Conversion to Linux

Jeffrey Watts jeffrey.w.watts at gmail.com
Sun Nov 2 15:27:48 CST 2008


With all due respect, having worked in a corporate environment for the last
ten years I can say that these things are probably not things that
corporations emphasize.

In regards to uniquely compiled binaries - this would make auditing and
testing a nightmare.  If you have 100 identical webservers, having 100
different Apache binaries is a terrible idea.  You want to have a test
environment where you test ONE binary and deploy that ONE binary across the
entire platform.  You can then guarantee that that tested binary will work
properly and is secure.

As far as branding goes, unless the product a company is selling is an
operating system, using Linux From Scratch to have a "branded" OS doesn't
seem very useful.  After all, if ZapperTed's wants a snazzy corporate themed
desktop they can always just modify SLES, RHEL, or Ubuntu to use the corp's
logo as a wallpaper and have fancy icons and such.  But to be perfectly
honest the most that any company really does is put a corp wallpaper on a
desktop, and you can do that with any distribution.

The StackGuard thing is a good point, though, but I feel that given the
nature of most corporate environments, where you can have systems as old as
10 years still in use, most security efforts rely on securing the network,
not the systems.  Yes, system security is important, but there are usually
many systems that can't be upgraded and thus the #1 emphasis is the firewall
and access security.

Here is a short (and undoubtedly incomplete) set of things that corporations
desire:

1) Vendor support
2) 3rd Party support
3) Stability
4) Length of support (EOL)
5) Scalability
6) Security
7) Compatibility

The only two distributions that really fit this bill right now are Red Hat
Enterprise Linux and SuSE Linux Enterprise Server.  My opinion is that of
these two, RHEL is the better product.

Wearing my Linux advocacy hat, I'd recommend NOT doing business with Novell
(SuSE) since they sold out to Microsoft.  I'd also not recommend using
CentOS, as they're undercutting Red Hat's business model and I think that's
really uncool (sure it's legal, but it's not moral).  I think most
businesses serious about their IT but interested in saving money should use
Fedora for the clients, RHEL for the server.  Best of both worlds.

As far as security goes, I'd argue that RHEL and Fedora can probably be made
more secure than any other distribution because of the fact that they were
the first to support SELinux.  SuSE does not.  Ubuntu does, but to be honest
given how recent their support of it is, I wouldn't want to use an Enforcing
mode SELinux on Ubuntu yet, as it takes quite a long time to get the kinks
worked out.

Michael, in case you don't know what Security Enhanced Linux is, it's a set
of kernel-level high security modules developed by the NSA.  In my opinion
it's absolutely essential for core network servers.

SELinux can be very confusing to even experienced Unix admins on first using
it, but once you get the hang of it, it's actually really slick.  All of Red
Hat's training teaches how to provide services that are secured via TCP
wrappers, ipchains, and SELinux.  Their training is excellent - best I've
ever been through, hands down (I've taken SGI and Sun training as well as
internal Sprint training).

Again, if you're new to Linux and your business is thinking of using Linux,
I can't recommend Red Hat enough.  When I was on the Sprint Linux Evaluation
team four years ago they were the stand-out vendor (with the notable
exception of the IBM mainframe world, where SuSE had an edge).

In terms of support contracts, many companies offer authorized RHEL
support.  I'd recommend looking at getting support from Red Hat directly,
however, as my company has had some mediocre experiences with getting RHEL
support from HP.  IBM may be better, as they're very well known for their
professional services and support, but you can't go wrong with getting
support directly from Red Hat.

Let me know if you have any more questions.  I work for Sprint on extremely
mission critical systems, and we've got a project to move my platform from
SGI IRIX on Origin hardware to RHEL on HP Integrity systems in 2010.  My
systems alone do about $12 billion a year in business, so if your management
has any concerns about the ability of Linux to do "real work", you can take
it from me that yes, it can.  :)

Good luck Michael.
Jeffrey.

On Sun, Nov 2, 2008 at 10:40 AM, David Nicol <davidnicol at gmail.com> wrote:

>
> The things a corporate environment could use that gentoo offers are:
>
>    centralization of configuration management (although this is also
>    offered by others)
>    more secure because not using widely distributed binaries; possible
>    to enforce that all systems corp-wide are compiled using
>    [http://en.wikipedia.org/wiki/Stack-smashing_protection StackGuard or
>    similar]
>
>    If you want full control, though, "Linux From Scratch" recipes may
> be better.  Gentoo offers a LFS-like situation where a lot of the
> groundwork is already done, and everything can get branded OurCorp
> instead of Fedora.
>
>
-- 

"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine