Linux vs OpenBSD as a router

Paul Mooring drpppr242 at gmail.com
Wed Oct 21 07:46:09 MST 2009


I don't know as much about security as you do, but surely you're not
suggesting that distros like SUSE or Ubuntu are more secure than OpenBSD.
I thought the whole purpose behind OpenBSD was to make a secure OS, as
opposed to SUSE for example, which I quit using on firewall servers for
the security issues created by all the unwanted packages installed by
default.  Are you saying I'm wrong in thinking that by default
OpenBSD/pf has significantly fewer security issues than, say,
Gentoo/iptables (which is what I'm currently using in this setup)?

-----Original Message-----
From: Lisa Kachold <lisakachold at obnosis.com>
Reply-to: Main PLUG discussion list
<plug-discuss at lists.plug.phoenix.az.us>
To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
Subject: Re: Linux vs OpenBSD as a router
Date: Tue, 20 Oct 2009 19:09:39 -0700



On Mon, Oct 19, 2009 at 2:46 PM, Paul Mooring <drpppr242 at gmail.com>
wrote:
        I've been running Linux routers using iproute2 and iptables for
        a while now, and OpenBSD just had a new release which has me
        considering switching my home setup to a BSD pf solution.  Does
        anyone have any experience comparing the two?  I guess I'm also
        concerned about other software I use on my Linux router not
        being supported in OpenBSD (OpenVPN, Openswan, and Quagga
        primarily).

Hi!  I agree that pf is easier.  My first copy of FreeBSD was won from
Defcon 6, answering a question correctly from the crowd, and I proceeded
to learn about the wonders that are BSD for a command line (and Xterm)
systems administrator.


But seeing a good number of implementations of both Linux and especially
OpenBSD in the field, I see shameful exploits that have never been
patched.  I.e., they set it up (failing to test their rules fully with a
full tool suite like BackTrack4, but that is another subject) and call
it functionally adequate; the world marches on, and reverse engineers as
progress continues, yet OpenBSD core kernel exploits (for instance) are
never patched (like the well-known null kernel dereference exploit).


Here are the top $n reasons to avoid OpenBSD: 


1) Use a distribution that provides automated source and binary patch
management or updates like SLES, Redhat, or Ubuntu for your firewall
source. 


http://www.openbsd.org/faq/faq15.html


You are not going to have time to deal with issues brought forth from
updates and kernel rebuilds on your bastion firewall system.


2)  Example OpenBSD PF null pointer dereference & scapy:



____________________________________
PROBLEM:
OpenBSD PF Remote Denial Of Service Vulnerability.  Exploiting this
issue allows remote attackers to cause a kernel panic on affected
computers, denying further service to legitimate users.

PLATFORM:
OpenBSD 4.3, 4.4, and 4.5 are affected.

ABSTRACT:
OpenBSD's PF firewall in OpenBSD 4.3 up to OpenBSD-current is prone to
a remote Denial of Service during a null pointer dereference in relation
with specially crafted IP datagrams.  If the firewall handles such a
packet the kernel panics.  The vulnerability resides in 'sys/net/pf.c'
in the pf_test() function.




Ref:  http://www.doecirc.energy.gov/bulletins/t-110.shtml


Current release is 4.6, but you can bet there are no proactive patches
for anything older than April 2009!  Get scapy baby!  Ref:
 http://pentestit.com/2009/09/03/scapy-powerful-interactive-packet-manipulator/


3) IPv6 was hopelessly broken in OpenBSD up to 4.1 (2007)


Remotely exploitable buffer overflow vulnerability, due to kernel memory
design flaw in IPv6.  


Hey?  Good thing I mentioned it, right, or are you all checking the
source exploits on each distro tool you use?  Are you all keeping up on
all that source code in legacy systems?  Script kiddies could just be
running the python exploit example publicized here:
http://blog.lifeoverip.net/2007/03/14/only-two-remote-holes-in-the-default-install-in-more-than-10-years/


Ref:  http://www.coresecurity.com/content/open-bsd-advisorie


4) Quagga bgpd denial of service vulnerability (not just for OpenBSD 4.4
or earlier, but it is trivial to update source in other distros):


http://www.openbsd.org/errata44.html


Other distros: 
Ref:  http://www.securityfocus.com/bid/17979


5) OpenBSD 4.6 BIND dynamic zone update message crash (should you need
to use BIND on your firewall).


http://www.openbsd.org/security.html#46


6) Exploit mitigation techniques are very complex.  Once you read through
a well explained example, you will agree that one mitigation technique
might not be sufficient.  


http://www.openbsd.org/papers/ven05-deraadt/index.html


Summary:
Check your security patch and exploits by release for OpenBSD here:  


http://www.openbsd.org/security.html


Be sure to indicate to all your stakeholders that when you take down
your firewall to implement these fixes EVERYTHING will be either down or
at risk.  Be sure to dd that original kernel to backup before attempting
a patch, so you can swiftly roll back.  Same thing for all the juicy
binary sources, running unpatched... ignored and constantly under siege!






        
        ---------------------------------------------------
        PLUG-discuss mailing list -
        PLUG-discuss at lists.plug.phoenix.az.us
        To subscribe, unsubscribe, or to change your mail settings:
        http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



-- 
Skype: (623)239-3392 
AT&T: (503)754-4452 
www.obnosis.com
http://www.obnosis.com/motivatebytruth/will_work_4_bandwidth.jpg

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
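The thread compares pf and iptables as router firewalls, and the one
difference that most often bites when a ruleset is ported between them is
how a verdict is reached: pf walks the whole ruleset and the last matching
rule wins unless a rule says "quick", while iptables stops at the first
matching terminating rule and otherwise falls back to the chain policy.
The following is an added example written for this archive page, not code
from either poster or from the OpenBSD or netfilter projects. It is a toy
model of just those ordering semantics (no state tracking, interfaces or
NAT), and the addresses in it are constructed RFC 5737 documentation
addresses.

```python
# Added example, not code from the original thread or from either poster.
# It models the rule-evaluation semantics that differ between OpenBSD pf
# (last matching rule wins, unless a matching rule says `quick`) and Linux
# iptables (first matching terminating rule wins, else the chain policy).
# Simplifications: packets carry only proto/dport/src, there is no state
# tracking, no interfaces and no NAT; the hosts below are constructed
# documentation addresses (RFC 5737), not real ones.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    src: str     # source address as a string


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block" (iptables: ACCEPT / DROP)
    proto: Optional[str] = None  # None means "any"
    dport: Optional[int] = None
    src: Optional[str] = None
    quick: bool = False          # pf only: stop evaluating on this match

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.src is None or self.src == pkt.src))


def pf_decide(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf semantics: walk the whole ruleset; the LAST matching rule sets the
    verdict, unless a matching rule is `quick`, which ends evaluation there.
    A packet that matches no rule at all is passed by pf."""
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def iptables_decide(rules: List[Rule], pkt: Packet, policy: str = "pass") -> str:
    """iptables semantics: the FIRST matching rule with a terminating target
    (ACCEPT/DROP) decides; if nothing matches, the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


ADMIN = "192.0.2.10"                                   # constructed admin host
SSH_FROM_ADMIN = Packet("tcp", 22, ADMIN)
WEB_FROM_ANYONE = Packet("tcp", 80, "198.51.100.7")    # constructed outsider

# Ruleset A, written the way an iptables admin would: allow first, then deny.
IPTABLES_ORDER = [
    Rule("pass", proto="tcp", dport=22, src=ADMIN),
    Rule("block"),
]

# Ruleset B, the same intent in idiomatic pf order: block all, then pass.
PF_ORDER = [
    Rule("block"),
    Rule("pass", proto="tcp", dport=22, src=ADMIN),
]

# Ruleset C, iptables order made safe for pf by marking the pass rule quick.
PF_ORDER_QUICK = [
    Rule("pass", proto="tcp", dport=22, src=ADMIN, quick=True),
    Rule("block"),
]


def compare(rules: List[Rule], pkt: Packet) -> Dict[str, str]:
    """Return both engines' verdicts for one packet so divergences stand out."""
    return {"pf": pf_decide(rules, pkt), "iptables": iptables_decide(rules, pkt)}


if __name__ == "__main__":
    for name, rules in (("A (iptables order)", IPTABLES_ORDER),
                        ("B (pf order)", PF_ORDER),
                        ("C (pass ... quick)", PF_ORDER_QUICK)):
        for label, pkt in (("ssh from admin", SSH_FROM_ADMIN),
                           ("web from outsider", WEB_FROM_ANYONE)):
            print(f"{name:20} {label:18} {compare(rules, pkt)}")
```

Ruleset A is the lock-out case: fed to pf unchanged, the trailing "block"
is the last match and the admin's SSH is dropped; ruleset B is the
opposite trap, since iptables takes the leading block as a terminating
first match. Either reorder for the engine you are on or use "quick",
and, as the thread says, probe the live ruleset from outside rather than
trusting the file.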

