Hi Steve,

Thanks for taking the time to provide me with your feedback.  I'm not
averse to getting or taking criticism if I'm wrong and/or if I learn
something.  As my very close father-like friend says to me, "Mark,
if you're not careful, you'll learn something every day!" :)

> Overall the presentation is well-done, but I take some exception with 
> some of your conclusions on slide 34.  I know when I talk to a vendor 
> and get unrealistic comparisons, mentally that vendor is out the door.

I agree with you that things do not look right on slide 34 at face value.
It's at this point in my talk that I give a little background on
why the switch in the first place.  DNS and DHCP were running on the
Domain Controllers that were not replicating.  In fact, Active Directory
was corrupt and the only good AD backup was done six month prior to
me taking over the SysAdmin position.  It was a nightmare as the whole
office was dependent on one last remaining Primary Domain Controller
that was on its last legs.  Nothing could be done to repair the
situation and I tried so hard.  It was an upgrade from a previous NT4
Domain Controller with a 4 GB C:\ drive that was as red as Rudolph's
nose as there was no room left for the much needed defrag :(  This is
not what I set up, it's what I inherited.  I never wanted to be put
in that position again and so I decided to separate DNS and DHCP from 
AD.  In doing so, I found that I was able to troubleshoot and find
problem hosts a lot more efficiently and effectively.
 
> DNS: You don't need a dual P3 with 2gb for a DNS server in Windows.  If 
> the server isn't an AD controller, that P3/500 would be plenty.  If it 
> is an AD controller, then the server size depends on how many users you 
> have, and to offer a good comparison, you'd have to size the OpenBSD 
> machine for Kerberos and LDAP.

You may be right here.  DNS and DHCP were the only internal conversions
that I made from Windows to OpenBSD.  I was mostly concerned with stability
and security issues that I had to contend with.  I therefore concentrated
mainly on perimeter security.  Yes, we rebuilt a new Domain, Windows
Servers and all PCs but that wasn't really exciting.  It just had to 
be done.  I could have done a lot more but I didn't.  I didn't need
to push the envelope.  Just because it can be done, doesn't necessarily
mean it should be done.  I did what was needed to restore stability
and improve security.  The by-product was the savings and less dependence
on commercial hardware/software.
 
> (Same argument for DHCP, if you run a DHCP server on a dual P3, the 
> server is going to be bored most of the time.)

Yup. 

> I also noticed you're comparing a PC to a server.  For any OS, a "real" 
> server will generally be a higher quality and more stable than a PC. 
> PCs don't have hot-swap drives or power supplies.  Again, this isn't a 
> fair comparison.

This all depends on the purpose.  I know that I don't need dual everything
and redundant power supplies for my firewalls thanks to pfsync and CARP :)
Imagine trying to rebuild a whole new Windows domain and infrastructure
all the while maintaining business as usual.  We had no choice but to
use anything that was available to us as we were also told not to spend
anything :(  The previous Administrator took advantage of his situation.
As usual, rational decision makers tend to go from A-Z and we were the 
beneficiaries :(  So we did two migrations: one to the old servers and
back again to the really good servers when they were available again.

Another point that I made in the talk was that the switch to OpenBSD
was a necessity.  We didn't have a choice as most of the Windows Servers
were just too resource intensive for the older servers.  If we didn't
offload the services such as DNS and DHCP as an example onto many older 
machines, we would not have been able to clean the whole mess up.

> Remote access: Windows' built-in Remote Desktop is included with the OS, 
> you don't need OpenBSD for that.  You couldn't do that over your Intel 
> VPN?  Remote Desktop is potentially vulnerable to MITM, but it's 
> probably more secure than an external web site like GoToMyPC.

I can't comment too much on the security aspect.  I'm not at liberty to
say what was done here.  Suffice it to say, that I could have easily 
done a couple of talks on just what was done in this area.  Please don't
get me going on Intel.  Remote Desktop has poor authentication and
therefore it only made sense for us to tunnel RDC through OpenSSH. 
 
> You can also install OpenSSH on your Windows machines and manage them 
> with netsh or a variety of other command-line tools.

I for one have problems putting a Windows Server on the Internet.  Even
within a DMZ and hardened as much as I know how.  I just wouldn't be able
to sleep at night.

> Wireless: I'm not sure if Server 2003 can act as an AP, I haven't tried 
> setting it up.  It can, however, provide 802.1X authentication, which 
> requires less end-user configuration (on Windows clients) than authpf.

This just happens to be another area where OpenBSD shines above the
commercial alternatives.  Most WAPs don't incorporate any firewalling.
They'll do authentication and encryption to some extent but many lack 
true firewalling capability unless you pay through the nose for it.

If there is a Secure Commercial Wireless Solution that even comes
close to the solution that I have implemented in regards to the OpenBSD's
security track record, usability, interoperability and ease of use, 
ease of administration and cost, then please do enlighten me.  The basis
of what was implemented are on the slides.  You mention authpf in a
negative sense.  I think it was the best thing developed since sliced
bread :)  That's not totally true.  OpenBSD on Zaurus, PF, CARP and SPAMD
are also right up there ;)
 
> VPN: Why the hell does everyone hate the included Microsoft VPN?  If you 
> run an MS shop, it's easy and cheap.  That uses IPsec, ISAKMP and PKI. 

Maybe because there's an easier, cheaper and more secure alternative!

> It also has features to quarantine Windows clients that don't meet your 
> criteria for system security.

No comment.
 
> (Yes, the MS PPTP protocol had some weaknesses, but that was 1998. 
> That'd be like avoiding OpenSSH because the SSH 1.0 protocol had some 
> weaknesses.)

MS has their own way of implementing standards.  They've done it time
and again.  Here's their latest example:

http://tinyurl.com/bavw4

http://www.eweek.com/article2/0,1759,1820921,00.asp
  
I don't want to go down this path.  We need to play nice with Windows
but there are better alternatives at least in the area of security. 
   
> Web: I assume you had some talking points here, specifically about 
> privsep and code cleanup in OpenBSD's Apache.  The biggest problems with 
> IIS are from admins enabling it when they don't need to, or using IIS 
> when another product would do.  The Microsoft developers are even 
> learning to run the web processes as low-privilege processes (Srv 2003 
> SP1), although third-party developers aren't paying attention.

Yup.
 
> Besides, you can run Apache on Windows, so the core argument is between 
> the trunk Apache and OpenBSD's Apache.

Good point as alternative to IIS but I'd still use it only for internal
purposes.  Apache on OpenBSD in the Wild Wild West is still the only
way to go for me ;)

> IDS: Snort doesn't run on Windows?

Ditto.
 
> Firewall: I'm not familiar with Checkpoint, but their web site 
> (http://www.checkpoint.com/products/downloads/firewall-1_datasheet.pdf) 
> says that Checkpoint on Windows requires 256mb RAM and doesn't list 
> processor requirements.  Sounds like somebody just wanted to buy a big 
> server.  There's no good reason to have two processors in a firewall.

Obviously you've not run Checkpoint on Windows :)  But that's okay,
I wouldn't wish it on anyone 8-)  By the way, in my talk, I do mention
a point in time (August 2003) when I had to protect my firm's standard
Checkpoint Firewall with my OpenBSD Firewall due to an outbreak of
'nachi', 'msblaster' & 'sobig' viruses.  Imagine that, an OpenBSD
firewall out in front protecting another firewall because it was going
to 100% CPU utilization with dual CPUs!
 
> Other comments: When you boil it down, the $500 for Server 2003 isn't 
> really all that expensive for a mid-size or large company.  CALs can 
> make a difference in large companies, but that doesn't really come in to 
> play here.

This company just happens to be the oldest and largest services firm
in the world.  I'll stop at that.  The switch wasn't about saving money.
It was about stability and security.  Cost reduction was an added bonus :) 
 
> You've made a good argument for using OpenBSD as a redundant firewall or 
> access point, but that's more Cisco's domain than Microsoft's.  Maybe 
> find out if you can set up a redundant file server using OpenBSD/CARP, 
> and compare that to active/passive Windows server clustering.

I know that Bob Beck has one such solution.  It's on my list of things
to do ;)  I'm sure that someone has done a comparison but the point is  
that it can be done if need be. 

> Avoid relying on cheap hardware to make your cost point.  OpenBSD runs 
> well on "real", modern servers.  Managers at mid/large companies aren't 
> going to want to hear about how you pulled machines out of the trash and 
> now the business depends on them, even if they're 4x redundant.

Good point.  Most of the people in attendance at the talk commented 
positively on this very point.  They were quite impressed with what 
could be done using OpenBSD and more so when I showed them what could
be done using those very little Commell boxes that I used in the demo :)

> Slide 3: The first two paragraphs only preach to the converted.  Maybe 
> add a fourth bullet point, "Your competitors are probably saving money 
> using it", depending on your audience.

Excellent suggestion.  Thanks for that.

Once again, thanks for your comments and your time :)

Cheers,

Mark Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com
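The CARP/pfsync firewall pair and the authpf wireless gate mentioned in the reply above, written out as an added configuration example; this is not from Mark's slides or from this thread. Interface names, addresses and the CARP password are assumptions, and the syntax is current OpenBSD pf.conf/hostname.if rather than the 2005-era files.

```conf
# --- /etc/hostname.carp0 : shared Internet-side address (assumed values) ---
# Same vhid and password on the peer; give the peer a higher advskew so it
# stays backup until this box stops advertising.
inet 203.0.113.2 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass ASSUMED_SECRET advskew 0

# --- /etc/hostname.pfsync0 : state replication over a dedicated link ---
# pfsync is neither authenticated nor encrypted, so syncdev must be a
# crossover cable or private VLAN that only the two firewalls can see.
up syncdev em3

# --- /etc/pf.conf ---
ext_if  = "em0"      # Internet side; its shared address is carp0
int_if  = "em1"      # office LAN; its shared address would be carp1
wifi_if = "em2"      # wireless segment, untrusted until authpf lets a user in
sync_if = "em3"      # pfsync link to the peer firewall, nothing else

set skip on lo
block return log                                 # default deny everywhere

pass quick on $sync_if proto pfsync              # state replication
pass on { $ext_if $int_if } proto carp           # master election

# Wireless clients may reach only the firewall's SSH port until they log in;
# authpf (set as the user's login shell) then loads their rules into the anchor.
pass in on $wifi_if proto tcp to ($wifi_if) port ssh
anchor "authpf/*"

match out on $ext_if from { $int_if:network $wifi_if:network } nat-to ($ext_if)
pass in on $int_if
pass out on $ext_if

# --- /etc/authpf/authpf.rules : loaded per authenticated wireless user ---
# authpf defines $user_ip and $user_id from the SSH session that logged in.
wifi_if = "em2"
pass in quick on $wifi_if from $user_ip
```

One caveat: pfsync replicates state entries but not the authpf anchor rules, so after a CARP failover a wireless user's existing connections survive but new ones need a fresh authpf login on the surviving firewall.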
