Linux vs Windows based DVR, the debate continues.....

I stumbled across this site. Linux OS vs Windows OS, which is better for DVRs? Your comments would be most welcome. Thank you


Linux for me. Our company actually did try Neugent cards.

The GUI is very nice and seems user friendly; however, we could only get 15 FPS at full D1, so we dropped it in favor of GV.

 

The day you manufacture 30 FPS at full D1 on all channels, we are in.


4CIF is pretty close to full D1.

 

16 channels at 4CIF @ 30 fps/channel PLUS 16 IP cameras including megapixel at full resolution PLUS 16 or 32 channels of audio PLUS full POS or connection to any open database PLUS full logging of incoming and outgoing Caller ID data PLUS... well, the list goes on.

 

3xlogic


I think both have their advantages; however, I don't think it is as important as having whichever OS embedded on chip.

 

If left alone, XP Embedded is very stable, but it is susceptible to change and viruses, so both are good, but both should be on chip... until more DVRs adopt XP or Vista on chip, I am sticking to Linux.

As far as I know, a Linux-based DVR is much more stable compared to a Windows-based DVR.

 

I think your logic is flawed for several important reasons:

 

1) Both operating systems present a variety of on-going security flaws.

2) Most of the flaws discussed in the Windows vs Linux debate revolve around applications and not the OS itself.

3) Nearly every discussion out there is comparing Linux/Apache against Windows/IIS, which is totally inaccurate for Windows-based DVRs that have all commonly exploitable technologies disabled.

4) Most Windows implementations are managed in some fashion, with many set up for automatic update.

5) I've yet to find an end-user who regularly applies Linux security patches to their DVRs or their Linux-based IP cameras. Do most end-users even know which open-source group provided the Linux build they are using? Would they know where to go for the patches they need?

 

You may think from the above that I am plugging Windows and really I am not. My argument is that the end-security of a product actually has very little to do with the OS it is built on and EVERYTHING to do with how the manufacturer built it, how it was installed and how it is maintained.

 

Here are some important questions to ask:

 

Does the manufacturer's development process have security considerations built into the architecture, the code and the solution as a whole, including how it is deployed and maintained?

Manufacturers that provide secure products spend incredible amounts of money considering how their application interacts with the OS, how it is going to be deployed and thousands of other considerations, including who has access to the code and so forth. How do you know that the Linux DVR you bought from Korea or China does not have a Trojan or back door? Does the manufacturer really understand the architecture of your network? Do they understand your governance requirements? Do they understand how you maintain your installation? Did they provide training and guidance on a secure installation? Do they regularly communicate with you when someone reports a security flaw?

 

What is the manufacturer's implementation of the OS? Is it some off-the-shelf package that has not been hardened? Does it even have the latest OS code installed?

Many of the installations I see contain old, unpatched code... right out of the box. It doesn't matter if it's Windows or Linux. If it comes out of the box with exploitable software... it's exploitable.

 

Did the manufacturer rely on commonly exploited technologies?

Some manufacturers build the entire user interface including the remote client from proprietary technologies. Some manufacturers rely on web-browsers, web servers, and dozens of services provided by the operating system for which vulnerabilities are routinely discovered. This applies to BOTH operating systems.

 

Does it run a web server on the DVR for remote access?

Regardless of the OS, web applications are the single most vulnerable and exploited technology today, and in fact the maintenance burden (meaning how much time you must spend to keep it secure) is phenomenal. You might have it super secure today, and yet by tomorrow morning a new flaw will have been discovered. Again, this applies to both OSes. Does your DVR have port 80 open? Does it allow remote access using or relying on OS resources? This is the single most overlooked issue when trying to select a secure solution.

 

This list could go on, but again, my point, in my (not so humble?? ha ha) opinion, is that OS selection has very little to do with the security of one DVR against the other. It has everything to do with software, configuration, architecture, deployment and maintenance.

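An added example, not code from the thread or from any vendor mentioned in it: a small Python audit that answers the questions in the post above for a DVR on the wire. It sweeps a list of common remote-access ports, then for each open port sends an HTTP HEAD, records the Server banner the box advertises and notes whether the root page comes back without an authentication challenge (a 2xx) or behind HTTP Basic auth (a 401). The DVR it probes is a constructed stand-in that runs in a thread inside the script, so it works offline; the `lighttpd/1.4.20` banner, the Basic realm and the port table are assumptions for the demo, not findings about any product. Point `audit()` at a real host and port list to use it for real.

```python
"""Attack-surface check for a DVR: open ports, web banner, auth on the root page.

Added example; the fake DVR, banner and port table are constructed assumptions.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Iterable, List, Optional, Tuple

# Ports a DVR commonly exposes for remote access (a generic list, assumed here).
COMMON_DVR_PORTS: Dict[int, str] = {
    21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https", 554: "rtsp",
}


def open_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[int]:
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def parse_http_head(raw: bytes) -> Tuple[Optional[int], Dict[str, str]]:
    """Parse the status line and headers of an HTTP response; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    status = None
    parts = lines[0].split(" ", 2)
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers


def probe_http(host: str, port: int, timeout: float = 3.0) -> dict:
    """HEAD the root page and report what the web UI admits to."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        raw = b""
        while b"\r\n\r\n" not in raw:          # read until the header block is complete
            data = s.recv(4096)
            if not data:
                break
            raw += data
    status, headers = parse_http_head(raw)
    return {
        "status": status,
        "server": headers.get("server"),
        "auth_required": status == 401 and "www-authenticate" in headers,
        "unauthenticated_root": status is not None and 200 <= status < 300,
    }


def audit(host: str, ports: Iterable[int]) -> dict:
    """Port sweep plus an HTTP probe of every open port (non-HTTP ports just stay listed)."""
    result: dict = {"open": open_ports(host, ports), "http": {}}
    for port in result["open"]:
        try:
            result["http"][port] = probe_http(host, port)
        except OSError:                    # not HTTP, timed out, or hung up on us
            continue
    return result


class FakeDvrHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a DVR web UI: old server banner, Basic auth over plain HTTP."""

    def version_string(self) -> str:
        return "lighttpd/1.4.20"          # constructed banner, not a real finding

    def do_HEAD(self) -> None:
        if self.path == "/":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="DVR"')
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the example quiet
        pass


def start_fake_dvr() -> ThreadingHTTPServer:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeDvrHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Run the audit against the in-process fake DVR on an ephemeral port."""
    srv = start_fake_dvr()
    try:
        return audit("127.0.0.1", [srv.server_address[1]])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point of the `unauthenticated_root` and `server` fields is to make the two questions from the post concrete: a banner naming an OS-supplied web server tells you the DVR is relying on OS resources for remote access, and a 2xx on `/` without a challenge means anyone who can reach port 80 gets the UI. Run it before trusting a datasheet that says "embedded" or "hardened".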

Agree with dnieweg... but the misconception stems from common experiences with Windows (see attachment: more users, ergo more chances of having issues, including our good friend). True, manufacturers should market hardened systems.

 

How about cost?


Windows will be more expensive on a cost-per-unit basis. Linux is going to have higher capital costs for development and higher long-term costs for technical support. Depending on how many units you're talking about, it's a wash.

1) Both operating systems present a variety of on-going security flaws.

Correct... however, there are more viruses for Windows and many more exploits... again, if on chip it is less likely to be affected; a solid-state OS is much more secure.

 

4) Most Windows implementations are managed in some fashion, with many setup for automatic update.

Agreed... again, on chip fixes this, as it requires a firmware upgrade.

1) Both operating systems present a variety of on-going security flaws.

Correct... however, there are more viruses for Windows and many more exploits... again, if on chip it is less likely to be affected; a solid-state OS is much more secure.

 

Solid-state OS is not any more secure than putting the OS on a hard drive. That's a completely retarded statement. If there are any write permissions I can place an exploit in the system. Permissions don't change because you're using a different media.

 

4) Most Windows implementations are managed in some fashion, with many setup for automatic update.

Agreed... again, on chip fixes this, as it requires a firmware upgrade.

 

How does making it more likely to brick the system with a faulty firmware upgrade increase the security? Given that it requires the manufacturer to release upgrades, you're caught weeks behind any security issues.


Because if the OS is on chip, and firmware can only be upgraded while in front of the box through a serial connection, it can't be affected.

 

Unless it's allowing firmware upgrades through the net, it can't be hurt or vulnerable... correct?

 

Perhaps I am wrong... I really would like to know.


Thomas is absolutely correct. Putting the OS on a chip is the opposite of adding security. I believe what you are thinking is that if the OS is locked in stone that other programs can't come along and change the OS code which is correct, BUT that is not the problem.

 

The problem is that the OSes already have the exploits built into them... they just have not been discovered yet. Every day new ways to attack the OS are discovered, so we have to respond by releasing patches to fix the vulnerability.

 

Having your OS in firmware means that you have to go out to every location to re-bake the OS onto the firmware for every patch. Not likely to happen on a regular basis, as is required for effective patching.

 

Also, you are thinking that the security of the OS itself is the goal, and it's not... it's the security of the data that resides on the system, as well as the ability to gain root access to the system so that further control of your network can take place. In other words, if I am an attacker and I cannot change the OS code because it is in firmware, it makes no difference to me if I have the ability to log into the system with root access, obtain all the data in the system and poke around your business's network.

 

As for the number of flaws discovered in Windows vs Linux, you are right... over time more flaws have been discovered in Windows due to the large amount of people working every day to find them by trying every combination of hacking possible. But the fact remains that Windows flaws are historically resolved and deployed much faster than Linux flaws, most times before they are exploited on a wholesale basis.

 

I will again restate what people don't seem to realize... The greatest security threat to your network and your data really has very little to do with the OS and much more to do with the applications and how they are deployed. Windows' greatest threat has been Outlook. If you take the Microsoft applications, including web applications, out of the picture, an argument could certainly be made that Windows is ultrasecure by comparison.

 

I will also restate that most of the Linux DVRs being sold are manufactured in Asia, and the people who buy them have no clue what open-source version of Linux has been used, have no idea what patches are missing, have no idea what additional software is running in their DVR, and certainly have no idea where to get patches or how to apply them. This makes these "solutions" an obvious problem for corporate security.


The problem is that you magically assume that the serial connection works without touching the OS. And that's not the case. Which means the OS has write privileges to the chip. So any interaction with the OS remotely, or any application sitting on top of it runs the risk of being hijacked.

 

And that assumes all attacks require writing to the drive. Attacks like the Slammer worm stayed only in RAM.

 

And on the Linux side, while the OS tends to be more secure, the applications sitting on top of it tend not to be. Apache for instance. It's a great and amazing web server. Extremely powerful, very stable. But it's like any really powerful tool. If you don't know what the fuck you're doing with it then it will bite you on the ass.

 

Now keep in mind that the vast majority of the embedded units are made in China. A country noted for taking short cuts, poor quality control, and the odd inserted Trojan. Do you really think the code they produce is high quality?

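An added example, not from the thread: the point above, that a serial-only upgrade path still goes through an OS that has write access to the chip, can be checked on any Linux-based DVR you can get a shell on. The script below parses the kernel's `/proc/mounts` and `/proc/mtd` and lists every mount that is both writable and backed by persistent storage (a flash partition or a disk), which is exactly where a persistent implant or a changed config lands no matter whether the vendor calls the design "on chip". The two input texts are constructed samples in the usual kernel format, not captured from any real product; the partition labels, mount points and device names are assumptions for the demo. On a real box, feed it the contents of the two `/proc` files.

```python
"""Is 'on chip' actually read-only at runtime? Parse /proc/mounts and /proc/mtd.

Added example; MOUNTS_SAMPLE and MTD_SAMPLE are constructed, not from a real DVR.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed /proc/mounts: squashfs root (ro) with a writable jffs2 config
# partition on flash and a recording disk. Layout assumed for illustration.
MOUNTS_SAMPLE = """\
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,relatime 0 0
/dev/mtdblock3 /etc/config jffs2 rw,relatime 0 0
/dev/sda1 /var/record ext3 rw,noatime,data=ordered 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
"""

# Constructed /proc/mtd: partition table in the kernel's own format.
MTD_SAMPLE = """\
dev:    size   erasesize  name
mtd0: 00040000 00010000 "bootloader"
mtd1: 00200000 00010000 "kernel"
mtd2: 00c00000 00010000 "rootfs"
mtd3: 00100000 00010000 "config"
"""

# Filesystems that live in RAM or are kernel views; writes there do not persist.
PSEUDO_FS = {"proc", "sysfs", "devtmpfs", "tmpfs", "devpts", "ramfs", "rootfs", "debugfs"}


@dataclass(frozen=True)
class Mount:
    device: str
    point: str
    fstype: str
    options: frozenset


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts lines: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append(Mount(parts[0], parts[1], parts[2], frozenset(parts[3].split(","))))
    return mounts


_MTD_RE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"(.*)"$')


def parse_mtd(text: str) -> Dict[str, str]:
    """Map mtdN -> partition label from /proc/mtd (the header line is skipped)."""
    parts: Dict[str, str] = {}
    for line in text.splitlines():
        m = _MTD_RE.match(line.strip())
        if m:
            parts[m.group(1)] = m.group(4)
    return parts


def root_is_readonly(mounts: List[Mount]) -> bool:
    """True if the real root filesystem (not the initial 'rootfs' stub) is mounted ro."""
    real = [m for m in mounts if m.point == "/" and m.fstype != "rootfs"]
    return bool(real) and "ro" in real[-1].options


def persistent_rw(mounts: List[Mount], mtd: Dict[str, str]) -> List[str]:
    """Mounts that are writable AND backed by persistent storage (flash or disk)."""
    findings = []
    for mnt in mounts:
        if "rw" not in mnt.options or mnt.fstype in PSEUDO_FS:
            continue
        m = re.match(r"/dev/mtdblock(\d+)$", mnt.device)
        if m:
            label = mtd.get("mtd" + m.group(1), "?")
            findings.append(
                f"{mnt.point}: flash partition {label!r} ({mnt.device}) mounted rw, {mnt.fstype}"
            )
        else:
            findings.append(f"{mnt.point}: {mnt.device} mounted rw, {mnt.fstype}")
    return findings


def audit_storage(mounts_text: str, mtd_text: str) -> dict:
    """Summarise whether the running OS can persist changes to its own storage."""
    mounts = parse_mounts(mounts_text)
    return {
        "root_readonly": root_is_readonly(mounts),
        "writable_persistent": persistent_rw(mounts, parse_mtd(mtd_text)),
    }


# Note (general Linux behaviour, not shown by this script): partitions that are
# not mounted at all, such as "bootloader" and "kernel" above, are still reachable
# for writing by root through their raw /dev/mtdN nodes, and /proc/mtd does not
# say whether the kernel marked them read-only. Mounted filesystems are only the
# most obvious write path.

if __name__ == "__main__":
    for line in persistent_rw(parse_mounts(MOUNTS_SAMPLE), parse_mtd(MTD_SAMPLE)):
        print(line)
```

On the constructed sample the root image is read-only, but the config partition on flash and the recording disk are both writable by whatever runs as root, so an attacker with a shell has two places to persist without ever touching the firmware image itself. That is the distinction between "the OS image cannot be modified" and "the system cannot be compromised".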

I can agree with most that is above... I disagree that Windows is more secure... perhaps patches are produced quicker... but there are sooo many vulnerabilities for all the apps in Windows... agreed that most standalones are made in Asia, but not mine... as for updates, we remote into a PC that has a serial cable connected to the DVR, but it is never attached by default... as for loss of data, we run to a local SAN, all connections on our private IP and no outside access, so pretty darn secure.

You can say what you like, but I would prefer to only have to reflash than reload Windows, and there are millions more viruses written for Windows than Linux derivatives... all PCs are vulnerable. I prefer Windows-based PCs for features, but you can't beat an embedded standalone for stability and the ability to be secure.


Vulnerabilities are all in how you define them. Take Apache (and it's most likely going to be what's on an embedded unit), for instance. It's a fairly secure application if configured correctly. The major problem is that unless you really know what you're doing with it, it's amazingly hard to configure correctly. And problems from poor configuration aren't generally listed as a vulnerability, because if you configured it wrong, that's not a program fault or a code fault, it's a user fault.

 

And reflashing a system may not be an option open to you. If the malicious code decides to overwrite the chip with zeros, then the machine is bricked. The serial port is going to be useless. If you load a corrupted firmware, then you're most likely going to brick the system. If you have a tech who screws up and loads the wrong firmware altogether, you have a good chance of bricking the system.

 

You aren't going to remove the chip, so for a bricked system you're looking at a motherboard replacement. Which is cheaper, a hard drive or a motherboard? And keep in mind, I know who you use, and I know they aren't charging what the motherboard costs on Newegg.

 

So by preferring to use an OS on a chip, you don't gain any security. You do add some extra chances to fail, and you're requiring a more expensive replacement part to fix it if it does fail.

 

And, with the networking setup you describe, would a windows based machine be vulnerable? Not really, that's a fairly locked down box.


I would agree that given enough resources and attention any system can be made rather secure, which it sounds like you have worked towards. The issue is that mainstream corporate America does not.

 

One of my original points was that we have all these people out there buying Linux-based systems because they heard they were more secure but do not have any real possibility of deploying them securely for all the reasons previously listed.

 

As for your OS being on a chip, you are a unique organization since you don't mind cruising around from site to site reflashing each time a security update comes out. Well heck ... you are unique just due to the fact that you apply Linux updates at all. But the truth is that most organizations would not be able to bear the expense of visiting 50, or 150 or perhaps 500 sites to reflash even once a month. In addition, there is great value for our industry thanks to the Windows security update capability because it makes it easier, quicker, and less expensive for 99% of corporate America to deal with.

 

As for the multitude of security flaws routinely discovered in Windows apps such as Exchange, IIS, IE, Media Player and Office .... um ... why would you have those on your DVR? Most manufacturers I know, including my company, use an extremely hardened core configuration of the OS with all non-essential or potentially exploitable apps removed or shut down. In addition, we do not rely on OS resources for external communications, choosing instead to write proprietary apps for external facing activity. We would never even consider running Exchange or IIS so it's not really accurate to compare the security of a Windows-based DVR to a typical office computer running all the typical Windows apps.

As for your OS being on a chip, you are a unique organization since you don't mind cruising around from site to site reflashing each time a security update

 

Incorrect, I am not sure you understand me. We have two types of networks that we deploy our DVRs on... #1 Our own network: we work like an ISP in that we hold a large network of our own and place the companies we sell to on that network with their own private IP; for instance, my office may be 192.168.10.xxx and client A might be 192.168.20.xxx. We resell the network infrastructure and place our clients that we acquire on OUR network... not that I have a lot to do with that side of things... now obviously this is a private IP, not a Virtual Private Network, so it's pretty darn secure... so the DVRs that exist on this type of connection... have a unique feature: the caddy the DVR sits in has a set of dip switches which represent a binary number; this means we can update a group of DVRs at once and choose the ones we want to update and the ones we don't want to... very handy indeed. So we don't drive anywhere... even training is done remotely.

 

The second type of deployment is when they are placed on the customer's standard internet. When this is done we use one of our PCs onsite (they usually have one of our other products as well, so one of our PCs is always there)... we remote through the internet, using a secure connection (as secure as can be), and we log into this PC... before doing that we have called the customer and asked them to connect the serial cable between that PC that we remote into... and the DVR; we then flash the device... I don't like to flash through the net... I know it can be restored, but I don't want a DVR becoming a toaster... that way the UPS should last long enough to handle power fluctuations.

 

So we don't drive anywhere.

 

I admit most DVRs have a stripped XP or Windows whatever... but not all... I bet 90% of people installing Geo cards simply do a default Windows install... in fact I bet that 70% of the 90% even get their PC built for them with a standard install of Windows, then throw in the card.

 

There are many Windows parts that Geo and others use that can be exploited... but the truth is, if you want a way for video to get out, then there is always a way to get in... the best you can hope for is to make it hard as hell.

 

The safest is to own the network... own the SAN sites and charge to be on a secure network... also makes support really easy!


Linux will be more stable and reliable. It always has been in my experience. The appliances out there typically use embedded Linux.
