[Tfug] Multiple distros for security?

Brian Murphy murphy+tfug at email.arizona.edu
Fri Jan 23 10:14:58 MST 2009


I agree with all of the points leading to a single locked down distro.
Being less familiar with a distro and dividing your focus in 3
directions is worse than locking down a single distro.  Because it's
going to be a bad day if even 1 of the 3 boxes gets exploited.  Regular
people won't understand that 2/3 of the infrastructure is functioning
okay.

Besides your standard iptables and running BIND in a chroot jail, there
is an additional step to a secure DNS implementation.  Separate your
external facing authoritative servers (the ones in the NS records) from
your internal-only facing recursive servers (the ones config'd in
resolv.conf/windows control panel/DHCP).

When you split your authority and caching servers you eliminate the
entire class of recursive poisoning attacks sent to your public
servers.

Brian

Quoting Matt Jacob <matt at mattjacob.com>:
> Thanks for the suggestions, but I'm not really looking to switch to
> something else. I'm wondering if 3 locked-down Debian boxes, or 3
> locked-down CentOS boxes, or 3 locked-down FreeBSD boxes are
> inherently any less secure than 3 boxes comprised of 1 of each of
> those.
>
> I'm aware that some distros are more secure than others out of the
> box, but like I said, the distro isn't important. This is more about
> theory.
>
> Matt
>
> On Thu, Jan 22, 2009 at 9:49 PM, Tyler Nienhouse
> <flakeparadigm at gmail.com> wrote:
>> Agreed. As I have heard, OpenBSD is one of, if not the most, secure
>> operating system out there.
>>
>> -Tyler
>>
>>
>> On Thu, Jan 22, 2009 at 21:44, Jordan Aberle <jordan.aberle at gmail.com>
>> wrote:
>>>
>>> If you want a locked down secure server I would recommend openbsd,
>>> http://www.openbsd.org/
>>> They have only had two remote exploits in the last ten years, and even
>>> those never made it past proof of concept.
>>>
>>>
>>> -Jordan
>>>
>>> On Thu, Jan 22, 2009 at 8:40 PM, Matt Jacob <matt at mattjacob.com> wrote:
>>>>
>>>> Hi everybody,
>>>>
>>>> An issue came up at work recently while discussing the architecture
>>>> for a new DNS server deployment. It was suggested that using different
>>>> distros (Debian, FreeBSD, and probably CentOS) across each DNS server
>>>> would provide greater security in the event of a 0-day exploit against
>>>> a particular distro. While I don't disagree with that thinking, an
>>>> obvious con is that maintenance will take longer, software versions
>>>> will be out of sync, and admins will be forced to manage systems
>>>> they're not comfortable with.
>>>>
>>>> The question, then, is whether there is enough merit in distro
>>>> diversification to outweigh the added complexity and management time.
>>>> My feeling is that proven distros such as Debian, CentOS, Fedora,
>>>> SUSE, etc. are secure enough to stand on their own, and I think we've
>>>> seen this verified in the wild. However, I can't forget about the
>>>> Debian OpenSSL vulnerability not so long ago that seems to disprove my
>>>> theory. On the other hand, attacks against a particular piece of
>>>> software would apply to any system (Apache, MySQL, PowerDNS, etc.).
>>>>
>>>> Alright, enough of me thinking out loud. Spark some discussion and try
>>>> to convince me one way or the other.
>>>>
>>>> Thanks!
>>>>
>>>> Matt
>>>>
>>>> _______________________________________________
>>>> Tucson Free Unix Group - tfug at tfug.org
>>>> Subscription Options:
>>>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org

The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
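
The split Brian describes can be verified on the wire. What follows is an
added example written for this page, not code from the original thread or
from BIND: it sends a DNS query with the RD (recursion desired) bit set for
a name the target server is not authoritative for, then reads the QR, RA
(recursion available) and RCODE fields of the reply. A public authoritative
server running with "recursion no;" should answer REFUSED with RA clear;
only the internal resolvers (restricted with "allow-recursion { ... };" to
the internal nets) should return RA set together with an answer. The probe
name www.example.com, the 192.0.2.1 address and the three sample replies
are constructed illustration data, and the server addresses on the command
line are whatever you point it at.

```python
import random
import socket
import struct

# --- wire format helpers (RFC 1035 header and question section) ---

def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a minimal DNS query. rd=True sets the RD bit, i.e. asks the
    server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Return the header fields a recursion check cares about."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }

def classify(response, expected_id):
    """Interpret a reply to an RD=1 query for an off-zone name.

    open-recursion       RA set and the server produced an answer: it is
                         resolving for whoever asks (wrong for a public
                         authoritative server).
    recursion-advertised RA set but no answer yet (e.g. NXDOMAIN or an
                         empty reply); the server still offers recursion.
    recursion-disabled   RA clear; typically RCODE REFUSED from a server
                         configured with 'recursion no;'.
    """
    h = parse_header(response)
    if h["id"] != expected_id:
        raise ValueError("transaction ID mismatch; possible spoofed reply")
    if not h["qr"]:
        raise ValueError("packet is not a response")
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursion"
    if h["ra"]:
        return "recursion-advertised"
    return "recursion-disabled"

def probe(server, name="www.example.com", port=53, timeout=3.0):
    """Send one RD=1 query over UDP and classify the reply."""
    txid = random.randrange(0, 0x10000)  # random ID, as a real resolver would
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, port))
        data, _ = s.recvfrom(4096)
    return classify(data, txid)

# --- constructed sample replies (not captures) for an A query on
#     www.example.com with transaction ID 0x1234 ---

def _response(txid, flags, answers=0):
    question = build_query("www.example.com", txid=txid)[12:]
    # compressed name pointer to offset 12, A/IN, TTL 300, rdlength 4, 192.0.2.1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + question + rr * answers

OPEN_RESOLVER_REPLY = _response(0x1234, 0x8180, answers=1)  # QR RD RA, NOERROR
REFUSED_REPLY = _response(0x1234, 0x8105)                   # QR RD, RCODE 5
AUTHORITATIVE_REPLY = _response(0x1234, 0x8500, answers=1)  # QR AA RD, RA clear

if __name__ == "__main__":
    import sys
    for server in sys.argv[1:]:
        print(server, probe(server))
```

Run it as "python3 probe.py <public-ns-ip> <internal-resolver-ip>" with a
name outside your own zones; the public NS entries should come back
recursion-disabled and the internal resolvers open-recursion only from
inside the internal nets (and refused from outside, which is what the
allow-recursion list is for).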