On Tue, 1 Jun 1999, gill wrote:
> With all of the discussion about why anyone would not want to use that other
> operaNTing system, I am inclined to ask the same question about FreeBSD
>
> Why not FreeBSD?
I answered the last one, so I'll answer this one as well.
> What is the level of trust/distrust for this OS among you, the security
> community?
I have a fair to good level of trust in FreeBSD for most things. I'm
comfortable with being able to disable everything not essential. Darren
Reed's IPFilter, which I also have a high level of trust in performs well
on the platform as well as a good number of others.
> How does that rival other commercial *nix OSes and other free *nix OSes,
> specifically Linux?
About as well as the rest of the *BSD family - not as many paranoid
security weenies as OpenBSD, more developers than NetBSD. Given source
code availability, I'd probably choose any of those over a closed-source
implementation for my own work. FreeBSD is good for Intel, obviously
horizontal scale is important for some things and not for others.
OpenBSD has some good goals and good code, but it's long-term viability
as a project is uncertain. FreeBSD and Linux both have good momentum and
good pools of very talented developers.
I'm Linux-biased, most of my home machines run Linux, and I find it a
comfortable environment. My level of trust in FreeBSD is higher, and
while I really like the 2.2 kernels, the last IP DoS patch was (around)
yesterday. As the 2.2 code (esp. IP Chains) matures, I think it'll be
good. At this point though, I wouldn't use it for my entire protection
scheme. Again, it's time/stability trust - not on the order of the lack
of trust I have in NT, and I've got 2.2.x machines running internally.
Where I am excited about using Linux is with Aman Ott's Rule Set Based
Access Control (RSBAC) kit, which starts to bring B-level features to Linux
in an Open Source project. I think that as that matures, it'll be good for
DNS, Web servers, and proxy firewalls. A search on RSBAC will turn up
more info if you're interested. I think the OpenBSD folks have been
looking more into strong security features at the OS level as well.
DG/UX with the B2 set should be close to or have passed final evaluation, and
obviously the level of assurance is much higher. I think trusted OS's
are good. Solaris has good DoS protection that comes out of high-volume Web
service, and now that the source is available, I'm liking it much more.
I've used a lot of AIX in the past, and its evolution is ok, but from an
admin point-of-view, the ODBM is such a pain in the butt that I'm hesitant to
go with it anymore. Also, it seems as if it's the last platform to get
anything written to it, and porting has been a pain in the past. HP/UX just
doesn't make me happy. It's more of an admin comfort thing though - I know
the CMW has a good level of assurance, but I'm waiting on the Puffin Group to
get a little further with the Linux port before playing much more with the one
HP box I have, and it won't be in a security context. SGI has had Trusted
Irix, and I'm at a loss to figure how the same company could release normal
Irix - a few years ago one of our departments had SGI in to do a demo and
I rooted the box before the presenter could get logged on. BSDi has a good
reputation and clueful people.
I'm sure I've missed some. I tend to use a mixture of commercial and
Open Source systems. They all have strengths and weaknesses, but I've
got a good level of trust in most of them for specific jobs, and I'm
comfortable paring them down to absolutely essential code and services.
I'm most comfortable with source code available software running above
the OS because it's still necessary to tweak and fix things.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
