on Fri, Aug 01, 2003 at 01:55:39AM -0700, Loren M Lang (lorenl@alzatex.com) wrote:

> Does anyone have recommendations about linux vs. openbsd? I have
> always used linux for everything and probably still will for the most
> part, but for security, would it be better to use openbsd? From
> what I hear, openbsd is a variant off of netbsd, but built with
> security at its top priority where linux is usually pushed more
> cutting-edge and I'm sure a little less stable at times compared to
> openbsd, but still much more stable than windoze. I don't know how
> the firewalls compare in features though. Would it be worth it to
> play with openbsd some or should I just stick with linux?

I've run OpenBSD. Just converted the box to Debian this past weekend (after promising myself to do so for two years....)

OpenBSD isn't a bad system, far from it. I found it didn't suit my needs.

Pros:

- Secure-by-default. The base system has had a very small number of exploits, only one remote, in over seven years.

- Code audits. The development team actively audits the core OS (what's distributed on media for install) for any potential security holes. Many security reports are generated from OpenBSD security reviews.

- Effective, and stable, IP filtering and NAT tools. For those who've seen three generations of GNU/Linux based IP filtering tools already, BSD's IP filtering has remained stable over the years (at least from the user experience, despite a ground-up rewrite for licensing reasons).

- Library rewrites. Several core system libraries have been rewritten to be secure -- immune (or at least less vulnerable) to stack smashing, buffer overflows, and the like.

- Intended as a secure / security system. OpenBSD's deployment scenario _is_ as a secure Internet appliance / bastion host.

- Includes crypto tools -- OpenSSH is from OpenBSD, also IPsec, IPv6, key engines, Kerberos, free-AFS, and other forms of strong crypto or crypto-using systems.
- Multi-platform support: alpha, hp300, hppa, i386, mac68k, macppc, mvme68k, sparc, sparc64, vax.

- Source-based: Though binary distribution is possible, updates are handled by source distribution and builds.

- Ports: the ports system is OpenBSD's packaging system.

- Docs: high-quality manpages and other system docs.

- Theo: Theo de Raadt is the driving visionary force behind OpenBSD, and is committed to the goals of the project, which he will climb mountains and nuke small countries to achieve.

Cons:

- BSD-style init. I find SysV far more manageable.

- Install is reasonable, but very limited. Overall, I'd say hardware support in OpenBSD is more primitive than GNU/Linux.

- Updates are far more difficult than Debian. In theory, you use the ports system. In practice, well, I never quite got that far. Major version updates are a major affair.

- Code audits limited. The audit applies only to the core OpenBSD software. Additional packages may _not_ be subject to these audits.

- GNU/GPL antagonism. Though the GNU GPL is an allowable license within OpenBSD, it is strongly deprecated, and an active (and largely successful) effort is being made to exclude GPLd tools and code from BSD, largely on licensing grounds. Unfortunately this both deprives the GNU project of the benefits of OpenBSD's audits, and OpenBSD of the large base of IT professionals highly familiar with GNU tools and utilities. As a result, OpenBSD has a...

- Very nearly, but not quite, familiar environment. The default root shell is csh, not bash (or sh or ksh or...). ls is not colorized. Various other utilities act in ways slightly different from what a GNU/Linux user would expect, and worse, _the GNU alternatives are not available as part of the audited OpenBSD packagebase_. *Yes*, you can install many of these from ports or source, but it's a pain in the ass, and you're obviating one of the key benefits of OpenBSD.
  I'll emphasize this point further because operator familiarity with an environment is IMO key to successfully keeping a tightly maintained system. Stumbling around in unfamiliar rooms (filesystem) with unfamiliar tools means you're going to make mistakes you wouldn't in a more standard environment.

- Monolithic system. OpenBSD isn't like Debian in which you pick and choose components to fit needs (e.g.: MTA can be provided by exim (default), postfix, courier, sendmail, etc.). The MTA is Sendmail. DNS is BIND. Webserver is Apache. While it's possible to replace these, you have to go outside the distro to do so. Similarly, if you want a nonstandard tool (in my case, Squid), it's also bolted on separately. And you don't have SysV init to handle startup/shutdown, etc. As a consequence, the system is...

- Very inflexible. Or rather, you have to go through a lot more pain to get the flexibility you'd have with Debian. Setting up minimal systems or configuring a system for a specific niche is more difficult.

- Devices and filesystem. Though to a certain extent, BSD is just _different_ from GNU/Linux, there are cases in which the design decisions are IMO inferior. An example I ran across was ethernet configuration. Rather than knowing that your first ethernet device is eth0 regardless of hardware or driver, in OpenBSD, the NIC device file depends on the driver for the NIC. I prefer GNU/Linux's level of abstraction here. Similarly, partitioning for OpenBSD is based on BSD slices and partitions, which operate at a different level from GNU/Linux partitions. Confusing.

Summarizing: OpenBSD comes from the point of: harden the shit out of it, then lock down the configuration, and ship it, but bolt on a modifications infrastructure. Debian GNU/Linux is more: try to avoid the obvious blunders, but provide a high degree of configurability and have an updates system which makes distribution of fixes trivial. Or: preemptive security vs. adaptive security.
While I don't think one approach wins absolutely over the other, I see the balance afforded by Debian to be easier to work with, and offering a higher overall degree of useful security as a result.

The final win was: I'm running Debian on everything else. The one oBSD box was an outlier and hassle to perform maintenance on. Not that it needed much -- once configured, it just ran. But that's in part the point -- because updates were problematic, they simply didn't happen. Which made me feel uncomfortable.

Don't let me talk you out of experimenting with OpenBSD, and note that my experiences are a few years out of date (2.6).

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
 LNX-BBC: Bootable GNU/Linux -- Don't leave /home without it.
 http://www.lnx-bbc.org/