Since there seems to be a lot of interest in BSD on the list, I thought
I'd forward this article which I received from ZDNet. (Please note that I
personally do NOT use OpenBSD, this is just the title of the article.)

Dexter Graphic

Why I use OpenBSD
by Stephan Somogyi, ZDNet News
http://news.excite.com/news/zd/001204/08/why-i-use

OpenBSD is a good example of why less is more.

If there's one thing that I have increasingly less of, it's time. There's
more and more stuff I want to do -- and do as well as possible -- but it
seems that the number of hours in a day is not keeping up. Consequently,
when I decided that my network infrastructure needed a security upgrade,
after some initial research I settled on OpenBSD. After several months of
further tinkering, learning, and tuning, I haven't regretted my choice.

OpenBSD, whose new version 2.8 was announced last Friday, is the one entry
in the panoply of open source operating systems that currently doesn't seem
to be on too many radar screens. However, I suspect that will change sooner
rather than later, since OpenBSD has been focusing on one particular set of
features that other OSes -- open source and otherwise -- are frantically
working to add.

Secure by default

OpenBSD's claim to fame is its focus on integrated security and
cryptography. To this end, the OpenBSD developers spend a substantial
amount of their time auditing the core OS source in an effort to find and
fix bugs with security ramifications before they're actually exploited.

The purpose of this column isn't, however, to simply extol OpenBSD's
virtues. Those with an interest in a security-focused, Unix-like OS can
make their way over to the OpenBSD site to read as much (or as little) of
the plentiful documentation as they need and make up their own minds.

That said, I suspect that my set of needs isn't unique and that others
might find OpenBSD useful, yet aren't aware of it. Hopefully this column
will change that.

Personal preference

My goal is to build a Unix server that runs the services that I need,
without exposing my data or network to unnecessary vulnerability. I've
installed various Linux and BSD distributions in various stages of
evolution over the years. Most of the popular distros install way too much
stuff that I don't need and at the same time make it far too difficult to
opt out of the stuff I don't need. With all that extra software comes the
increased probability that something in there is going to have a security
vulnerability. While I'm sure I can spelunk through and remove what I don't
want, I don't have the time or the inclination to do so.

OpenBSD has good install granularity and lets me pick from a collection of
basic building blocks. The base install contains OpenSSH as well as
bridging, packet filtering, and routing software, not to mention IPsec and
various other useful things that I want, but little else. I also feel
confident in assuming that the software in the base install is configured
in a secure way by default and that after bringing up the machine for the
first time on a live network I won't have to worry about someone taking
advantage of even a brief window of opportunity to root my Unix box out
from under me.

Empirical data

Some of you might think me a bit paranoid with all this
security-centricity, but the threat is real. Microsoft's recent network
security problems were widely reported, but closer to home I have two
recent examples that should give cause for pause.

I loathe spam and use the various MAPS services to keep the majority of it
at bay before it even lands on my servers. Unfortunately, enough of it gets
through, and even proto-spam, such as increasingly frequent Rumplestiltskin
attacks, fills my error logs. Being a nerd, I often look at spam's headers
to see whether the server that sent the spam is noteworthy. Imagine my
surprise when two recent items did come from interesting sources.

On Nov. 17, I received spam from a server whose IP address reverse resolved
to staging.quicken.com.au. Yes, that's "Quicken" as in "financial
services." Apparently, the venerable purveyor of money management
applications has an Australian operation with a staging server that's happy
to relay mail. (One must wonder what else isn't secured on that machine and
its immediate neighbors.) Yet another uu.net-based spammer in Clearwater,
Fla., had relayed through Quicken's Antipodean server, from where it made
another transoceanic hop to my server.

Nov. 24 brought spam originating from the London Daily Telegraph's domain
name server. Looking at the headers of this message, it even looks to my
layman's eyes as if either the spammer spoofed the Telegraph's firewall to
relay the spam or just broke into the firewall machine directly. Either
way, it didn't look very good.

I've heard from a number of people who over the past few years have gotten
broadband connections at home and within very short order had their home
network port-scanned by outsiders.

If you think your network -- home or office, tiny or vastly corporate --
doesn't need real security these days, you're living in denial.

Wakey wakey!

I mentioned above that I hope this column might serve to make a larger
audience aware of OpenBSD. One particular group of entities that needs a
wakeup call is hardware vendors, who typically are focused on Windows
support. Those that have contemplated an open source OS have only pondered
Linux.

The three BSDs -- of which OpenBSD is one -- aren't even small fry. As I've
pointed out in the past, Yahoo relies on FreeBSD for its server
infrastructure, as does much of Hotmail. OpenBSD is a lesser known sibling
of FreeBSD, but since it has such a prominent security focus, I would've
thought that vendors with security-oriented hardware would know about it
and have actively provided the OpenBSD project with documentation to have
it support their products. I discovered that this is not the case.

Both Intel and 3Com make inexpensive 10/100 NICs with IPsec hardware
acceleration on the card. From a cost perspective, the nearest alternative
to one of these cards costs about three times as much, making accelerated
crypto affordable only for corporations, or Windows users.

One would think that IPsec NIC vendors would realize the usefulness of
their products for an OS with built-in crypto and IPsec such as OpenBSD. An
entire untapped market, just waiting to be sold product to.

Yet when I contacted 3Com and Intel, both admitted to having been unaware
of OpenBSD, much less its security focus, and promptly professed a desire
to work with the OpenBSD developers to add support for their cards.
Considering that the OpenBSD group seems to have tried unsuccessfully to
get both companies' attention in the past, I look forward to seeing whether
something comes of this. I told both Intel and 3Com that I'd check in again
in two months to see whether there had been progress -- look for an update
then.

Regardless of cheap hardware crypto support, I like OpenBSD because it
installs a solid operating system foundation that I can build upon, nothing
installed by default is likely to have any exploitable security weaknesses,
and the crypto, VPN, and security features it has built-in save me from
having to find ways of adding them manually. For me and my needs, this is a
compelling combination.