RE: Selecting OS for High-availability/mission-critical web portal

Here's a better question. How experienced are you with either? Why those two
for a comparison? If I were going to do anything with OpenBSD it might be a
firewall on a low bandwidth network. It isn't much use for anything else
with FreeBSD being available. Its legendary security comes from having
everything turned off by default; turn it back on and it's no better than
any other. It's a gimmick with the whole "default" wordplay. Performance, as
you said, is terrible.

Any one of the good Linux distros would suit you fine. A 2.6.x kernel is a
2.6.x kernel no matter which company ships it. Make sure your source
directories stay up to date with the STABLE release of whichever OS you
choose. If you are stuck on BSD, FreeBSD is the best current option. However,
if you have no experience with any of these, security won't matter. A simple
mistake could let the whole world in or cause it to crash (i.e. using the
wrong compiler flags while trying to squeeze performance out of a system).

If I were you and had this task I'd get a copy of your own favorite Linux
and strip the kernel down to only what is needed to run whatever software
you're running, recompile, then keep an eye on your applications' security
advisories and update as necessary. Don't run software that you don't need.
SELinux always broke whatever it was I was trying to use, so I don't have any
good stories about it. A small kernel, limited applications, and common
sense go a long way with security and stability.

Terry
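
The "don't run software that you don't need" advice above, turned into a check. This is an example added to the thread, not part of Terry's reply: a POSIX shell script that parses the kernel's own socket table in /proc/net/tcp format, lists every TCP port in LISTEN state, and flags any port not on an allowlist. The allowlist (22, 80, 443 for a web portal) and the embedded snapshot are constructed for the example; the snapshot shows what a host looks like when MySQL is bound to all interfaces and Tomcat's shutdown port was left open.

```shell
#!/bin/sh
# Audit listening TCP sockets against an allowlist of expected ports.
# Added example, not from the original thread. Reads /proc/net/tcp-format
# text on stdin, so it works on the live kernel table or a captured snapshot.

# Ports a web portal is expected to expose (SSH, HTTP, HTTPS).
# Hypothetical baseline for this example; adjust per host.
ALLOWED_PORTS="22 80 443"

# Print the decimal port of every socket in LISTEN state, sorted, unique.
# /proc/net/tcp rows: sl local_address rem_address st ...  where
# local_address is hexaddr:hexport and st == 0A means TCP_LISTEN.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' |
    while read -r hexport; do
        printf '%d\n' "$((0x$hexport))"      # hex port -> decimal
    done | sort -n | uniq
}

# Print listening ports that are not in ALLOWED_PORTS, one per line.
unexpected_listeners() {
    listening_ports | while read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                   # expected service
            *) printf '%s\n' "$port" ;;       # something extra is listening
        esac
    done
}

# Constructed /proc/net/tcp snapshot (not captured from a real host):
# sshd on 22, Apache on 80/443, MySQL on 3306 bound to 0.0.0.0, Tomcat's
# shutdown port 8005 on 127.0.0.1, plus one ESTABLISHED (st 01) connection
# to port 80 that must not be reported as a listener.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:1F45 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 100 0 0 10 0
   5: 0A00020F:0050 0A000201:C3A2 01 00000000:00000000 00:00000000 00000000    33        0 10006 1 0000000000000000 20 4 30 10 -1'

# Run the audit over the constructed snapshot.
audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_listeners
}

# Demo. On a real host run:  cat /proc/net/tcp /proc/net/tcp6 | unexpected_listeners
audit_sample
```

The snapshot yields 3306 and 8005: both are services the portal does not mean to expose and both become attack surface exactly as the reply warns. Note the check is by port only; a production version would also report the bound address, since 8005 on loopback and 3306 on 0.0.0.0 are very different exposures.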

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Mohammad Halawah
Sent: Wednesday, November 29, 2006 8:14 AM
To: focus-linux@xxxxxxxxxxxxxxxxx
Subject: Selecting OS for High-availability/mission-critical web portal

Dear all,

I am a new system administrator for a company planning to create a web
portal which provides email, IM, e-business, and a search engine. Liferay is
our portal management tool.

I am searching for the best OS to be our platform. The required features are:

Attack resistance (I expect a lot of attacks, especially DoS).
Stability.
Performance.

Linux and OpenBSD are the main candidates for this mission.
Here I am listing my findings.


OpenBSD:
Pros
^^^
Security oriented on its base level (compilers, syscalls).
System over all stability.

Cons
^^^
Performance is not the first priority. Benchmarks show clear performance
degradation when compared to Linux 2.6.x.
Package management is not as easy to handle as, e.g., apt-get and yum.
User community/developers are quite small.
By using third-party packages (e.g. Liferay, Apache), system security falls
back to those applications' security level. (The system is as secure as the
weakest link in the chain.)
The project has financial problems (e.g.
http://www.linuxsecurity.com/content/view/122166/169/) which means that it
might not survive.



Linux Debian with SELinux:
Pros
^^^
Applies mandatory access control (SELinux).
SELinux improves access control as a whole, and immunity towards malware
(proactive approach).
Larger community, more howtos.
Stability.
Tons of ready made packages.
Very easy security patching system, supported by good security team.
Our main services (Apache, MySQL, Tomcat, and Liferay) were tested mostly on
Linux boxes.

Cons
^^^
Performance degradation of 7% (SELinux)
(http://www.crypt.gen.nz/selinux/faq.html#WWW.14).


My thoughts are that:

* OpenBSD will become as vulnerable as the running service on top of it.
Hence I will lose the legendary security it has.

* When I look at the top 51 (http://uptime.netcraft.com/perf/reports/Hosters),
Linux had a 45% share, which means that it is highly secure.

* With OpenBSD I am not going to spend time hardening it but rather trying to
get the services (MySQL, Apache, ...) running on top of it, while in Linux
installing the services is easy but I need to spend good time hardening the
OS itself.

Any hint/comment is welcome.



Best regards,
Mohammad
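
The original post expects a lot of DoS traffic and anticipates "good time hardening the OS itself" on Linux. One concrete, repeatable piece of that work is checking the kernel's network sysctls against a baseline. The script below is an example added to this thread, not anything from the poster or from a distribution: it compares `sysctl -a` style output on stdin with a hypothetical hardening baseline (SYN cookies on, a larger SYN backlog, reverse-path filtering, ICMP redirects and source routing off, broadcast pings ignored) and prints each key that deviates or is missing. The baseline values are assumptions for the example; in particular `tcp_max_syn_backlog` depends on memory and expected load. The sample "current settings" are constructed.

```shell
#!/bin/sh
# Compare live kernel network settings with a hardening baseline.
# Added example, not from the original thread. Usage on a real host:
#   sysctl -a 2>/dev/null | sysctl_drift

# Hypothetical baseline (assumed values for this example, not a standard):
# single-valued keys only, written key=value, one per line.
BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1'

# stdin: current settings, either "key = value" (sysctl -a) or "key=value".
# stdout: one line per baseline key whose value differs or is not present.
# Keys with space-separated multi-value settings (e.g. tcp_wmem) would need a
# different field split and are deliberately not in the baseline.
sysctl_drift() {
    awk -v base="$BASELINE" -F'[ =]+' '
        BEGIN {
            n = split(base, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1])
                print $1, "current=" $2, "expected=" want[$1]
        }
        END {
            for (k in want)
                if (!(k in seen))
                    print k, "current=<unset>", "expected=" want[k]
        }
    ' | sort
}

# Constructed sysctl -a excerpt (not from a real host): SYN cookies off,
# small SYN backlog, ICMP redirects accepted, plus an unrelated key that
# must be ignored.
CURRENT_SAMPLE='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0'

# Run the comparison over the constructed sample.
audit_sysctl_sample() {
    printf '%s\n' "$CURRENT_SAMPLE" | sysctl_drift
}

audit_sysctl_sample
```

On the sample this reports three deviations (tcp_syncookies, tcp_max_syn_backlog, accept_redirects) and nothing for rp_filter or the unrelated ip_forward key. Running it from cron and alerting on non-empty output catches the common failure mode where a kernel upgrade or a package post-install script silently resets a tuned value.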