December 19, 2006

Comparing Microsoft infrastructure security with Open Source software

Recently Nick over at WiKID Systems blogged about How to get Microsoft-esque security with open-source software. Now, to be fair, WiKID is an open-source company that has an interest in such a post, and it has plenty of experience behind it. However, I had to comment because I feel it just wasn't a fair comparison, especially when considering two-factor authentication in small business environments that leverage Windows environments like SBS 2003.

I am posting the comment here for the many of my readers who don't visit Nick's blog.


No, it's not as simple as Plone vs Sharepoint.

Trying to compare SquirrelMail to Outlook over RPC/HTTPS is just insane. Hell, SquirrelMail vs Outlook Web Access isn't even close to the same thing. If you are on the Windows stack, Microsoft solutions work just as well for small business as they do at scale.

I know both Linux and Windows. We use both in our network. And I can say without quarrel that a deployment, including TCO, of Small Business Server 2003 is MUCH more effective than a custom built Linux box, ESPECIALLY if you use Microsoft technology in the office such as Outlook, Sharepoint, SQL Server and Exchange together.

I remember using this argument when I was in the grass roots movement for Linux years ago. Why fret about all the insecurities and problems with Windows when there were open source counterparts? But the reality is... there ISN'T a heterogeneous solution like what Microsoft offers. Find a REAL replacement for Exchange. And Sharepoint. And Office. And .NET. All tied together. It doesn't exist. Yes, great technology like Mono, Apache and PostgreSQL exists, but in the greater scope of things, for a business trying to leverage its IT resources as an asset and not a burden... it's much easier AND cheaper to deploy a Windows solution with SBS2003 than Linux. And MUCH easier to maintain.

Adding two-factor authentication (2FA) on either solution makes total sense. And you can indeed deploy strong authentication in small business environments for under $100 a user. The trick is finding the right solution for your needs. If you are going to deploy the solution, you have to weigh the 2FA server against its agents. If you want just a web based strong authentication server (SAS), your choice will be different than for a solution that works with Windows logon, IIS/Apache agents and PAM modules. Now I know WiKID is in the business of 2FA, but I don't think it's very balanced to recommend open source blindly without telling the whole story. You still need a SEPARATE 2FA server if you want to leverage your Windows network. Instead... why doesn't WiKID build agents for those Windows networks? Example: Why tunnel over SSH when you can simply use the secure comms in RDP with a strong authentication logon agent? That eliminates the need to open another port through the firewall. If you use Microsoft's ISA Server you can even proxy filter the Active Directory logon credentials in a way so an adversary won't even GET to the real resources until authenticating via AD at the firewall. Guess what, you can't do that in an open source environment. Even with Samba, you cannot leverage your AD infrastructure for security policy enforcement at the firewall (be it iptables, ipf or what have you).

It's all about using the right tool for the right job. You typically have interesting and relevant content on your blog. However, I gotta call you on your comparison of the Microsoft infrastructure vs open source. It's not a practical comparison in the REAL world of SMB networks, and it really is inaccurate in its definitions of what the technologies offer the business.

Posted by SilverStr at December 19, 2006 04:23 PM
Comments

Dana:

Way to call me out! And I'm glad to hear you are a regular reader. As you probably have inferred from previous posts, I definitely prefer to toss out a half-baked idea for discussion rather than wait for the souffle to rise. Primarily, because I am one slow thinker.

In this case, while I didn't use the words TCO, I used the phrase "what is a poor company to do?". Perhaps I should have said, "what should a company using Linux do?". What really struck me (and made it easy) was that I had already tested all the technologies listed. I could have done additional homework and testing to find something more equivalent than Squirrelmail, e.g.

Not sure I follow this: "You still need a SEPARATE 2FA server if you want to leverage your Windows network. Instead... why doesn't WiKID build agents for those Windows networks?" Why not use ISA and RADIUS? Yes, you have a separate server, but it certainly doesn't need to be a big one. Perhaps we need a post on how to set up an MS-esque security infrastructure using SBS as a basis?

Nick
(cross-posted to my blog also: http://www.wikidsystems.com/WiKIDBlog/how-to-get-microsoft-esq)

Posted by: Nick at December 20, 2006 06:39 AM

sorry, that cross post url should be:
http://www.wikidsystems.com/WiKIDBlog/how-to-get-microsoft-esque-security-with-open-source-software

Posted by: Nick at December 20, 2006 09:12 AM

Hey Nick,

I will respond to this on your blog as well...

You can indeed use ISA with RADIUS to meet perimeter authentication needs. My point about the second SAS is the fact that if you want to use a logon graphical identification and authentication (GINA) module, you would have to purchase a different solution. That same GINA will work across all workstations and terminal servers, and can offer desktop level logon protection as required. When controlling a trust boundary (in this case an untrusted remote client accessing the trusted desktop via RDP) it makes sense to force 2FA at that choke point... aka the desktop logon. Although you could (and should) control session access at the firewall, infosec best practices dictate that you should also do it there.

You might be right that we need a post about deploying SBS. Since the premium version of SBS COMES with ISA for free... there is a lot the server has to offer. Maybe over the holidays I will have some time to do just that. Can't make any promises though.

Keep up the good work. And Happy Holidays.

Posted by: Dana Epp at December 20, 2006 09:46 AM