Solved

Most secure Linux or x86 Unix that are least prone to ransomware/malware

Posted on 2016-09-10
140 Views
Last Modified: 2016-09-15
I'm exploring setting up a VM running Linux or an x86 UNIX (say x86 Solaris or x86 SCO UNIX, if it's still around)
that's dedicated to browsing the Internet: using a VM because I could scale the vRAM, vCPU, storage &
I can always take a snapshot backup prior to applying security patches.

Is SCO UNIX open source & do they release patches regularly?


Currently in our environment, it takes 3-6 months to assess & test patches before applying them onto
Windows (& UNIX) due to past disruptions, so dedicating a VM for everyone to remote in to browse the
Internet will entail less Change Management red tape: only the Internet browsing function will be
affected in the event patches cause issues.


I read that Chrome (& Chromium) & Firefox are much safer browsers than IE, so I'll need a Linux/UNIX
(64-bit so that it can support more RAM) flavor that could support Chrome/Chromium or Firefox: some
lesser-known browsers like Konqueror may not work well with certain websites (or am I mistaken?).

Some time back Firefox was banned as I was told it has too many exploits??  But I tend to think IE
has much more, glancing at the monthly MS security patches (quite a number of them are for IE).

So compare Solaris x86, RHEL, SCO, Debian, Ubuntu, CentOS: need to have support for a secure
browser & the OS with the least malware/ransomware that could exploit/run on it & I'm contemplating
if an email client (that could connect to MS Exchange) could also be supported in future.
0
Question by:sunhux
24 Comments
 

Author Comment

by:sunhux
ID: 41792785
& I don't want to compile Chrome/Chromium on an OS but want ready-to-use
packages/RPMs that I could just install and use
0
 
LVL 37

Expert Comment

by:bbao
ID: 41792849
for personal use or a template computer for enterprise-wide deployment?
0
 
LVL 48

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
ID: 41792952
>>  Is SCO UNIX an Opensource & do they release patches regularly?

NO, NO, NO
SCO is proprietary and costly.  Stay away from it.  Unclean.  Burn with fire.

Solaris

Stay away from that as well.  Probably you may have driver problems.

CentOS and RHEL are basically the same.  CentOS is a repackage/rebuilt of RHEL.
Ubuntu is based on Debian but with nicer features.

As for which Linux/Unix distribution is less malware/ransomware prone or insecure I don't believe there is any data out there on that.

Chrome can be got for Debian or Ubuntu.  See https://www.google.com/chrome/browser/desktop/

Email clients on Linux for MS Exchange are hit and miss.  Some people have had luck with various plugins, others don't.  It also depends on the version of Exchange and other factors ... (from a quick Google search on the matter, see https://www.reddit.com/r/linux/comments/37mkd2/linux_mail_client_that_handles_exchange/ for example).
0
 
LVL 29

Expert Comment

by:serialband
ID: 41792979
Don't just switch because of some hearsay.  If you're not familiar with linux, you should just stick to using windows.  Linux can be hacked as well.  The reason linux has been "more secure" is because there are fewer users and those that use it tend to have more experience with it.  Those that are less knowledgeable will still get hacked.

If you're using a VM, you can always revert to the snapshot after you use it.  Just make new snapshots.  It makes no difference what you install in the VM.  You can stick with Windows if that's what you know better.  Honestly, if you're not browsing safely in Windows, you won't be browsing safely in linux.  The only advantage is that the attacks are directed to Windows more frequently.  It doesn't mean there aren't attacks to Linux.  I've seen users get attacked quite frequently on linux, because they're not familiar with it.
0
 
LVL 94

Expert Comment

by:John Hurst
ID: 41792992
With any system (Windows, MAC or Linux) careful browsing, good spam filters and control, and user education are the only real ways to keep viruses away. I agree that switching just for this reason does not make a lot of sense.

We only use Windows at all our clients and have very few difficulties.
0
 
LVL 63

Accepted Solution

by:btan
btan earned 170 total points
ID: 41793054
Since your purpose is browsing, stay away from SCO UNIX and Solaris. You are not building a backend farm unless you intend to. But note that ransomware can be just as platform agnostic - past feedback when CryptoWall came out after Cryptolocker:

It is coded to run on both 32-bit and 64-bit systems, which increases its chances of running on whatever computer it infects, Carter said. Newer versions of Mac OS X and Windows are 64-bit operating systems
As for browsers, like Firefox, which I do not really see as being 'banned', though there are past boycott calls such as this (http://whyfirefoxisblocked.com) and also a rumoured US agency has kept a FF vulnerability, as in there is FF

Overall, I suggest you can stay clean if your browsing experience does not involve storing sensitive data - meaning separate your internal network from the Internet and use a different machine or VM. Likewise have strict control over USB devices and access control rights only as user and not default admin.

See possible candidates for deployment in a kind of LiveCD style (don't really save files...)

a) boot using TAILS, which is a highly customized Debian, which itself is just GNU/Linux. It is not foolproof (likewise for others) since there was the past "torsploit" attack, which exploited an outdated version of Tor Browser and may have been able to attack Tails; however, the Tails firewall was able to block it. Having said that, in general, there will likely be little general-purpose malware which is effective against Tails.
https://tails.boum.org/

Another is separation through isolation
b) Qubes is a desktop environment based on Fedora that's all about security through isolation. Qubes assumes that there can't be a truly secure operating system, so instead it runs everything inside of virtual machines. This ensures that if you are victim to a malicious attack, it doesn't spread to the operating system as a whole.
For example, you could create a "Work" virtual machine that includes Firefox and Thunderbird, a "Shopping" virtual machine that includes just Firefox, and then whatever else you need. This way, when you're messing around in the "Shopping" virtual machine, it's isolated from your "Work" virtual machine in case something goes wrong. You can create virtual machines of Windows and Linux. You can also create disposable virtual machines for one time actions.
The major concern (for some) with Qubes is the fact that you need to do everything manually. E.g. setting up virtual machines secures your system as a whole, but you have to architect and guide the deployment and the change in experience in using them.
https://www.qubes-os.org/doc/user-faq/#does-qubes-run-every-app-in-a-separate-vm

support for TOR based browser (http://motherboard.vice.com/read/the-fbi-may-be-sitting-on-a-firefox-vulnerability).

Though not entirely malware free, holistically you should also in your planning have means to protect users' privacy and add-ons to the browser that can be useful.
https://www.experts-exchange.com/articles/18652/Privacy-protection-practices-and-tools.html
0
 

Author Comment

by:sunhux
ID: 41793292
Ok, just saw somewhere SCO is a No (I used it 16 yrs ago on Cyberguard firewall):
quite restrictive.

>for personal use or a template computer for enterprise-wide deployment?
I plan to deploy about 3 to 6 in our company for the 2000+ employees to
remote in to browse Internet (ie block their PCs/laptops from accessing
Internet), ie they have to go to one of these Linux to do Internet browsing.

So I'm setting up an "air-gap" Internet access
0
 
LVL 94

Expert Comment

by:John Hurst
ID: 41793294
We are able to train our employees to ensure sensible use. I would be interested to know if browsing on a different machine will work.

How will employees who need internet for their jobs function?
0
 

Author Comment

by:sunhux
ID: 41793296
>Don't just switch because of some hearsay.
Not hearsay, FireEye told me & they don't feel a need to do IOC
assessments in our environment for Unix/Linux.

I personally manage an environment of 950 RHEL+Solaris x86
plus 1300 WIndows : the malwares/viruses that hit RHEL/Solaris
are all simply Windows malwares & they can't run/exploit while
the ones that hit Windows are all 100% meant for Windows.

MAC OSX is a flavor of Linux & my kid's school mandates them to
use MAC : I know at least a dozen kids who watch movies on the
highly malicious gooddrama.net & drama.net : nothing happens
to their MAC OSX which is without any AV
0
 

Author Comment

by:sunhux
ID: 41793300
We have leading brand antispam, AV, url defense & I see the reports blocking tens of thousands
of spam & thousands of malwares every month via emails : the users have always forward
our team 'suspicious' emails (ie from unknown sender, too good to be true offers, mails with
dubious links) : thankfully not been hit via emails so far but when browsing "holiday or
hotel booking" sites, we got hit (despite a top-end proxy censoring sites that we could
visit) many times.

Ok, agree that this air-gap "reverse jumphost" can be a Windows as it could be just as good
in filtering out infections but we have IT team to support it if it's Linux
0
 

Author Comment

by:sunhux
ID: 41793301
> How will employees who need internet for their jobs function?
Doing research using google.

Though there are staff who use it to do shopping
0
 
LVL 48

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
ID: 41793312
MAC OS X is NOT a flavour of Linux.

It is a flavour of BSD.   Similar to Linux/Unix but it isn't them.  The standard browser for MAC OS X is Safari which is considered insecure and viruses DO exist for MAC OS X.  Do not consider OS X or Safari to be secure or/and safe.

If your IT team supports RHEL then they can/should be able to support Debian or Ubuntu.  Ubuntu has paid support plus some of its releases have long term support (LTS) which is roughly about five years.
1
 
LVL 63

Expert Comment

by:btan
ID: 41793315
The air gap is a good scheme but you will need to watch over it (esp. use of USB drives and network mapped shares) and allow authorised means to transfer information from Internet to intranet only. Any lapses will negate the air gap scheme. Those points of entry need to be cleansed, and inspect the load coming into the intranet. Check those systems - the choice of OS is not really a factor in the safeguards, nor is the choice of a more secure browser - mentioned lots of times, there is no foolproof vulnerability-free system and application. You can check out Qubes
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 60 total points
ID: 41793321
> The standard browser for MAC OS X is Safari which is considered insecure and viruses DO exist for MAC OS X.

agree. one of my personal practices is, i never run OS built-in browser on any platform. for OSX and iOS, it is Safari; for Windows, it is IE.
0
 
LVL 29

Expert Comment

by:serialband
ID: 41793611
FireEye told me & they don't feel a need to do IOC assessments in our environment for Unix/Linux.

That just tells me that FireEye doesn't really know Unix/Linux.  I would not trust them about their assessments of anything that isn't Windows.  You need to get a 2nd opinion.  Windows is technically more secure from years of attacks.  It's just that it's a much bigger target because many more people use it, especially people with very little computer literacy.  That's the main reason Windows is "insecure".
1
 
LVL 37

Expert Comment

by:bbao
ID: 41793625
totally agree with Serialband.
0
 
LVL 27

Assisted Solution

by:tliotta
tliotta earned 60 total points
ID: 41796993
...employees to
remote in to browse Internet (ie block their PCs/laptops from accessing
Internet), ie they have to go to one of these Linux to do Internet browsing.
"Remote in"? Do you actually mean "remote in"? Or will they physically need to walk over to one of your proposed systems to access the internet, and those proposed systems are on a physically separate network?

So I'm settting up an "air-gap" Internet access
If they're going to "remote in", then there is no "air gap". If the proposed systems are on the same physical network separated only by firewall rules, there is no "air gap".

So, are you actually intending an "air gap" between employee systems and the internet? Or do you essentially only want a few "internet jump servers"? (I know they won't technically be "jump servers", but I'm not sure a better term applies.)
0
 

Author Comment

by:sunhux
ID: 41798291
> you actually mean "remote in"?
Yes, sort of Rdp but plan is not to use Rdp but some other protocol/remoting tool with no file sharing.

Ok, given that Linux is more vulnerable than Windows, I still feel this is a good idea because I've not
heard of a malware that could hit both Linux AND Windows: so if the Linux got hit, the same malware
which is Linux specific is unlikely to attack Windows.  If it's a Windows malware/ransomware that got
into the Linux, it's not going to run/exploit on that Linux.

Ya, agree that in defense projects physical isolation is the safest, but the comm protocol is a different
one than the regular RDP; this is going to make it more secure.

It is for this very similar idea that internal & external firewalls ought to be of different brands : if there's
a vulnerability (like the recent Cisco ASA) for one brand of firewall, at least the other layer of firewall of
a different brand is unlikely to have it.  A C&C attack that successfully gains control via a certain weakness
of one firewall will need a different vulnerability/weakness to exploit another brand of firewall : feel
free to disagree

I just learnt that there's a product called ISLA (Spanish for island) that is dedicated for users to 'remote'
in to do just Internet browsing, so some vendor out there must have the same idea
0
 

Author Comment

by:sunhux
ID: 41798305
> "internet jump servers"?
I would call it 'reverse jump servers' because we're accessing a less secure environment (Internet browsing)
from the more secure PCs.  I suppose 'jump servers' is for accessing a more secure environment from the less
secure PCs.

Now the difficult part for me is : suppose users download files to the Linux & they want those files on their
PCs/laptops : if I stop them, there will be violent objections;  if I allow it,  'infected' files are going to get thru
tho I think in most cases, they can just do a "copy" from the Linux browser & then "paste" it into their
Windows PCs : I suppose not many malwares could get 'copied' & 'pasted' over via this way or am I
mistaken?
0
 

Author Comment

by:sunhux
ID: 41798311
So far all the successful malware/ransomware attacks we've seen are due to users browsing malicious/infected sites
& I'm trying to patch this loophole.  Attacks via emails : unheard of so far as users have been aware of unsolicited
& emails from unknown senders & have always reported them & not click anything in them : despite the product
filtered away more than 100,000 such emails monthly, some get thru
0
 
LVL 48

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
ID: 41798357
>>  Ok, given that Linux is more vulnerable than Windows,

That's a debatable and controversial statement.  Rather than debate it, best to say that BOTH have vulnerabilities.  Now the vulnerabilities that do exist in BOTH aren't necessarily the OSes but rather the applications that run on them.

>>  I still feel this is a good idea because I've not heard of a malware that could hit both Linux AND Windows:

They do exist but are mostly in applications.  For example, Flash, PDF, Java, Javascript, Word documents, ZIP files are all good containers for malware for both OSes.

See https://blogs.sophos.com/2015/03/26/dont-believe-these-four-myths-about-linux-security/ and the section 3 – Windows malware cannot run on Linux for cross platform threats.
0
 
LVL 48

Assisted Solution

by:dbrunton
dbrunton earned 150 total points
ID: 41798372
Malicious internet sites:

You can disable Flash, you can use ad blockers (a number of attacks are through malicious ads) but ad blockers can cause problems with some sites, you can disable Javascript (but I do not recommend this), you can stop the use of Java (recommended).
0
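As an added example (not from the thread, and not code from any poster or product named in it), here is how the advice in the comment above is turned into settings the user cannot undo on a Debian/Ubuntu browsing VM: a managed Chromium policy, with the permissive values beside the locked-down ones and a small audit function that flags the permissive ones. The policy keys are Chromium's own (visible under chrome://policy); the plugin-related keys date from the Flash/Java era this thread discusses and are retired in current Chromium. The file path, the forced blocker's extension ID and the idea of allow-listing downloads rather than blocking them all are assumptions.

```python
"""Managed Chromium policy for a browse-only VM: permissive vs. locked-down.

Added example. Policy keys are Chromium's (chrome://policy); the plugin keys are
from the Flash/Java era and are retired in current builds. The path and the
blocker extension ID are assumptions.
"""
import json

POLICY_PATH = "/etc/chromium/policies/managed/browse-vm.json"  # Debian/Ubuntu chromium

# What an unmanaged install effectively allows: the weak configuration.
PERMISSIVE = {
    "DefaultPluginsSetting": 1,        # 1 = run plugins (Flash, Java) automatically
    "AllowOutdatedPlugins": True,      # out-of-date plugins still load
    "DefaultJavaScriptSetting": 1,     # 1 = allow JavaScript everywhere
    "DownloadRestrictions": 0,         # 0 = no restriction on downloads
    "SafeBrowsingEnabled": False,
    "ExtensionInstallForcelist": [],   # no blocker pushed to users
}

# The locked-down configuration. JavaScript stays on (as advised above), but
# plugins are blocked, an ad/script blocker is forced and cannot be removed,
# and downloads flagged as dangerous are refused (3 would refuse all downloads).
LOCKED_DOWN = {
    "DefaultPluginsSetting": 2,        # 2 = block plugins outright
    "AllowOutdatedPlugins": False,
    "DefaultJavaScriptSetting": 1,
    "DownloadRestrictions": 1,         # 1 = block downloads rated dangerous
    "SafeBrowsingEnabled": True,
    "ExtensionInstallForcelist": [
        # "<extension id>;<update url>"; the ID of your chosen blocker (placeholder)
        "<adblocker-extension-id>;https://clients2.google.com/service/update2/crx",
    ],
    "ExtensionInstallBlocklist": ["*"],  # users may install nothing else
}


def audit(policy):
    """Return the weaknesses found in a policy dict; an empty list passes."""
    findings = []
    if policy.get("DefaultPluginsSetting") != 2:
        findings.append("plugins (Flash/Java) are not blocked")
    if policy.get("AllowOutdatedPlugins", False):
        findings.append("outdated plugins may still load")
    if policy.get("DownloadRestrictions", 0) == 0:
        findings.append("downloads are unrestricted")
    if policy.get("SafeBrowsingEnabled") is False:
        findings.append("Safe Browsing is switched off")
    if not policy.get("ExtensionInstallForcelist"):
        findings.append("no ad/script blocker is forced")
    return findings


def render(policy):
    """Serialise a policy the way Chromium reads it from the managed directory."""
    return json.dumps(policy, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    print("permissive :", audit(PERMISSIVE) or "ok")
    print("locked-down:", audit(LOCKED_DOWN) or "ok")
    print(render(LOCKED_DOWN))  # write to POLICY_PATH as root, then restart Chromium
```

The audit treats an unset plugin or download key as a finding on purpose: on a shared browsing VM "not enforced" is the same as "left to the user".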
 
LVL 63

Expert Comment

by:btan
ID: 41798984
Different brand of FW;

in a way yes, a vulnerability in one FW brand normally does not affect the other brand. That is a risk-measured approach for segregating high and low risk networks. But we also do not want to overdo it. Have the operation in mind too, such that rules can still be reviewed for consistency and audit, SIEM can still have oversight on correlated events for the FWs, and admin accounts should be separated if possible to reduce the threat of abuse.

Need to guard the Internet to intranet transfer of data (if that is required) and probably has to consider diode.
0
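Two points in this thread meet at the one place where the "reverse jump server" design lets something cross: dbrunton's note that Flash, PDF, Java, Word and ZIP files are malware containers for both platforms, and btan's point above that the Internet-to-intranet transfer has to be guarded. As an added example, not code from the thread or from any product mentioned in it, here is a small Python content gate for a download leaving the browsing VM. It refuses by content rather than by file name: executables and scripts wherever they appear (including inside archives), files whose bytes do not match their extension, PDFs carrying JavaScript or launch actions, Office documents with a VBA project or embedded OLE object, archives nested too deep, and archives with a zip-bomb expansion ratio. The allow-list, the limits and the sample files are all constructed for the example.

```python
"""Content gate for files leaving an Internet-browsing VM for the intranet.

Added example. Assumes a one-way drop folder: downloads land in the VM, the
gate decides what may cross, everything else stays behind. The allow-list,
limits and sample files are assumptions made for the example.
"""
import io
import zipfile

ALLOWED_EXT = {"pdf", "txt", "csv", "png", "jpg", "jpeg", "docx", "xlsx", "zip"}
OFFICE_EXT = {"docx", "xlsx"}
MAX_ARCHIVE_DEPTH = 2           # zip inside zip is fine, a third level is not
MAX_EXPANSION_RATIO = 100       # crude zip-bomb guard (uncompressed / compressed)
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Signature each allowed extension must carry; OOXML documents are zip containers.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "zip": b"PK\x03\x04", "docx": b"PK\x03\x04",
         "xlsx": b"PK\x03\x04"}
# Native code and scripts are refused wherever they appear, whatever the name.
EXECUTABLE_MAGIC = (b"MZ",                # Windows PE / DOS
                    b"\x7fELF",           # Linux ELF
                    b"\xca\xfe\xba\xbe",  # Java class (also Mach-O fat binary)
                    b"#!")                # script with a shebang
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/Launch")   # heuristic active-content markers


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def screen(name, data, depth=0):
    """Return the reasons to refuse this file; an empty list means it may cross."""
    reasons, ext = [], _ext(name)
    if ext not in ALLOWED_EXT:
        reasons.append(f"{name}: extension '.{ext}' is not on the allow-list")
    if data.startswith(EXECUTABLE_MAGIC):
        reasons.append(f"{name}: executable or script content")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append(f"{name}: content does not match the .{ext} signature")
    if ext == "pdf":
        hits = [m.decode() for m in PDF_ACTIVE if m in data]
        if hits:
            reasons.append(f"{name}: PDF carries active content ({', '.join(hits)})")
    if ext in OFFICE_EXT | {"zip"} and data.startswith(b"PK\x03\x04"):
        reasons.extend(_screen_zip(name, data, ext, depth))
    return reasons


def _screen_zip(name, data, ext, depth):
    if depth >= MAX_ARCHIVE_DEPTH:
        return [f"{name}: archive nested deeper than {MAX_ARCHIVE_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: corrupt or truncated archive"]
    reasons = []
    with zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append(f"{member}: member larger than {MAX_MEMBER_BYTES} bytes")
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_EXPANSION_RATIO:
                reasons.append(f"{member}: suspicious compression ratio")
                continue
            body = zf.read(info)
            if ext in OFFICE_EXT:   # Office parts are XML: look for macros, OLE, raw binaries
                if info.filename.endswith("vbaProject.bin"):
                    reasons.append(f"{name}: Office document carries a VBA macro project")
                elif "/embeddings/" in info.filename:
                    reasons.append(f"{name}: Office document embeds an OLE object")
                elif body.startswith(EXECUTABLE_MAGIC):
                    reasons.append(f"{member}: executable content inside Office document")
            else:                   # plain archive: every member is screened like a file
                reasons.extend(screen(member, body, depth + 1))
    return reasons


def _zip(members):
    """Build an in-memory zip from {name: bytes}; only used for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


PE_STUB = b"MZ\x90\x00" + b"\x00" * 60     # first bytes of a Windows executable
OOXML = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
SAMPLES = {   # constructed sample downloads, not real files
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "form.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF\n",
    "report.pdf": PE_STUB,                                   # .exe renamed to .pdf
    "notes.zip": _zip({"notes.txt": b"meeting notes\n"}),
    "tools.zip": _zip({"readme.txt": b"run setup\n", "setup.exe": PE_STUB}),
    "memo.docx": _zip(OOXML),
    "macro.docx": _zip({**OOXML, "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16}),
    "deep.zip": _zip({"a.zip": _zip({"b.zip": _zip({"c.txt": b"x"})})}),
    "bomb.zip": _zip({"zeros.txt": b"\x00" * 1_000_000}),
}


def run_gate(samples=SAMPLES):
    """Map each file name to its refusal reasons (empty list = allowed across)."""
    return {name: screen(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in run_gate().items():
        print(f"{'ALLOW' if not reasons else 'REFUSE':6} {name}")
        for reason in reasons:
            print("       -", reason)
```

The gate returns a list of reasons rather than a yes/no so the refusal can be logged and shown to the user who asked for the file. It is a structural check, not a scanner: it stops the classes of content named in the thread from crossing unnoticed, and belongs in front of, not instead of, the AV and URL filtering already in place.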
 
LVL 29

Assisted Solution

by:serialband
serialband earned 60 total points
ID: 41799110
Ok, given that Linux is more vulnerable than Windows,
You have a misunderstanding.  They have different vulnerabilities and are affected differently.  One is not necessarily more vulnerable than the other.  Switching to Linux just because FireEye told you it was safer was incorrect.  Linux has different vulnerabilities and needs patching and protecting as well.  They just won't suffer from Windows viruses.  They can still be attacked.  The attack vectors are different.  If you're unfamiliar with Linux, you will get hacked on Linux.  Stick with what you know.

Security is a process.  You need to have firewalls, antivirus, and adblockers to protect your systems.  Users also need to be educated about not clicking random stuff.  There are hardware firewalls that have subscriptions to update their block lists and prevent access to malicious sites.  There are software firewalls and antivirus that will scan for incoming junk.  You need them all to be more secure.  Don't leave out the user training.

If your users are not careful, no amount of software or hardware will protect them.  All scanners can do is block users and systems from known attack vectors.  New viruses and malware are being written all the time that will slip past existing protections.  A user just needs to click on any one of those that have slipped through and they're down.  You can't just rely on the technical solutions to protect your users.  A big part of it is user education.  If you don't click on junk, you could theoretically run without any antivirus or firewall (as long as you don't run services that open ports) and never get infected.  Unfortunately, you do need adblockers, unless you run a browser that never loads plugins or runs scripts, which fully limits access to some sites.  Many of them are still readable if you load the source, but some are not.
0
