[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian & OpenBSD (was Re: Linux firewall vs Windows and Hardware based firewalls)



on Fri, Aug 01, 2003 at 01:55:39AM -0700, Loren M Lang (lorenl@alzatex.com) wrote:

> Does anyone have recommendations about linux vs. openbsd?  I have
> always used linux for everything and propably still will for the most
> part, but for security, would it be better to use openbsd?  - From
> what I hear, openbsd is a variant off of netbsd, but built with
> security at it's top priority where linux is usually pushed more
> cutting-edge and I'm sure a little less stable at times compared to
> openbsd, but still much more stable then windoze.  I don't know how
> the firewalls compare in features though.  Would it be worth it to
> play with openbsd some or should I just stick with linux?

I've run OpenBSD.  Just converted the box to Debian this past weekend
(after promising myself to do so for two years....)

OpenBSD isn't a bad system, far from it.  I found it didn't suit my
needs.

Pros:

 - Secure-by-default.  The base system has had a very small number of
   exploits, only one remote, in over seven years.

 - Code audits.  The development team actively audits the core OS
   (what's distributed on media for install) for any potential security
   holes.  Many security reports are generated from OpenBSD security
   reviews.

 - Effective, and stable, IP filtering and NAT tools.  For those who've
   seen three generations of GNU/Linux based IP filtering tools already,
   BSD's ip filtering has remained stable over the years (at least from
   the user experience, despite a ground-up rewrite for licensing
   reasons).

 - Library rewrites.  Several core system libraries have been rewritten
   to be secure -- immune (or at least less vulnerable) to stack
   smashing, buffer overflows, and the like.

 - Intended as a secure / security system.  OpenBSD's deployment
   scenario _is_ as a secure Internet appliance / bastion host.

 - Includes crypto tools -- OpenSSH is from OpenBSD, also IPsec, IPv6,
   key engines, Kerberos, free-AFS, and other forms of strong crypto or
   crypto-using systems.

 - Multi-platform support:  alpha, hp300, hppa, i386, mac68k, macppc,
   mvme68k, sparc, sparc64, vax

 - Source-based:  Though binary distribution is possible, updates are
   handled by source distribution and builds.

 - Ports:  the ports system is OpenBSD's packaging system.

 - Docs:  high-quality manpages and other system docs.

 - Theo:  Theo de Raadt is the driving visionary force behind OpenBSD,
   and is committed to the goals of the project, which he will climb
   mountains and nuke small countries to achieve.


Cons:

 - BSD-style init.  I find SysV far more manageable.

 - Install is reasonable, but very limited.  Overall, I'd say hardware
   support in OpenBSD is more primitive than GNU/Linux.
 
 - Updates are far more difficult than Debian.  In theory, you use the
   ports system.  In practice, well, I never quite got that far.  Major
   version updates are a major affair.
   
 - Code audits limited.  The audit applies only to the core OpenBSD
   software.  Additional packages may _not_ be subject to these audits.

 - GNU/GPL antagonism.  Though the GNU GPL is an allowable license
   within OpenBSD, it is strongly deprecated, and an active (and largely
   successful) effort is being made to exclude GPLd tools and code from
   BSD, largely on licensing grounds.  Unfortunately this both deprives
   the GNU project of the benefits of OpenBSD's audits, and OpenBSD of
   the large base of IT professionals highly familiar with GNU tools and
   utilities.  As a result, OpenBSD has a...

 - Very nearly, but not quite, familiar environment.  The default root
   shell is csh, not bash (or sh or ksh or...).  ls is not colorized.
   Various other utilities act in ways slightly different from what a
   GNU/Linux user would expect, and worse, _the GNU alternatives are not
   available as part of the audited OpenBSD packagebase_.  *Yes*, you
   can install many of these from ports or source, but it's a pain in
   the ass, and you're obviating one of the key benefits of OpenBSD.

   I'll emphasize this point further because operator familiarity with
   an environment is IMO key to successfully keeping a tightly
   maintained system.  Stumbling around in unfamiliar rooms (filesystem)
   with unfamiliar tools means you're going to make mistakes you
   wouldn't in a more standard environment.

 - Monolithic system.  OpenBSD isn't like Debian in which you pick and
   choose components to fit needs (e.g.:  MTA can be provided by exim
   (default), postfix, courier, sendmail, etc.).  The MTA is Sendmail.
   DNS is BIND.  Webserver is Apache.  While it's possible to replace
   these, you have to go outside the distro to do so.  Similarly, if you
   want a nonstandard tool (in my case, Squid), it's also bolted on
   separately.  And you don't have SysV init to handle startup/shutdown,
   etc.  As a consequnce, the system is...

 - Very inflexible.  Or rather, you have to go through a lot more pain
   to get the flexibility you'd have with Debian.  Setting up minimal
   systems or configuring a system for a specific niche is more
   difficult.

 - Devices and filesystem.  Though to a certain extent, BSD is just
   _different_ from GNU/Linux, there are cases in which the design
   decisions are IMO inferior.  An example I ran across was ethernet
   configuration.  Rather than knowing that your first ethernet device
   is eth0 regardless of hardware or driver, in OpenBSD, the NIC device
   file depends on the driver for the NIC.  I prefer GNU/Linux's level
   of abstraction here.  Similarly, partitioning for OpenBSD is based on
   BSD slices and partitions, which operate at a different level from
   GNU/Linux partitions.  Confusing.



Summarizing:  

OpenBSD comes from the point of: harden the shit out of it, then lock
down the configuration, and ship it, but bolt on a modifications
infrastructure.


Debian GNU/Linux is more:  try to avoid the obvious blunders, but
provide a high degree of configurability and have an updates system
which makes distribution of fixes trivial.

Or:  preemptive security vs. adaptive security.

While I don't think one approach wins absolutely over the other, I see
the balance afforded by Debian to be easier to work with, and offering a
higher overall degree of useful security as a result.  The final win
was:  I'm running Debian on everything else.  The one oBSD box was an
outlier and hassle to perform maintenance on.  Not that it needed much
-- once configured, it just ran.  But that's in part the point --
because updates were problematic, they simply didn't happen.  Which made
me feel uncomfortable.

Don't let me talk you out of experimenting with OpenBSD, and note that
my experiences are a few years out of date (2.6).

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   LNX-BBC:  Bootable GNU/Linux -- Don't leave /home without it.
     http://www.lnx-bbc.org/

Attachment: pgpae5L6krtIU.pgp
Description: PGP signature


Reply to: