I run OpenBSD for almost anything that is exposed to insecure digital spaces, like the Internet, that needs to be seriously hardened. I run Linux (or god forbid, Windows) on servers that can be a little "soft" because they are only exposed to "trusted" access.
My company's main websites are run on hosted servers that we don't directly control the OS of. I believe they are running on Debian 3.1 GNU/Linux systems, and I am satisfied with the expertise of those responsible for running them, so it's not my issue.
My router/firewall/VPN box is OpenBSD. It is the gateway to all the "soft" bits on my intranet. The intranet server runs Linux (Slackware), for multiple reasons. Generally you have a wider applications base and possibly easier access to more modern versions of tools, and more people who have expertise to draw upon. Also, there are some performance reasons, it being an SMP machine.
There are two exceptions to the hard/soft rule. There are two tunnels through the hardened OBSD gateway into "soft" Linux servers: Mail and DMZ HTTP.
For architectural reasons, my SMTP server runs on the "soft" Linux intranet server. However, I run qmail, a piece of software written by someone who is equally concerned about code quality and security as the OpenBSD team themselves. I am generally confident that exposing access to qmail on a "soft" Linux system is not a point of failure. If an exploit were found in qmail, I would need to move quickly to resolve it since Linux does not have nearly as much exploit-prevention architecture as OpenBSD.
The second soft hole is access to a Linux-based low-load webserver running in my network DMZ. I chose Linux here to have wider access to more modern webserver software and applications. Due to the higher potential for exploitation, this machine is walled off into a DMZ with no access to the Intranet. It is remotely backed up by a revision tracking system on a daily basis so that it can be rebuilt or rolled back to a known good state if it is compromised.
There are a couple of Windows remote-desktop machines and an ancient Windows fax server lurking in the intranet zone, but they aren't allowed to speak to the outside world except via secure VPN connections established and controlled by the OpenBSD gateway.
Use systems of trusted security (OpenBSD and/or qmail) whenever compromise would be expensive. Allow less hardened systems only where compromise is not likely (intranet), or not costly (DMZ).
--
Chris 'Xenon' Hanson | Xenon @ 3D Nature | http://www.3DNature.com/
"I set the wheels in motion, turn up all the machines, activate the programs, and run behind the scenes.
I set the clouds in motion, turn up light and sound, activate the window, and watch the world go 'round."
-Prime Mover, Rush.
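The hard/soft segmentation described in the post above, expressed as an OpenBSD pf.conf, as an added example that is not part of the original message. Interface names, addresses, the remote VPN network, the remote gateway and the IPsec (enc0) handling are all assumptions made for the example.

```pf
# Added example, not from the original post: an OpenBSD pf.conf sketch of the
# hard/soft policy described above. Interface names, addresses, the remote VPN
# network and the IPsec details (enc0) are all assumptions.
ext_if = "em0"                 # Internet-facing
int_if = "em1"                 # "soft" intranet
dmz_if = "em2"                 # DMZ
intranet_net = "10.0.1.0/24"
dmz_net      = "10.0.2.0/24"
vpn_net      = "10.0.9.0/24"   # remote end of the gateway-controlled VPN
remote_gw    = "203.0.113.9"   # remote VPN gateway (documentation address)
mail_srv  = "10.0.1.25"        # Linux intranet server running qmail
web_srv   = "10.0.2.80"        # Linux low-load webserver in the DMZ
win_hosts = "{ 10.0.1.50, 10.0.1.51 }"  # remote-desktop boxes and fax server
table <win_reach> const { 10.0.1.0/24, 10.0.9.0/24 }  # all the Windows boxes may talk to

set skip on lo
set block-policy drop

# Hide private addresses behind the gateway.
match out on $ext_if inet from { $intranet_net, $dmz_net } nat-to ($ext_if)

# Default deny; anything not listed below is dropped and logged.
block log all

# Hole 1: SMTP tunnelled through the gateway to qmail on the intranet server.
pass in on $ext_if inet proto tcp to ($ext_if) port smtp rdr-to $mail_srv

# Hole 2: HTTP to the DMZ webserver.
pass in on $ext_if inet proto tcp to ($ext_if) port { http, https } rdr-to $web_srv

# The DMZ is walled off: nothing from it may reach the intranet, even if the
# webserver is compromised. Outbound to the Internet is left open (assumed).
block in log quick on $dmz_if from $dmz_net to $intranet_net
pass in on $dmz_if from $dmz_net

# Intranet hosts may reach the outside and the DMZ (daily backup pull), but the
# Windows boxes may only talk to the intranet itself and to the VPN side.
block in log quick on $int_if from $win_hosts to ! <win_reach>
pass in on $int_if from $intranet_net

# The gateway's own traffic, plus the IPsec tunnel it maintains (assumed setup).
pass out on $ext_if from ($ext_if)
pass in on $ext_if proto esp from $remote_gw to ($ext_if)
pass in on $ext_if proto udp from $remote_gw to ($ext_if) port { isakmp, ipsec-nat-t }
pass in on enc0 proto ipencap from $remote_gw to ($ext_if) keep state (if-bound)
pass on enc0 from { $intranet_net, $vpn_net } to { $intranet_net, $vpn_net } keep state (if-bound)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `tcpdump -n -e -ttt -i pflog0` for the logged drops to confirm the DMZ-to-intranet and Windows-to-Internet rules are actually firing.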