DaemonForums  

#1
14th December 2014
gkbsd
Port Guard
Join Date: Jun 2013
Posts: 23
Blog article "Security: OpenBSD VS FreeBSD"

Hello,

I tried to objectively compare the security of OpenBSD and FreeBSD, and explain their security features. I'm a user of both OS, and my purpose by writing this article was to bring information, not to attack any OS:
http://networkfilter.blogspot.com/20...s-freebsd.html

I hope you will like it

Regards,
Guillaume
#2
14th December 2014
ibara
OpenBSD language porter
Join Date: Jan 2014
Posts: 783

Without saying too much, I will note just as you did that HardenedBSD is not part of FreeBSD mainline.
#3
14th December 2014
Oko
Rc.conf Instructor
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Disclaimer: I am primarily an OpenBSD user, but I use both OSs at my work (only OpenBSD at home). I would like to thank you for taking the time to spell out the security differences. I like your article very, very much. +1 for sticky post.


Systrace's deficiencies as a security tool have been exposed by numerous papers, and it is not considered a serious security tool by the OpenBSD team, if I can speak for them. Jails are really a killer FreeBSD feature.

I am going to mention a few things which should be taken into consideration by some. FreeBSD uses the black magic of PAM modules and, more recently, ported SSSD to enable LDAP authorization. OpenBSD has its own ingenious ypldap daemon. I am not aware that there is a move to remove vulnerable Sendmail from the base of FreeBSD, but there is a white paper stating a desire to bring DragonFly's dma to FreeBSD (which is a perfect solution for people who don't need a full-blown mail server).

One should also mention that FreeBSD has its own genuine firewall, IPFW, which has a serious following. Their version of PF is patched for "improved" multi-threading performance but is kind of orphaned, because it is neither genuine nor is it possible to update it. For the record, the latest PF on OpenBSD, IIRC, is about 4 times faster without any multi-threading patches.


I would love to see a similar comparison of network stack performance, where I generally very strongly prefer OpenBSD. I use FreeBSD mostly in the role of a storage OS and to virtualize (jails) some non-essential services.

One last remark. I could not emphasize enough the importance of code audit, code correctness, and overall size of code as major factors which contribute to the security of an OS. OpenBSD seems to have a head start in all these aspects. One particular annoyance with FreeBSD is the number of half-baked projects which have never been finished nor pruned. One that I can think of off the top of my head is FreeBSD's indigenous sensor framework, which is half usable, unlike the stellar OpenBSD sensors framework (FreeBSD encourages use of security-ridden IPMI).

#4
14th December 2014
gpatrick
Spam Deminer
Join Date: Nov 2009
Posts: 245

Quote:
I am not aware that there is move to remove vulnerable Sendmail from the base of FreeBSD
Sendmail, in its early days, had a bad reputation for vulnerabilities, but those "years" are long ago. Sendmail before 8.14.9 in June 2014 had a vulnerability with a rating of 1.9. Before that, the last US-CERT vulnerability for Sendmail was in 2010.

It is safe to use and you're only disseminating FUD.
#5
15th December 2014
ibara
OpenBSD language porter
Join Date: Jan 2014
Posts: 783

There was talk on the FreeBSD lists about moving to the DragonFly BSD mailer. I don't remember what happened with it (I want to say the discussion took place back in February) but I guess judging by the previous post it wasn't integrated.
#6
15th December 2014
gkbsd
Port Guard
Join Date: Jun 2013
Posts: 23

Quote:
Originally Posted by Oko View Post
Disclaimer: I like your article very, very much. +1 for sticky post.

Systrace's deficiencies as a security tool have been exposed by numerous papers, and it is not considered a serious security tool by the OpenBSD team, if I can speak for them. Jails are really a killer FreeBSD feature.
Thanks for your comments

About systrace, I am aware it is not strong enough when used alone; even the man page mentions this at the end, in the BUGS section:
Quote:
Applications that use clone()-like system calls to share the complete address space between processes may be able to replace system call arguments after they have been evaluated by systrace and escape policy enforcement.
However, a privilege-separated/revoked process that is chrooted and systraced can still gain some valuable security from it, in my opinion. I'm using this combo with OpenVPN.

Regards,
Guillaume
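As an added illustration of the layering the post describes (example code written for this page, not from the blog article or the poster's own setup), here is a small POSIX shell audit that reports which privilege-dropping directives an OpenVPN config lacks. The systrace policy only helps once the daemon has actually dropped root and chrooted, so these are the directives worth checking first. The directive names (user, group, chroot, persist-key, persist-tun) are real OpenVPN options; the two sample configs, the `nobody` account and the `/var/empty` path are constructed placeholders, not anything the post states.

```shell
#!/bin/sh
# Added example (not from the article or this thread): audit an OpenVPN
# config for the privilege-dropping directives that a "privsep/revoked +
# chroot + systrace" setup depends on. If openvpn never drops root or never
# chroots, the outer systrace policy is all that stands between a
# compromised daemon and the host.
#
# Assumptions (labelled): directive names are OpenVPN's real options; the
# account name, chroot path and sample configs below are placeholders.

# Print the hardening directives missing from the config file given as $1,
# space-separated on one line (an empty line when none are missing).
# Exit status 0 when nothing is missing, 1 otherwise.
openvpn_missing_hardening() {
    conf=$1
    missing=""
    for d in user group chroot persist-key persist-tun; do
        # Match the directive at the start of a line (leading whitespace
        # allowed), followed by an argument or end of line. Commented-out
        # lines ("#user nobody", ";user nobody") deliberately do not match.
        if ! grep -Eq "^[[:space:]]*${d}([[:space:]]|\$)" "$conf"; then
            missing="${missing} ${d}"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Write two constructed sample configs into directory $1:
#   weak.conf     - keeps running as root outside any chroot; persist-*
#                   on its own buys nothing
#   hardened.conf - drops to an unprivileged user/group and chroots;
#                   persist-key/persist-tun keep the key material and the
#                   tun descriptor open, since the chrooted, unprivileged
#                   process cannot reopen them on a tunnel restart
write_sample_configs() {
    dir=$1
    cat > "$dir/weak.conf" <<'EOF'
dev tun
proto udp
remote vpn.example.net 1194
persist-key
persist-tun
# user nobody      <- commented out, so it must be reported as missing
EOF
    cat > "$dir/hardened.conf" <<'EOF'
dev tun
proto udp
remote vpn.example.net 1194
user nobody
group nobody
chroot /var/empty
persist-key
persist-tun
EOF
}

# Stand-alone demo: report on both constructed configs.
tmp=$(mktemp -d) || exit 1
write_sample_configs "$tmp"
for f in weak hardened; do
    if out=$(openvpn_missing_hardening "$tmp/$f.conf"); then
        echo "$f.conf: all hardening directives present"
    else
        echo "$f.conf: missing $out"
    fi
done
rm -rf "$tmp"
```

Running it prints `weak.conf: missing user group chroot` and `hardened.conf: all hardening directives present`. The check is deliberately conservative: a directive that appears only in a comment counts as absent, and it says nothing about whether the systrace policy or the chroot contents are right, which are the next things to verify by hand.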
#7
15th December 2014
Oko
Rc.conf Instructor
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102

Quote:
Originally Posted by gkbsd View Post
Thanks for your comments

Guillaume
Thank you for this post on the FreeBSD forum. I was aware of the big PF thread last summer, but I was not aware of the other discussions.

On a security-related note, I was working over the weekend on Kerberos and AFS (Andrew File System). As many of you know, Kerberos (actually its international/Swedish implementation, Heimdal) has been moved from OpenBSD base to ports due to the lack of manpower to properly clean up this complicated protocol used by few. Kerberos support was removed from LibreSSL as well. Arla (AFS) was removed a long time ago, due in part to political reasons (Theo refused to use the name of the company Arla for the file system). With the OpenAFS port stuck at 1.4.something (the current release is 1.6.10) and compiling only on i386, OpenBSD has no AFS support to speak of.

All of the above is very appealing to the security conscious but not very practical in real life, at least at my workplace. For the record, FreeBSD has great support for both Kerberos and OpenAFS.

#8
17th December 2014
ibara
OpenBSD language porter
Join Date: Jan 2014
Posts: 783

Just want to mention that your article has gone big. Friends of mine in the security world (who aren't *BSD users at all) have been forwarding me the article. I feel somewhat awkward saying to them that I was probably one of the very first to read it in its published form.
#9
17th December 2014
gkbsd
Port Guard
Join Date: Jun 2013
Posts: 23

Quote:
Originally Posted by ibara View Post
Just want to mention that your article has gone big. Friends of mine in the security world (who aren't *BSD users at all) have been forwarding me the article. I feel somewhat awkward saying to them that I was probably one of the very first to read it in its published form.
I have been overwhelmed by Twitter notifications, and I have had much feedback too. I am very happy the article has had that success. If in the process it can make some advertising for the BSD world, that's even better.
17th December 2014
pawaan
Fdisk Soldier
Join Date: Jan 2013
Posts: 82

Thanks for the great article! Sure it will make many mouths water.
19th December 2014
vanGrimoire
Port Guard
Join Date: Nov 2012
Posts: 43

Well done, what a clear explanation of available features. Thoroughly enjoyed. g/trought/through/s
13th January 2015
benky
Port Guard
Join Date: Dec 2014
Location: Croatia
Posts: 14

Great overview of sec features! Thank you, nicely done!