Cisco IT Manager Targeting 70% Linux

RMX writes "LinuxWorld Australia has an interesting article discussing Linux Desktop adoption in Cisco. Cisco "already converted more than 2,000 of its engineers to Linux desktops...plans to move many laptop users to the platform over the next few years...the driver for Linux on the desktop is not cost savings, but easier support. Manning estimates that it takes a company approximately one desktop administrator to support 40 Windows PCs, while one administrator can support between 200 and 400 Linux desktops.'"

40:1 ?

[Heem]

Ha, 40:1 ratio for desktop support personell for windows? Tell that to alot of IT managers, in particular, my former employer. Try 200:1

TCO

[Docrates]

I wonder if those microsoft studies that show Windows' TCO better than Linux's account for the "productivity" of a linux engineer...

What i'm sure it doesn't show is that a linux engineer handling 200 computers can provide a much better service (due to the fact that more is "known and controllable" in linux than windows) than a windows sysadmin handling the same amount of computers, resulting in lower costs of security, less costs related to spywares, viruses, user support calls, etc.

Cost Savings

[p0rnking]

"... the driver for Linux on the desktop is not cost savings, but easier support. Manning estimates that it takes a company approximately one desktop administrator to support 40 Windows PCs, while one administrator can support between 200 and 400 Linux desktops."

Isn't this still Cost Savings, when you don't need to hire as many admins?

Re:Critical mass...

[MPHellwig]

Okay by this you assume that the (security) design of windows, unix and all other OS'es out there are the same and have the same effects? Naïve at least.
Frankly 2003 with SP1 and XP with SP2 is getting there, it only took them a while.

License management...

[DrDribble]

Apart from the ease of creating a company software update ftp (apt-get, yeast, swaret, slapt-get, etc), I really think the license and CD administration to be a pain in the Windows admin's butt.

My Windows co-workers often need a CD either because they need new software, or due to their computer requesting a CD due to some function not already installed. Finding the RIGHT CD (they are like 1000 cd's every month, and they are neatly marked in INVISIBLE, but very fancy, writing) is a total pain. Then, there is the issue of which key is used for this one (oh, you used the english version!) really turns this into a nightmare.

Folks running windows run all kinds of different versions of their software. Why, upgrading costs time and money. On my Slackware machines, swaret has done all upgrades for me, totally automatically! Just upgraded one PC from Slackware 9.0 to 10.1 - swaret --upgrade wait for a while (was a 200mhz...) and reboot when all is done. No keys, no CDs, no cost. Totally brilliant!

Re:Critical mass...

[Waffle Iron]

and what exactly is going to happen when a non rooted user executes that worm?

Little if any functionality of most worms requires root privileges. They could run just fine as a user process.

about the worst thing that can happen is the home directory to be wiped out

Which is usually the only directory on a workstation that contains any information of value.

Delete all your home directories, rsync or rdiff your backup in and magically things just work.

You could restore the entire filesystem on any computer to achieve the same thing.

There are many factors that make Linux less worm-prone than windows. Taken together, they add up to a huge disparity in malware prevalence between the two OSes. However, no single factor is a magic bullet, and that includes the relative difficulty of running with root privileges. It's just one small piece of the puzzle.

Right,

[warrax_666]

but usually patches for OSS vulnerabilities are not bundled along with all sorts of other updates. This means that far less testing is usually needed for OSS security patches. (Or, that's the theory, anyway.)

Linux on the Desktop will Accelerate

[reporter]

Linux's eventual success on the desktop will be due largely to IBM. As a company, it has made a disproportionately large contribution of programmers and money to the development of Linux. IBM just announced that it will spend an additional $100 million for the sole purpose of proliferating Linux onto the desktop [informationweek.com].

Linux is easier to maintain than Windows, largely thanks to IBM. Linux is more reliable and is less prone to infection by viruses and malware (e.g. spyware) than Windows. IBM ensures that any OS (whether it is commercial or free) shipped to customers on its computer systems meets stringent requirements for reliability.

IBM has been vindicated. IBM initially tried to dethrone Microsoft by producing OS/2, but it was a failure. Now, IBM has thrown its weight behind a product (i.e. Linux) developed outside of IBM, and that product is succeeding in hurting Windows.

Re:Critical mass...

[SunPin]

So when linux reaches critical mass and people spend as much time searching for/writing worms for it as they do for windows, how's that support ration going to look?

Considering that Linux is not monoculture and Linux machines never run as root the way Windows machines do, the support ratio will not change. Cisco's internal distribution might be monoculture but how do you suppose virus writers will figure out company changes? They won't.

Virus and general malicious software is difficult to write when everyone is running Linux. People will continue to try but only the hardcore. Script kiddies, in contrast, would become extinct.

Look at a vulnerability

[warrax_666]

lists and you'll find that most vulnerabilities are either buffer overflows or string format vulnerabilities. There are very few circumstances where fixing those with a one-liner patch would change behavior in a way that other code depends on. If there were any such code then that in itself indicate possible data corruption bugs in the currently running software.

In short: When you don't bundle fixes you typically have one-line fixes which don't break code which isn't already broken (by relying on buggy behavior). Hence, testing time is minimized.

Re:Critical mass...

[Apreche]

Why do people keep bringing this up? It's a logical fallacy. I understand that it seems to make sense that if more people use linux, as much as they use windows, it will be a bigger target and easier to hit.

However, this is simply not the case. Windows is a very homogenous system. Every win2k box is a win2k box. The only differences are slight differences in configuration.

Linux is heterogenous. I mean even if you take a distribution like fedora core 3. Every FC3 box has the same kernel. And if they are up to date they all have the same versions of stuff like glibc. A linux box is a collection of many small pieces of software. Windows is one giant blob of software. So maybe you find a hole in a particular version of openssh. Lots of linux boxes have openssh of varying versions. So you might be able to hit a bunch of them. But it is very difficult to target linux the way you target windows because the number of systems that are similar enough is very small, even if the whole world used it.

You would literally have to find a hole that is present in all 2.4 an 2.6 kernels regardless of patches applied in order to get enough of the linux boxen. And some people still use 2.2. 2.0?

Re:40:1 ?

[Radical Rad]

Ha, 40:1 ratio for desktop support personell for windows?

I used to work in an all-microsoft shop back when Nt4 was new and at that time the ratio for us was about 20-30 users to 1 support person. However we did more than just helpdesk support. But when I left to come to a NetWare shop I was amazed at how many more users were being supported per number of IT people. It was at least triple. And to top it off, at the NetWare shop we are responsible for much more than at the other place. In addition to data we also handle phone and security and support users at remote locations. So I think the ratio will differ from company to company depending on various things but I know from experience that Windows is support intensive.

Support cost less not due to windows per se...

[SdnSeraphim]

What about this idea...
If a support tech can only support 40 windows PCs, but another support tech can support 200 Linux PCs, is the difference the amount of support or the intelligence of the tech.

Now I run windows, and have administered windows and I develop software for windows. However, Linux is not as straightforward to administer as windows. I think it requires someone with more skills to administer a Linux box than a windows box.

Someone with more skills will likely be better at administration in general, regardless of which OS. So it is kind of a split problem. To administer linux boxes, you need someone with a good skill set, but they can administer more boxes, but probably at a higher salary. To administer windows boxes, you may not have to pay as much but each tech supports fewer boxes.

If done right, Windows workstations aren't bad..

[cbreaker]

At my company, we have over 5,000 Windows XP workstations; notebooks and desktops. A team of about 10 people manage the entire system.

With the help of Active Directory, some really neat software (Marimba) and some planning, you can manage thousands of Windows workstations with a minimal staff.

You lock down the machines (no admin logins) you manage the software versions and patches (centralized software distribution) and you don't allow users to install software on their own.

Denying admin logins alone stops 95% of all spyware.

40 workstations without any control WOULD be all an admin could handle, but when you deploy them correctly you can support over 10x that - just like any other system.

Re:but microsoft....

[Anonymous Coward]

Just like the Bible is the word of God according to the Bible. Some morans will believe anything

Re:40:1 ?

[flithm]

All of you people who are balking at the 40:1 ration need to grow up. No offense to you or your little piddly-ass companies, but this is an article about Cisco.

Every company is different, and I guarantee you most of the people at Cisco are doing a hell of a lot more interesting things that answering email, writing word documents, and scheduling meetings.

You really have to consider all the factors involved, of which we don't have many, so if the IT manager at Cisco says he need 1 support person for every 40 machines, he's probably not lying.

Maybe instead of merely slamming his numbers you could try to extrapolate and learn from.

A pipe dream?

[pangur]

I work for a Cisco reseller, and I see Cisco sales guys all the time.

There are rumors that the CallManager software (Cisco's IP PBX) will be ported from Windows 2000 to Linux. As it is, to run this box safely today requires having the box on its own subnet with access lists, running anti-virus software on the box(es), running Cisco Security Agent (looks for anamolous behavior of running programs), and running the boxes in a redundant fashion. Not that porting to Linux would solve all problems, but a box that runs a web server, SQL2000, and Windows 2000 has a fair number of issues that could r0x the b0x. Not the least is that if you download a patch from Microsoft that Cisco hasn't approved, and it breaks the box, Cisco TAC will wash its hands of you.

However, Cisco and Microsoft are not only in bed with each other, they are spooning. Part of Cisco's new security initiative involves running Cisco software on desktops to check if the anti-virus and CSA software are up to date, and not allow them to join the network until they are. This is part of those Cisco commercials where the "Self-defending Network" comes in and stops attacks. Getting Cisco software to use the Microsoft API in a world where MS could simply roll their own software just like it for free is a tricky business. Cisco needs to know what Microsoft is doing, and Microsoft could just as easily start doing more business with Juniper should they want to.

What I'm saying is that Cisco uses Linux today for a good number of its products (Content Networking, CallManager, etc) because of its stability. However, the aims of this guy to publically change internal desktops to Linux would be nullified by just one phone call from Gates to Chambers (Cisco CEO).

Re:I work for Cisco...

[Anonymous Coward]

cisco guys are going to be more technical. Such windows "power users" are much harder to support than office clerks. 200 or so was the norm in a big bureaucratic non-computing-industry corporation I once worked for - but the support necessary was just for windows, office (including Access) and IE, and various intranet web apps (IE-specific craptivex based, of course).

The requirements for supporting an engineer's windows desktop securely would be much higher, if you support them at all. Whereas on linux, package management that actually works (.msi exists, but it's a whole lot worse than .rpm...), clear segregation of admin and ordinary users, etc., makes support linux workstations for technical people much easier than windows workstations. At my present work, 2 people admin about a hundred physicists' linux desktops, and about 20 windows ones. The linux ones are a centrally-administered breeze, even though each desktop has a different installation profile. So do the windows ones. They aren't a breeze.

Re:1:40 ?

[gabebear]

Seems pretty low to me, but I've heard of much worse, although I really don't see how they improved by switching. You have to take in to consideration what their tech support does; support ratios alone don't mean anything;

• How often are computers replaced? You can no longer easily ghost Windows between different computers.
• How many computers per user?
• laptops generally require more support
• How bad is employee turnover?

Re:If done right, Windows workstations aren't bad.

[Anonymous Coward]

>>Denying admin logins alone stops 95% of all spyware.

Hmm. Are you sure that wouldn't be 96.3% or 93.7%, or did you just pluck that percentage out of thin air?

OF COURSE no sysadmin worth the name (and its not much of a name in the first place seeing as how they are the bottom feeders of the IT world) would allow admin privileges for standard logins.

Re:40:1 ?

[LnxAddct]

It really depends on the company and skill level of the admin. The typical person on slashdot is not the typical windows admin. I've seen plenty of shops where the ratio was as low as 1:12 and the admins were still freaking out and had no idea how to handle themselves. On a side note however, not only is the ratio of admin to user better for linux because of easy administration tools and things that just work(tm) but its also much easier to just say "okay here is your home directory, have fun" Lock them from the rest of the system (every distro I've seen does this by default more or less). Do an incremental rsync of their home directories everynight and if something ever goes wrong just delete their home and replace it with a good copy. The nice thing about linux is that once it gets running, it stays running. This is from experience of setting up shops with Fedora or Red Hat Enterprise Desktop depending on their needs and level of necessary suport etc...
Regards,
Steve

Re:40:1 ?

[rtphokie]

Yup, it's the secretaries and managers (the higher they are, the worse the problems) that cause the trouble. Unlike engineers, they the ones who get most of the viruses. The secretaries and managershey are the ones that are least able help themselves.

Wrong!

[soloport]

As the poster says, the driver for Linux on the desktop is not cost savings, but easier support

And EVERYONE knows that easier support doesn't save any cost.

Re:Critical mass...

[digidave]

Umm.. no. The home directory is mostly personal preferences and documents. They should be backed up regularly anyway, so an admin just needs to replace with a last known good backup.

The key is that it's very hard to destroy a system with a Linux virus.

Re:Support cost less not due to windows per se...

[jtev]

Where are you coming up with this? It's harder to PROPERLY administer a windows box than to PROPERLY administer a Linux box. Doing many administrative tasks in Linux is far more straighforward than in windows, there are a few that aren't but those are all one shot, then leave it the hell alone forever tasks. Once a Linux machine is set up, it's pretty simple to just leave alone. It's also very simple to configure multiples of the same machine without buying new software, just install, insert identical hard drive to secondary master, cp /dev/hda /dev/hdc then move the secondary master into a new computer, insert identical disk again, repeat until finished. You can also do a netboot or floppy boot that connects to an ftp server with the disk image on it and copy from there. Or the other option is a totaly diskless workstation where you simply have one server with all the files, or multiple servers with the files, and netboot everything.

Re:40:1 ?

[captwheeler]

so if the IT manager at Cisco says he need 1 support person for every 40 machines, he's probably not lying.

Because no manager ever fudges the staff numbers to make a case, right?

Re:Different perspective...

[Anonymous Coward]

It seems like this discussion is basically going like this:

"Linux is easy because we set up proper polcies and enforce them. Windows is hard because we haven't bothered to do so."

In other words, you guys are proposing a technological solution (Linux) to a political problem (user desktop control, admin saavy).

Re:Different perspective...

[cduffy]

"Windows is hard because we haven't bothered to do so."

More akin to: Windows is hard because users have expectations, gained based on home use, which are broken by proper security policies, and IT doesn't have the political clout to transitions those users to an environment that breaks their expectations. There are also cost issues -- getting Windows equivalents to some of the functionality we use for managing our Linux systems would imply going to Windows Server 2003, buying a bunch of Windows licenses, buying a bunch of 3rd-party tools with licenses for those, etc. For the time being, we're a fairly low-budget operation.

In other words, you guys are proposing a technological solution (Linux) to a political problem (user desktop control, admin saavy).

Damn straight, but it works! We sit the user down in front of a Linux desktop, and they don't expect to have administrative rights, so the political issue is entirely circumvented.

Re:40:1 ?

[LnxAddct]

On the east coast of the States, Philadelphia, New York, Boston, and the other big cities are really picking up pace in the linux arena, more so on the server side but every now and then on the client side as well. I don't know if it'd be a feasible business model to focus solely on consulting for linux based businesses or businesses that are interested in linux, but it definilty helps to add it to your "bag of tricks". Pretty much as a consultant you should recommend the best tool for the job and increasingly this is becoming linux. If I were you, I'd definitly start consulting on linux systems, its a fairly small market right now so you might not want it to be your only focus, but their is room for ton's of growth and according to forecasts, by 2008 the business should be huge.
Regards,
Steve

Re:Look at a vulnerability

[runderwo]

You're being stupid.

The choice is between having a security hole in a deployed piece of software, and running the risk of breaking applications that depend on that security hole. It's your choice whether or not to install security updates. How is the community supposed to regression test against your buggy closed source in-house software? Obviously, they can't. That's one of the responsibilities that you took upon yourself by standardizing on a poorly-supported proprietary application in-house.

It's ridiculous to blame the community for not having a magic wand to detect how every deployed site is using the software internally. If you want to do more regression testing than the community is able to do, then you are free to do it yourself before you deploy the fix.

Re:40:1 ?

[shaitand]

"Does Cisco *really* emply such a large team of nothing-but Windows admins? At my work, we have about 200 Windows PCs... and Wayne, the admin."

In order for a windows admin to support 200 pc's he has to be EXTREMELY overworked, and the setup has to be very simple and streamlined.

Now I'll grant that 40-1 is low, but that is about what it would take to be able to deliver IMMEDIATE response to technical problems without users being able to install/configure software themselves (meaning at any given moment there will be someone sitting around waiting for a call) which is probably what cisco is looking for when it comes to its Engineers. The higher the ratio goes, the more it becomes about setting up a queue of tasks, the admin's ability to juggle tasks, and reasonable rather than immediate response times.

Cisco admins are probably making 40k/year and the engineers are making 250+k/year each... they probably figure this is worthwhile to minimize downtime.

At 400-1 a linux admin will probably have reasonable idle time, but you can't guarantee that two problems will come at once. This is where having 5 admins who administer 2000 pcs come in, ONE of them will be more likely have idle time when that second problem comes in. Of course those 5 admins are probably making $80k/year rather than $40k/year like the windows admins were but the salary of 10 admins with only 5 sets of benefits is a great deal less than 50 salaries and 50 sets of benefits.

"His poor admins who now have to support linux with inadequate training..."

Keeping the same admins would be categorically stupid. You simply get rid of the windows admins (they did not have the knowledge needed to perform their job function, no unemployment for you!) and hire in real linux admins. Or maybe discover that some of your windows admins were really linux admins who took the job to get Cisco on their resume.

Since the support costs of linux ARE lower than the support costs of windows I doubt he is fudging the data.

Re:1:40 ?

[Fallen_Knight]

There are alot of things you CAN do with a windows box (ghosting for instance) that you need to buy software for most of the time, but then with linux you get the same tools and abilities for free and built in.

Re:Get the Facts(TM)!

[einhverfr]

Wow. You didn't get the joke about Ballmer acting like a Chimpanzee ;-)

A couple of points:

1) I hold the following certs: MCSE, MCSA. LPIC-2, A+, Network+, Server+, Inet+

2) I spend at least as much time as a consultant working with Windows as I do helping my customers with Linux. I can design Windows networks and troubleshoot them with the best.

3) I used to work at Microsoft.

Ok...... Now for my opinions:

1) Windows sucks because it is TOO COMPLICATED.

2) Windows security sucks because Windows is too complicated and interdependent.

3) Windows is getting more technician/admin friendly but it is still full of braindead dependencies. This ensures a Sendmail-like security record on both the server and the desktop.

4) Linux costs less to support because it is simpler.

5) Training costs for corporate workstations is less with Linux than Windows because it is less complicated.

6) Linux is more predictable due to better quality code and more simplicity. This makes it easier than Windows for a newbie to learn.

The above comparisons assume that one can readily run similar programs on both operating systems. In areas where this is not the case, YMMV.

Sometimes I think that MS shills are invading slashdot!