DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 8th December 2014
benky benky is offline
Port Guard
 
Join Date: Dec 2014
Location: Croatia
Posts: 14
Default Creating scenario with OpenBSD, network

Hello,
At college for a final thesis I chose OpenBSD. This is my first encounter with OpenBSD. So I need your help. I started to read over man pages and book Absolute OpenBSD.

There are some directions I must follow in writing thesis as follows:
-show security features of OpenBSD.
-show modifications inside OS that enhance security and availability.
-show why it is possible to set up sec services in OpenBSD.
-show ways of using a system by realization of sec services as a goal.

Work must contain a practical part, and this is the part where I need a little bit of your help. Because I never used before OpenBSD this is a whole new world to me. I came from Win world and know basics of Linux, networking.

Can you provide me some scenarios for practical part?
The first thing that is in my mind is to:
-set up virtual network with few hosts and use a OpenBSD host to act as a firewall/IDS.
-acting as a web server

thank you!
Reply With Quote
  #2   (View Single Post)  
Old 8th December 2014
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

I'm gonna take this in a little different of a direction but it is useful for you to understand that the security reputation that OpenBSD has rightfully earned is based on its holistic approach; that is to say, what you are thinking about as the "obvious" cases of security is only one very small part of the entire ecosystem that makes OpenBSD secure.

A good start would be to read the Project Goals and Security pages:
http://www.openbsd.org/goals.html
http://www.openbsd.org/security.html

I gave a general OpenBSD security overview talk at my university back in October to the computer security club on campus:
http://devio.us/~bcallah/openbsdrpisec.pdf (The OpenBSD specific stuff is the second half of the talk.)
It might be worth your while to look over this and follow some of the links to YouTube videos. Especially the LibreSSL talk by beck@ and the security mitigation talk by deraadt@.

I'm going to point you to my favorite feature, which goes quietly unmentioned but really needs more attention.
When you write code, you often compile it (duh). But a lot of times people end up using unsafe functions like strcpy(). The OpenBSD ld(1) has been modified to inform you where you are using such unsafe functions and will even recommend better functions for you to replace them with! That's as practical as it gets: OpenBSD makes you a better programmer, more in-tune with using secure functions, for free just by using OpenBSD as your development platform.

Good luck!
Reply With Quote
  #3   (View Single Post)  
Old 8th December 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,599
Default

I'm going to second ibara's point of view. As an example, I'll point you to a recent talk given by Theo de Raadt on one small but critical component of the OS -- the management of entropy and pseudo random number generation. Its exemplary of the holistic approach mentioned above. There's a link in a post I made earlier today where I recommended the presentation to another forum member.
Reply With Quote
  #4   (View Single Post)  
Old 8th December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,798
Default

A possible scenario:
Code:
---------------------
       attacking 
     internet host
----------|----------
          |
          |
          |
+---------|----------+
|    -----|------    |
|    external NIC    |
|    ------------    |
|                    |
|                    |
|               |D|  |
|               |M|--------- web server
|               |Z|  |
|                    |
|    -----|------    |
|    internal NIC    |
|    -----|------    |
|         |          |
+---------|----------+
          |
          |
          |
          |
----------|----------
     LAN client 
---------------------
  • The attacking host is a compromised webserver, that Mr. Cracker is using to attack the webserver in the DMZ. He is hoping that through cracking the webserver he can get access to the internal network. You configure a web server on this attacking host.
  • The box with the external, internal and DMZ network interfaces is an OpenBSD router/firewall. You configure the pf packet filtering rules to only allow external connections to go the webserver in the DMZ
  • The LAN client should be protected from external attacks directly coming from the internet as well as from the possible compromised webserver in the DMZ.
    On the other hand it should be allowed to visit the website of the external compromised webserver.

You could collect some "real hardware" to configure this. Or set up this scenario with virtualized hosts, but I think this is more complicated.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 8th December 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,599
Default

You'd asked about IDS. OpenBSD doesn't have one built-in, but is often used in IDS deployments, and there are IDS systems in its packages and ports system.

Examining logs, while not automated, can provide insights into attacks / attack strategies. Peter Hansteen (author of The Book of PF) gave a presentation today in Trondheim at the Passwords 14 conference, on a distributed password attack designed to defeat IDS detection and analysis.

Last edited by jggimi; 8th December 2014 at 01:06 PM. Reason: clarity
Reply With Quote
  #6   (View Single Post)  
Old 8th December 2014
benky benky is offline
Port Guard
 
Join Date: Dec 2014
Location: Croatia
Posts: 14
Default

thnx to all of you!

Now I have a huge amount of information in front of me, dozen of opened tabs. When I settle down a little bit I'll come back here to ask you for help. Just need to chose right direction in which I want to go with my work. No matter what I chose I need to do it virtual environment (I can't took laptop from my wife and father in law )
Reply With Quote
  #7   (View Single Post)  
Old 8th December 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,599
Default

I use Qemu as my virtual machine host when testing features and functions. For virtual networks, I use its multicast bus to interconnect virtual machines, and its "vlan" facility to separate logical network segments.
Reply With Quote
  #8   (View Single Post)  
Old 8th December 2014
TronDD TronDD is offline
Spam Deminer
 
Join Date: Sep 2014
Posts: 290
Default

I'll point out to be careful testing the security of a system which you do not know how to use. A lot of insecurity on a system comes from the inability to correctly configure it. No matter how secure OpenBSD is, you sure can open up all kinds of holes.

OBSD is more "out of the box secure" than other OSes which means you have to put the work into opening those holes, but it can't stop you from doing so.


I also like OBSD's malloc(3) tuning with malloc.conf and customize it quite a bit and see what crashes.

Tim.
Reply With Quote
  #9   (View Single Post)  
Old 8th December 2014
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,798
Default

I prefer "real hardware". If you "advertise" to your friends and family that you could use their old PC stuff, I am sure some old hardware will be offered to you.

If you have a small budget for your thesis you could get an Alix system with 3 NICs. See PC Engines Alix 2d13 board

You first could use it a "personal" firewall in your home and you experience by yourself what the bad guys are doing in order to "get in".

Another good method is to rent a cheap VPS system for a month. For 10 euro a month, and often discounted to 5 for the first month you could get one at https://www.transip.eu/vps/

Then install OpenBSD on the VPS and configure a webserver to host a temporary website. Secure the server with a suitable pf.conf and inspect the firewall and webserver logs. These logs will show you how the site is being bombarded with efforts and probes to get in. Then you really will understand the need for pro-active security measures
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 8th December 2014
benky benky is offline
Port Guard
 
Join Date: Dec 2014
Location: Croatia
Posts: 14
Default

Quote:
Originally Posted by J65nko View Post

You first could use it a "personal" firewall in your home and you experience by yourself what the bad guys are doing in order to "get in".
I'm familiar with some of the techniques, taking OSCP course.

Quote:
Originally Posted by J65nko View Post

Another good method is to rent a cheap VPS system for a month. For 10 euro a month, and often discounted to 5 for the first month you could get one at /www.transip.eu/vps/

Then install OpenBSD on the VPS and configure a webserver to host a temporary website. Secure the server with a suitable pf.conf and inspect the firewall and webserver logs. These logs will show you how the site is being bombarded with efforts and probes to get in. Then you really will understand the need for pro-active security measures
This is what I'll definetly do.

To summarize: I now that OpenBSD is secure out of box, and as TronDD wrote, vulnerabilities come from unpropriate configuration of system, services.
jggimi I found interesting the talk by Theo de Raadt about management of entropy, that is kind a stuff I need in my thesis.

I started enumerating and there is so much new stuff to me, I need some time to catch it.
Reply With Quote
Old 12th February 2015
benky benky is offline
Port Guard
 
Join Date: Dec 2014
Location: Croatia
Posts: 14
Default

...with a help from my professor I received the soekris net5501-70. Can't wait to get serial cable
Reply With Quote
Reply

Tags
openbsd, security

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Nsh - network shell for OpenBSD appliances J65nko News 2 14th February 2013 04:10 PM
Network problem with OpenBSD 4.6 under QEMU eherrera OpenBSD General 1 17th May 2012 08:23 PM
Help on getting WEP-Encrypted Network on OpenBSD chicago OpenBSD General 24 18th May 2011 05:15 AM
Openbsd 4.5 network connection timeout andrewm OpenBSD General 4 11th September 2009 02:32 AM
Mail scenario mtx General software and network 1 12th December 2008 06:37 PM


All times are GMT. The time now is 06:32 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick