and vulnerabilities. In Windows, it is Automatic Updates for individual systems or Windows Software Update Services (WSUS) for managing a large number of systems. Microsoft has done well with both programs and should be applauded for their maturation in the last five years. Like its name implies, Automatic Updates automates the patching of host systems through a Control Panel interface. WSUS adds reporting features and the ability to centralize patch distribution, although the process for approving, denying and/or superseding patches can be kludgy.
Linux updating mechanisms vary by distribution, but share similar functionality with their Microsoft counterparts. Debian-based systems have apt, Red Hat-based systems have Yellowdog Updater Modified (YUM), and SUSE has YaST (which provides a graphical front end to the ZYpp package management engine). Each tool is easy to automate and includes the ability to resolve dependency issues prior to an update. They also share the ability to deploy local repositories to reduce bandwidth consumption as with WSUS, but to achieve the nicer dashboard and reporting features of WSUS requires subscription-based services, such as Red Hat Network (Figure 4) or Landscape from Canonical (Figure 5).
DNS and DHCP are production network roles where many Linux servers make their entry into an enterprise. Although these services may seem boring, they form the backbone of the modern enterprise. On the Microsoft side, we have the proprietary versions of DNS and DHCP included in Server 2008. Both are configured using the Server Manger utility and then administered through their respective mmc consoles. Microsoft has integrated its versions of DNS and DHCP deeply with Active Directory (AD) and a multitude of its proprietary network services. Although on the surface this may not seem like a problem, a single misconfiguration can affect multiple parts of the Microsoft infrastructure (AD, Exchange and so on). On the Linux side, we have the Berkeley Internet Name Domain (BIND), the standards-based market leader. BIND is a dependable workhorse that has enough flexibility to support Active Directory and keep DNS administration separate from other parts of the infrastructure. You can administer BIND through the command line or GUI tools like the Red Hat BIND Configuration Tool (Figure 6).
Alongside DNS, DHCP is a critical, though overlooked network service. It also is an excellent springboard for Linux in a new environment. It is low impact and can integrate into almost any existing network with little interruption. DHCP is available in most distros, and tools like those found in YaST make administration a snap (Figure 7). DNS and DHCP usually can be combined on a single server, as is found in many Microsoft environments, but with a smaller footprint.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- BitTorrent Inc.'s Sync
- The Humble Hacker?
- The Death of RoboVM
- The US Government and Open-Source Software
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- New Container Image Standard Promises More Portable Apps
- Open-Source Project Secretly Funded by CIA
- AdaCore's SPARK Pro
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide