OpenBSD Security: Functionally paranoid!
Creating scenario with OpenBSD, network
Hello,
At college, for my final thesis, I chose OpenBSD. This is my first encounter with OpenBSD, so I need your help. I started to read the man pages and the book Absolute OpenBSD. There are some directions I must follow in writing the thesis, as follows:
- show the security features of OpenBSD.
- show the modifications inside the OS that enhance security and availability.
- show why it is possible to set up security services in OpenBSD.
- show ways of using the system by realizing security services as a goal.
The work must contain a practical part, and this is the part where I need a little bit of your help. Because I have never used OpenBSD before, this is a whole new world to me. I come from the Windows world and know the basics of Linux and networking. Can you provide me with some scenarios for the practical part? The first things that come to my mind are:
- set up a virtual network with a few hosts and use an OpenBSD host to act as a firewall/IDS.
- acting as a web server.
Thank you!
I'm going to take this in a slightly different direction, but it is useful for you to understand that the security reputation that OpenBSD has rightfully earned is based on its holistic approach; that is to say, what you are thinking of as the "obvious" cases of security is only one very small part of the entire ecosystem that makes OpenBSD secure.
A good start would be to read the Project Goals and Security pages:
http://www.openbsd.org/goals.html
http://www.openbsd.org/security.html
I gave a general OpenBSD security overview talk at my university back in October to the computer security club on campus: http://devio.us/~bcallah/openbsdrpisec.pdf (The OpenBSD-specific stuff is the second half of the talk.) It might be worth your while to look over this and follow some of the links to YouTube videos, especially the LibreSSL talk by beck@ and the security mitigation talk by deraadt@.
I'm going to point you to my favorite feature, which goes quietly unmentioned but really needs more attention. When you write code, you often compile it (duh). But a lot of the time people end up using unsafe functions like strcpy(). The OpenBSD ld(1) has been modified to inform you where you are using such unsafe functions, and will even recommend better functions for you to replace them with! That's as practical as it gets: OpenBSD makes you a better programmer, more in tune with using secure functions, for free, just by using OpenBSD as your development platform. Good luck!
I'm going to second ibara's point of view. As an example, I'll point you to a recent talk given by Theo de Raadt on one small but critical component of the OS -- the management of entropy and pseudo-random number generation. It's exemplary of the holistic approach mentioned above. There's a link in a post I made earlier today where I recommended the presentation to another forum member.
A possible scenario:
Code:
   ---------------------
    attacking internet host
   ----------|----------
             |
             |
   +---------|----------+
   |    -----|------    |
   |   | external NIC | |
   |    ------------    |
   |     |        |     |
   |     |       |D|    |
   |     |       |M|--------- web server
   |     |       |Z|    |
   |     |        |     |
   |    -----|------    |
   |   | internal NIC | |
   |    -----|------    |
   |         |          |
   +---------|----------+
             |
             |
   ----------|----------
        LAN client
   ---------------------
You could collect some "real hardware" to configure this. Or set up this scenario with virtualized hosts, but I think this is more complicated.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
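A pf.conf that implements the three-NIC scenario drawn above, as an added example (not code from the post or from the OpenBSD project). Interface names (em0/em1/em2), the DMZ and LAN prefixes, and the web server address are assumptions; 192.0.2.0/24 style documentation addresses are used only so the file is self-contained. The policy is: the outside reaches only the web server, and only on 80/443; the web server can answer and fetch updates but can never initiate into the LAN; the LAN client can reach both the DMZ and the Internet. Every dropped packet is logged to pflog so the scenario produces something to look at with tcpdump.

```pf
# Added example pf.conf for the firewall/DMZ/LAN drawing above.
# Interface names and address ranges below are assumptions.
ext_if    = "em0"              # external NIC (faces the attacking host)
dmz_if    = "em1"              # DMZ segment holding the web server
int_if    = "em2"              # internal NIC, LAN client side
webserver = "10.0.0.10"        # assumed DMZ address of the web server
dmz_net   = "10.0.0.0/24"
lan_net   = "192.168.1.0/24"
web_ports = "{ 80, 443 }"

set skip on lo
set block-policy drop          # no RST/ICMP feedback to the attacker

# Reassemble fragments and randomise IP IDs on everything that comes in.
match in all scrub (no-df random-id max-mss 1440)

# Hide the DMZ and LAN behind the external address when they go out.
match out on $ext_if inet from { $lan_net, $dmz_net } nat-to ($ext_if)

# Default deny, logged: this is what tcpdump -i pflog0 will show you.
block log all

# A LAN source address arriving on the external NIC (etc.) is spoofed.
antispoof quick for { $ext_if, $dmz_if, $int_if }

# Internet -> web server only, by redirecting the external address.
pass in on $ext_if inet proto tcp to ($ext_if) port $web_ports \
    rdr-to $webserver
# Redirected and LAN-originated web traffic may be delivered into the DMZ.
pass out on $dmz_if inet proto tcp to $webserver port $web_ports

# The DMZ is untrusted: it never initiates anything into the LAN ...
block in log quick on $dmz_if from $dmz_net to $lan_net
# ... but the web server may resolve names and fetch updates.
pass in on $dmz_if inet proto { tcp, udp } from $webserver \
    to port { 53, 80, 443 }

# LAN client may reach the DMZ and the Internet; the firewall itself may
# go out (DNS, ntpd, pkg_add).
pass in on $int_if inet from $lan_net
pass out on $ext_if inet
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and then watch the drops live with `tcpdump -n -e -ttt -i pflog0` (or afterwards from the file with `tcpdump -n -e -ttt -r /var/log/pflog`). Because pf is last-match-wins unless a rule says `quick`, the two `quick` rules (antispoof and DMZ-to-LAN) are the only ones that cannot be overridden by a later `pass`; everything else is decided by the most specific pass rule that matches. Note that all rules are `inet`, so IPv6 is simply dropped by the default block.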
You'd asked about IDS. OpenBSD doesn't have one built in, but it is often used in IDS deployments, and there are IDS systems in its packages and ports system.
Examining logs, while not automated, can provide insights into attacks and attack strategies. Peter Hansteen (author of The Book of PF) gave a presentation today in Trondheim at the Passwords 14 conference, on a distributed password attack designed to defeat IDS detection and analysis.
Last edited by jggimi; 8th December 2014 at 01:06 PM. Reason: clarity
Thanks to all of you!
Now I have a huge amount of information in front of me, and dozens of open tabs. When I settle down a little bit I'll come back here to ask you for help. I just need to choose the right direction in which I want to go with my work. No matter what I choose, I need to do it in a virtual environment (I can't take the laptop from my wife and father-in-law).
I'll point out that you should be careful testing the security of a system which you do not know how to use. A lot of insecurity on a system comes from the inability to configure it correctly. No matter how secure OpenBSD is, you can still open up all kinds of holes.
OBSD is more "secure out of the box" than other OSes, which means you have to put in the work to open those holes, but it can't stop you from doing so. I also like OBSD's malloc(3) tuning with malloc.conf; I customize it quite a bit and see what crashes. Tim.
I prefer "real hardware". If you "advertise" to your friends and family that you could use their old PC stuff, I am sure some old hardware will be offered to you.
If you have a small budget for your thesis you could get an Alix system with 3 NICs. See the PC Engines Alix 2d13 board. You could first use it as a "personal" firewall in your home, and experience for yourself what the bad guys are doing in order to "get in". Another good method is to rent a cheap VPS system for a month. For 10 euro a month, often discounted to 5 for the first month, you could get one at https://www.transip.eu/vps/ Then install OpenBSD on the VPS and configure a webserver to host a temporary website. Secure the server with a suitable pf.conf and inspect the firewall and webserver logs. These logs will show you how the site is being bombarded with efforts and probes to get in. Then you really will understand the need for pro-active security measures.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
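A "suitable pf.conf" for the single-VPS web server suggested above, as an added example that is not from the post or from the OpenBSD project. It differs from a multi-interface firewall ruleset in what it has to defend against: the host itself is the target, so the interesting parts are the rate limits that turn the probes you will see in the logs into automatic table entries. The `egress` interface group is pf's built-in name for the interface holding the default route; the admin network you ssh from and the martian list are assumptions.

```pf
# Added example pf.conf for a single Internet-facing OpenBSD VPS.
# $admin_net is an assumption: the network you administer the box from.
admin_net = "203.0.113.0/24"

# Hosts that tripped a rate limit land here automatically (see below).
table <bruteforce> persist
# Source addresses that can never legitimately arrive from the Internet.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set skip on lo
set block-policy drop
set loginterface egress        # pfctl -s info shows per-interface counters

match in all scrub (no-df random-id)

# Default deny, logged; this is the noise the post talks about.
block log all
block in log quick on egress from <martians>
block in log quick from <bruteforce>

# Web: open to the world, but a source that holds more than 100
# connections, or opens more than 50 in 5 seconds, is added to
# <bruteforce>, its states are killed, and it is blocked by the rule above.
pass in on egress inet proto tcp to (egress) port { 80, 443 } \
    keep state (max-src-conn 100, max-src-conn-rate 50/5, \
                overload <bruteforce> flush global)

# SSH: only from the admin network, logged, and 5 new connections per
# 30 seconds is already generous for a human.
pass in log on egress inet proto tcp from $admin_net to (egress) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# The VPS may initiate anything outbound (DNS, ntpd, pkg_add).
pass out on egress inet
```

After `pfctl -f /etc/pf.conf`, `pfctl -t bruteforce -T show` lists the addresses that hit the limits, and a cron job running `pfctl -t bruteforce -T expire 86400` drops entries older than a day so a shared NAT address is not banned forever. `tcpdump -n -e -ttt -r /var/log/pflog` shows the blocked probes with the rule number that dropped them, and `pfctl -s states` shows who is currently connected; together with the webserver's access log this is exactly the "bombardment" evidence the post describes.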
To summarize: I know that OpenBSD is secure out of the box, and, as TronDD wrote, vulnerabilities come from improper configuration of the system and services. jggimi, I found the talk by Theo de Raadt about the management of entropy interesting; that is the kind of stuff I need in my thesis. I started enumerating, and there is so much new stuff to me that I need some time to catch up on it.
...with help from my professor I received the Soekris net5501-70. Can't wait to get the serial cable.