DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 14th December 2014
gkbsd's Avatar
gkbsd gkbsd is offline
Port Guard
 
Join Date: Jun 2013
Posts: 23
Post Blog article "Security: OpenBSD VS FreeBSD"

Hello,

I tried to objectively compare the security of OpenBSD and FreeBSD, and explain their security features. I'm a user of both OS, and my purpose by writing this article was to bring information, not to attack any OS:
http://networkfilter.blogspot.com/20...s-freebsd.html

I hope you will like it

Regards,
Guillaume
Reply With Quote
  #2   (View Single Post)  
Old 14th December 2014
ibara's Avatar
ibara ibara is offline
WR Slowest SNOBOL4 laptop
 
Join Date: Jan 2014
Posts: 522
Default

Without saying too much, I will note just as you did that HardenedBSD is not part of FreeBSD mainline.
Reply With Quote
  #3   (View Single Post)  
Old 14th December 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Disclaimer: I primarily OpenBSD user but I use both OSs at my work (only OpenBSD at home). I would like to thank you for taking the time to spell out security differences. I like your article very, very much. +1 for sticky post.


Systrace deficiencies as a security tool has been exposed by numerous papers and it is not considered serious security tool by OpenBSD team if I can speak for them. Jails are really killer FreeBSD feature.

I am going to mentioned few things which should be taken into consideration by some. FreeBSD uses black magic of PAM modules and more recently porting SSSD to enable LDAP authorization. OpenBSD has its own ingenious ypldap daemon. I am not aware that there is move to remove vulnerable Sendmail from the base of FreeBSD but I there is a white paper stating desire to bring DragonFly dma to FreeBSD (which is a perfect solution for people who don't need full blown mail server).

One should also mentioned that FreeBSD has its own genuine firewall IPFW which has serious following. Their version of PF is patched for "improved" multi-threading performance but kind orphaned because it is neither genuine for nor it is possible to update it. For the record the latest PF on OpenBSD IIRC is about 4 times faster without any mutl- threading patches.


I would love to see similar comparison of the Network stack performances where I generally very strongly prefer OpenBSD. I use FreeBSD mostly in roles of storage OS and to visualize (Jails) some non essential services.

One last remark. I could not emphases enough the importance of code audit, code correctness, and overall size of code as a major factors which contribute to the security of an OS. OpenBSD seems to have heads up in all these aspects. One of particularly annoyances with FreeBSD is a number of half backed projects which have never been finished nor pruned. One that I can think from the top of my head is FreeBSD's indigenous sensor frame work which is half usable unlike stellar OpenBSD sensors frame work (FreeBSD encourages use of security ridden IPMI).

Last edited by Oko; 14th December 2014 at 06:25 PM.
Reply With Quote
  #4   (View Single Post)  
Old 14th December 2014
gpatrick gpatrick is offline
Package Pilot
 
Join Date: Nov 2009
Posts: 212
Default

Quote:
I am not aware that there is move to remove vulnerable Sendmail from the base of FreeBSD
Sendmail in its early days had a bad reputation for vulnerabilities, but those "years" are long ago. Sendmail before 8.14.9 in June 2014 had a vulnerability with a rating of 1.9. Before that the last US-CERT vulnerability for Sendmail was in 2010.

It is safe to use and you're only disseminating FUD.
Reply With Quote
  #5   (View Single Post)  
Old 15th December 2014
ibara's Avatar
ibara ibara is offline
WR Slowest SNOBOL4 laptop
 
Join Date: Jan 2014
Posts: 522
Default

There was talk on the FreeBSD lists about moving to the DragonFly BSD mailer. I don't remember what happened with it (I want to say the discussion took place back in February) but I guess judging by the previous post it wasn't integrated.
Reply With Quote
  #6   (View Single Post)  
Old 15th December 2014
gkbsd's Avatar
gkbsd gkbsd is offline
Port Guard
 
Join Date: Jun 2013
Posts: 23
Default

Quote:
Originally Posted by Oko View Post
Disclaimer: I like your article very, very much. +1 for sticky post.

Systrace deficiencies as a security tool has been exposed by numerous papers and it is not considered serious security tool by OpenBSD team if I can speak for them. Jails are really killer FreeBSD feature.
Thanks for your comments

About systrace, I am aware it is not strong enough used alone, even the man page at the end mentions it in the BUGS section:
Quote:
Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement.
However, a privilege separated/revoked process, being chrooted and systraced, can still gain some valuable security from it in my opinion. I'm using this combo with OpenVPN.

Regards,
Guillaume
Reply With Quote
  #7   (View Single Post)  
Old 15th December 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Quote:
Originally Posted by gkbsd View Post
Thanks for your comments

Guillaume
Thank you for this

post on FreeBSD forum. I was aware of the big PF thread last Summer but I was not aware of the other discussions.

On the security related note I was working over the weekend on Kerberos and AFS (Andrew File System). As many of you know Kerberos (actually its international/Swedish implementation Heimdal) has been moved from OpenBSD base to ports due to the lack of men power to properly clean this complicated protocol used by few. Kerberos support was removed from LibreSSL as well. Arla (AFS) has been removed long time ago due in part to political reason (Theo refused to use the name of the company Arla for the file system). With OpenAFS port stuck at 1.4.something (current release is 1.6.10) and compiling only on i386 OpenBSD has no AFS support to speak of.

All of above is very appealing to security conscious but not very practical in real life at least at my work place. For the record FreeBSD has great support for both Kerberos and OpenAFS.

Last edited by Oko; 15th December 2014 at 08:18 PM.
Reply With Quote
  #8   (View Single Post)  
Old 17th December 2014
ibara's Avatar
ibara ibara is offline
WR Slowest SNOBOL4 laptop
 
Join Date: Jan 2014
Posts: 522
Default

Just want to mention that your article has gone big. Friends of mine in the security world (who aren't *BSD users at all) have been forwarding me the article. I feel somewhat awkward saying to them I was probably one of the very first to read it in its published form
Reply With Quote
  #9   (View Single Post)  
Old 17th December 2014
gkbsd's Avatar
gkbsd gkbsd is offline
Port Guard
 
Join Date: Jun 2013
Posts: 23
Default

Quote:
Originally Posted by ibara View Post
Just want to mention that your article has gone big. Friends of mine in the security world (who aren't *BSD users at all) have been forwarding me the article. I feel somewhat awkward saying to them I was probably one of the very first to read it in its published form
I have been overwhelmed by Twitter's notifications and I had many feedback too. I am very happy the article has that success If in the process it can make some advertising for the BSD world that's even better
Reply With Quote
Old 17th December 2014
pawaan pawaan is offline
Fdisk Soldier
 
Join Date: Jan 2013
Posts: 82
Default

Thanks for the great article ! sure it will make many mouths water.
Reply With Quote
Old 19th December 2014
vanGrimoire's Avatar
vanGrimoire vanGrimoire is offline
Port Guard
 
Join Date: Nov 2012
Posts: 37
Default

Well done, what a clear explanation of available features. Thoroughly enjoyed. g/trought/through/s
Reply With Quote
Old 13th January 2015
benky benky is offline
Port Guard
 
Join Date: Dec 2014
Location: Croatia
Posts: 14
Default

Great overview of sec features! thank you, nicely done!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
How to replace "ectags" with "ctags"? fender0107401 OpenBSD Packages and Ports 5 16th April 2013 10:01 AM
Thoughts on Information "Security" jggimi OpenBSD Security 1 22nd June 2011 09:02 PM
Other Interesting "Security" Issue on GRUB 2 vermaden News 2 10th November 2009 01:19 PM
Fixed "xinit" after _7 _8, "how" here in case anyones' "X" breaks... using "nvidia" jb_daefo Guides 0 5th October 2009 09:31 PM
"free" command/perl script for freebsd unixdude FreeBSD General 0 17th November 2008 09:23 PM


All times are GMT. The time now is 10:13 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick