Every once in a while the powers that be throw something at you to make you realize what a bubble you live in. Today was my day.
One of my clients is a bank for whom I've installed a Linux-based firewall. Earlier this month they contracted a "Security Expert" to audit their entire network. They start off by saying the firewall is a security risk because "Linux is a public domain operating system where information on firewalls that run on Linux is easily found." Let me just quote some of their recommendations here:
Currently, firewall protection is running on a 386 clone running Linux Slackware version 7. After discussing the firewall configuration with the Internet Service Provider, it was determined that IP Chains are implemented for protection against outside intruders. IP Chains is an access-list only based application that does not monitor stateful sessions. This makes the firewall vulnerable to attacks where the TCP sequence numbers can be guessed and potentially compromise [The Bank]'s security.

And of course it just so happens that it is not Slack 7.0 and it is not using IPChains...
[name of security company] recommends the purchase of a certified firewall capable of the following features:
Implement an ICSA certified firewall capable of initiating and monitoring stateful IP sessions
Implement a firewall capable of randomizing TCP sequence numbers.
Last time I checked things out with Nmap, the TCP sequence numbers generated by the Linux TCP/IP stack were "Random Positive Increments." ...
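For anyone who wants to reproduce that check on their own stack rather than take an auditor's word for it, here is an added example (mine, not from the original post or from Nmap) that sorts a run of sampled initial sequence numbers into the same broad categories old Nmap printed: "Constant", "64K rule"-style fixed increments, "Random Positive Increments", and "Truly Random". The ISN samples are constructed, and the thresholds and the difficulty estimate are my own approximations, not Nmap's actual formulas.

```python
"""Rough TCP initial sequence number (ISN) classifier.

Added example, not code from the original post or from Nmap.  The sample
ISN runs below are constructed; the category thresholds and the
difficulty estimate are my own approximations of what Nmap reports.
"""
import math
import statistics

MOD = 2 ** 32          # ISNs are 32-bit, so deltas wrap modulo 2^32
HALF = 2 ** 31         # a delta below 2^31 is a "positive" step forward


def isn_deltas(samples):
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(samples, samples[1:])]


def classify_isn(samples):
    """Return a coarse category for a run of ISNs sampled back to back.

    constant                  every probe got the same ISN (trivially guessable)
    fixed increment           a constant step, e.g. the classic 64000 "64K rule"
    random positive increments  always moves forward, by an unpredictable amount
    random                    steps are spread across the whole 32-bit space
    """
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples to classify")
    deltas = isn_deltas(samples)
    if all(d == 0 for d in deltas):
        return "constant"
    if len(set(deltas)) == 1:
        return "fixed increment"
    if all(0 < d < HALF for d in deltas):
        return "random positive increments"
    return "random"


def isn_difficulty_bits(samples):
    """Crude guess-difficulty: log2 of the standard deviation of the deltas.

    This is my own stand-in for Nmap's difficulty index, not its formula.
    0.0 means the next ISN is completely predictable from the last one.
    """
    deltas = isn_deltas(samples)
    sd = statistics.pstdev(deltas)
    return math.log2(sd) if sd > 0 else 0.0


# Constructed sample runs, one per category.
CONSTANT_RUN = [1000, 1000, 1000, 1000]
SIXTY_FOUR_K_RUN = [1000, 65000, 129000, 193000]
RPI_RUN = [10, 1000010, 4000010, 4500010, 9000010]
RANDOM_RUN = [3000000000, 5, 2500000000, 4000000000, 1]

if __name__ == "__main__":
    for name, run in [("constant", CONSTANT_RUN), ("64K", SIXTY_FOUR_K_RUN),
                      ("rpi", RPI_RUN), ("random", RANDOM_RUN)]:
        print(f"{name:8s} {classify_isn(run):28s} "
              f"~{isn_difficulty_bits(run):.1f} bits")
```

In practice you would feed this the ISNs from a handful of SYN/SYN-ACK exchanges against your own firewall; a result of "random positive increments" or "random" with a healthy bit count is exactly the property the auditor's second recommendation asks for, and a "constant" or "fixed increment" result is the one worth worrying about.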
For most things I do Linux is the best tool for the job, and my customers respect my ability, so it has been a long time since I was actually slapped in the real world with "Linux is less secure because anyone can look at it."