> We have finite energy and knowledge. I know how to configure a firewall on Linux. I don't know how to on Plan 9 and Windows. Should I run Windows, Plan 9, Solaris, FreeBSD, NetBSD, and Linux on my 5 servers to ensure I have diversity? To me, that makes it seem 5x as likely that I make a configuration error that leads to a critical vulnerability if I have to figure out 5 different ways to set up a firewall and sandbox. What about using software that historically has been shown to have vulnerabilities? For example, WordPress has had a lot of vulns in the past, so should I host one of my blogs on Ghost, one using Jekyll, one using WordPress, or should I only use a static site made with Jekyll because I know static sites are more secure? If I'm allowed to eliminate WordPress there, why can't I eliminate diversity at other layers? I know Linux is more secure than Windows IME, so can't I just not run any Windows hosts by the same argument that I won't use WordPress? You mentioned "diversity at every level (network)". Do you mean I should run WireGuard VPN for some of my networks, Cisco for others, unencrypted for others, just so I have more diversity? I'm genuinely curious because the model I've heard advocated so far is that a monoculture is more secure because you can eliminate less secure things (use WireGuard instead of unencrypted traffic), and gain mastery of a small surface area to ensure it is harder to attack. Adding diversity just for the sake of it, by its nature, adds more attack surface and requires more expertise to secure, so it seems to fly in the face of the common advice I normally hear.
No. At the scale of five servers, a monoculture is acceptable risk, and as long as other businesses at that scale are choosing different monocultures, the systemic risk is limited as well.
But in analogy to agricultural monocultures, larger fields make monocultures more dangerous, and many adjacent fields with the same monoculture increase the risk even more.
But geographic continuity isn't necessary in our networked world, so the analogy is of limited use, and any vendor with enough customers, no matter how spread out, makes an attractive target.