sunhux asked:
Most secure Linux or x86 Unix that are least prone to ransomware/malware

I'm exploring setting up a VM running Linux or an x86 UNIX (say x86 Solaris or x86 SCO UNIX, if it's still around)
that's dedicated to browsing the Internet: using a VM because I could scale the vRAM, vCPU and storage, &
I can always take a snapshot backup prior to applying security patches.

Is SCO UNIX open source & do they release patches regularly?


Currently in our environment, it takes 3-6 months to assess & test patches before applying them onto
Windows (& UNIX) due to past disruptions, so dedicating a VM for everyone to remote in to browse the
Internet will entail less Change Management red tape: only the Internet browsing function will be
affected in the event patches cause issues.


I read that Chrome (& Chromium) & Firefox are much safer browsers than IE, so I'll need a Linux/UNIX
flavor (64-bit so that it can support more RAM) that could support Chrome/Chromium or Firefox: some
lesser-known browsers like Konqueror may not work well with certain websites (or am I mistaken?).

Some time back Firefox was banned as I was told it has too many exploits?? But I tend to think IE
has much more, glancing at the monthly MS security patches (quite a number of them are for IE).

So comparing Solaris x86, RHEL, SCO, Debian, Ubuntu, CentOS: I need support for a secure
browser & the OS with the least malware/ransomware that could exploit/run on it, & I'm contemplating
whether an email client (that could connect to MS Exchange) could also be supported in future.
sunhux (ASKER):
& I don't want to compile Chrome/Chromium on an OS, but want ready-to-use
packages/RPMs that I could just install and use.
bbao:
for personal use or a template computer for enterprise-wide deployment?
SOLUTION by dbrunton
Don't just switch because of some hearsay. If you're not familiar with Linux, you should just stick to using Windows. Linux can be hacked as well. The reason Linux has been "more secure" is because there are fewer users and those that use it tend to have more experience with it. Those that are less knowledgeable will still get hacked.

If you're using a VM, you can always revert to the snapshot after you use it. Just make new snapshots. It makes no difference what you install in the VM. You can stick with Windows if that's what you know better. Honestly, if you're not browsing safely in Windows, you won't be browsing safely in Linux. The only advantage is that the attacks are directed to Windows more frequently. It doesn't mean there aren't attacks on Linux. I've seen users get attacked quite frequently on Linux, because they're not familiar with it.
With any system (Windows, MAC or Linux) careful browsing, good spam filters and control, and user education are the only real ways to keep viruses away. I agree that switching just for this reason does not make a lot of sense.

We only use Windows at all our clients and have very few difficulties.
ASKER CERTIFIED SOLUTION
sunhux (ASKER):
Ok, I just saw somewhere that SCO is a No (I used it 16 yrs ago on a Cyberguard firewall):
quite restrictive.

> for personal use or a template computer for enterprise-wide deployment?
I plan to deploy about 3 to 6 in our company for the 2000+ employees to
remote in to browse the Internet (i.e. block their PCs/laptops from accessing the
Internet), i.e. they have to go to one of these Linux machines to do Internet browsing.

So I'm setting up an "air-gap" Internet access.
We are able to train our employees to ensure sensible use. I would be interested to know if browsing on a different machine will work.

How will employees who need internet for their jobs function?
sunhux (ASKER):
> Don't just switch because of some hearsay.
Not hearsay, FireEye told me & they don't feel a need to do IOC
assessments in our environment for Unix/Linux.

I personally manage an environment of 950 RHEL+Solaris x86
plus 1300 Windows: the malware/viruses that hit RHEL/Solaris
are all simply Windows malware & they can't run/exploit, while
the ones that hit Windows are all 100% meant for Windows.

MAC OSX is a flavor of Linux & my kid's school mandates them to
use MAC: I know at least a dozen over kids watch movies on the
highly malicious gooddrama.net & drama.net: nothing happens
to their MAC OSX which is without any AV.
sunhux (ASKER):
We have leading-brand antispam, AV and URL defense & I see the reports blocking tens of thousands
of spam & thousands of malware samples every month via emails: the users have always forwarded
our team 'suspicious' emails (i.e. from unknown senders, too-good-to-be-true offers, mails with
dubious links): thankfully we've not been hit via emails so far, but when browsing "holiday or
hotel booking" sites, we got hit (despite a top-end proxy censoring the sites that we could
visit) many times.

Ok, agree that this air-gap "reverse jumphost" can be a Windows machine as it could be just as good
at filtering out infections, but we have an IT team to support it if it's Linux.
sunhux (ASKER):
> How will employees who need internet for their jobs function?
Doing research using Google.

Though there are staff who use it to do shopping.
SOLUTION
The air gap is a good scheme, but you will need to watch over it (esp. the use of USB drives and network mapped shares) and allow only authorised means to transfer information from the Internet to the intranet. Any lapses will negate the air gap scheme. Those points of entry need to be cleansed, and the load coming into the intranet inspected. Check those systems - the choice of OS is not really a factor in the safeguards, nor is the choice of a more secure browser - as mentioned many times, there is no foolproof vulnerability-free system or application. You can check out Qubes.
SOLUTION
> FireEye told me & they don't feel a need to do IOC assessments in our environment for Unix/Linux.

That just tells me that FireEye doesn't really know Unix/Linux. I would not trust them about their assessments of anything that isn't Windows. You need to get a 2nd opinion. Windows is technically more secure from years of attacks. It's just that it's a much bigger target because many more people use it, especially people with very little computer literacy. That's the main reason Windows is "insecure".
Totally agree with Serialband.
SOLUTION
sunhux (ASKER):
> you actually mean "remote in"?
Yes, sort of like RDP, but the plan is not to use RDP but some other protocol/remoting tool with no file sharing.

Ok, given that Linux is more vulnerable than Windows, I still feel this is a good idea because I've not
heard of a malware that could hit both Linux AND Windows: so if the Linux got hit, the same malware,
which is Linux-specific, is unlikely to attack Windows. If it's a Windows malware/ransomware that got
into the Linux, it's not going to run/exploit on that Linux.

Ya, agree that in defense projects physical isolation is the safest, but the comm protocol being a different
one than the regular RDP is going to make it more secure.

It is for this very similar idea that internal & external firewalls ought to be of different brands: if there's
a vulnerability (like the recent Cisco ASA one) for one brand of firewall, at least the other layer of firewall of
a different brand is unlikely to have it. A C&C attack that successfully gains control via a certain weakness
of one firewall will need a different vulnerability/weakness to exploit another brand of firewall: feel
free to disagree.

I just learnt that there's a product called ISLA (Spanish for island) that is dedicated for users to 'remote'
in to do just Internet browsing, so some vendor out there must have had the same idea.
sunhux (ASKER):
> "internet jump servers"?
I would call them 'reverse jump servers' because we're accessing a less secure environment (Internet browsing)
from the more secure PCs. I suppose 'jump servers' is for accessing a more secure environment from the less
secure PCs.

Now the difficult part for me is: suppose users download files to the Linux & they want those files on their
PCs/laptops: if I stop them, there will be violent objections; if I allow it, 'infected' files are going to get through,
though I think in most cases they can just do a "copy" from the Linux browser & then "paste" it into their
Windows PCs: I suppose not many malwares could get 'copied' & 'pasted' over this way, or am I
mistaken?
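The file-transfer question just above, and btan's earlier point that the Internet-to-intranet point of entry has to be "cleansed" and its load inspected, both come down to the same control: a gate between the browsing host and the internal network that decides on file content rather than on the file name, and logs every decision so the transfer can be audited. The following is an added example written for this page; it is not code from the thread, from ISLA, Qubes or any other product named here. It assumes downloaded files land in a staging directory on the browsing host, and the allowlist of document types, the size cap and the sample files are all constructed for illustration.

```python
"""Transfer gate between a browsing host and the intranet (added example).

Assumptions (not from the thread): downloaded files land in a staging
directory; only a small allowlist of document/image types may cross; the
decision is made on file content, not on the name; every decision is logged
with a SHA-256 so the transfer can be audited later.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed allowlist: extension -> magic-byte prefixes the content must carry.
# An empty tuple means "plain text", which is checked for being clean UTF-8.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".txt": (),
}
MAX_SIZE = 25 * 1024 * 1024  # 25 MiB cap; assumed policy value


def check_content(name: str, data: bytes) -> tuple[bool, str]:
    """Decide whether `data`, claimed to be file `name`, may cross. Returns (accepted, reason)."""
    ext = Path(name).suffix.lower()  # only the LAST suffix counts: "report.pdf.exe" -> ".exe"
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not on allowlist"
    if not data:
        return False, "empty file"
    if len(data) > MAX_SIZE:
        return False, "exceeds size limit"
    magics = ALLOWED_TYPES[ext]
    if magics:
        # Content must match what the name claims; an executable renamed to .pdf fails here.
        if not any(data.startswith(m) for m in magics):
            return False, "content does not match extension"
    else:
        # Plain text must be NUL-free, valid UTF-8; a binary renamed to .txt fails here.
        if b"\x00" in data:
            return False, "binary content in a text file"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text file is not valid UTF-8"
    return True, "ok"


def process_staging(staging: Path, inbox: Path, quarantine: Path) -> list[dict]:
    """Move each staged file to inbox or quarantine and return an audit log."""
    inbox.mkdir(parents=True, exist_ok=True)
    quarantine.mkdir(parents=True, exist_ok=True)
    log = []
    for path in sorted(p for p in staging.iterdir() if p.is_file()):
        data = path.read_bytes()
        accepted, reason = check_content(path.name, data)
        dest = inbox if accepted else quarantine
        shutil.move(str(path), str(dest / path.name))
        log.append({"name": path.name, "sha256": hashlib.sha256(data).hexdigest(),
                    "accepted": accepted, "reason": reason})
    return log


def demo() -> dict[str, bool]:
    """Run the gate over constructed sample files in a temporary directory."""
    samples = {
        "minutes.pdf": b"%PDF-1.4\n% constructed sample\n",
        "notes.txt": "plain UTF-8 notes\n".encode(),
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # double extension: last suffix decides
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,        # executable renamed to look like an image
        "setup.txt": b"MZ\x90\x00" + b"\x00" * 60,        # executable renamed to .txt
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staging = root / "staging"
        staging.mkdir()
        for name, data in samples.items():
            (staging / name).write_bytes(data)
        log = process_staging(staging, root / "inbox", root / "quarantine")
        return {entry["name"]: entry["accepted"] for entry in log}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name}")
```

The gate is deliberately an allowlist: anything it does not positively recognise is quarantined rather than passed, and the audit log (name, SHA-256, verdict, reason) is what a SIEM would ingest to watch the crossing point btan describes. A magic-byte check is a floor, not a ceiling; a real deployment would add AV scanning and, for document types, content disarm of active content, but the decision-on-content principle stays the same regardless of whether files arrive by download, USB or clipboard.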
sunhux (ASKER):
So far all the successful malware/ransomware attacks we've seen are due to users browsing malicious/infected sites,
& I'm trying to patch this loophole. Attacks via emails: unheard of so far, as users have been aware of unsolicited
emails & emails from unknown senders & have always reported them & not clicked anything in them: despite the product
filtering away more than 100,000 such emails monthly, some get through.
SOLUTION
SOLUTION
Different brand of FW:

In a way yes, a vulnerability in one FW brand normally does not affect the other brand. That is a risk-measured approach for segregating high- and low-risk networks. But we also do not want to overdo it. Have the operation in mind too, such that rules can still be reviewed for consistency and audit, the SIEM can still have oversight of correlated events for the FWs, and admin accounts should be separated if possible to reduce the threat of abuse.

You need to guard the Internet-to-intranet transfer of data (if that is required) and probably have to consider a diode.
SOLUTION