Selecting OS for High-availability/mission-critical web portal



Dear all,

I am a new system administrator for a company planning to create a web portal
which provides email, IM, e-business, and a search engine. Liferay is our
portal management tool.

I am searching for the best OS to be our platform. The required features are:

Attack resistance (I expect a lot of attacks, especially DoS).
Stability.
Performance.

Linux and OpenBSD are the main candidates for this mission.
Here I am listing my findings.


OpenBSD:
Pros
^^^
Security oriented on its base level (compilers, syscalls).
Overall system stability.

Cons
^^^
Performance is not the first priority. Benchmarks show clear performance
degradation when compared to Linux 2.6.x.
Package management is not as easy to handle as, e.g., apt-get and yum.
User community/developers are quite small.
By using third-party packages (e.g. liferay, apache), system security falls
back to those applications' security level. (The system is as secure as the
weakest link in the chain).
The project has financial problems (e.g.
http://www.linuxsecurity.com/content/view/122166/169/) which means that it
might not survive.



Linux Debian with SELinux:
Pros
^^^
Applies mandatory access control (SELinux).
SELinux improves access control as a whole, and immunity towards malware
(proactive approach).
Larger community, more howtos.
Stability.
Tons of ready-made packages.
Very easy security patching system, supported by good security team.
Our main services (Apache MySQL, Tomcat, and Liferay) were tested mostly for
Linux boxes.

Cons
^^^^
Performance degradation of 7% (SELinux)
(http://www.crypt.gen.nz/selinux/faq.html#WWW.14).


My thoughts are that:

* OpenBSD will become as vulnerable as the service running on top of it.
Hence I will lose the legendary security it has.

* When I look at the top 51 (http://uptime.netcraft.com/perf/reports/Hosters), Linux
had a 45% share, which means that it is highly secure.

* With OpenBSD I am not going to spend time hardening it but rather trying to
get the services (MySQL, Apache, ...) running on top of it, while in Linux
installing the services is easy but I need to spend a good amount of time
hardening the OS itself.

Any hint/comment is welcome.



Best regards,
Mohammad


