Re: Security Comparisons
On 11/10/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
> of philosophy. Linux is about making all kinds of toys work in a hot-plug way and allow people to boast about their uptime. OpenBSD is about security.

I would add usability (conciseness, least surprise and coherency) and thus maintainability to the list. I end up having less to do for OpenBSD servers to keep them happy running than for some Debian boxes, and Debian _is_ damn well maintainable.

--knitti
Re: Security Comparisons
On Sat, Nov 10, 2007 at 05:52:03PM +0100, knitti wrote:
> On 11/10/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
> > of philosophy. Linux is about making all kinds of toys work in a hot-plug way and allow people to boast about their uptime. OpenBSD is about security.
>
> I would add usability (conciseness, least surprise and coherency) and thus maintainability to the list. I end up having less to do for OpenBSD servers to keep them happy running than for some Debian boxes, and Debian _is_ damn well maintainable.

True. Although I haven't run into the problem, there have been many cries for help on the debian-user list when udev renames drive devices and a machine refuses to boot. The answer has been to use Linux's ability to mount by LABEL= instead of /dev/* so that the kernel looks at all the devices for the appropriate filesystem label. Just an example of a surprise gotcha.

Doug.
Re: Security Comparisons
On Nov 9, 2007 10:53 AM, new_guy [EMAIL PROTECTED] wrote:
> If this is off-topic, I apologize. Just tell me and I'll go away ;)
>
> I'm having discussions with coworkers about moving to OpenBSD for Apache/PHP web hosting. Right now, we use various Linux distros. I have no problem with that. Linux is cool... but it takes more time to secure and manage. I like the Suhosin (Hardened PHP patch in OpenBSD's PHP package) and the fact that Apache is chrooted by default. We even uploaded some php exploit code onto a test OpenBSD box (r57shell) to see how well it contained the exploit. It worked well. All of these demos and discussions are informal.
>
> So here's the question: Are there any formal/corporate comparisons that demonstrate the enhanced security of OpenBSD when compared to other solutions in this space that we can provide to upper management?

Sadly, justifying the obvious through these means is often a requirement. Here's an approach you might consider. Take a best practice / standards guide such as from NIST:

http://www.itl.nist.gov/lab/bulletns/bltndec02.htm
http://csrc.nist.gov/publications/drafts/800-44-Version2/Draft-SP800-44v2.pdf

And for the points your organization feels are important (like what you've listed above), map how OpenBSD's implementation and OS approach addresses those points. You'll find this is a pretty good indicator and should be well accepted by the folks that matter.

DS
Re: Security Comparisons
Darren Spruell wrote:
> Sadly, justifying the obvious through these means is often a requirement. Here's an approach you might consider. Take a best practice / standards guide such as from NIST:
>
> http://www.itl.nist.gov/lab/bulletns/bltndec02.htm
> http://csrc.nist.gov/publications/drafts/800-44-Version2/Draft-SP800-44v2.pdf
>
> And for the points your organization feels are important (like what you've listed above), map how OpenBSD's implementation and OS approach addresses those points.

Thanks... that's a good suggestion. I found the Secunia OS advisories very telling as well. Comparing OpenBSD 3.x (85 Advisories) to Debian 3.x (577).

http://secunia.com/product/
Re: Security Comparisons
On Fri, Nov 09, 2007 at 02:27:16PM -0800, new_guy wrote:
> Darren Spruell wrote:
> > Sadly, justifying the obvious through these means is often a requirement. Here's an approach you might consider. Take a best practice / standards guide such as from NIST:
> >
> > http://www.itl.nist.gov/lab/bulletns/bltndec02.htm
> > http://csrc.nist.gov/publications/drafts/800-44-Version2/Draft-SP800-44v2.pdf
> >
> > And for the points your organization feels are important (like what you've listed above), map how OpenBSD's implementation and OS approach addresses those points.
>
> Thanks... that's a good suggestion. I found the Secunia OS advisories very telling as well. Comparing OpenBSD 3.x (85 Advisories) to Debian 3.x (577).
>
> http://secunia.com/product/

However, you should read their PLEASE NOTE: comment. Especially when you figure that the reports for Debian are for all the packages in Debian (thousands of them) whereas OpenBSD doesn't have as many pieces. They specifically say not to use the number of advisories to compare the relative security of the products on which they report.

You also have to look at the duration of support. OpenBSD comes out with a new version every six months. Debian comes out every few years. Since Debian is designed with continuous updates possible, the only impetus for a new OS version is new versions of software. Otherwise, the Debian security team takes security advisories in newer versions and backports them to the version supplied in the current stable branch.

If you look specifically at, for example, Debian 3.1 (Sarge) and want to compare it with OpenBSD, you'd have to look at the dates from Sarge release to Etch (4.0) release and count the security advisories (which are both security and important bug fixes). Then look at the security advisories for OpenBSD in that time. Then weed out of Debian's count those updates that applied to applications that aren't in OpenBSD, and weed out bugfixes only (that may have been applied to OpenBSD -current but not backported into -patch).

The one thing you will find is that there have been more updates to any single version of the Linux kernel than to the OpenBSD kernel. It's the nature of the beast: Linux is all about new features to work on new hardware.

To me the biggest difference between Linux and OpenBSD is one of philosophy. Linux is about making all kinds of toys work in a hot-plug way and allow people to boast about their uptime. OpenBSD is about security. If you add a new piece of hardware, do a reboot and forget about uptime as a quality indicator. It's not a fair comparison since OpenBSD handles USB stuff too but the philosophical difference is there.

Doug.
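The counting method Doug lays out above (restrict both vendors to one Debian release's support window, drop Debian advisories for packages OpenBSD does not ship, drop bugfix-only updates) as an added Python example; it is not part of the thread. The advisory records and the package-name mapping are constructed samples, not Secunia, DSA or OpenBSD errata data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    """One vendor advisory, reduced to the fields the fair comparison needs."""
    vendor: str       # "debian" or "openbsd"
    package: str      # affected package / component name
    published: date
    security: bool    # False for a bugfix-only update


# Constructed sample records; the dates and packages are illustrative only.
SAMPLE = [
    Advisory("debian", "linux-2.6", date(2005, 8, 1), True),
    Advisory("debian", "openssh", date(2006, 3, 4), True),
    Advisory("debian", "mysql", date(2006, 5, 9), True),   # not in OpenBSD base
    Advisory("debian", "bind9", date(2006, 9, 2), False),  # bugfix only
    Advisory("debian", "apache", date(2007, 6, 1), True),  # after Etch release
    Advisory("openbsd", "openssh", date(2006, 3, 6), True),
    Advisory("openbsd", "bind", date(2006, 9, 5), True),
    Advisory("openbsd", "kernel", date(2007, 1, 10), True),
]

# Assumed mapping of Debian package names to OpenBSD base components; a real
# comparison would derive this from the OpenBSD source tree, not hand-write it.
DEBIAN_TO_OPENBSD = {"linux-2.6": "kernel", "openssh": "openssh",
                     "bind9": "bind", "apache": "httpd"}

SARGE_RELEASE = date(2005, 6, 6)  # Debian 3.1 release date
ETCH_RELEASE = date(2007, 4, 8)   # Debian 4.0 release date


def raw_counts(advisories):
    """The naive per-vendor total that Secunia's note warns against comparing."""
    counts = {}
    for a in advisories:
        counts[a.vendor] = counts.get(a.vendor, 0) + 1
    return counts


def fair_counts(advisories, start, end, pkg_map):
    """Security-only advisories in [start, end], Debian limited to shared packages."""
    in_window = [a for a in advisories if start <= a.published <= end]
    debian = sum(1 for a in in_window
                 if a.vendor == "debian" and a.security and a.package in pkg_map)
    openbsd = sum(1 for a in in_window if a.vendor == "openbsd" and a.security)
    return {"debian": debian, "openbsd": openbsd}


if __name__ == "__main__":
    print("raw:", raw_counts(SAMPLE))
    print("fair:", fair_counts(SAMPLE, SARGE_RELEASE, ETCH_RELEASE, DEBIAN_TO_OPENBSD))
```

On the sample data the raw totals favour OpenBSD 5 to 3, while the windowed, package-matched count comes out 2 to 3, which is the point of the note about not comparing headline numbers.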